FreshRSS


OpenClaw (aka Clawdbot) gives malicious websites access to session cookies

A recently patched OpenClaw vulnerability allowed attackers to use malicious websites to steal session credentials from other browser tabs. The heart of the problem was a WebSocket service for orchestrating Chrome which accepted connections without authentication, including connections from JavaScript running in the user's browser.

OpenClaw users are encouraged to patch ASAP, and to use caution where and how they deploy it, given its ongoing security issues and security architecture concerns.

submitted by /u/Prior-Penalty

Better-Auth Critical Account Takeover via Unauthenticated API Key Creation (CVE-2025-61928)

A complete account takeover, found with AI, for any application using better-auth with API keys enabled, and with 300k weekly downloads, it probably affects a large number of projects. Some of the folks using it can be found here: https://github.com/better-auth/better-auth/discussions/2581.

submitted by /u/Prior-Penalty