112. GitHub OpenClaw Phishing Incident

G Web3 Infrastructure

Basic Information

ItemDetails
Incident NameOpenClaw GitHub Phishing Attack
Discovery TimeMarch 2026
DiscovererOX Security
TargetOpenClaw GitHub Contributors and Followers
Phishing Domaintoken-claw.xyz
C2 Serverwatery-compost.today
Malicious Fileeleven.js
CVE NumberRelated Vulnerability CVE-2026-25253 (CVSS 8.8)

Product Description

In March 2026, cybersecurity firm OX Security discovered a large-scale GitHub phishing attack targeting OpenClaw developers. The attackers created fake GitHub accounts and tagged followers of the OpenClaw project in Issues, claiming they had won $5,000 worth of CLAW tokens. Victims were directed to a phishing page that closely mimicked openclaw.ai, where their assets were stolen upon connecting their wallets. The incident was covered by major security and crypto media outlets such as CoinDesk, CSO Online, and Hackread.

Attack Details

Attack Process

  1. Create Fake Accounts: Attackers created disposable GitHub accounts.
  2. Open Issues: Opened Issue threads in repositories controlled by the attackers.
  3. Mass Tagging: Tagged dozens of OpenClaw stargazers.
  4. False Claims: Claimed recipients were selected to receive $5,000 CLAW tokens.
  5. Google Redirect: Redirected through Google links to token-claw.xyz.
  6. Phishing Page: A fake website closely mimicking openclaw.ai.
  7. Wallet Connection: Prompted to connect MetaMask, WalletConnect, or Trust Wallet.
  8. Asset Theft: Executed malicious transactions upon authorization.

Technical Details

  • Malicious Code Location: eleven.js JavaScript file.
  • Obfuscation Level: Highly obfuscated code.
  • C2 Communication: Collected information via watery-compost.today.
  • Phishing Domain: token-claw.xyz.
  • Supported Wallets: MetaMask, WalletConnect, Trust Wallet.

Related Security Vulnerabilities

  • CVE-2026-25253: CVSS score 8.8/10.
  • Exposure: Over 42,000 exposed OpenClaw control panels across 82 countries.
  • ClawJacked Vulnerability: Attackers could control AI agents via local WebSocket services.

Attack Timeline

TimeEvent
Late 2025Rug Pull during $CLAWD rebranding.
February 2026Disclosure of CVE-2026-25253 security vulnerability.
February 2026OpenClaw bans crypto discussions on Discord.
March 2026GitHub $CLAW phishing attack discovered.
Within hoursMalicious accounts deleted.

Impact and Response

Direct Impact

  • Malicious accounts deleted by GitHub within hours.
  • No confirmed reports of stolen assets.
  • However, attack activities continue to evolve.

OpenClaw Community Response

  • GitHub Issue #49836 marked as a security warning.
  • Sparked widespread discussion on Hacker News.
  • OpenClaw official security announcement released.
  • Community developed security skills like ClawShield.

Industry Impact

  • Covered by major media outlets like CoinDesk, CSO Online, and Hackread.
  • Sparked discussions on open-source project security.
  • Prompted GitHub platform security improvements.
  • Highlighted the importance of AI agent security.

Relationship with OpenClaw Ecosystem

The GitHub phishing incident was a significant catalyst for the development of OpenClaw's security ecosystem:

  1. Security Tool Development: Directly spurred the development of security scanning skills like ClawShield.
  2. Permission Framework: Reinforced the necessity for fine-grained permission delegation standards like ERC-7710.
  3. CoinFello Value: Demonstrated the value of CoinFello's "private keys never leave the device" approach.
  4. IronClaw Driver: Security incidents were one of the design motivations for IronClaw's four-layer defense architecture.
  5. Community Education: Raised security awareness across the entire OpenClaw community.
  6. Supply Chain Security: Exposed security risks in the AI agent skill supply chain.

References

External References

Learn more from these authoritative sources: