Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe social-engineering and supply-chain style attacks that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the “Contagious Interview” campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as BeaverTail and OtterCookie for credential theft and remote access; GitLab reported banning 131 related accounts in 2025, with many repos using hidden loaders that fetched payloads from third-party services (e.g., Vercel) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on ClawHub (an OpenClaw AI agent “skills” repository) where attackers posted malicious troubleshooting comments containing Base64-encoded commands that download a loader from 91[.]92[.]242[.]30, remove macOS quarantine attributes, and install Atomic macOS (AMOS) infostealer—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact.
Research and incident writeups also highlight how indirect prompt injection and malicious open-source packages can compromise developer environments. NSFOCUS summarized a GitHub MCP cross-repository data leak scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., eslint-verify-plugin, duer-js) delivering multi-stage payloads including a macOS RAT (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on CVE-2023-46604 exploitation of Apache ActiveMQ leading to LockBit-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
Related Entities
Vulnerabilities
Threat Actors
Malware
Organizations
Affected Products
Sources
5 more from sources like register security, bleeping computer, cyber security news, checkpoint research blog and nsfocus global
Related Stories
AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation
Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.
4 weeks ago
AI Agent Prompt-Injection and Web-to-Agent Takeover Risks in Developer Tooling
Security research highlighted **web-to-agent takeover** and **prompt-injection** risks in modern AI developer tooling. Oasis Security reported a “complete vulnerability chain” in the open-source AI agent **OpenClaw** that allowed a malicious website a developer merely visited to silently seize control of the local agent—without plugins, browser extensions, or additional user interaction—leveraging the agent’s ability to execute system commands and manage workflows. The OpenClaw maintainers rated the issue **High** severity and issued a patch within 24 hours of disclosure. Separate research described **RoguePilot**, a scenario in which a *passive prompt injection* can abuse highly privileged AI assistance inside **GitHub Codespaces**. The write-up emphasizes that Codespaces environments commonly expose a repository-scoped `GITHUB_TOKEN` with write permissions and provide AI “tools” such as terminal execution and file operations (e.g., `run_in_terminal`, `file_read`, `create_file`), creating “God Mode” conditions where untrusted text can be interpreted as instructions and lead to repository compromise. A third item (a *Smashing Security* podcast episode) primarily covers unrelated stories (alleged CAPTCHA-based DDoS activity tied to an archiving service and other news) and does not materially contribute to the AI agent takeover/prompt-injection topic.
2 weeks ago
North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures
Reporting describes **North Korea–linked “Contagious Interview” activity** in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including **BeaverTail** and follow-on multi-platform backdoors/RATs), creating downstream **supply-chain risk** when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a **deepfake job applicant** and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts. The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a **malicious Open VSX extension** masquerading as an Angular language tool reached thousands of downloads and was reported to steal **GitHub/NPM credentials**, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the *Eclipse Theia* website repository (**CVE-2026-1699**), where a `pull_request_target` GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad `GITHUB_TOKEN` permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around **developer hiring workflows, developer tooling marketplaces, and CI pipelines** as converging attack surfaces for credential theft and supply-chain compromise.
1 months ago