Message from 4 February, password management tool 1 Password published on 2 February, and its security team found assailants using fire in AI Agent OpenClawOriginal name Clawdbot And Moltbot) disseminates and embedding malware to MacOS users。
Note: OpenClaw is an AI smart body with a recent explosion, and core competitiveness lies in its “active automation” capability. The AI smart body is free to clean its inboxes, book services, manage its calendar and handle other matters without a user ' s instruction. At the same time, it has a powerful memory function that preserves all the history of dialogue and accurately reverses user preferences from past dialogue segments。
The attackers used OpenClaw's "Skills" files, usually in Markdown format, to guide AI on new missionsIt is a legal integration course disguised by hackers。
During a seemingly conventional setting, the document induces the user to copy and run a Shell command. The command will be decoded backstage to hide the payload, download subsequent scripts and modify the system settings to remove the Quarantine tag, thus successfully avoiding the macOS built-in security check。
The payload of the implanted system was identified as the "Infostealer" malicious software. Unlike the virus of the traditional destruction system, the malware focuses on the silent theft of high-value data, including browser Cookie, active login session, autofill password, SSH key and developer API tokens. For developers, this means that the attackers may use it to infiltrate the source coding, cloud infrastructure and the enterprise CI/CD system, causing a chained data leak。
ALTHOUGH SOME DEVELOPERS HAVE RELIED ON THE MODEL CONTEXT AGREEMENT (MCP) TO LIMIT AI POWERS, IT HAS PROVED TO BE INEFFECTIVE IN THE FACE OF SUCH ATTACKS。
Since the attack essentially involves the use of files for social engineering fraud, rather than direct calls for tool interfaces, the agreed boundary can be easily bypassed. At the same time, the attack showed that hackers were extremely familiar with the MacOS defence system and that environmental isolation, which relied solely on the apple system, could no longer effectively disrupt such threats。