The Silent AI Supply Chain Attack: How Malicious AI Skills Became the New Malware

Malicious AI models are the new malware. Learn how AI supply chain attacks work, why they’re almost invisible, and why “trust no model” is cybersecurity’s next frontier.

Nobody flagged it. It looked like any other developer tool, a clean name, a polished README, a download count that signalled community trust. It was listed right there in ClawHub’s top results, exactly where you’d expect to find something worth installing.

That’s the thing about this kind of attack. It doesn’t need phishing emails or suspicious attachments.
It just needs to look legitimate, and then wait.

INTRODUCTION

Between January and February 2026, something quietly broke in the AI ecosystem. Researchers at Koi Security discovered that 341 of the 2,857 skills available on ClawHub, nearly 12% of the entire registry, were malicious. Not borderline. Not mislabeled. Malicious.

ClawHub is the official skill marketplace for OpenClaw, an open-source autonomous AI agent used by developers and businesses worldwide. Skills are the building blocks of what an agent can do, including integrations with Google Calendar, web browsers, file systems, and code execution environments. Installing a skill is as natural as installing an npm package.

Except this time, one in eight of those packages contained a payload designed to steal everything: browser credentials, cryptocurrency wallets, SSH keys, Telegram session data. The campaign was later named ClawHavoc. And it was only the beginning.

HOW IT WORKED

Figure 1: The future of AI supply chain attacks may not hide in malware, but in interfaces users already trust.

The Anatomy of ClawHavoc

The ClawHavoc operation was coordinated, patient, and technically sophisticated. Seven threat actors, led by one account, hightower6eu, which alone published 677 malicious packages, uploaded skills across every major ClawHub category: productivity tools, browser automation agents, coding assistants, PDF utilities, LinkedIn integrations, even fake security-scanning skills.

The names targeted exactly what developers search for. Packages like solana-wallet-tracker, youtube-summarize-pro, calendar-sync-pro. Each came with professional documentation. Clean SKILL.md files. The attack hid in the Prerequisites section.

ClickFix 2.0: When the Agent Becomes the Attacker

Researchers at Termdock named what they observed ClickFix 2.0, an evolution of an old social engineering technique, rebuilt for the agentic era.

Traditional ClickFix attacks trick users into copying and pasting malicious commands from a website. ClickFix 2.0 is more elegant and far more dangerous. The malicious skill embeds fake “prerequisite installation requirements” inside its SKILL.md file. When an OpenClaw agent reads that file, it surfaces the fake setup dialogue to the user itself. The agent, something the user trusts implicitly, becomes the delivery mechanism.

The payload was Atomic macOS Stealer (AMOS), a commodity infostealer that harvested browser credentials, keychain passwords, cryptocurrency wallets, SSH keys, and Telegram session data. Estimated reach was 300,000 OpenClaw users.

The ClawHub Vulnerability: Gaming Trust at Scale

In March 2026, Silverfort’s security research team added another dimension to the story. They disclosed a critical vulnerability in ClawHub’s ranking system, one that let any attacker inflate their skill’s download count and position it as the #1 result in its category.

To prove it, they published a proof-of-concept. Their skill climbed to the #1 download position in its category and executed 3,900 times across more than 50 cities worldwide, within six days. Public companies were among the affected environments.

It’s npm-style trust hijacking, but for AI agents. The more downloads a skill has, the higher it ranks. The higher it ranks, the more it gets installed. The cycle is self-amplifying, and attackers learned to exploit it.

ClawSwarm: Agents Turned Into Crypto Miners

By April 2026, The Register reported a third wave. A ClawHub user identified as imaflytok had published 30 skills that silently turned AI agents into a coordinated cryptocurrency mining swarm, dubbed ClawSwarm. The campaign accumulated roughly 9,800 downloads.

What made ClawSwarm different, it didn’t use malware at all. There was nothing to scan, no payload to detect. The skills simply instructed the AI agent to contribute computing resources to a mining pool, using the agent’s own capabilities, operating entirely within its design. No exploit. No shellcode. Just instructions.

Why This Hit So Hard

The ClawHavoc campaign succeeded for reasons that have nothing to do with technical sophistication. They have everything to do with how humans extend trust in new ecosystems.

ClawHub is, as Silverfort described it, the npm of the OpenClaw agentic ecosystem. Developers learned to trust npm packages the same way, by proxy. A high download count means other developers vetted it. Top ranking means the community approves. Nobody reads the source code of every package they install.

That assumption carried directly into agentic AI. And in this environment, the stakes are higher. An AI agent has file system access, browser control, calendar permissions, API keys, and the ability to execute code. A compromised npm package silently phones home. A compromised AI skill convinces your own agent to hand over your SSH keys.

By the time Antiy Labs completed their catalogue, they had tracked 1,184 malicious skills historically published to ClawHub. Not 341. Not 824. 1,184.

From “Trust No File” to “Trust No Skill”

Figure 2: ClawHavoc revealed something deeper than a marketplace breach; it exposed how agentic AI inherited the same supply chain trust problems as software ecosystems, but at a far greater scale.

There’s a version of this story where ClawHub is just one platform and ClawHavoc is just one campaign. That reading is too small.

What ClawHavoc demonstrated is that the agentic AI layer is the new software supply chain, and it arrived before the security infrastructure to support it. ClawHub had no mandatory code review. No automated scanning until the breach forced one. No cryptographic signing of skill packages. It grew from a promising open-source tool into a platform with hundreds of thousands of users in months, and the security model never caught up.

This will happen again. Every AI agent framework that builds a skills marketplace faces the same fundamental problem: popularity is the primary trust signal, and popularity can be manufactured. The ClawHub ranking vulnerability made that explicit. An attacker willing to spend a few hours on automation could install themselves at the top of any category.

ClickFix 2.0 is the more unsettling development. It’s not a vulnerability; it’s an architectural property of how agents work. Agents read instructions from external sources and act on them. The instructions don’t need to be in malware. They can be in documentation. They can be in a README. They can be in a SKILL.md file that tells the agent, helpfully, to run a command to install its prerequisites.

The agent is not compromised. The agent is doing exactly what it was designed to do.

Key Takeaways

  • ClawHavoc planted 341+ malicious skills in OpenClaw’s ClawHub registry, nearly 12% of all published skills at the time of discovery.
  • The payload was Atomic macOS Stealer (AMOS), targeting 300,000 users across browser credentials, crypto wallets, SSH keys, and Telegram sessions.
  • ClickFix 2.0 is the defining technique, and no executable is dropped on the user’s machine. The AI agent itself surfaces the attack, using fake setup dialogues in legitimate-looking documentation.
  • A separate Silverfort-disclosed vulnerability let attackers game ClawHub’s ranking system, executing malicious code on 3,900 machines in 50+ cities within six days.
  • ClawSwarm went further, 30 skills turned agents into a crypto mining swarm using no malware at all, only instructions the agent willingly followed.
  • By final count, 1,184 malicious skills had been published to ClawHub historically.
  • The root issue is popularity-based trust, which is gameable, and agent skill marketplaces inherited this flaw from package registries without the years of hard lessons npm, PyPI, and others learned through their own breaches.

The Question the Ecosystem Has to Answer

ClawHavoc will be studied as a milestone event in AI security, the moment the agentic ecosystem learned, at scale, that it had the same supply chain problems as every software ecosystem before it, just faster and with higher stakes.

The response was real. OpenClaw partnered with VirusTotal. Silverfort built ClawNet, an open-source security plugin that scans skills for malicious patterns before installation. Patches shipped. Daily scanning was introduced. The infrastructure of trust is being rebuilt.

But ClickFix 2.0 doesn’t have a patch. You can’t patch the fact that agents execute instructions. And as agent ecosystems multiply, MCP registries, copilot plugins, model marketplaces and enterprise skill libraries, every one of them is a new ClawHub waiting to grow faster than its security model.

The security question for agentic AI isn’t whether someone will try to abuse a skill registry. They already did.
The question is: how many users will trust the wrong thing before the next ecosystem learns what ClawHub’s users learned in February 2026?

Share your love
Keerthana Srinivas
Keerthana Srinivas
Articles: 85

Leave a Reply

Your email address will not be published. Required fields are marked *