
Malicious OpenClaw Skills Used to Distribute Atomic MacOS Stealer

Severity: Medium
Published: Mon Feb 23 2026 (02/23/2026, 22:38:38 UTC)
Source: AlienVault OTX General

Description

A new campaign exploits OpenClaw skills to distribute the Atomic MacOS Stealer (AMOS). This evolution in supply chain attacks manipulates AI agentic workflows to install malware. The campaign spans multiple repositories with hundreds of malicious skills uploaded to ClawHub and SkillsMP. The infection chain begins with a seemingly harmless SKILL.md file that installs a prerequisite, leading to the download of a Mach-O universal binary. This AMOS variant steals extensive data, including credentials, browser data, cryptocurrency wallets, and various user documents. It lacks system persistence but expands its reach by exfiltrating Apple and KeePass keychains. The malware uses sophisticated encryption schemes and targets multiple browsers and cryptocurrency wallets.

AI-Powered Analysis

Last updated: 02/24/2026, 09:16:30 UTC

Technical Analysis

This threat involves a sophisticated supply chain attack campaign that abuses OpenClaw skills—modular AI agent workflows—to distribute the Atomic MacOS Stealer (AMOS) malware. Attackers upload hundreds of malicious skills to popular AI skill repositories such as ClawHub and SkillsMP. The infection chain begins with a SKILL.md file that appears harmless but installs a prerequisite component, which then downloads a Mach-O universal binary executable tailored for macOS. AMOS is designed to steal a broad spectrum of sensitive information: user credentials, browser data, cryptocurrency wallets, Apple keychains, KeePass keychains, and various user documents. The malware employs sophisticated encryption to protect its exfiltrated data and targets multiple browsers and wallet applications to maximize impact. Notably, AMOS does not establish persistence on infected systems, which may limit long-term control but does not reduce the immediate risk of data theft. The campaign represents an evolution in supply chain attacks by manipulating AI agentic workflows, highlighting the emerging risk of AI skill repositories as attack vectors. While there are no known exploits in the wild yet, the widespread distribution of malicious skills across repositories poses a significant risk to macOS users and organizations leveraging AI automation tools.

Potential Impact

The primary impact of this threat is the extensive theft of sensitive data from macOS systems, including credentials, browser histories, cryptocurrency wallets, and keychain data. This can lead to identity theft, financial loss, unauthorized access to corporate and personal accounts, and exposure of confidential documents. The lack of persistence means attackers may not maintain long-term access, but the immediate data exfiltration can cause severe damage. Organizations relying on macOS devices, especially those using AI skill repositories or agentic AI workflows, face increased risk of supply chain compromise. The campaign’s use of AI skill repositories as a distribution vector introduces a novel attack surface, potentially affecting software supply chain trust and AI automation security. The medium severity rating reflects the significant data loss potential balanced against the absence of persistence and no current widespread exploitation. However, the campaign’s scale and sophistication suggest that targeted organizations could suffer impactful breaches if defenses are not enhanced.

Mitigation Recommendations

1. Implement strict vetting and validation processes for AI skills and modules sourced from public repositories like ClawHub and SkillsMP, including code reviews and behavioral analysis before deployment.
2. Employ endpoint detection and response (EDR) solutions capable of detecting unusual Mach-O binary executions and suspicious network exfiltration activities on macOS systems.
3. Enforce the principle of least privilege for AI agents and workflows to limit their ability to download and execute arbitrary binaries.
4. Monitor and restrict access to sensitive data stores such as Apple keychains and KeePass databases, using encryption and access controls.
5. Educate users and administrators about the risks of installing unverified AI skills and the importance of verifying sources.
6. Use network segmentation and data loss prevention (DLP) tools to detect and block unauthorized data exfiltration attempts.
7. Regularly update macOS and security tools to incorporate the latest threat intelligence and detection capabilities.
8. Establish incident response plans specifically addressing supply chain and AI-related threats to enable rapid containment and remediation.
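Recommendations 2 and 6 (EDR and DLP/network monitoring) both reduce, in practice, to matching telemetry against the indicators published with this pulse. The script below is an added example, not code from the Trend Micro report or from the OTX pulse: it loads the IP, the two domains, the URLs and a subset of the hashes from this page's Indicators of Compromise section, then scans constructed sample proxy, DNS and EDR log lines (the log format, timestamps and internal host names are invented for the example) and reports which indicator kind matched on each line. Hash indicators are keyed by digest length (32, 40 or 64 hex digits), which is how the page's hash list is organised.

```python
"""Match log telemetry against the IoCs from the OpenClaw / AMOS pulse.

Added example for this page; the indicator values come from the page's IoC
section, everything else (log format, host names) is constructed.
"""
import re
from urllib.parse import urlparse

# Network indicators copied from the page's IoC section.
IOC_IPS = {"91.92.242.30"}
IOC_DOMAINS = {"socifiapp.com", "install.app-distribution.net"}
IOC_URLS = {
    "http://91.92.242.30/1v07y9e1m6v7thl6",
    "http://91.92.242.30/6wioz8285kcbax6v",
    "https://socifiapp.com/api/reports/upload",
    "https://install.app-distribution.net/setup/",
}
# A subset of the page's hash indicators (one per digest length); add the
# remaining values from the IoC list in the same way. Stored lower-case.
IOC_HASHES = {
    "0c76e33ddde228e9ce098edf3bf5f06a",                                  # 32 hex
    "125c5ca2b836cb46533cf690563528b8bd83a50f",                          # 40 hex
    "0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65",  # 64 hex
}

# Longest alternative first so a 64-digit token is never split into a 32-digit match.
HEX_HASH_RE = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def hash_family(digest):
    """Label a hex digest by length: 32 -> md5, 40 -> sha1, 64 -> sha256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))


def scan_line(line):
    """Return a sorted list of (kind, value) indicator hits found in one log line."""
    hits = set()
    for digest in HEX_HASH_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.add((hash_family(digest), digest.lower()))
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # trailing punctuation from free-text logs
        if url in IOC_URLS:
            hits.add(("url", url))
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            hits.add(("domain", host))
        if host in IOC_IPS:
            hits.add(("ip", host))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):     # bare hostnames, e.g. DNS query fields
        if host.lower() in IOC_DOMAINS:
            hits.add(("domain", host.lower()))
    return sorted(hits)


def scan_lines(lines):
    """Map the index of every line with at least one hit to its list of hits."""
    findings = {}
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            findings[index] = hits
    return findings


# Constructed sample telemetry (not real logs): proxy, DNS and EDR events from
# an imaginary host. Line 2 is benign and must produce no hit.
SAMPLE_LOGS = [
    "2026-02-24T09:01:20Z proxy src=10.0.0.7 method=GET url=http://91.92.242.30/1v07y9e1m6v7thl6 status=200",
    "2026-02-24T09:02:11Z dns client=10.0.0.7 query=socifiapp.com type=A rcode=NOERROR",
    "2026-02-24T09:03:00Z proxy src=10.0.0.8 method=GET url=https://example.com/index.html status=200",
    "2026-02-24T09:04:05Z edr host=mac-07 event=exec path=/private/tmp/setup "
    "sha256=0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65",
    "2026-02-24T09:05:30Z proxy src=10.0.0.7 method=POST url=https://socifiapp.com/api/reports/upload status=200 bytes_out=2481920",
]

if __name__ == "__main__":
    for index, hits in scan_lines(SAMPLE_LOGS).items():
        print(f"line {index}: {hits}")
```

The EDR line is matched on the file digest alone, the DNS line on the bare domain, and the proxy lines on both the exact URL and the hosting IP or domain, so a partial feed (for example DNS only) still produces a hit. A POST to the upload URL with a large `bytes_out` is the exfiltration pattern recommendation 6 refers to; adding a byte threshold to that line's handling is a natural extension.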


Technical Details

Author: AlienVault
TLP: white
References: https://www.trendmicro.com/en_us/research/26/b/openclaw-skills-used-to-distribute-atomic-macos-stealer.html
Adversary: null
Pulse Id: 699cd6ee7d755d4afd290651
Threat Score: null

Indicators of Compromise

Ip
91.92.242.30

Hash (32 hex digits, MD5)
0c76e33ddde228e9ce098edf3bf5f06a
760c89959e2d80f9b78a320023a875b7
80ab5ba94b8b4d135453f8cb58be209d
8611dfd731c27ac1592de60a31c66634
a37f6403fbf28fa0b48863287f4c5a5d
a6d19622c8961b781901baec4ab599de
a8ad1697e8c8823ac7b77557bcb85a24
b488d8d0cb6ee18af9e5800b66ff1ed9
b8f295977d4dec2e9bffd6fce2320bd1
d8ba368e60477651ffb04e8e4f93509b

Hash (40 hex digits, SHA-1)
125c5ca2b836cb46533cf690563528b8bd83a50f
46a203240b7b06ec66058de2ab459d24c3545993
71f101a613cc57745d4a605d0ce6d3c1cd7a4229
8a5a5ff3663c4a530cfe975e66a0257f308368c6
92a3d22717e6a7d25f74759dc9ec6f72e60c4f17
93b3d3925ccc201ab0f16017153a79ef05b8f5c2
a396ec79d8e33ca984c7ffc7ee4d7d2caa8412ee
ac39f9b861a2c5829a4a841a0277763aa7acd84c
c32d9638bc5c1249afc0ba5eac6ed5cc712b9df9
f0ec6c8ac195ba88ef7f4e415d977a14d00acca2

Hash (64 hex digits, SHA-256)
0e52566ccff4830e30ef45d2ad804eefba4ffe42062919398bf1334aab74dd65
1e6d4b0538558429422b71d1f4d724c8ce31be92d299df33a8339e32316e2298
233a98cb2c5536dabda0944eb2de8d47ad5ce9371a164fe2a8c29d8c55bc240c
30f97ae88f8861eeadeb54854d47078724e52e2ef36dd847180663b7f5763168
45d8e56bd86960727bcaa4b5c9f7c3422a22723c23ea5b46b6aa9bc42ed1f9f1
5968bd7d3a27a6a17ea73be6ee4b00807e83a786fdfa73cc5d8dbf262426c12c
5adb10e107d5075abf485f52a387fb419d06ad84d0df38e75769783f16862273
5e4696a2cfdc3336b1ecbc17c1642f6bf7d9a34497161659414dae33fe6225d7
95fb8f28d08e19090443bda8bd71bbb79f7c451288a2de6f1ca0ad6fee8b4569
998c38b430097479b015a68d9435dc5b98684119739572a4dff11e085881187e
a0e66f3067e4aaf5b83e45b7845cc43b2fc96032a4398cab7cc9d11f4f962e91
ca96fe6259d602a22951d5d3e244e1b752bf0d20086f445bf7015c8798e7b95b
d781d5cabaf5f305bbb8afcd9a54d7ba616bfa7aef5c4d16f6bce3d2bf3b4073
ec2920e56f2f62c6a2ed1242747980f6f7343c2404b7ae9a6e975b66b1c24b6d
f0a54f2b44e557854b0a5001c4e10185884af945814786f78b86539014f78a16
f2cb9de40cb8b7e13e7d2b0b3e426f8503781a35d8bba3715395430e9b5eeb38

Url
http://91.92.242.30/1v07y9e1m6v7thl6
http://91.92.242.30/6wioz8285kcbax6v
http://91.92.242.30/6x8c0trkp4l9uugo
http://91.92.242.30/dx2w5j5bka6qkwxi
http://91.92.242.30/dyrtvwjfveyxjf23
http://91.92.242.30/ece0f208u7uqhs6x
http://91.92.242.30/il24xgriequcys45
http://91.92.242.30/l5ou8r739pc48rwi
http://91.92.242.30/lamq4uerkruo6ssm
http://91.92.242.30/q0c7ew2ro8l2cfqp
https://socifiapp.com/api/reports/upload
https://install.app-distribution.net/setup/

Domain
socifiapp.com
install.app-distribution.net

Threat ID: 699d68e0be58cf853b9798e7

Added to database: 2/24/2026, 9:01:20 AM

Last enriched: 2/24/2026, 9:16:30 AM

Last updated: 2/24/2026, 9:23:36 PM

Views: 16
