This Week in Security: AI Agent Attacks, 31Tbps DDoS, and the OpenClaw Ecosystem Under Fire
The security landscape this week reveals a clear pattern: attackers are targeting trust—trusted updates, trusted marketplaces, and increasingly, trusted AI workflows. Here’s what matters for anyone building or deploying AI agent systems.
The Core Insight
OpenClaw (formerly Clawdbot/Moltbot) has become a prime target. The AI agent framework announced a VirusTotal partnership to scan skills uploaded to ClawHub, the public registry for extending agent capabilities. The move comes after researchers discovered malicious skills designed to exfiltrate data and support botnet operations.
The numbers are stark: Censys identified 21,639 exposed OpenClaw instances as of January 31, 2026. Pillar Security observed attackers actively scanning exposed gateways on port 18789, attempting prompt injections, authentication bypasses, and raw command execution.
Meanwhile, Veracode found that npm and PyPI packages with “claw” in the name exploded from near-zero to over 1,000 since January—an obvious typosquat attack vector targeting developers copying dependencies.
But the biggest story might be the Notepad++ supply chain compromise. Between June and October 2025, attackers (attributed to Lotus Blossom) infiltrated the third-party hosting provider serving Notepad++ updates. They selectively redirected traffic to malicious executables, abusing insufficient update verification controls in older versions. The attack continued until December 2025 even after the initial foothold was lost.
Why This Matters
The Notepad++ attack demonstrates that trusted distribution channels are exactly what sophisticated attackers target. When one compromise creates thousands of downstream victims, the attack surface multiplies asymmetrically.
For AI agents specifically, the attack surface is even broader. Trend Micro’s assessment is blunt: “Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but also across entire organizations.”
The Docker AI Assistant vulnerability (DockerDash) illustrates the danger. Malicious instructions embedded in Docker image metadata labels were forwarded to the MCP Gateway and executed without validation—a technique researchers call “meta-context injection.”
Microsoft’s response is interesting: they’ve developed a scanner to detect backdoors in open-weight LLMs by identifying shifts in attention patterns when hidden triggers are present. The acknowledgment that “models tend to leak their own poisoned data” suggests the cat-and-mouse game is only beginning.
Key Takeaways
- 31.4 Tbps DDoS: The AISURU/Kimwolf botnet achieved a record-breaking attack that lasted just 35 seconds—Cloudflare mitigated automatically
- MoltBook prompt injection: Researchers found 506 prompt injection attacks in posts targeting AI readers, plus sophisticated social engineering exploiting “agent psychology”
- EtherHiding in npm: 54 malicious packages use Ethereum smart contracts as dead drop resolvers for C2, making takedowns nearly impossible
- Microsoft LLM backdoor scanner: Identifies trigger candidates by analyzing memorized content and attention shifts
- OpenClaw requires higher security competence: The local-first model means endpoint trust becomes critical
Looking Ahead
The convergence of supply chain attacks, AI agent vulnerabilities, and sophisticated social engineering creates a threat surface that’s qualitatively different from traditional security challenges. Attackers aren’t breaking through defenses—they’re finding paths around them through trusted systems.
For AI agent developers: the lesson is that every integration point is an attack surface. Skills registries, model weights, update channels, metadata fields—all are vectors. Defense-in-depth isn’t optional; it’s the minimum viable security posture.
The question isn’t whether your AI system will face these attacks. It’s whether your architecture can survive them.
Based on analysis of Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack – The Hacker News
Tags: ai-security, openclaw, supply-chain-attacks, prompt-injection, cybersecurity