
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions.
Sami Malik
Copywriter

What Happened

Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tool

This intelligence was reported by AlienVault OTX on 2026-05-11. The activity is associated with the following threat categories: amos stealer, clawhub, openclaw, hugging face, trojanized skills, cryptominer.

Why This Matters

Threats of this type affect organisations that rely on internet-facing infrastructure, cloud services, or employee-facing authentication systems. The window between public disclosure and active exploitation in production environments has narrowed significantly. Security teams that wait more than 48 hours to review new campaigns routinely find themselves responding to incidents that were preventable.

Knowing your organisation's attack surface is the first line of defence. You cannot protect assets you have not mapped.

Who Is at Risk

Organisations running internet-facing services in financial services, critical infrastructure, and enterprise software are the primary targets in campaigns of this type. The techniques involved are not industry-specific. Any organisation with exposed authentication endpoints or unmonitored external assets is a viable target. The threat categories here (amos stealer, clawhub, openclaw, hugging face, trojanized skills, cryptominer) are among the most active in the current landscape.

Indicators of Compromise

If you are investigating whether your environment may be affected, the following indicators of compromise have been identified:

  • IPv4: 91.92.242.30
  • URL: https://install.app-distribution.net/setup/
  • FileHash-MD5: a37f6403fbf28fa0b48863287f4c5a5d
  • URL: http://91.92.242.30/1v07y9e1m6v7thl6
  • URL: http://91.92.242.30/6wioz8285kcbax6v
  • domain: velvet-parrot.com

What to Do Now

  • Review your external attack surface. Identify assets matching the target profile: exposed authentication endpoints, unpatched services, or credentials that may have been previously exposed.
  • Search for the indicators listed above in endpoint logs, network traffic, and SIEM alerts. A match warrants immediate investigation.
  • Update detection rules in your SIEM and EDR for the specific file hashes, IP addresses, or behavioural patterns identified in this campaign.
  • Validate your incident response playbook covers the threat categories involved. Exercises built on real campaigns outperform generic scenarios.
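A small triage helper for the "search for the indicators" step, added here as an illustration and not part of the advisory or any vendor tooling: it takes the six indicators listed above, derives the hostnames of the listed URLs, and scans constructed proxy, DNS, EDR and firewall log lines for them, treating subdomains of a listed domain and upper-cased hashes as matches. The log lines are constructed samples, not real telemetry.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as listed in the advisory above (AlienVault OTX, 2026-05-11).
IOC_IPS = {"91.92.242.30"}
IOC_MD5 = {"a37f6403fbf28fa0b48863287f4c5a5d"}
IOC_URLS = {"https://install.app-distribution.net/setup/",
            "http://91.92.242.30/1v07y9e1m6v7thl6",
            "http://91.92.242.30/6wioz8285kcbax6v"}
# The listed domain plus hostnames derived from the listed URLs (IP hosts excluded).
IOC_DOMAINS = {"velvet-parrot.com"} | {
    h for h in (urlparse(u).hostname for u in IOC_URLS) if h and not h[0].isdigit()}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def domain_indicator(host):
    """Listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower()
    return next((d for d in IOC_DOMAINS if host == d or host.endswith("." + d)), None)


def scan_line(line):
    """Return the set of (kind, indicator) pairs present in one log line."""
    urls = {u.rstrip(".,;)") for u in URL_RE.findall(line)}      # strip trailing punctuation
    hits = {("url", u) for u in urls if u in IOC_URLS}
    hits |= {("ipv4", ip) for ip in IP_RE.findall(line) if ip in IOC_IPS}   # also IP-based URLs
    hits |= {("md5", h.lower()) for h in MD5_RE.findall(line) if h.lower() in IOC_MD5}
    hits |= {("domain", domain_indicator(h)) for h in DOMAIN_RE.findall(line)
             if domain_indicator(h)}                               # DNS/proxy hosts, subdomains too
    return hits


def scan_logs(lines):
    """Sorted (line_no, kind, indicator) triples across all lines."""
    return sorted((i, k, v) for i, ln in enumerate(lines) for k, v in scan_line(ln))


# Constructed sample lines (proxy, DNS, EDR, firewall); the fourth is benign traffic.
SAMPLE_LOGS = [
    "2026-05-12T08:14:02Z proxy user=alice GET https://install.app-distribution.net/setup/ 200",
    "2026-05-12T08:14:09Z dns client=10.0.0.7 query=cdn.velvet-parrot.com type=A",
    "2026-05-12T08:15:30Z edr host=WS-17 file=setup.pkg md5=A37F6403FBF28FA0B48863287F4C5A5D",
    "2026-05-12T08:16:11Z proxy user=bob GET https://huggingface.co/models 200",
    "2026-05-12T08:17:45Z fw src=10.0.0.7 dst=91.92.242.30:80 action=allow",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags four of the five lines; a hit is a reason to investigate the host, while an empty result only means these particular indicators were not seen.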

Frequently Asked Questions

How do I know if my organisation has been affected?

Start with the indicators of compromise above. Run them against your endpoint detection tools, firewall logs, and SIEM. If you find a match, isolate the affected system immediately before taking further action. The absence of matches does not confirm you are unaffected: it means only that the known indicators were not found. Behavioural analysis and threat hunting are the next steps.

What is the fastest way to reduce exposure to this type of threat?

Close exposed services that should not be publicly reachable, rotate credentials that may have been compromised, and enforce MFA on all external-facing authentication. These steps take hours, not weeks, and reduce exposure across a wide range of active campaigns.

Is this relevant for organisations outside the sectors mentioned?

Yes. The threat categories involved (amos stealer, clawhub, openclaw, hugging face, trojanized skills, cryptominer) are general-purpose techniques reused across industries. Any organisation that has not reviewed its defences against these specific categories in the past 90 days should treat this as a prompt to do so.

How often should we review new threat intelligence?

Campaigns that are new today are actively exploiting vulnerable organisations within 24 to 72 hours of public disclosure. Weekly reviews are the minimum. Automated monitoring that surfaces new campaigns in real time gives your team the lead time needed to act before exploitation begins.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
