The Atomic macOS Stealer (AMOS) campaign has entered a dangerous new phase.
Instead of hiding inside cracked software or pirated apps, threat actors are now embedding AMOS inside malicious OpenClaw skills — small add-on packages designed to extend AI agent capabilities.
This marks a significant shift toward AI supply chain attacks, where attackers weaponize AI workflows to distribute malware.
Security researchers identified:
- 39 malicious skills uploaded across repositories
- Over 2,200 malicious skills discovered on GitHub
- A new AMOS variant targeting macOS users
- Social engineering tactics to trick users into entering system passwords manually
For security teams, DevOps engineers, and AI platform operators, this campaign demonstrates a new and emerging attack surface: AI agent ecosystems.
In this article, we’ll break down:
- How the malicious OpenClaw skills work
- The AMOS infection chain
- Why AI workflow abuse is the next supply chain frontier
- Indicators of compromise (IOCs)
- Defensive best practices for macOS and AI environments
What Is Atomic macOS Stealer (AMOS)?
Atomic macOS Stealer (AMOS) is a malware-as-a-service (MaaS) operation targeting Apple users.
It is designed to harvest:
- System credentials
- Browser cookies and saved passwords
- Cryptocurrency wallet data (150+ wallets targeted)
- Telegram chats
- VPN configurations
- Apple Keychain items
- Files from Desktop, Documents, and Downloads
AMOS is sold in underground forums, making it accessible to lower-skilled threat actors.
The Shift: From Pirated Apps to AI Skills
Traditionally, AMOS spread through:
- Cracked macOS software
- Fake installers
- Trojanized productivity tools
Now, attackers are embedding AMOS inside OpenClaw skills hosted on platforms like:
- ClawHub
- SkillsMP
- GitHub repositories
This represents a supply chain attack targeting AI agent workflows.
Instead of infecting users directly, attackers poison AI extensions and rely on agents to execute malicious instructions.
How the Attack Works
Stage 1: A Harmless-Looking SKILL.md File
The attack begins with a seemingly benign SKILL.md file.
It instructs the AI agent to install a prerequisite tool called:
“OpenClawCLI”
This tool is hosted on a malicious external website.
Stage 2: AI Model Behavior Differences
Researchers observed interesting differences in AI model responses:
- Less cautious models (e.g., GPT-4o) may:
- Attempt silent installation
- Continuously prompt the user to install the fake “driver”
- More advanced models (e.g., Claude Opus 4.5) detect suspicious behavior and refuse to proceed
This highlights a new risk vector:
Model safety behavior can directly impact malware delivery success.
Stage 3: Payload Execution
If the installation proceeds:
- A Base64-encoded command is retrieved
- A Mach-O universal binary is dropped
- The binary runs on both:
- Intel-based Macs
- Apple Silicon devices
When macOS blocks the unsigned file, the attacker deploys the most critical social engineering trick:
A fake password dialog box appears.
The user believes they are authorizing a legitimate installation.
Instead, they are handing over system-level access.
Inside the AMOS Infection Chain
Once the password is entered, AMOS immediately begins data collection.
Data Harvested Includes:
System Data
- macOS username and password
File Collection
- Desktop, Downloads, Documents
- File types: .pdf, .csv, .kdbx, .docx
Apple Ecosystem
- Keychain credentials
- Apple Notes
Browsers (19 targeted)
- Cookies
- Saved passwords
- Credit card data
Cryptocurrency
- 150+ wallet types
All stolen data is compressed into a ZIP archive and sent to a command-and-control (C2) server.
Command-and-Control Infrastructure
AMOS exfiltrates stolen data to:
- C2 Domain:
socifiapp[.]com
Payload delivery infrastructure includes:
- Malicious skill site:
hxxps://openclawcli[.]vercel[.]app/ - Payload IP:
91.92.242[.]30 - Detection Name: Trojan.MacOS.Amos
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps://openclawcli[.]vercel[.]app/ | Malicious skill delivery |
| IP Address | 91.92.242[.]30 | Payload download server |
| URL | hxxp://91.92.242[.]30/ece0f208u7uqhs6x | Payload URL |
| File Name | il24xgriequcys45 | Mach-O AMOS binary |
| C2 Server | socifiapp[.]com | Exfiltration endpoint |
| Detection | Trojan.MacOS.Amos | Malware signature |
Why This Attack Is Significant
1. AI Workflow Supply Chain Compromise
This campaign demonstrates:
- AI agents can become malware execution vectors
- AI skill repositories can be poisoned
- Social engineering now blends human + AI manipulation
2. Manual Password Entry as an Attack Vector
Unlike many macOS exploits that require vulnerability chaining, this attack relies on:
- Fake authorization dialogs
- User trust in AI tools
- Manual password entry
It bypasses traditional exploit-based detection.
3. Universal Binary Targeting
The Mach-O payload works across:
- Intel Macs
- Apple Silicon
This ensures broad compatibility and higher infection rates.
Risk Impact Analysis
If successful, this infection can result in:
- Credential theft
- Crypto wallet draining
- Corporate data leakage
- VPN compromise
- Lateral movement into enterprise networks
For organizations adopting AI automation workflows, this introduces:
- A new supply chain attack surface
- Increased insider risk
- Expanded DevSecOps monitoring requirements
Defensive Recommendations
1. Verify AI Skills Before Execution
- Only install skills from trusted repositories
- Review SKILL.md instructions manually
- Avoid automatic execution of external dependencies
2. Avoid Entering Passwords for Unknown Tools
A key red flag:
Unexpected system password prompts from AI-driven installations.
If unsure:
- Cancel immediately
- Validate tool legitimacy independently
3. Isolate AI Agent Execution
Run AI agents in:
- Containers
- Sandboxed environments
- Virtual machines
Limit access to:
- File systems
- Keychain
- Sensitive directories
4. Monitor for Suspicious Activity
Watch for:
- Outbound traffic to known malicious domains
- Unexpected ZIP archive creation
- Execution of unsigned Mach-O binaries
- Abnormal browser credential access
5. Apply Zero Trust Principles to AI Workflows
Treat AI-generated instructions as untrusted input.
Apply:
- Execution policy controls
- Least privilege access
- EDR monitoring for macOS endpoints
- Supply chain scanning for skill repositories
Common Misconceptions
“AI tools are inherently safe.”
AI can execute instructions that are malicious if repositories are poisoned.
“macOS is immune to malware.”
AMOS is proof that macOS-targeted malware is mature and commercially available.
“Manual password entry means legitimacy.”
Social engineering thrives on user trust — not technical exploits.
FAQs
1. What is AMOS?
Atomic macOS Stealer (AMOS) is a malware-as-a-service tool that steals credentials, browser data, and cryptocurrency wallets from macOS systems.
2. How is AMOS now spreading?
Through malicious OpenClaw skills embedded in AI agent workflows.
3. Why is this considered a supply chain attack?
Because attackers poison third-party AI extensions that users trust and execute.
4. What makes this attack effective?
It combines AI instruction abuse with social engineering to trick users into entering system passwords.
5. How can organizations mitigate this risk?
Use sandboxed AI execution, verify skill sources, restrict system permissions, and monitor outbound connections.
Conclusion: AI Workflows Are the Next Security Frontier
The evolution of AMOS from cracked apps to malicious AI skills marks a turning point.
AI ecosystems are now part of the enterprise attack surface.
Organizations must:
- Treat AI skill repositories as supply chain risks
- Monitor macOS endpoints aggressively
- Enforce least privilege execution
- Educate users about fake password prompts
As AI adoption accelerates, attackers will continue adapting.
Security teams must do the same.
