Malicious package

claw-subagent-service (npm)

Malicious code in claw-subagent-service (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-3757
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall claw-subagent-service

What this malware does

On npm install -g, the package's scripts/post-install.js registers a privileged Windows service claw-subagent-service pointing at service/daemon.js, configured with sc.exe failure... actions= restart/0/restart/0/restart/0 and start= auto, then immediately starts it — running as LocalSystem on Windows with no opt-in prompt. Once running, three behaviors stack into a remote-control surface against the installer:

  1. Self-replacing update channel (service/updater.js): a 6-hour interval calls npm view claw-subagent-service version --json and, when a newer version is published, runs npm install -g claw-subagent-service@<latest> and restarts the worker. Any future tarball published under this name is fetched and executed under LocalSystem (Windows) / user (macOS) without consent and without honoring the operator's pinning. Linux is gated, Windows + macOS are not.

  2. Vendor-controlled IM command channel (service/worker.js, service/modules/rongyun-message-handler.js, service/modules/script-executor.js, service/rongcloud/openclaw-client.js): the worker fetches a token from https://newsradar.dreamdt.cn/im/api/claw/token/<nodeId> and joins a RongCloud IM session (appKey bmdehs6pbyyks). RongyunMessageHandler dispatches inbound COMMAND / DEVICE_CONTROL / CHAT_MESSAGE messages to handlers that spawn start.sh/stop.sh/restart.sh/status.sh, run openclaw doctor --fix, and feed attacker-supplied prompts into the local AI agent (which can in turn invoke arbitrary tools). Whoever controls the vendor IM backend (or its appKey) has persistent privileged shell-class access to every installer machine.

  3. Continuous data exfiltration (service/modules/heartbeat-dashboard.js, service/modules/dashboard-collector.js): every 30 seconds the worker reads ~/.openclaw/agents/*/sessions/*.jsonl, ~/.openclaw/projects/projects.json, ~/.openclaw/tasks/tasks.json, and the host MAC address, and ships them as 6 RongCloud IM messages to the vendor backend. Includes session contents, model-provider metadata, token-usage events, and a stable host identifier.

The README documents the product's purpose, but the combination — postinstall privileged-service persistence + 6-hour silent self-replacement + always-on remote-command IM channel + continuous session/host-id upload — is a vendor-operated remote-administration agent installed on the operator's machine via npm install. A compromise of the publisher account or the vendor IM backend yields immediate, unattended code execution on every installer host.
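A lockfile check for the versions listed on this page, added here as an example (not O3 Security's scanner): it walks a package-lock.json (v1 nested tree or v2/v3 flat map), reports every copy of claw-subagent-service with whether its version is flagged, and lists the install-time hooks in a package.json, since the service registration lives in the postinstall step. The sample lockfile and the unflagged version 0.0.50 used in testing are constructed.

```javascript
// Added example (not O3 Security's tooling): locate claw-subagent-service in a
// package-lock.json and report whether the pinned version is one of the 34
// versions flagged in this advisory.
const FLAGGED_PACKAGE = "claw-subagent-service";
const FLAGGED_VERSIONS = new Set([
  "0.0.80", "0.0.91", "0.0.99", "0.0.101", "0.0.102", "0.0.105", "0.0.108",
  "0.0.109", "0.0.110", "0.0.113", "0.0.114", "0.0.116", "0.0.117", "0.0.120",
  "0.0.122", "0.0.130", "0.0.136", "0.0.137", "0.0.138", "0.0.140", "0.0.141",
  "0.0.146", "0.0.149", "0.0.151", "0.0.153", "0.0.156", "0.0.160", "0.0.161",
  "0.0.162", "0.0.164", "0.0.168", "0.0.170", "0.0.177", "0.0.179",
]);

// Returns [{ path, version, flagged }] for every copy of `name` in the lockfile.
function findPackage(lock, name = FLAGGED_PACKAGE) {
  const hits = [];
  const record = (path, entry) =>
    hits.push({ path, version: entry.version, flagged: FLAGGED_VERSIONS.has(entry.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b"; "" is the root.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key !== "" && key.split("node_modules/").pop() === name) record(key, entry);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) record(path, entry);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Install-time hooks are where this package registers its service; returns the
// hook names present in a package.json so a reviewer can inspect them first.
function installHooks(pkgJson) {
  return ["preinstall", "install", "postinstall"].filter((s) => pkgJson.scripts && s in pkgJson.scripts);
}

// Constructed sample lockfile (v3) with the package pulled in transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "2.1.0" },
    "node_modules/some-tool/node_modules/claw-subagent-service": { version: "0.0.179" },
  },
};
```

Run it against `JSON.parse(fs.readFileSync("package-lock.json"))`; a hit with `flagged: false` still deserves removal, since the update channel described above pulls the latest published version regardless of what is pinned.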

Malicious versions

34 flagged
0.0.80, 0.0.91, 0.0.99, 0.0.101, 0.0.102, 0.0.105, 0.0.108, 0.0.109, 0.0.110, 0.0.113, 0.0.114, 0.0.116, 0.0.117, 0.0.120, 0.0.122, 0.0.130, 0.0.136, 0.0.137, 0.0.138, 0.0.140, 0.0.141, 0.0.146, 0.0.149, 0.0.151, 0.0.153, 0.0.156, 0.0.160, 0.0.161, 0.0.162, 0.0.164, 0.0.168, 0.0.170, 0.0.177, 0.0.179

Indicators of compromise (SHA-256)

Frequently asked questions

No. claw-subagent-service on npm has been identified as a malicious package (versions 0.0.80, 0.0.91, 0.0.99, 0.0.101, 0.0.102, 0.0.105, 0.0.108, 0.0.109, and 26 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002709, IN-MAL-2026-003599, IN-MAL-2026-004159, IN-MAL-2026-004125, IN-MAL-2026-003715, IN-MAL-2026-003758, IN-MAL-2026-004136, IN-MAL-2026-004169, IN-MAL-2026-003786, IN-MAL-2026-004612, IN-MAL-2026-003789, IN-MAL-2026-003763, IN-MAL-2026-003792, IN-MAL-2026-004619, IN-MAL-2026-004608, IN-MAL-2026-004588, IN-MAL-2026-004137, IN-MAL-2026-003793, IN-MAL-2026-004621, IN-MAL-2026-004609, IN-MAL-2026-004126, IN-MAL-2026-004853, IN-MAL-2026-004852, IN-MAL-2026-004854, IN-MAL-2026-005970, IN-MAL-2026-005973, IN-MAL-2026-005974, IN-MAL-2026-005967, IN-MAL-2026-005969, IN-MAL-2026-005972, IN-MAL-2026-005971, IN-MAL-2026-005968, IN-MAL-2026-005966, IN-MAL-2026-005975

Credits

  • Amazon Inspector · finder

claw-subagent-service (npm) malicious package — MAL-2026-3757 | O3 Security