Compromised npm package silently installs OpenClaw on developer machines

While the AI itself wasn’t weaponized, the technique raises concerns about AI agents with broad system access.

A new security bypass has users installing AI agent OpenClaw — whether they intended to or not.

Researchers have discovered that a compromised npm publish token was used to push an update for the widely used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user’s machine.

This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.

According to research by security platform Socket, the script was live for eight hours on the registry.

It should be emphasized that, in this case, OpenClaw wasn’t inherently malicious. However, it does represent yet another chapter in OpenClaw’s shaky security saga, and situations like this could earn it ‘potentially unwanted application’ (PUA) status.

“I mean, they effectively turned OpenClaw into malware that EDR [endpoint detection and response] isn’t going to stop,” said David Shipley of Beauceron Security. It is “deviously, terrifyingly brilliant.”

EDR, managed detection and response (MDR), and other security providers are going to be forced to declare OpenClaw either a PUA or “flat out as malware, which, honestly, it can be,” said Shipley, or these kinds of attacks win.

“I hate to give it to attackers, but you kind of have to on this one,” he said. “This is why agentic AI is going to get so many people pwned.”

Read the Full Story at InfoWorld
