https://feed.craftedsignal.io/tags/environment-variable/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.OpenClaw versions prior to 2026.3.22 contain a vulnerability related to incomplete sanitization of host environment variables. This flaw, found in host-env-security-policy.json and host-env-security.ts, allows for the overriding of package manager environment settings. An attacker can leverage this vulnerability to redirect approved execution requests, manipulating the package resolution process or the runtime bootstrap. By doing so, they can point these processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially leading to supply chain attacks or arbitrary code execution within the affected environment. The vulnerability is identified as CVE-2026-41387.

Attack Chain

1. Attacker identifies an OpenClaw instance running a version prior to 2026.3.22.
2. Attacker crafts malicious environment variables designed to override the package manager’s default settings.
3. The attacker triggers an approved execution request within the OpenClaw environment.
4. Due to the incomplete sanitization, the attacker-controlled environment variables are used by the package manager.
5. The package manager is redirected to the attacker’s infrastructure for package resolution or runtime bootstrap.
6. The attacker’s infrastructure serves trojanized content disguised as legitimate packages or runtime components.
7. OpenClaw executes the trojanized content, granting the attacker initial access to the system.

Impact

Successful exploitation of CVE-2026-41387 can lead to the execution of arbitrary code within the OpenClaw environment. This can result in compromised systems, data breaches, or supply chain attacks. Due to the nature of package management redirection, the impact could extend beyond the initial target, affecting other systems relying on the compromised OpenClaw instance. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.

Recommendation

• Upgrade OpenClaw to version 2026.3.22 or later to remediate the vulnerability described in CVE-2026-41387.
• Implement stricter input validation on environment variables used by OpenClaw, focusing on package manager settings, to prevent redirection attacks.
• Monitor network traffic for connections to unusual or untrusted domains during package resolution or runtime bootstrap, as this may indicate an attempted redirection attack.

]]>highadvisoryvulnerabilitysupply-chainenvironment-variablehttps://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/Wed, 03 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-powershell-env-var-execution/Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.Attackers are increasingly leveraging PowerShell to execute malicious code embedded within environment variables. This method involves storing commands or encoded content in environment variables and then using Invoke-Expression (or its alias iex) to dynamically construct and execute code at runtime. This tactic is employed to evade traditional static analysis techniques and conceal the true intent of the executed code. Observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign, this technique is a significant threat. Defenders should be aware of this trend and implement appropriate detection mechanisms. The focus is on identifying PowerShell scripts that combine environment variable access ($env:) with Invoke-Expression or its aliases, based on PowerShell Script Block Logging (Event ID 4104).

Attack Chain

1. The attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.
2. PowerShell is invoked, either directly or indirectly, via a script or another process.
3. The attacker sets an environment variable containing malicious code or a command. This might involve using [Environment]::SetEnvironmentVariable.
4. A PowerShell script is executed that reads the content of the environment variable using $env:.
5. The content read from the environment variable is passed to Invoke-Expression or its alias iex.
6. Invoke-Expression dynamically executes the code, effectively bypassing static analysis.
7. The executed code downloads and executes a secondary payload, such as a keylogger or a remote access tool.
8. The attacker achieves their objective, such as stealing credentials or establishing persistent access.

Impact

Successful exploitation can lead to the execution of arbitrary code on the compromised system, allowing attackers to install malware, steal sensitive data, or establish a persistent foothold. The VIP Keylogger campaign, for example, demonstrates how this technique can be used to harvest user credentials. Due to the obfuscated nature of this attack, it is difficult to detect and remediate, often leading to extended dwell time for the attacker. Compromised systems can be further used as a launchpad for attacks against other systems within the network.

Recommendation

• Enable PowerShell Script Block Logging (Event ID 4104) on all Windows systems to capture the de-obfuscated script blocks before execution.
• Deploy the provided Sigma rules to your SIEM to detect PowerShell scripts that access environment variables and use Invoke-Expression or its aliases. Tune these rules to your environment to reduce false positives.
• Investigate any alerts generated by these rules to determine if malicious activity is occurring.
• Monitor PowerShell execution for suspicious environment variable access and dynamic code execution.
• Implement application control to prevent the execution of unauthorized PowerShell scripts.
• Review and harden PowerShell execution policies to limit the attack surface.

]]>highadvisorypowershellenvironment-variableinvoke-expressionexecution