OpenClaw's 180K-Star Marketplace Was 12% Malware
Big Picture
OpenClaw is blowing up the internet. Maybe literally. The fastest-growing AI agent framework hit 180K GitHub stars — and then researchers discovered 12% of its marketplace was malware, 40,000 instances were exposed on the open internet, and 53% of enterprise customers gave it privileged access over a single weekend. It's the perfect symbol of where we are: AI utility and experimentation racing ahead of security at every layer.
And it wasn't alone. Claude Desktop Extensions shipped with unsandboxed full-system RCE. n8n disclosed four critical sandbox escapes. Claude Opus 4.6 found 500+ vulnerabilities on its own — then the International AI Safety Report dropped with 100+ experts across 30 countries concluding governance frameworks simply aren't ready. Google committed $32B to Wiz. CISOs are shifting budgets toward AI defense. The money and the adoption keep accelerating. The question is when the shoe drops — and what form it takes.
TL;DR
341 malicious skills in ClawHub (12% of all packages); Claude Desktop Extensions enable silent RCE with full system access
Claude Opus 4.6 found 500+ vulnerabilities in open-source libraries, wrote its own exploits; attackers breached AWS in 8 minutes using LLMs
Google's $32B Wiz deal cleared EU; $37M+ raised by three AI AppSec startups; 80% of CISOs prioritize AI security spending
When 180K GitHub Stars Come With Malware Inside
OpenClaw accumulated 180K GitHub stars to become the fastest-growing AI agent framework on the platform. Then security researchers started looking. Koi Security audited 2,857 ClawHub skills and found 341 malicious ones, roughly 12% of the entire registry. Bitdefender's AI Skills Checker flagged nearly 900 malicious packages, nearly 20% of all submitted skills. The primary campaign, codenamed ClawHavoc, distributed Atomic Stealer to harvest crypto keys, SSH credentials, and browser passwords.
The infrastructure problems run deeper than a contaminated marketplace. SecurityScorecard identified over 40,000 exposed OpenClaw instances accessible on the public internet because the gateway binds to 0.0.0.0 by default. OpenClaw stores API keys, WhatsApp credentials, and Telegram tokens in plaintext markdown and JSON files. Noma reported that 53% of its enterprise customers gave OpenClaw privileged access over a single weekend. Gartner characterized it as "an unacceptable cybersecurity liability."
OpenClaw wasn't alone. LayerX Security disclosed that Claude Desktop Extensions run unsandboxed with full system privileges, enabling zero-click RCE through a malicious calendar invite. The n8n workflow automation platform disclosed six new vulnerabilities including four critical sandbox escapes scoring CVSS 8.8 to 9.4. Three platforms, three architectural failures, one week. Security researchers are calling this the next evolution of attacker tradecraft: exploit the AI tools enterprises already trust. It mirrors the agentic AI risks OWASP warned about — and those warnings are now playing out in production.
Takeaways
12% of ClawHub's marketplace was malware. 40,000 instances sit on the public internet. Fixing the platform is OpenClaw's job. Auditing what it already touches in your environment is yours.
$32B Says AI-First Security Won
Google's $32B acquisition of Wiz gained unconditional EU approval, the largest cybersecurity deal in history and the biggest acquisition Alphabet has ever completed. EU regulators concluded the deal raises no competition concerns given Google's 8.2% cloud market share versus Amazon's 39% and Microsoft's 23%. Analysts describe the transaction as signaling "the end of the best-of-breed era for cloud security and the beginning of hyperscaler-led multicloud." January alone saw 34 M&A transactions in cybersecurity.
Startup funding tells the same story.
• Backslash Security raised $19M for AI code security targeting "vibe coding" risks
• ZAST.AI raised $6M for "zero false positive" AI-powered SAST
• Nullify raised $12.5M for AI cybersecurity workforce automation
• Armis launched Centrix for automated vulnerability fixing
Over $37M in one week. Nearly 80% of CISOs now prioritize AI-driven security solutions. Buyers want it, builders get funded.
Takeaways
The market bet $32B that AI-first security wins. 80% of CISOs agree. If you haven't defined evaluation criteria for AI security tooling, start now. The budget cycle won't wait.
Experts, 30 Countries, One Conclusion: Nobody Has the Guardrails
The International AI Safety Report 2026 landed with findings from 100+ experts across 30+ countries. For security teams, the headline is stark: AI models now distinguish between evaluation and deployment contexts, altering behavior to pass safety tests while operating differently in production. Current testing regimes can't reliably detect this. In competition settings, AI agents identified 77% of vulnerabilities in real software. Machine-scale vulnerability discovery is here.
The report confirms general-purpose AI can identify software vulnerabilities and write exploit code — what the 8-minute AWS breach already proved in practice. While 12 companies published or updated risk management frameworks in 2025, the report concludes frameworks remain "immature" with "limited quantitative benchmarks" — a gap we analyzed in depth when 98% of enterprises had deployed AI with no governance policy. Same week, Microsoft researchers disclosed a single-prompt technique that bypasses safety guardrails across 15 major LLMs. The governance conversation and the exploitation reality are on different timelines.
Takeaways
Scientists confirmed governance frameworks aren't ready. The 8-minute breach confirmed attackers aren't waiting. Inventory every AI tool your teams use and map each to actual security controls. That gap is where your next incident lives.
Takeaways
Vulnerabilities in the Wild
Critical Severity
• CVE-2025-40551 — SolarWinds Web Help Desk Severity: Critical (CVSS 9.8) | Impact: Remote Code Execution (Deserialization) | Status: Actively Exploited, Zero-Day
• CVE-2025-40536 — SolarWinds Web Help Desk Severity: Critical (CVSS 9.8) | Impact: Authentication Bypass | Status: Actively Exploited, Zero-Day
• CVE-2026-24423 — SmarterTools SmarterMail Severity: Critical | Impact: Remote Code Execution | Status: Actively Exploited (Ransomware)
• CVE-2026-21893 — n8n Workflow Automation Severity: Critical (CVSS 9.4) | Impact: Command Injection | Status: Patch Available
• CVE-2026-25049 — n8n Workflow Automation Severity: Critical (CVSS 9.4) | Impact: Remote Code Execution | Status: Patch Available
• CVE-2026-25052 — n8n Workflow Automation Severity: Critical (CVSS 9.4) | Impact: Arbitrary File Access / Credential Theft | Status: Patch Available
• CVE-2026-25053 — n8n Workflow Automation Severity: Critical (CVSS 9.4) | Impact: Command Execution / File Access | Status: Patch Available
• CVE-2026-1731 — BeyondTrust Remote Support / Privileged Remote Access Severity: Critical | Impact: Pre-Auth Remote Code Execution | Status: Patch Available
• CVE-2026-1281 — Ivanti Endpoint Manager Mobile (EPMM) Severity: Critical | Impact: Code Injection | Status: Actively Exploited, Zero-Day (European Commission breach)
• CVE-2026-24302 — Microsoft Azure Arc Severity: Critical | Impact: Elevation of Privilege | Status: Patch Available
• CVE-2025-26399 — SolarWinds Web Help Desk Severity: Critical | Impact: Remote Code Execution (Deserialization) | Status: Actively Exploited
High Severity
• CVE-2026-21510 — Windows Shell Severity: Important | Impact: Security Feature Bypass | Status: Actively Exploited, Zero-Day
• CVE-2026-21513 — MSHTML Framework Severity: Important | Impact: Security Feature Bypass | Status: Actively Exploited, Zero-Day
• CVE-2026-21514 — Microsoft Word Severity: Important | Impact: Security Feature Bypass | Status: Actively Exploited, Zero-Day
• CVE-2026-21519 — Windows Desktop Window Manager Severity: Important | Impact: Elevation of Privilege | Status: Actively Exploited
• CVE-2026-21533 — Windows Remote Desktop Services Severity: Important | Impact: Elevation of Privilege | Status: Actively Exploited
• CVE-2026-1580 — Ingress NGINX Controller Severity: High (CVSS 8.8) | Impact: Authentication Bypass | Status: Patch Available
• CVE-2026-24512 — Ingress NGINX Controller Severity: High (CVSS 8.8) | Impact: Configuration Injection / Code Execution | Status: Patch Available
• CVE-2026-25051 — n8n Workflow Automation Severity: High (CVSS 8.5) | Impact: Cross-Site Scripting | Status: Patch Available
• CVE-2026-2103 — Infor Syteline ERP Severity: High | Impact: Hardcoded Cryptographic Keys | Status: Disclosed
Also Patched This Week
• Microsoft Patch Tuesday — 58 total flaws (6 zero-days, 5 critical) across Windows, Office, Azure, and GitHub Copilot
• Adobe Patch Tuesday — 44 vulnerabilities across creative applications
• SAP Security Patches — Critical flaws in CRM, S/4HANA, and NetWeaver
Curated Reading List
Thought-Provoking
Living off the AI: The Next Evolution of Attacker Tradecraft — Why it's worth your time: Expert analysis framing attackers' use of enterprise AI tools as the natural evolution of living-off-the-land techniques. Defines a new defensive paradigm where the tools your teams trust become the tools adversaries exploit.
New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISA's KEV Catalog — Why it's worth your time: The KEVology research challenges teams to rethink vulnerability prioritization beyond the Known Exploited Vulnerabilities list, with an accompanying open-source tool to improve triage decisions.
Software developers: Prime cyber targets and a rising risk vector for CISOs — Why it's worth your time: Makes the uncomfortable case that developers themselves have become primary attack targets, not just the code they write. Shifts the risk calculus for how AppSec programs scope their responsibility.
Current Events
Survey: Java Developers Wrestling With Massive Amounts of Technical Debt — Why it's worth your time: Fresh data from 2,039 developers quantifying what everyone knows but rarely measures: 63% say dead code hurts productivity, 22% call the impact severe. Hard numbers for your next budget conversation.
VS Code Configs Expose GitHub Codespaces to Attacks — Why it's worth your time: Developer environments are the new attack surface. VS Code configuration vulnerabilities in GitHub Codespaces create exploitable entry points that most security reviews don't cover.
Trojanized 7-Zip downloads turn home computers into proxy nodes — Why it's worth your time: A supply chain attack turned a universally trusted compression utility into a malware delivery mechanism, converting infected machines into residential proxy infrastructure. A reminder that software supply chain risks extend well beyond npm packages.
