-= Per source details. Do not edit below this line.=-
claw-subagent-service installs itself as a privileged auto-starting system service (Windows service via post-install.js svc.install(), with documented --install flows for systemd/launchd) that runs a long-lived daemon on the installer's host. The daemon performs three concurrent installer-harm behaviors:
Remote command channel (backdoor): the daemon connects to a vendor-controlled RongCloud IM tenant (appKey bmdehs6pbyyks, token from https://newsradar.dreamdt.cn/im) and processes inbound IM messages as commands. rongyun-message-handler.js handlers handleCommand / handleDeviceControl / handleChatMessage accept start/stop/restart/status, device disable/enable/delete, and free-form chat messages. Chat messages are POSTed by service/modules/opencode-service.js to the local opencode AI gateway at http://127.0.0.1:4096/session/<id>/message with a system prompt explicitly instructing shell execution (nohup openclaw gateway..., pkill -f "openclaw gateway", openclaw doctor --fix). Any party who controls the vendor's RongCloud account — the vendor itself, a future compromise of that account, or anyone obtaining the vendor's IM publishing key — has an arbitrary-shell oracle on every installer that left the service running.
Continuous data exfiltration: service/modules/heartbeat-dashboard.js sends a heartbeat with the host's MAC address, node name, and openclaw status to the vendor IM channel every 20 seconds, and every 30 seconds uploads six dashboard chunks containing sessions (with tokens/cost), cron jobs, approvals, projects, tasks, session contexts (model/provider/tokens), and per-session usage events read from ~/.openclaw/agents/*/sessions/*.jsonl. There is no installer prompt and no opt-out.
Privileged self-update: service/updater.js polls npm view claw-subagent-service version every 6 hours and runs npm install -g claw-subagent-service@<version> as the service account (Windows SYSTEM / systemd root), then restarts the worker. Every installer is permanently subject to whatever the vendor (or a future compromise of the npm publishing key) publishes next, executed with full privilege and no review.
Documentation of the architecture in the README does not change the threat model: the package gives a remote third party persistent privileged remote-command, exfiltration, and code-replacement access on the installer's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-14T19:25:16Z",
"versions": [
"0.0.80"
],
"sha256": "cffe41c34a6702c2b84f2c907dbf451269481608a72724c4b91ebf5d6b4838a6",
"id": "IN-MAL-2026-002709",
"source": "amazon-inspector",
"import_time": "2026-05-15T07:37:17.616805105Z"
},
{
"modified_time": "2026-05-20T19:29:40Z",
"versions": [
"0.0.91"
],
"sha256": "36657c2be433b784c573082d364304325acccf033f70df17dbfe104b0173ccbe",
"id": "IN-MAL-2026-003599",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:56.31089624Z"
},
{
"modified_time": "2026-05-22T07:05:51Z",
"versions": [
"0.0.120"
],
"sha256": "48f868daf1dbecb4d933bab3463f3b7282591204e9b986716d2c9cd3608e263d",
"id": "IN-MAL-2026-004159",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:02.992812712Z"
},
{
"modified_time": "2026-05-22T02:25:48Z",
"versions": [
"0.0.113"
],
"sha256": "733a45db422bf6eb3db666a43d8fe2af97838027cc1a8e03b4a01b3299a3bd94",
"id": "IN-MAL-2026-004125",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:59.105538097Z"
},
{
"modified_time": "2026-05-21T03:01:12Z",
"versions": [
"0.0.99"
],
"sha256": "95cefec7be266dfeeb149accfa155b4dcd840b95cc519fde7c2821905fdc419b",
"id": "IN-MAL-2026-003715",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:10.270902399Z"
},
{
"import_time": "2026-05-26T05:51:15.444153183Z",
"versions": [
"0.0.101"
],
"sha256": "99f0ef22930df709f974171e0df480254eef2ef9c93a6a5223996c121ff6987b",
"id": "IN-MAL-2026-003758",
"source": "amazon-inspector",
"modified_time": "2026-05-21T06:27:47Z"
},
{
"import_time": "2026-05-26T05:52:00.313222544Z",
"versions": [
"0.0.116"
],
"sha256": "303446c72fa50219b6746e3a2008f6de4e1d12779404219825601c277f18e473",
"id": "IN-MAL-2026-004136",
"source": "amazon-inspector",
"modified_time": "2026-05-22T05:40:24Z"
},
{
"modified_time": "2026-05-22T08:19:40Z",
"versions": [
"0.0.122"
],
"sha256": "30fdbc682901d04eb97e8cb6d8c14956c8e09aca2f956bd87c59f00599d10f60",
"id": "IN-MAL-2026-004169",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:04.237204432Z"
},
{
"modified_time": "2026-05-21T09:01:50Z",
"versions": [
"0.0.105"
],
"sha256": "5df13d641a03a27652af69077359099e972dde7bac0c72d383508f92d8841070",
"id": "IN-MAL-2026-003786",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:18.731610032Z"
},
{
"import_time": "2026-05-26T05:52:56.768504436Z",
"versions": [
"0.0.138"
],
"sha256": "bc1cb8def110e7bdd0e843499b852c9a6f3af0b52c1ff2611c49e5e418785675",
"id": "IN-MAL-2026-004612",
"source": "amazon-inspector",
"modified_time": "2026-05-25T09:03:20Z"
},
{
"import_time": "2026-05-26T05:51:19.071489778Z",
"versions": [
"0.0.108"
],
"sha256": "4d1a6ae7eae94d775f1d21680c365105891c30eb2e87d8d1d1d69e44819e8111",
"id": "IN-MAL-2026-003789",
"source": "amazon-inspector",
"modified_time": "2026-05-21T09:11:53Z"
},
{
"modified_time": "2026-05-21T06:41:22Z",
"versions": [
"0.0.102"
],
"sha256": "ab72eb7ec46c1907b7a6b3e7a6cb9de58b8406633d31a286124e47b511960471",
"id": "IN-MAL-2026-003763",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:16.091311546Z"
},
{
"modified_time": "2026-05-21T09:19:00Z",
"versions": [
"0.0.109"
],
"sha256": "d06927fc08f20b60826111731ea8ed22740b01cb298615311f35eea4aef371b8",
"id": "IN-MAL-2026-003792",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:19.405169047Z"
},
{
"import_time": "2026-05-26T05:52:57.657155057Z",
"versions": [
"0.0.140"
],
"sha256": "e4c465488fc835c702f879ee07edae63f2d817677b65efb9ca9b8ecbe66d761d",
"id": "IN-MAL-2026-004619",
"source": "amazon-inspector",
"modified_time": "2026-05-25T10:01:48Z"
},
{
"modified_time": "2026-05-25T08:43:08Z",
"versions": [
"0.0.136"
],
"sha256": "fec887eac0cd06fe2e0ab422610657d5a210d5d1f946a052fbc56584e79fba08",
"id": "IN-MAL-2026-004608",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:56.16366997Z"
},
{
"modified_time": "2026-05-25T06:15:39Z",
"versions": [
"0.0.130"
],
"sha256": "333fba03fc604abdd5ccbe25a3d35c4b7bd81e5e8e786e8b6a132a0f650df9a4",
"id": "IN-MAL-2026-004588",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:53.811456578Z"
},
{
"import_time": "2026-05-26T05:52:00.466691946Z",
"versions": [
"0.0.117"
],
"sha256": "794dad83a81c79ee83ec6c3fba1cc2033e7f7dc960218c84ff3dc2431ab9d9d9",
"id": "IN-MAL-2026-004137",
"source": "amazon-inspector",
"modified_time": "2026-05-22T06:04:40Z"
},
{
"import_time": "2026-05-26T05:51:19.500932639Z",
"versions": [
"0.0.110"
],
"sha256": "7dc1f62ea4a6d815ae987b34f9bec5475377bb9779e941c1704cd9ca5b17473a",
"id": "IN-MAL-2026-003793",
"source": "amazon-inspector",
"modified_time": "2026-05-21T09:33:37Z"
},
{
"modified_time": "2026-05-25T10:17:56Z",
"versions": [
"0.0.141"
],
"sha256": "e253b3e58b41aa4bb3427195d4b3a9a1b0b7fa0336d3632b954ed6f01028f67b",
"id": "IN-MAL-2026-004621",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:57.9350433Z"
},
{
"modified_time": "2026-05-25T08:54:34Z",
"versions": [
"0.0.137"
],
"sha256": "0703ce6de2620bf057068954a5d65415320294df003738fd84d1b8e181d04de1",
"id": "IN-MAL-2026-004609",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:56.440683683Z"
},
{
"modified_time": "2026-05-22T02:39:02Z",
"versions": [
"0.0.114"
],
"sha256": "30ccb28b8d00615bbabb9298997ae2a1a5126408f52465cf8eae97617cf96b28",
"id": "IN-MAL-2026-004126",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:59.257705869Z"
},
{
"modified_time": "2026-05-26T07:00:10Z",
"versions": [
"0.0.151"
],
"sha256": "1062890dca012ff08aec1ffeec8afd26460c4ae0cfd633b137f799c3067c91ea",
"id": "IN-MAL-2026-004853",
"source": "amazon-inspector",
"import_time": "2026-05-26T07:48:28.165131685Z"
},
{
"import_time": "2026-05-26T07:48:28.113541862Z",
"versions": [
"0.0.149"
],
"sha256": "b6778ae3f21c2b7f88ec0263297a216890d13ee290aa64a2ee3fcdded87d7bf5",
"id": "IN-MAL-2026-004852",
"source": "amazon-inspector",
"modified_time": "2026-05-26T06:51:48Z"
},
{
"modified_time": "2026-05-26T07:00:29Z",
"versions": [
"0.0.146"
],
"sha256": "d84635712776e58ee8c8027284ddb58636d5e492f73f40aaf85ca8ffb1bbfa62",
"id": "IN-MAL-2026-004854",
"source": "amazon-inspector",
"import_time": "2026-05-26T07:48:28.206103557Z"
}
]
}
{
"evidence_files": [
{
"sha256": "82c472efae06f77cbcd6f99d6a4f55dfd7a1cb1065d51b9abc775ad390115d32",
"tlsh": "e902519956fb923597b2326d2b9b2019272ee1073119cd6cfbdc03907f412284762fe9",
"path": "service/updater.js"
},
{
"sha256": "30b07d0fed08658a11000aa7b58a5dd2812b2162e7f7f1648621c551d08b9a9e",
"tlsh": "60b1fe48d02621bf1e71a770a727803fd65db0234a81db69bfde07503f322a91602ee9",
"path": "service/modules/opencode-starter.js"
},
{
"sha256": "3ed8b2386f7ad6c08531f9ff6b72a709d56ef5f0986a53dc32824571956bca11",
"tlsh": "5642145e26fe182e45759299fe133022db12d22f740352ae7ebc9bc05f35090994af74",
"path": "service/modules/rongyun-message-handler.js"
},
{
"sha256": "e57dee50e8ab1fa17c230882899a8bfb5bed46e935be0bb22b3e3dab9cb6e3a8",
"tlsh": "5072b95ca83362358771a3645b775529fb26e23333424295bbbc82847f71c24d2a6fec",
"path": "service/modules/dashboard-collector.js"
},
{
"sha256": "8482ef817e20bfcb250b15ab00de4b946c2651672476cc5a9df071b9812c99d0",
"tlsh": "1a91f19814fe43b02d738095275f116b3d6b9903214cf9adf6ed435e5fc261482a35ee",
"path": "scripts/post-install.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-F8RWoIVNCcJzGvwS7v2wIQDZMh7CFBdskp9sBDL3bO4z/UMi1Bj4E6YrnEqqYxXNnCAq9+4jM50GoQXfcnrD4w==",
"sha1": "6b719adc9a4956246570e48af9012e1b1bce12da"
},
"filename": "claw-subagent-service-0.0.80.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claw-subagent-service/MAL-2026-3757.json"