Password Stealers Just Evolved—Now They Want Your AI Agent's Private Keys

The First AI Agent Identity Theft

For years, infostealer malware has gone after the same targets: browser passwords, session cookies, crypto wallets. On February 13, researchers at Hudson Rock documented a new one: an AI agent's complete identity.

A variant of the Vidar infostealer, active since 2018, was caught stealing configuration files from OpenClaw, the open source AI assistant platform that has amassed over 200,000 GitHub stars since launching in November 2025. The stolen files did not just contain credentials. They contained the keys to impersonate an AI agent entirely.

What Was Stolen

The malware exfiltrated three critical files from the victim's .openclaw directory:

• openclaw.json — Contains the gateway authentication token, the user's email, and workspace path. An attacker with this token can connect to a victim's local OpenClaw instance remotely or impersonate the client in authenticated requests.
• device.json — Holds the privateKeyPem used for cryptographic pairing and signing operations. This key proves the device's identity to OpenClaw's servers.
• soul.md — Details the AI agent's operational principles, behavioral guidelines, and ethical boundaries. In the wrong hands, this file reveals exactly how the agent behaves and what guardrails it follows.

"The theft of the gateway authentication token can allow an attacker to connect to the victim's local OpenClaw instance remotely if the port is exposed, or even masquerade as the client in authenticated requests," Hudson Rock's CTO Alon Gal explained.

How the Attack Worked

The Vidar variant did not need a custom OpenClaw exploit. It used the same broad file grabbing routine that infostealers have relied on for years: scanning a victim's machine for specific file extensions and directory names known to contain sensitive data. When it found the .openclaw directory, it swept up everything inside.

This is the same approach infostealers use to find browser password databases, Discord tokens, and Telegram session files. The difference is the target. Instead of stealing a password to a website, the malware stole the identity of a personal AI agent that may have access to the developer's files, code, and professional tools.

Why This Is a Turning Point

Hudson Rock called this discovery "a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents."

The implications go beyond one stolen token. AI agents like OpenClaw increasingly sit at the center of professional workflows: reading code repositories, managing cloud services, accessing databases, and executing commands on behalf of their users. An attacker who steals an AI agent's credentials effectively inherits whatever access that agent had.

And unlike a browser password that can be rotated with a few clicks, an AI agent's identity includes cryptographic key pairs, behavioral profiles, and configuration data that together define how the agent operates. Stealing all three means an attacker could spin up a convincing clone of the agent and use it to access systems the victim trusts.

What Developers Should Do

OpenClaw has responded by partnering with VirusTotal for malicious skill scanning and adding audit capabilities for misconfiguration detection. But the broader issue is that AI agent configuration files are stored locally and are just as vulnerable as any other file on a compromised machine.

For developers using AI agents in their workflows:

• Treat AI agent configuration directories with the same sensitivity as SSH keys or cloud credentials
• Rotate gateway tokens regularly, especially if you suspect your machine has been compromised
• Do not expose OpenClaw's local port to external networks
• Monitor access logs for connections from unfamiliar IP addresses or devices
• Use endpoint detection software that flags access to known sensitive directories

The Bigger Problem

This will not be the last time infostealers target AI tools. As Gal noted, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse AI agent files, much like they already do for Chrome, Telegram, and cryptocurrency wallets.

The AI agent ecosystem is growing fast. OpenClaw alone has 200,000 GitHub stars. Every one of those users has a .openclaw directory containing the files Vidar just proved it can steal. The race between AI tool adoption and the security practices needed to protect those tools has already begun, and right now, the malware is winning.