CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 24, 2026

Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,000 Agents

Cybersecurity News Archived Jun 24, 2026 ✓ Full text saved

A malicious AI “skill” created as part of a controlled security experiment has exposed critical weaknesses in modern AI agent ecosystems, successfully bypassing security scanners and compromising more than 26,000 agents across individual and enterprise environments. According to researcher Niv Hoffman, the attack began with the creation of a seemingly legitimate AI skill named “brand-landingpage,” […] The post Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,00

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeAI Malicious AI Agent Skill Bypasses Security Scans and Seizes Full Control of Over 26,000 Agents By Abinaya June 24, 2026 A malicious AI “skill” created as part of a controlled security experiment has exposed critical weaknesses in modern AI agent ecosystems, successfully bypassing security scanners and compromising more than 26,000 agents across individual and enterprise environments. According to researcher Niv Hoffman, the attack began with the creation of a seemingly legitimate AI skill named “brand-landingpage,” marketed as a no-code tool for building visually appealing product landing pages using Google’s Stitch platform. The skill delivered real functionality, which helped build trust among non-technical users such as marketers, designers, and sales teams. Within a short time, it spread rapidly through open marketplaces, GitHub repositories, and social media promotions. To increase credibility, the researchers strategically merged the malicious skill into a popular GitHub-based plugin marketplace containing tens of thousands of stars. This allowed the project to inherit a strong reputation signal, making it appear trustworthy to both users and automated systems. The agent checks if stitch-sdk is installed and installs it only if necessary ( source : air.security ) Additionally, widely used AI security scanners, including those from major vendors, analyzed the skill and flagged it as safe, further reinforcing user confidence. Malicious AI Agent Skill Bypasses However, the attack did not rely on traditional malware techniques. Instead, it exploited a fundamental design flaw in how AI skills are evaluated. Most security scanners focus only on the local contents of a skill, such as configuration files and embedded instructions. They do not fully inspect external resources referenced by the skill, such as documentation links or installation guides. The malicious skill leveraged this gap by directing AI agents to an external domain that mimicked legitimate Stitch documentation. Initially, the domain redirected to a legitimate site, leading early inspections to appear harmless. Once the skill gained traction, the researchers replaced the external content with modified instructions that guided agents to download and execute a script. Turning our benign UI design skill into a malicious campaign was as simple as flipping a switch ( source : air.security ) Because AI agents treat external documentation as trusted input, they followed these instructions without suspicion. In this experiment, the script only collected user email addresses to demonstrate impact. However, the same technique could have been used to execute arbitrary code, exfiltrate sensitive data, or gain persistent access to enterprise systems. The results were significant. More than 26,000 agents installed the skill, including those connected to corporate environments. The researcher Niv Hoffman confirmed they could have accessed private conversations, internal tools, and other sensitive resources available to those agents. Despite this level of access, all security scanners involved failed to detect any malicious behavior. This incident highlights a growing supply chain risk within AI ecosystems. Unlike traditional software, AI skills can dynamically change behavior by modifying external content after installation. As a result, a one-time security scan provides only a snapshot of the current state. It does not account for future changes to linked resources. For enterprises, the implications are serious. Many organizations already allow employees to install AI add-ons without centralized oversight, creating an unmonitored attack surface. Since these agents often operate with broad permissions, a single malicious actor can cause widespread compromise. Security experts recommend shifting toward continuous monitoring of AI agent behavior, enforcing centralized approval for third-party skills, and expanding scanning capabilities to include external dependencies. Without these changes, AI agent platforms may remain vulnerable to large-scale attacks that exploit trust rather than technical vulnerabilities. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Bajaj Auto Hit by a Ransomware Attack – Internal Systems Affected 29-Year-Old ‘Squidbleed’ Vulnerability Discovered With the Aid of Claude Mythos Preview Anthropic’s Mythos AI Model Reportedly Breached NSA Classified Systems in Hours GitBait Phishing Campaign Abuses GitHub Pages to Attack Financial Institutions Malicious GST Debit Note Attachment Deploys Remcos RAT Through Multi-Stage Loader Latest News Cyber Security News GTA 6 Scam Websites Use AI-Generated Images and Fake Download Buttons to Lure Gamers Cyber Security News FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials Cyber Security How Attackers Exploit Privileged Access and How to Lock Them Out  Cisco Critical Cisco Unified CM and SME Flaw Enables Remote Attacker to Launch SSRF Attacks Cyber Security CISA Warns of Ubiquiti UniFi OS Vulnerability Actively Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 24, 2026
    Archived
    Jun 24, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗