Mac Malware “Atomic Stealer” Evolves to Target AI Agent Users via Malicious OpenClaw Skills
Mac Malware “Atomic Stealer” Evolves to Target AI Agent Users via Malicious OpenClaw Skills
- Why Enterprise RAID Rebuilding Succeeds Where Consumer Arrays Fail?
- Linus Torvalds Rejects MMC Subsystem Updates for Linux 7.0: “Complete Garbage”
- The Man Who Maintained Sudo for 30 Years Now Struggles to Fund the Work That Powers Millions of Servers
- How Close Are Quantum Computers to Breaking RSA-2048?
- Why Windows 10 Users Are Flocking to Zorin OS 18 Instead of Linux Mint?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
Mac Malware “Atomic Stealer” Evolves to Target AI Agent Users via Malicious OpenClaw Skills
February 27, 2026 — Cybersecurity firm Trend Micro published a report on February 23, 2026, warning macOS users of a significant evolution in how the well-known information-stealing malware Atomic Stealer (AMOS) is being distributed.
Rather than hiding inside cracked software as it once did, attackers have now turned to a more sophisticated supply chain attack — exploiting the AI agent platform OpenClaw to trick users into infecting their own machines.
A New Attack Vector: Hijacking AI Agents
Atomic Stealer has evolved from being distributed via cracked software to a more sophisticated supply chain attack that manipulates AI agentic workflows on platforms like OpenClaw. The core technique involves embedding malicious instructions inside SKILL.md configuration files — the building blocks of OpenClaw’s modular skill system.
The attack begins with a SKILL.md file that looks completely harmless. It tells the AI agent to install a fake prerequisite called “OpenClawCLI” from a malicious external website. Once the agent follows those instructions, it downloads and executes a malicious payload disguised as a legitimate tool.
Trend Micro researchers found that the attack’s success depends partly on which AI model is powering the agent. When a less cautious model like GPT-4o processes the instruction, it either installs the tool silently or continuously prompts the user to install the fake “driver” manually. More capable models like Claude Opus 4.5 flag the skill as suspicious and refuse to proceed.
To complete the infection, a deceptive human-in-the-loop dialogue box pops up to trick the user into manually entering their password. This step hands the malware the system access it needs to begin stealing data.
Scale of the Campaign
The campaign is broader than initially reported. It spans multiple repositories, with threat actors uploading hundreds of malicious skills to ClawHub and SkillsMP. Trend Micro’s researchers identified 39 distinct skills manipulating OpenClaw on ClawHub alone — and while those have since been removed, their code remains accessible in GitHub repositories. More alarmingly, over 2,200 malicious skills were identified on GitHub, making it difficult and impractical for defenders to review every single skill prior to agent installation.
What Data Is at Risk
Once installed, the AMOS malware functions as a comprehensive information stealer. It collects usernames, passwords, system information, Apple keychains, and the stored data of 19 different browsers, including cookies, passwords, autofill data, and saved credit cards. Beyond browsers, 150 cryptocurrency wallets are targeted alongside Apple Keychain, Notes, and VPN profiles. Desktop, Documents, and Downloads folders are also swept for PDFs, CSVs, and password databases. All stolen data is compressed into a ZIP archive and sent to a command-and-control server.
One notable characteristic of this variant: it lacks system persistence and ignores .env files — meaning it does not continuously run in the background after the initial theft, but the damage from a single infection can still be extensive.
A Broader Pattern of Adaptation
AMOS is not new, but its operators have consistently found novel delivery methods. Initially relying on “ClickFix” lures, the malware later spread through cracked Mac software, and subsequently leveraged poisoned Generative Engine Optimization (GEO), including poisoned answers from ChatGPT and Grok. The shift to AI agent skills represents the latest step in that evolution — and a broader warning sign for the industry.
How to Stay Protected
Trend Micro recommends the following steps for OpenClaw users and organizations:
- Verify the source and legitimacy of any OpenClaw skill before running it.
- Never enter your system password when prompted by an unfamiliar tool or AI agent.
- Test unverified skills in an isolated environment or container before deployment.
- Enterprise macOS deployments should implement skill allowlisting immediately.
- Use endpoint protection platforms that can detect and quarantine malicious binaries in real time.
The full technical report, authored by Alfredo Oliveira, Buddy Tancio, David Fiser, Philippe Lin, and Roel Reyes, is available on Trend Micro’s official research blog.
Sources: Trend Micro TrendAI™ Research (February 23, 2026)
