Infostealers have evolved. They’re no longer just swiping your browser passwords - now they’re stealing your AI agent’s entire identity.
Security researchers at Hudson Rock discovered the first known instance of infostealer malware successfully exfiltrating OpenClaw configuration files from a victim’s machine. The attack, identified on February 13, 2026, marks what Hudson Rock calls “a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the ‘souls’ and identities of personal AI agents.”
What Was Stolen
The malware - likely a Vidar variant - grabbed three critical file types from the victim’s .openclaw directory:
openclaw.json: Contains the victim’s gateway authentication token, email address, and workspace path. This token allows attackers to connect to the victim’s local OpenClaw instance remotely (if the port is exposed) or masquerade as the client in authenticated requests.
device.json: Stores public and private cryptographic keys used for secure pairing and signing operations. With the privateKeyPem, attackers can sign messages as the victim’s device and potentially bypass “Safe Device” verification.
Soul and memory files: The soul.md, AGENTS.md, and MEMORY.md files contain the AI agent’s personality instructions, behavioral guidelines, daily activity logs, private messages, and calendar events. Hudson Rock describes these as providing “a blueprint of the user’s life.”
An Opportunistic Discovery
The attack wasn’t even targeted at OpenClaw specifically. The infostealer used a broad file-grabbing routine designed to sweep for sensitive file extensions and folder names - it just happened to find .openclaw and grabbed everything.
That’s arguably more alarming. If off-the-shelf malware is already scooping up AI agent configurations by accident, purpose-built AI-targeting modules are coming.
“As AI agents move from experimental toys to daily essentials, the incentive for malware authors to build specialized ‘AI-stealer’ modules will only grow,” Hudson Rock warned. They expect dedicated modules designed to decrypt and parse these files - “much like they do for Chrome or Telegram today.”
Total Identity Compromise
The stolen combination of gateway tokens, cryptographic keys, and personal context files enables what Hudson Rock calls “a total compromise of the user’s digital identity.”
With these files, an attacker could:
- Connect to the victim’s local OpenClaw instance
- Impersonate the victim’s device in AI gateway requests
- Bypass security verifications that trust “Safe Devices”
- Access encrypted logs and services
- Understand the victim’s daily patterns, contacts, and communications
The soul.md file in this case instructed the agent to “be bold with internal actions” like reading, organizing, and learning - behaviors that become especially dangerous when an attacker controls the agent’s identity.
The Larger Problem
OpenClaw isn’t the only AI agent storing sensitive data in plaintext with questionable defaults. As personal AI assistants proliferate, each one creates new attack surface. Claude Code stores configuration in ~/.claude. Copilot and other assistants maintain their own credential stores.
The security community has documented over 200,000 GitHub stars for OpenClaw, with the founder recently joining OpenAI. The tool clearly has momentum - but so does the malware ecosystem circling it.
What You Can Do
If you run OpenClaw or similar AI agents locally:
- Don’t expose ports to the internet - Keep your AI agent’s ports bound to localhost only
- Audit your configuration files - Know what tokens and keys are stored in plaintext
- Rotate credentials if compromised - If you’ve had any malware infection, regenerate your gateway tokens
- Monitor for unusual activity - Watch for unexpected AI agent behavior or authentication from unknown devices
- Keep your system clean - Basic infostealer hygiene applies: avoid suspicious downloads, use a password manager, enable 2FA everywhere
The era of AI agent identity theft has begun. Your chatbot’s “soul” is now a target.