AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing AI-adjacent and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a SmartLoader campaign that trojanized a legitimate-looking Model Context Protocol (MCP) server tied to Oura by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed StealC to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (TrustBastion) was hosted via Hugging Face repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused Atlassian Jira Cloud email reputation and Keitaro TDS redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos.
In parallel, research highlights emerging risks where AI agents and AI-enabled workflows become the target or the transport layer. Check Point demonstrated “AI as a proxy,” where web-enabled assistants (e.g., Grok, Microsoft Copilot) can be coerced into acting as covert C2 relays, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a log-poisoning / indirect prompt-injection weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive OpenClaw configuration artifacts (e.g., openclaw.json tokens, device.json keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
Related Entities
Malware
Organizations
Sources
1 more from sources like techrepublic com security
Related Stories
AI-Enabled Threats and Security Failures Across Edge Devices, AI Agents, and Infostealer Campaigns
Threat actors are increasingly operationalizing AI and automation to scale attacks and exploit weak controls across both enterprise and consumer environments. An open-source offensive platform dubbed **CyberStrikeAI**—a Go-based “AI-native security testing” framework integrating 100+ tools—was observed in infrastructure used to target **Fortinet FortiGate** edge devices at scale; researchers linked activity to an IP (212.11.64.250) exposing a `CyberStrikeAI` banner and to scanning/communications patterns consistent with mass exploitation. Separately, a newly disclosed and rapidly patched **OpenClaw** vulnerability showed how AI agent tooling can be hijacked: researchers reported that a malicious website could take over a developer’s locally running agent due to inadequate trust-boundary validation, prompting urgent upgrades to **OpenClaw v2026.2.25+**. In parallel, a “vibe-coding” hosted app on the *Lovable* platform leaked data impacting **18,000+ users** after a researcher found **16 flaws (six critical)** tied to mis-implemented backend controls (including missing/incorrect row-level security in *Supabase*), enabling unauthorized access to records and actions like bulk email and account deletion. Criminal monetization also continues to evolve beyond AI-agent risks. **AuraStealer**, a Russian-language infostealer positioned as a successor/competitor after Lumma disruptions, was advertised on multiple underground forums and is supported by a sizable C2 footprint; analysis of 200+ samples identified **48 C2 domains**, with operators abusing low-cost TLDs (e.g., `.shop`, `.cfd`) and using **Cloudflare** as a reverse proxy to mask origin infrastructure. Broader reporting and commentary reinforced that identity and access failures remain a dominant breach driver and that AI adoption is expanding the attack surface via over-privileged agents and “shadow AI,” while ransomware operators increasingly target recovery paths (including backups) and dwell to corrupt restore points. Several items in the set were non-incident thought leadership or workforce content (skills gap, jobs listings, awards, and general AI security tips) and did not add event-specific technical details beyond high-level risk framing.
2 weeks ago
Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe **social-engineering and supply-chain style attacks** that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the **“Contagious Interview”** campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as **BeaverTail** and **OtterCookie** for credential theft and remote access; GitLab reported banning **131 related accounts** in 2025, with many repos using **hidden loaders** that fetched payloads from third-party services (e.g., *Vercel*) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on *ClawHub* (an OpenClaw AI agent “skills” repository) where attackers posted **malicious troubleshooting comments** containing Base64-encoded commands that download a loader from `91[.]92[.]242[.]30`, remove macOS quarantine attributes, and install **Atomic macOS (AMOS) infostealer**—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact. Research and incident writeups also highlight how **indirect prompt injection** and **malicious open-source packages** can compromise developer environments. NSFOCUS summarized a GitHub **MCP cross-repository data leak** scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., `eslint-verify-plugin`, `duer-js`) delivering multi-stage payloads including a **macOS RAT** (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on **CVE-2023-46604** exploitation of Apache ActiveMQ leading to **LockBit**-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
2 weeks ago
AI-Enabled Phishing and Malware Delivery Trends
Security researchers and industry commentary describe a broader rise in **AI-assisted cybercrime**, with attackers using generative AI to improve phishing lures, clone legitimate login pages, and scale social-engineering operations. Reporting highlights that phishing remains a leading initial access vector, while **phishing-as-a-service** and AI-generated content are making campaigns more convincing and easier to produce at volume. IBM similarly warns that AI is acting as a force multiplier for attackers, lowering the cost of malware development and enabling more disposable, harder-to-attribute malicious tooling. Kaspersky documented active campaigns in which threat actors used **Google Search ads** and fake documentation pages to distribute the **AMOS** infostealer on macOS and **Amatera** on Windows, disguising the malware as popular AI tools including **OpenClaw**, **Claude Code**, and **Doubao**. By contrast, ZDNET's article focuses on the business and product-security shortcomings of Moltbook and OpenClaw acquisitions rather than a specific threat campaign, making it adjacent but not part of the same security event. The material overall is **not fluff** because it includes substantive threat reporting and technical security analysis, even though the references describe related developments rather than one discrete incident.
4 days ago