AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing AI-adjacent and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a SmartLoader campaign that trojanized a legitimate-looking Model Context Protocol (MCP) server tied to Oura by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed StealC to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (TrustBastion) was hosted via Hugging Face repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused Atlassian Jira Cloud email reputation and Keitaro TDS redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos.
In parallel, research highlights emerging risks where AI agents and AI-enabled workflows become the target or the transport layer. Check Point demonstrated “AI as a proxy,” where web-enabled assistants (e.g., Grok, Microsoft Copilot) can be coerced into acting as covert C2 relays, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a log-poisoning / indirect prompt-injection weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive OpenClaw configuration artifacts (e.g., openclaw.json tokens, device.json keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Check Point demonstrates AI assistants abused as covert C2 proxies
Check Point Research published a proof of concept showing that web-based AI assistants such as Grok and Microsoft Copilot can be used as bidirectional command-and-control relays through their URL-fetching features. The researchers also built a C++ implant using WebView2 to automate the technique and argued it could enable more adaptive AI-driven malware.
Researchers publish details of OpenClaw log-poisoning risk
A report described how unsanitized WebSocket headers such as Origin and User-Agent could poison OpenClaw logs and later influence agent behavior if those logs were reused as troubleshooting context. The disclosure also noted that thousands of OpenClaw instances appeared exposed on the default port, increasing the attack surface.
Straiker discloses SmartLoader campaign using trojanized Oura MCP server
Researchers reported a SmartLoader operation that cloned a legitimate Oura MCP server, built false credibility through fake GitHub activity, and listed the malicious package in an MCP registry. Victims who ran the archive triggered SmartLoader, which deployed the StealC infostealer to steal credentials, browser data, and cryptocurrency wallet information.
Hudson Rock reveals infostealer theft of OpenClaw agent configuration
Researchers disclosed an infostealer incident in which a victim’s OpenClaw environment was exfiltrated, including gateway tokens, cryptographic keys, and agent memory or context files. The case highlighted that malware is beginning to capture AI agent data in addition to traditional browser credentials.
Trend Micro reports Jira Cloud email abuse to Atlassian
After analyzing the spam operation, Trend Micro reported the abuse of Atlassian Jira Cloud infrastructure to Atlassian’s security team. The researchers said the campaign relied on legitimate Atlassian Cloud instances rather than compromised servers.
Researchers identify TrustBastion fake antivirus Android malware campaign
Researchers uncovered an Android malware campaign distributing spyware disguised as a legitimate antivirus app called 'TrustBastion' and hosted in public Hugging Face repositories. After installation, the app uses fake infection alerts to trigger an 'update' that activates capabilities including screenshot capture, lock-screen PIN theft, and banking credential overlays.
OpenClaw patches log-poisoning vulnerability in version 2026.2.13
OpenClaw fixed a log-poisoning flaw affecting versions prior to 2026.2.13 that allowed crafted WebSocket headers to be written into logs and potentially later ingested by the AI agent as trusted context. The issue could enable indirect prompt injection on exposed instances.
Jira Cloud spam campaign targets organizations worldwide
From late December 2025 through late January 2026, threat actors abused Atlassian Jira Cloud’s notification system and trusted email domain to send automated spam to government and corporate targets in multiple languages. The campaign used disposable Atlassian instances and Keitaro TDS redirect chains to funnel victims to investment scam and online casino pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
AI in the Middle: Turning Web-Based AI Services into C2 Proxies & The Future Of AI Driven Attacks - Check Point Research
research.checkpoint.com
Open sourceCritical “Log Poisoning” Vulnerability in OpenClaw AI Agent Allows Malicious Content Injection
cybersecuritynews.com
Open sourceSmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer
thehackernews.com
Open sourceHackers steal OpenClaw configuration in emerging AI agent threat
securityaffairs.com
Open sourceSpam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities | Trend Micro (US)
trendmicro.com
Open sourceFake 'Antivirus' App Spreads Android Malware, Steals Banking Credentials - TechRepublic
techrepublic.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI-Enabled Threats and Security Failures Across Edge Devices, AI Agents, and Infostealer Campaigns
Threat actors are increasingly operationalizing AI and automation to scale attacks and exploit weak controls across both enterprise and consumer environments. An open-source offensive platform dubbed **CyberStrikeAI**—a Go-based “AI-native security testing” framework integrating 100+ tools—was observed in infrastructure used to target **Fortinet FortiGate** edge devices at scale; researchers linked activity to an IP (212.11.64.250) exposing a `CyberStrikeAI` banner and to scanning/communications patterns consistent with mass exploitation. Separately, a newly disclosed and rapidly patched **OpenClaw** vulnerability showed how AI agent tooling can be hijacked: researchers reported that a malicious website could take over a developer’s locally running agent due to inadequate trust-boundary validation, prompting urgent upgrades to **OpenClaw v2026.2.25+**. In parallel, a “vibe-coding” hosted app on the *Lovable* platform leaked data impacting **18,000+ users** after a researcher found **16 flaws (six critical)** tied to mis-implemented backend controls (including missing/incorrect row-level security in *Supabase*), enabling unauthorized access to records and actions like bulk email and account deletion. Criminal monetization also continues to evolve beyond AI-agent risks. **AuraStealer**, a Russian-language infostealer positioned as a successor/competitor after Lumma disruptions, was advertised on multiple underground forums and is supported by a sizable C2 footprint; analysis of 200+ samples identified **48 C2 domains**, with operators abusing low-cost TLDs (e.g., `.shop`, `.cfd`) and using **Cloudflare** as a reverse proxy to mask origin infrastructure. Broader reporting and commentary reinforced that identity and access failures remain a dominant breach driver and that AI adoption is expanding the attack surface via over-privileged agents and “shadow AI,” while ransomware operators increasingly target recovery paths (including backups) and dwell to corrupt restore points. Several items in the set were non-incident thought leadership or workforce content (skills gap, jobs listings, awards, and general AI security tips) and did not add event-specific technical details beyond high-level risk framing.
Mar 21, 2026
Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe **social-engineering and supply-chain style attacks** that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the **“Contagious Interview”** campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as **BeaverTail** and **OtterCookie** for credential theft and remote access; GitLab reported banning **131 related accounts** in 2025, with many repos using **hidden loaders** that fetched payloads from third-party services (e.g., *Vercel*) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on *ClawHub* (an OpenClaw AI agent “skills” repository) where attackers posted **malicious troubleshooting comments** containing Base64-encoded commands that download a loader from `91[.]92[.]242[.]30`, remove macOS quarantine attributes, and install **Atomic macOS (AMOS) infostealer**—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact. Research and incident writeups also highlight how **indirect prompt injection** and **malicious open-source packages** can compromise developer environments. NSFOCUS summarized a GitHub **MCP cross-repository data leak** scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., `eslint-verify-plugin`, `duer-js`) delivering multi-stage payloads including a **macOS RAT** (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on **CVE-2023-46604** exploitation of Apache ActiveMQ leading to **LockBit**-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
May 15, 2026
AI-Enabled Phishing and Malware Delivery Trends
Security researchers and industry commentary describe a broader rise in **AI-assisted cybercrime**, with attackers using generative AI to improve phishing lures, clone legitimate login pages, and scale social-engineering operations. Reporting highlights that phishing remains a leading initial access vector, while **phishing-as-a-service** and AI-generated content are making campaigns more convincing and easier to produce at volume. IBM similarly warns that AI is acting as a force multiplier for attackers, lowering the cost of malware development and enabling more disposable, harder-to-attribute malicious tooling. Kaspersky documented active campaigns in which threat actors used **Google Search ads** and fake documentation pages to distribute the **AMOS** infostealer on macOS and **Amatera** on Windows, disguising the malware as popular AI tools including **OpenClaw**, **Claude Code**, and **Doubao**. By contrast, ZDNET's article focuses on the business and product-security shortcomings of Moltbook and OpenClaw acquisitions rather than a specific threat campaign, making it adjacent but not part of the same security event. The material overall is **not fluff** because it includes substantive threat reporting and technical security analysis, even though the references describe related developments rather than one discrete incident.
Mar 21, 2026