SANS Stormcast Tuesday, February 3rd, 2026: Scanning for AI; Notepad++ Compromise; OpenClaw Vulnerabilities

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9792.mp3


Podcast Transcript

 Hello and welcome to the Tuesday, February 3rd, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Incident Response. So today's episode will be a little bit
 AI heavy, sorry for that, but we'll start with some simple
 scanning for Anthropic models. That's something that we
 detected over the weekend in our honeypots. Not honestly
 sure what they're going after, but I assume that they're
 looking for people who have installed some at least
 Anthropic-related models on their own system, then expose
 it. Maybe some system also exposed them via proxies. I've
 seen that. So here they may take advantage of any API keys
 or so that are preloaded and in the proxy that they can
 abuse. But either way, the scans came from a Tor exit
 node. And if you're doing anything like this, please
 just don't expose them to the internet. And Notepad++ today
 did release an advisory stating that their update
 website had been compromised at least since June 2025. Now
 this became sort of news in December last year, when
 people noticed that something is wrong here with certain
 files being downloaded from the website. According to this
 advisory now, it looks like there was a compromise of the
 hosting infrastructure. So nothing that Notepad++
 directly controlled. They have since also changed hosting
 providers. Sadly, not a lot of details about the exact nature
 of the compromise here, how it all unfolded. On the other
 hand, Rapid7 did release a detailed breakdown of the
 backdoor and how it worked and also indicators of compromise
 that you may want to use if you're using Notepad++ to
 check if you had been compromised by any of the
 malicious files downloaded from Notepad++. So now let's
 dive in a little bit into the AI topics I have for today.
 And they're all related to, well, OpenClaw, which also
 used to be known as Clawdbot and as Moltbot. This is
 essentially an AI assistant and people like it because
 it's very easy to connect to different websites, email and
 the like, and essentially automate sort of a lot of
 day-to-day workflows with OpenClaw. The problem with
 this is that, well, in order to function, OpenClaw needs
 access to all of these different services. And it
 appears that OpenClaw really sort of is really good in
 gaining publicity by having really outrageously bad
 security flaws. We always sort of wonder, you know, how
 companies' stock tends to go up after they had like a
 security breach and such. Well, I think OpenClaw really
 sort of perfected that kind of PR. So let's talk about a
 couple of the different vulnerabilities here. The
 first one I have here, and I'm not covering them in any
 particular order, is the ability to steal credentials
 from OpenClaw. So OpenClaw listens by default on the
 loopback interface. It can also listen for other inbound
 connections. But here the loopback interface is
 particularly interesting. And if you're connecting via the
 loopback interface, it does not require any
 authentication, which usually tends to be a real bad idea,
 has caused a lot of problems for other tools as well. In
 OpenClaw, you connect to it then via a WebSocket. Now you
 can just run JavaScript in the user's browser and then
 connect to the WebSocket via loopback because, well, after
 all, it runs in the user's browser on the same system.
 And with that, gain authenticated access to all of
 the credentials that OpenClaw may have stored. So this was
 the first vulnerability here. The next issue, also sort of a
 known problem, and that's extensions. They call it
 skills that you may be loading into OpenClaw. There are a
 total of 2,800, according to Koi research, that are
 available right now. So with that limited kind of ecosystem
 at this point, they were able to actually audit all 2,800
 and found that, well, more than 10%, 340 of them are
 malicious. And most of them, something like 320 out of the
 340 are actually part of one campaign installing
 infostealers. This is a problem that we had before, of
 course, in all kinds of similar ecosystems, given that
 this ecosystem is still somewhat small. It is
 certainly plausible and not that difficult to do at least
 a basic audit of all of the skills that are available now.
 So double check with Koi Security's research to check
 if any skills that you installed were on that
 malicious list. And Censys did a quick survey of the internet
 for exposed OpenClaw installs. And yes, they found more than
 20,000 of them. So again, their PR campaign here via
 vulnerabilities is certainly successful. We have lots of
 people installing them. Installing and directly
 exposing OpenClaw is not recommended by the
 instructions. And they recommend using something like
 an SSH tunnel or so to connect from the outside to your
 OpenClaw instance. But apparently not all users are
 reading the instructions or, well, maybe the bot didn't
 read them right for them. Well, and this is it for
 today. So thanks for listening. Thanks for liking
 and subscribing to this podcast and talk to you again
 tomorrow. Bye.