chore: pattern update 2026-03-22 — MAL-042, PINJ-005, 2 IOCs by kurtpayne · Pull Request #111 · kurtpayne/skillscan-security

kurtpayne · 2026-03-22T06:10:50Z

Pattern Update 2026-03-22

ID	Category	Severity	Title
`MAL-042`	malware_pattern	critical	OpenClaw wallet-draining phishing campaign (CLAW token scam)
`PINJ-005`	instruction_abuse	high	RoguePilot-style hidden HTML comment prompt injection

Domain	Type	Description
`token-claw.xyz`	phishing	OpenClaw CLAW token airdrop phishing domain
`watery-compost.today`	c2	C2 server for OpenClaw wallet-draining campaign

102_openclaw_wallet_draining_phishing: Demonstrates wallet-draining phishing with fake CLAW token airdrop
103_roguepilot_html_comment_injection: Demonstrates hidden HTML comment prompt injection targeting AI assistants

test_new_patterns_2026_03_22 — all assertions pass
Showcase scans confirmed: MAL-042 and PINJ-005 trigger on their respective showcase directories
ruff lint: clean on all changed files
3 pre-existing test failures (unrelated to this PR)

Version: 2026.03.22.1

New rules: - MAL-042: OpenClaw wallet-draining phishing campaign (CLAW token scam) - PINJ-005: RoguePilot-style hidden HTML comment prompt injection New IOCs: - token-claw.xyz (phishing domain) - watery-compost.today (C2 domain) New showcases: - 102_openclaw_wallet_draining_phishing - 103_roguepilot_html_comment_injection Sources: - https://news.bitcoin.com/wallet-draining-scam-targets-openclaw-community-with-fake-airdrop/ - https://orca.security/resources/blog/roguepilot-exploiting-github-copilot-for-a-repository-takeover/