What happened
Threat actors are distributing the AMOS infostealer by poisoning the skill marketplace of the OpenClaw AI assistant ecosystem to compromise macOS systems. According to researchers, the campaign, known as ClawHavoc, involved attackers uploading malicious OpenClaw skills disguised as legitimate add-ons such as productivity tools, cryptocurrency utilities, and integrations for popular services. When installed, these malicious skills deployed the Atomic macOS Stealer (AMOS), enabling attackers to extract browser credentials, cryptocurrency wallet data, SSH keys, session cookies, and other sensitive information.
AMOS operates as a credential-harvesting malware platform: it enumerates system credential stores, browsers, and messaging applications to rapidly collect authentication data and transmit it to attacker-controlled infrastructure. The campaign exploited OpenClaw's popularity as an AI assistant platform, leveraging user trust in marketplace extensions to facilitate malware installation and credential theft.
Who is affected
macOS users who installed malicious OpenClaw skills or AI assistant extensions are affected, as AMOS can harvest credentials, cryptocurrency wallet information, and authentication session data directly from compromised systems.
Why CISOs should care
The use of AI assistant extension marketplaces to distribute infostealer malware highlights how trusted software ecosystems can become distribution channels for credential theft, increasing risk to enterprise identity security and access control.
3 practical actions
- Audit AI assistant extensions. Review installed OpenClaw skills and remove unauthorized or suspicious add-ons.
- Monitor credential exposure indicators. Detect signs of credential harvesting, session theft, or unusual authentication activity.
- Restrict extension installation. Limit installation of third-party extensions to vetted and approved sources only.
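The first and third actions above (audit installed skills, allow only vetted sources) can be combined into an allowlist check: every installed skill is hashed and compared against the digest recorded when it was vetted, so unapproved skills and approved skills whose contents changed after vetting are both flagged. The script below is an added example, not OpenClaw's own tooling or anything from the researchers' report. It assumes that each installed skill lives in its own subdirectory under a skills directory (the `SKILLS_DIR` path is a placeholder, since the page does not document the real layout), and the three sample skills and the allowlist it builds are constructed for the demonstration.

```python
"""Audit installed AI-assistant skills against an approved allowlist.

Added example, not OpenClaw's own tooling. Assumptions (labelled):
  * each installed skill lives in its own subdirectory under SKILLS_DIR
  * a skill's identity is the SHA-256 over all of its files and file names
  * SKILLS_DIR is a placeholder; the real path depends on the installation
"""
import hashlib
import tempfile
from pathlib import Path

# Placeholder for the real skills directory (assumption, not documented on the page).
SKILLS_DIR = Path.home() / ".openclaw" / "skills"


def skill_digest(skill_dir: Path) -> str:
    """SHA-256 over every file in the skill, in a deterministic order.

    File names are bound to their contents so that renaming or adding a file
    (for example an extra install script) changes the digest.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in skill_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(skill_dir).as_posix()
        h.update(rel.encode())
        h.update(b"\0")
        h.update(path.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def audit_skills(skills_dir: Path, allowlist: dict[str, str]) -> dict[str, list[str]]:
    """Classify each installed skill as approved, tampered, or unapproved.

    allowlist maps skill name -> digest recorded when a vetted copy was approved.
    Skills not in the allowlist are unapproved; allowlisted skills whose current
    digest differs from the recorded one are tampered (modified after vetting).
    """
    report: dict[str, list[str]] = {"approved": [], "tampered": [], "unapproved": []}
    if not skills_dir.is_dir():
        return report
    for skill_dir in sorted(p for p in skills_dir.iterdir() if p.is_dir()):
        name = skill_dir.name
        digest = skill_digest(skill_dir)
        if name not in allowlist:
            report["unapproved"].append(name)
        elif allowlist[name] != digest:
            report["tampered"].append(name)
        else:
            report["approved"].append(name)
    return report


def build_sample_install() -> tuple[Path, dict[str, str]]:
    """Constructed sample: three skills, an allowlist covering two of them,
    and one allowlisted skill modified after it was vetted."""
    root = Path(tempfile.mkdtemp(prefix="skills-"))
    for name in ("notes-helper", "wallet-tracker", "calendar-sync"):
        (root / name).mkdir()
        (root / name / "SKILL.md").write_text(f"# {name}\n")
    # Record digests of the vetted copies.
    allowlist = {
        "notes-helper": skill_digest(root / "notes-helper"),
        "wallet-tracker": skill_digest(root / "wallet-tracker"),
    }
    # Simulate a post-approval change: an extra script appears in wallet-tracker.
    (root / "wallet-tracker" / "install.sh").write_text("#!/bin/sh\necho modified\n")
    return root, allowlist


if __name__ == "__main__":
    sample_root, sample_allowlist = build_sample_install()
    print(audit_skills(sample_root, sample_allowlist))
    # Against a real installation, pass the vetting records instead:
    # audit_skills(SKILLS_DIR, allowlist_from_vetting)
```

In practice the allowlist is the record produced when a skill is reviewed and approved; running the audit on a schedule (or before the assistant starts) turns the "remove unauthorized or suspicious add-ons" step into something that can be enforced rather than eyeballed, and the tampered bucket catches an approved skill that was updated to carry a payload after the review.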
