I am convinced we are on the verge of the first "AI agent worm". This looks like the closest hint of it, though it isn't quite it itself: an attack on a PR agent that got it to set up to install openclaw with full access on 4k machines https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another

But, the agents installed weren't given instructions to *do* anything yet.

Soon they will be. And when they are, the havoc will be massive. Unlike traditional worms, where you're looking for the typically byte-for-byte identical worm embedded in the system, an agent worm can do different, nondeterministic things on every install, and carry out a global action.

I suspect we're months away from seeing the first agent worm, *if* that. There may already be some happening right now in FOSS projects, undetected.

A GitHub Issue Title Compromised 4,000 Developer Machines

A prompt injection in a GitHub issue triggered a chain reaction that ended with 4,000 developers getting OpenClaw installed without consent. The attack composes well-understood vulnerabilities into something new: one AI tool bootstrapping another.

@cwebber meanwhile people I talk to are like "wait why do you want guarantees your open source supply chain doesn't have LLM-sourced code in it. it has literally never occurred to me that this would be a thing someone would desire"
@mcc @cwebber I concur with the assessment, and have been sharing similar warnings. In fact, we are beginning to see a pivot in stealer activity to install OpenClaw, etc. for exactly these purposes. It's a botnet, compute miner, and worm all in one.
@mttaggart @cwebber i wonder if i can install a virus detector rigged with the single signature of an openclaw executable
@mcc @cwebber You could, but I would not recommend doing so. Instead perhaps a purposed YARA lookup with a single rule to look for the filename/string? Not sure why you'd be so restrictive on detections, but you can.
@mttaggart @mcc @cwebber Do we know what is being used for inference? At this point in time it's unlikely that they can use a self-hosted model, so there will be network calls.

@dvshkn @mcc @cwebber So the trick here is if you install OpenClaw in secret on a user's machine who isn't checking carefully, you might hide easily in network traffic. Use of tools like Claude Code would make the same API calls, which is likely for users who would be targeted with these attacks.

The real insane part is if multiple instances of OpenClaw were running on the same machine, so not even the process name looked suspicious. But of course process names are a poor indicator and can be changed.

@mttaggart @dvshkn @mcc @cwebber this does suggest a good defense: block outgoing network traffic to the big inference providers and you're likely to be safe from the less-targeted versions of this.
@dvshkn @mttaggart @cwebber one thing i wonder is if it's in principle possible to firewall claude/copilot endpoints. in the old days of the internet this would have been possible, in the present day the claude/copilot api servers are probably mixed in with the aws/azure IP pool and more than likely move around…
@mcc @mttaggart @cwebber I think openrouter is another good inference endpoint to check for
@mcc @dvshkn @cwebber It's very easy and being done, although in big places you'll hear screams from your devs. api.anthropic[.]com can be blocked today.

@mttaggart @dvshkn @cwebber …that… should have occurred to me. I guess I got too used to the threat model of "is Windows 10 phoning home / searching bing without telling me", where Microsoft has the ability to ship IP lists. Probably only Microsoft can really do this.

… I guess if the attacker really thought ahead they could do DNS lookup through the firefox DoH server or something but they don't have much reason to try that.
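As an added example (not code from anyone in this thread), here is the DNS side of the egress defense discussed above: a scanner over resolver query logs that flags lookups of inference endpoints named in the thread and, to cover the DoH-bypass worry, lookups of public DoH resolvers. The log lines are constructed, and the DoH resolver names are assumed examples rather than anything the thread cites.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log (not from the thread or any real system).
SAMPLE_LOG = """\
Mar  3 10:01:02 gw dnsmasq[812]: query[A] api.anthropic.com from 10.0.0.5
Mar  3 10:01:03 gw dnsmasq[812]: query[AAAA] cdn.example.net from 10.0.0.5
Mar  3 10:01:07 gw dnsmasq[812]: query[A] openrouter.ai from 10.0.0.9
Mar  3 10:01:08 gw dnsmasq[812]: query[A] notopenrouter.ai from 10.0.0.9
Mar  3 10:01:11 gw dnsmasq[812]: query[A] mozilla.cloudflare-dns.com from 10.0.0.9
Mar  3 10:01:12 gw dnsmasq[812]: reply api.anthropic.com is 203.0.113.10
"""

# Inference endpoints named in the thread; the DoH resolvers are assumed
# examples of what a client bypassing the local resolver would look up first.
INFERENCE_DOMAINS = {"api.anthropic.com": "inference", "openrouter.ai": "inference"}
DOH_RESOLVERS = {"mozilla.cloudflare-dns.com": "doh-bypass", "dns.google": "doh-bypass"}
WATCHLIST = {**INFERENCE_DOMAINS, **DOH_RESOLVERS}

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def classify(name):
    """Return the watchlist category for a queried name, matching whole labels
    only: 'x.openrouter.ai' matches 'openrouter.ai', 'notopenrouter.ai' does not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return WATCHLIST[candidate]
    return None

def scan(log_text):
    """Group watchlisted lookups by client, so the question becomes whether
    that host is expected to talk to an inference provider (a dev running
    Claude Code) or whether this is an agent nobody installed on purpose."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply/cache lines carry no client attribution
        category = classify(m["name"])
        if category:
            findings[m["client"]].append((m["name"], category))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

A DoH hit from a host that also never queries inference domains locally is the interesting combination: it is what the "lookup through the firefox DoH server" bypass would look like to the resolver.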