{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/environment-variable/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41387"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","environment-variable"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.22 contain a vulnerability related to incomplete sanitization of host environment variables. This flaw, found in \u003ccode\u003ehost-env-security-policy.json\u003c/code\u003e and \u003ccode\u003ehost-env-security.ts\u003c/code\u003e, allows for the overriding of package manager environment settings. An attacker can leverage this vulnerability to redirect approved execution requests, manipulating the package resolution process or the runtime bootstrap. By doing so, they can point these processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially leading to supply chain attacks or arbitrary code execution within the affected environment. The vulnerability is identified as CVE-2026-41387.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.3.22.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious environment variables designed to override the package manager\u0026rsquo;s default settings.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an approved execution request within the OpenClaw environment.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete sanitization, the attacker-controlled environment variables are used by the package manager.\u003c/li\u003e\n\u003cli\u003eThe package manager is redirected to the attacker\u0026rsquo;s infrastructure for package resolution or runtime bootstrap.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s infrastructure serves trojanized content disguised as legitimate packages or runtime components.\u003c/li\u003e\n\u003cli\u003eOpenClaw executes the trojanized content, granting the attacker initial access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41387 can lead to the execution of arbitrary code within the OpenClaw environment. This can result in compromised systems, data breaches, or supply chain attacks. Due to the nature of package management redirection, the impact could extend beyond the initial target, affecting other systems relying on the compromised OpenClaw instance. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.22 or later to remediate the vulnerability described in CVE-2026-41387.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation on environment variables used by OpenClaw, focusing on package manager settings, to prevent redirection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or untrusted domains during package resolution or runtime bootstrap, as this may indicate an attempted redirection attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-vuln/","summary":"OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.","title":"OpenClaw Incomplete Host Environment Variable Sanitization Vulnerability (CVE-2026-41387)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["powershell","environment-variable","invoke-expression","execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging PowerShell to execute malicious code embedded within environment variables. This method involves storing commands or encoded content in environment variables and then using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (or its alias \u003ccode\u003eiex\u003c/code\u003e) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. The focus is on identifying PowerShell scripts that combine environment variable access (\u003ccode\u003e$env:\u003c/code\u003e) with \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases, based on PowerShell Script Block Logging (Event ID 4104).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell is invoked, either directly or indirectly, via a script or another process.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an environment variable containing malicious code or a command. This might involve using \u003ccode\u003e[Environment]::SetEnvironmentVariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA PowerShell script is executed that reads the content of the environment variable using \u003ccode\u003e$env:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe content read from the environment variable is passed to \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its alias \u003ccode\u003eiex\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eInvoke-Expression\u003c/code\u003e dynamically executes the code, effectively bypassing static analysis.\u003c/li\u003e\n\u003cli\u003eThe executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing credentials or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use \u003ccode\u003eInvoke-Expression\u003c/code\u003e or its aliases. Tune these rules to your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine if malicious activity is occurring.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell execution for suspicious environment variable access and dynamic code execution.\u003c/li\u003e\n\u003cli\u003eImplement application control to prevent the execution of unauthorized PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-powershell-env-var-execution/","summary":"Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.","title":"PowerShell Execution via Environment Variables","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Environment-Variable","version":"https://jsonfeed.org/version/1.1"}