GitHub Phishing Campaign Targets OpenClaw Developers with Fake $CLAW Token Airdrop
What happened
On March 18, OX Security researchers disclosed a coordinated phishing campaign targeting OpenClaw's GitHub community. Attackers used throwaway GitHub accounts to open issues that mass-@-mentioned users who had starred OpenClaw repositories, claiming each recipient had earned a "$5,000 allocation of $CLAW tokens" for their open-source contributions.
The messages linked to token-claw[.]xyz, a close clone of the legitimate openclaw.ai site, with the real destination hidden behind Google share redirects so that the visible URL looked like a google.com link. Once a visitor connected a cryptocurrency wallet, JavaScript on the page collected the wallet address, balance and transaction history and sent them to a command-and-control server at watery-compost[.]today. Connecting a wallet exposes only its public address (balance and history are public on-chain data derivable from that address); funds can only move if the victim goes on to sign a transaction or token approval, which is the step defenders should watch for. At publication no confirmed wallet drains had been reported, though the attacker's infrastructure was still active.
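As an added example (this is not OX Security's, OpenClaw's or GitHub's code), the script below triages a GitHub issue body for the two indicators described above: a Google share redirect wrapping the real destination, and a destination domain that reuses the project's name without being the project's own domain, combined with a crude airdrop-lure keyword score. It assumes the redirect takes the common `google.com/url?q=<target>` form, that openclaw.ai and github.com are the only legitimate domains for the project, and works on a constructed sample issue rather than a real one; the registrable-domain helper is deliberately naive (last two labels) and would need a public-suffix list for domains like co.uk.

```python
"""Triage a GitHub issue body for airdrop-lure phishing indicators.

Added example, not code from the article, OX Security or OpenClaw.
Assumptions: Google share redirects look like google.com/url?q=<target>;
openclaw.ai and github.com are the only legitimate domains; the sample
issue text is constructed for this demo.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

LEGIT_DOMAINS = {"openclaw.ai", "github.com"}   # assumption: project allowlist
PROJECT_TOKENS = ("openclaw", "claw")            # brand words a lookalike domain reuses
LURE_TERMS = ("airdrop", "allocation", "$claw", "claim", "eligible", "wallet")

URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+")

# Constructed sample issue body in the shape of the reported lure.
SAMPLE_ISSUE = """@alice @bob Congratulations! Your open-source contributions earned you a
$5,000 allocation of $CLAW tokens. Claim before the deadline:
https://www.google.com/url?q=https://token-claw.xyz/claim&sa=D
Official docs: https://openclaw.ai/docs
"""


def unwrap_redirect(url):
    """Resolve a google.com/url?q=<target> share redirect offline (no request made)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        params = parse_qs(p.query)
        target = params.get("q") or params.get("url")
        if target:
            return unquote(target[0])
    return url


def registrable(host):
    """Naive eTLD+1: last two labels. Fine for .ai/.xyz/.today, wrong for co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(host):
    """True when the domain borrows the project's name but is not on the allowlist."""
    r = registrable(host)
    if r in LEGIT_DOMAINS:
        return False
    return any(tok in r for tok in PROJECT_TOKENS)


def triage_issue(body):
    """Return per-link findings, matched lure terms, a score and a verdict."""
    links = []
    for raw in URL_RE.findall(body):
        final = unwrap_redirect(raw)
        host = urlparse(final).hostname or ""
        links.append({
            "raw": raw,
            "final": final,
            "host": host,
            "redirected": final != raw,
            "lookalike": is_lookalike(host),
            "trusted": registrable(host) in LEGIT_DOMAINS,
        })
    lower = body.lower()
    lures = [t for t in LURE_TERMS if t in lower]
    # Lookalike domains weigh most; a redirect wrapper and lure wording add to it.
    score = (len(lures)
             + 2 * sum(1 for l in links if l["lookalike"])
             + sum(1 for l in links if l["redirected"]))
    return {"links": links, "lure_terms": lures, "score": score, "suspicious": score >= 4}


if __name__ == "__main__":
    result = triage_issue(SAMPLE_ISSUE)
    for link in result["links"]:
        print(f"{link['raw']} -> {link['host']} "
              f"(redirected={link['redirected']}, lookalike={link['lookalike']})")
    print("lure terms:", result["lure_terms"])
    print("score:", result["score"], "suspicious:", result["suspicious"])
```

The keyword score alone would flag plenty of legitimate crypto-related issues, so the verdict should be read as a triage priority rather than a block decision; the strong signal is a redirect that unwraps to a domain borrowing the project's name. Feeding this the bodies returned by the GitHub issues API, or the text of notification emails, is left to the caller.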
Why it matters
With OpenClaw surpassing 311,000 GitHub stars, its community is a high-value target for social engineering. Using GitHub Issues as the delivery channel, with @-mentions turning GitHub's own notification system into a way to reach users who starred a repository directly in their inboxes, is a social-engineering technique aimed at a project's contributors rather than its code, and it can be replicated against any popular open-source project. The crypto lure specifically targets the overlap between the OpenClaw developer community and cryptocurrency users.
What's next
GitHub may need rate-limiting or verification for mass @-mentions in issues, particularly from newly created accounts. The OpenClaw project should publish a verified communications policy stating which domains, accounts and channels carry official announcements, so community members can tell legitimate announcements from scams. The wider open-source ecosystem should treat this as a template attack that will be adapted for other high-profile projects.
Related
- ClawHub — OpenClaw's official skill marketplace (also targeted by malicious skills)
- OpenClaw Security Monitor — Community security tracking