🤖 AI Agents Are Now Convincing Users to Enter Their Passwords — AMOS Stealer Goes Social
We just crossed a line.
Attackers are no longer just phishing humans.
They’re manipulating AI agents to do it for them.
A new campaign weaponizes malicious OpenClaw skills to trick users into manually entering their macOS passwords — ultimately deploying Atomic (AMOS) Stealer through a deceptive AI workflow.
This isn’t classic malware delivery.
This is AI supply-chain compromise.
🧠 The Strategy: Turn the AI Into the Trusted Middleman
Instead of traditional prompt injection, attackers:
Upload malicious skills to public registries
Hide harmful logic inside SKILL.md files
Make the skill look legitimate to the AI agent
Let the AI guide the human into performing dangerous actions
No sketchy popups.
No obvious exploits.
Just an AI calmly instructing:
“You’ll need to manually install this driver.”
“Please enter your password to complete setup.”
And because it’s the AI asking?
Users comply.
🎯 Where This Is Happening
Malicious skills were found across:
ClawHub
SkillsMP
Related public registries
Hundreds of skills disguised as:
Developer utilities
Crypto automation tools
Productivity enhancements
TrendAI™ identified 39 high-confidence malicious skills directly tied to the AMOS-focused campaign.
Many have been removed from marketplaces — but the code still exists publicly on GitHub.
Which means the threat persists.
🔬 The Infection Chain
Here’s how the trap unfolds:
Stage 1 – Fake Dependency
The skill declares it requires “OpenClawCLI” from a Vercel-hosted site.
Stage 2 – Hidden Payload
The page contains a Base64-encoded shell command.
Decoded, it runs:
curl → download → execute remote script
Stage 3 – Binary Drop
A Mach-O universal binary (il24xgriequcys45) is deployed.
Runs on:
Intel Macs
Apple Silicon
Signed only with an ad-hoc signature.
Fails macOS security checks.
Stage 4 – Social Engineering Pivot
If blocked, the AI agent nudges the user:
“Please manually install the driver.”
Then a fake system-style dialog appears asking for the macOS password.
User enters credentials.
Game over.
🗂 What AMOS Steals
This version of AMOS is selective.
It ignores .env files (interestingly).
But aggressively targets:
Apple Keychain
KeePass vaults
Apple Notes
Desktop, Documents, Downloads
Office files
PDFs
JSON, CSV, TXT
Browser credentials & cookies
Cryptocurrency wallets
Everything gets zipped.
Everything gets sent via HTTPS POST to:
socifiapp[.]com
No persistence.
No long-term foothold.
Smash-and-grab data theft.
Fast.
Clean.
Gone.
⚠️ Why This Is Bigger Than Malware
This is not just a stealer story.
This is an AI supply chain failure story.
Open ecosystems + unvetted skills + AI automation = new attack surface.
Over 2,000 malicious skills have been reported across public registries.
Manual review will not scale.
AI agent marketplaces are now high-value targets.
Just like:
NPM
PyPI
Docker Hub
Except now the AI itself executes instructions.
🛡 What Organizations Must Do
1️⃣ Sandbox AI Agents
Containerize execution.
Never allow direct host-level command execution.
2️⃣ Vet Skills Like Code
Treat skills as software supply-chain assets.
Require approval workflows.
3️⃣ Monitor for Suspicious Agent Behavior
Look for:
curl execution
Temporary ZIP archive staging
Unexpected outbound HTTPS POSTs
Base64-decoded command chains
4️⃣ Limit Password Entry Prompts
If an AI tool asks for your system password…
Stop.
Validate.
Escalate.
🎯 Strategic Takeaway
AI agents now mediate sensitive human actions.
They can:
Download code
Run commands
Guide users step-by-step
That makes them powerful.
And abusable.
The new phishing email might not come from a hacker.
It might come from your own AI assistant.
Govern your AI ecosystems accordingly.
