OpenClaw vulnerability notification
Published: February 4, 2026
Overview:
Multiple NPM packages were compromised in late 2025 through account takeovers and malicious code injections. These incidents demonstrate ongoing risks in open-source package ecosystems, highlighting the need for enhanced package-hardening and supply-chain security controls. Applications that utilize NPM for updates should have automatic downloads disabled and all packages coming from NPM should be reviewed before being applied.
Summary
In late January 2026, security researchers at DepthFirst discovered a flaw in OpenClaw – formerly known as Moltbot and Clawdbot – only a few months after the platform’s rapid rise in popularity. OpenClaw was launched publicly in November 2025 and grew quickly due to its local autonomous AI capabilities. On February 3, 2026, SecurityWeek published the first public disclosure describing how a malicious website could steal a user’s authentication token and gain full control over the OpenClaw gateway through a one‑click remote code execution (RCE) attack. The vulnerability was patched shortly before disclosure with the release of OpenClaw version 2026.1.29.
Technical details:
The flaw results from the Control UI automatically trusting a gatewayURL query parameter and establishing a WebSocket connection that includes the user’s stored authentication token without verifying its origin. The malicious webpage can then extract this token and connect to the victim’s local OpenClaw gateway, disabling safety controls and executing arbitrary commands. Even instances bound to loopback are vulnerable because the browser initiates the outbound connection.
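The check whose absence is described above, as an added example (not OpenClaw's code or its actual patch): a stored token is attached only when the gateway URL from the query string normalises to an origin the user explicitly paired with. It assumes the UI connects to the gateway named by that parameter; the function names, the `pairedTokens` map and the sample hosts, port and token are hypothetical.

```javascript
// Added example, not OpenClaw code. All names and sample values are hypothetical.
const DEFAULT_PORTS = { "ws:": "80", "wss:": "443" };

// Reduce a gateway URL to "scheme//host:port"; return null if it is unusable.
function gatewayOrigin(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return null; // WebSocket only
  if (u.username || u.password) return null; // reject user:pass@host lookalikes
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

// Decide how the UI should treat a gateway URL supplied in the page's query string.
// pairedTokens: Map of origin -> token, filled only when the user pairs a gateway.
function planConnection(pageUrl, pairedTokens, param = "gatewayURL") {
  const requested = new URL(pageUrl).searchParams.get(param);
  if (requested === null) return { action: "use-saved", token: null };
  const origin = gatewayOrigin(requested);
  if (origin === null) return { action: "reject", token: null };
  if (!pairedTokens.has(origin)) {
    // Unknown gateway: never send a stored token; require explicit user pairing.
    return { action: "confirm", origin, token: null };
  }
  return { action: "connect", origin, token: pairedTokens.get(origin) };
}

// Constructed sample data: one paired local gateway and three query strings.
const paired = new Map([["ws://127.0.0.1:8080", "token-constructed-for-example"]]);
const ui = "http://127.0.0.1:8080/ui";
const samples = [
  "",
  "?gatewayURL=ws://127.0.0.1:8080/ws",
  "?gatewayURL=wss://untrusted.example/ws",
];
for (const q of samples) {
  console.log(q || "(no parameter)", "->", planConnection(ui + q, paired).action);
}
```

Keying the token store by normalised origin means a token issued by one gateway is never a candidate for any other, whatever the query string says.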
Details:
- Discovery & disclosure timeline: The vulnerability was publicly disclosed on February 3, 2026, shortly after DepthFirst researchers identified the issue and OpenClaw released a patch in late January 2026.
- Impacted versions: All versions of OpenClaw/Moltbot prior to 2026.1.29 are affected.
- Fixed versions: The issue was patched in OpenClaw version 2026.1.29.
- Active exploitation: While there is no confirmed widespread exploitation, security researchers demonstrated that a malicious webpage could achieve one‑click token exfiltration and full gateway compromise in milliseconds after the victim visits a crafted link. The attack has been validated through security research and testing.
Recommendations:
- Update to version 2026.1.29 or later.
- Rotate tokens and credentials if a vulnerable version was used while visiting untrusted sites.
- Avoid browsing untrusted pages while logged into the Control UI; use isolated browser profiles.
- Monitor logs for unauthorized configuration changes or command execution.
Support:
As always, please let us know if you have any questions or concerns or see unusual activity on your systems that you believe might be associated with this or any other vulnerability. Please send these communications to security.response@utoronto.ca.
