Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,000 Agents
Cybersecurity NewsArchived Jun 24, 2026✓ Full text saved
A malicious AI “skill” created as part of a controlled security experiment has exposed critical weaknesses in modern AI agent ecosystems, successfully bypassing security scanners and compromising more than 26,000 agents across individual and enterprise environments. According to researcher Niv Hoffman, the attack began with the creation of a seemingly legitimate AI skill named “brand-landingpage,” […] The post Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,00
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeAI
Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,000 Agents
By Abinaya
June 24, 2026
A malicious AI “skill” created as part of a controlled security experiment has exposed critical weaknesses in modern AI agent ecosystems, successfully bypassing security scanners and compromising more than 26,000 agents across individual and enterprise environments.
According to researcher Niv Hoffman, the attack began with the creation of a seemingly legitimate AI skill named “brand-landingpage,” marketed as a no-code tool for building visually appealing product landing pages using Google’s Stitch platform.
The skill delivered real functionality, which helped build trust among non-technical users such as marketers, designers, and sales teams.
Within a short time, it spread rapidly through open marketplaces, GitHub repositories, and social media promotions.
To increase credibility, the researchers strategically merged the malicious skill into a popular GitHub-based plugin marketplace containing tens of thousands of stars.
This allowed the project to inherit a strong reputation signal, making it appear trustworthy to both users and automated systems.
The agent checks if stitch-sdk is installed and installs it only if necessary ( source : air.security )
Additionally, widely used AI security scanners, including those from major vendors, analyzed the skill and flagged it as safe, further reinforcing user confidence.
Malicious AI Agent Skill Bypasses
However, the attack did not rely on traditional malware techniques. Instead, it exploited a fundamental design flaw in how AI skills are evaluated.
Most security scanners focus only on the local contents of a skill, such as configuration files and embedded instructions.
They do not fully inspect external resources referenced by the skill, such as documentation links or installation guides.
The malicious skill leveraged this gap by directing AI agents to an external domain that mimicked legitimate Stitch documentation.
Initially, the domain redirected to a legitimate site, leading early inspections to appear harmless. Once the skill gained traction, the researchers replaced the external content with modified instructions that guided agents to download and execute a script.
Turning our benign UI design skill into a malicious campaign was as simple as flipping a switch ( source : air.security )
Because AI agents treat external documentation as trusted input, they followed these instructions without suspicion.
In this experiment, the script only collected user email addresses to demonstrate impact. However, the same technique could have been used to execute arbitrary code, exfiltrate sensitive data, or gain persistent access to enterprise systems.
The results were significant. More than 26,000 agents installed the skill, including those connected to corporate environments.
The researcher Niv Hoffman confirmed they could have accessed private conversations, internal tools, and other sensitive resources available to those agents. Despite this level of access, all security scanners involved failed to detect any malicious behavior.
This incident highlights a growing supply chain risk within AI ecosystems. Unlike traditional software, AI skills can dynamically change behavior by modifying external content after installation.
As a result, a one-time security scan provides only a snapshot of the current state. It does not account for future changes to linked resources.
For enterprises, the implications are serious. Many organizations already allow employees to install AI add-ons without centralized oversight, creating an unmonitored attack surface.
Since these agents often operate with broad permissions, a single malicious actor can cause widespread compromise.
Security experts recommend shifting toward continuous monitoring of AI agent behavior, enforcing centralized approval for third-party skills, and expanding scanning capabilities to include external dependencies.
Without these changes, AI agent platforms may remain vulnerable to large-scale attacks that exploit trust rather than technical vulnerabilities.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Bajaj Auto Hit by a Ransomware Attack – Internal Systems Affected
29-Year-Old ‘Squidbleed’ Vulnerability Discovered With the Aid of Claude Mythos Preview
Anthropic’s Mythos AI Model Reportedly Breached NSA Classified Systems in Hours
GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions
Malicious GST Debit Note Attachment Deploys Remcos RAT Through Multi-Stage Loader
Latest News
Cyber Security News
GTA 6 Scam Websites Use AI-Generated Images and Fake Download Buttons to Lure Gamers
Cyber Security News
FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials
Cyber Security
How Attackers Exploit Privileged Access and How to Lock Them Out
Cisco
Critical Cisco Unified CM and SME Flaw Enables Remote Attacker to Launch SSRF Attacks
Cyber Security
CISA Warns of Ubiquiti UniFi OS Vulnerability Actively Exploited in Attacks