ClawHavoc — Agentic Skill Marketplace Supply Chain Attack

Summary

Between January 27 and February 16, 2026, attackers uploaded 1,184+ malicious skills to the OpenClaw marketplace. The campaign represents the first large-scale supply chain attack targeting an agentic AI ecosystem. The primary actor “hightower6eu” uploaded 354 skills in a single burst on January 31. Payloads deployed the Atomic macOS Stealer (AMOS), harvesting browser credentials, keychains, crypto wallets, SSH keys, and Telegram data.

Attack Vector

The marketplace had no pre-publish verification, no code signing, and no behavioural analysis — gaps that a January 2026 research note had identified theoretically but that the campaign confirmed at scale. Attackers exploited the open submission flow to publish skills bundling AMOS payloads. End users installed the skills through normal flows, triggering credential exfiltration on first invocation.

Timeline

  • 2026-01-27 — first malicious uploads detected (in retrospect)
  • 2026-01-31 — “hightower6eu” uploads 354 skills in a single burst
  • 2026-02-01 — Koi Security names the campaign “ClawHavoc”
  • 2026-02-07 — OpenClaw partners with VirusTotal for marketplace scanning
  • 2026-02-12 — OpenClaw releases a patch covering 40+ vulnerabilities
  • 2026-02-16 — campaign considered contained; long-tail review continues
  • Later: Snyk’s analysis finds 36% of all ClawHub skills contain security flaws (a baseline issue broader than the campaign)

Defensive Lessons

  • Marketplace controls are upstream of agent controls. The campaign succeeded not because of agent-level vulnerabilities but because the distribution layer had none of the controls software registries (e.g., npm, PyPI) have built up over 15 years.
  • Skill / tool annotation matters. Frameworks like OWASP Agentic AI Top 10 flag tool-level risk; this campaign is concrete evidence.
  • Mapping to MITRE ATLAS: the new “Publish Poisoned AI Agent Tool” technique added to ATLAS in Q1 2026 corresponds to this attack class.
  • Pre-publish verification + code signing + behavioural analysis are the three controls that, in combination, would have substantially reduced the blast radius.
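
Added example (not part of the original write-up and not OpenClaw code): one pre-publish check the timeline points to is a per-publisher upload-rate gate, since a single account publishing 354 skills in one burst is visible before any payload analysis. The window, threshold, quarantine policy, publisher names and event tuples below are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not from the incident reports); tune per marketplace.
WINDOW = timedelta(hours=24)
MAX_UPLOADS_PER_WINDOW = 10

def flag_burst_publishers(events, window=WINDOW, limit=MAX_UPLOADS_PER_WINDOW):
    """Return {publisher: peak uploads seen in any sliding window} for publishers over limit.

    events: iterable of (iso_timestamp, publisher, skill_name) tuples, in any order.
    """
    recent = defaultdict(deque)  # publisher -> upload times inside the current window
    peaks = {}
    for ts, publisher, _skill in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[publisher]
        q.append(now)
        # Drop uploads that have aged out of the window ending at `now`.
        while now - q[0] >= window:
            q.popleft()
        if len(q) > limit:
            peaks[publisher] = max(peaks.get(publisher, 0), len(q))
    return peaks

def hold_for_review(events, **policy):
    """Assumed policy: quarantine every skill from a flagged publisher, not just the overflow."""
    events = list(events)
    flagged = flag_burst_publishers(events, **policy)
    return sorted(skill for _ts, pub, skill in events if pub in flagged)

def constructed_events():
    """Constructed sample: one burst publisher (354 uploads in ~12 h) and one steady publisher."""
    base = datetime(2026, 1, 31, 9, 0, 0)
    burst = [((base + timedelta(minutes=2 * i)).isoformat(), "publisher-a", f"skill-a-{i:03d}")
             for i in range(354)]
    steady = [(datetime(2026, 1, day, 12).isoformat(), "publisher-b", f"skill-b-{day}")
              for day in (5, 14, 27)]
    return burst + steady

if __name__ == "__main__":
    for publisher, peak in flag_burst_publishers(constructed_events()).items():
        print(f"HOLD {publisher}: {peak} uploads within {WINDOW}")
```

A rate gate only catches the burst pattern; slow, distributed uploads still need the signing and behavioural-analysis controls listed above.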

Sources

  • See the "sources:" field in the frontmatter. Specific quote location: opening of the Q1 2026 threat-landscape section.