SymJack and Malicious AI Skills Expose New Supply-Chain Risks for Coding Agents
Researchers disclosed SymJack AI, an attack technique that abuses symbolic links in repositories to trick AI coding assistants and automated development tools into writing to attacker-chosen destinations. A user may approve what appears to be a harmless file change, while the operating system follows a malicious symlink to alter configuration files and enable later command execution with the victim’s privileges. The technique raises concerns for local developer workstations and for CI/CD systems that automatically process untrusted pull requests, where compromised jobs could expose cloud credentials, deploy keys, and other sensitive secrets.
Separate research found that public AI skill marketplaces remain vulnerable to simple malicious submissions that evade automated scanning. Trail of Bits reported bypassing multiple skill scanners with proof-of-concept packages that used oversized files, hidden content in .docx archives, poisoned .pyc bytecode, and prompt-injection-style social engineering to disguise malicious behavior. The findings indicate that both repository-based coding agents and downloadable agent skills can become supply-chain entry points, prompting calls for stricter validation of resolved file paths, tighter controls on configuration writes, monitoring of runtime behavior, review of pull requests that modify agent setup, and the use of curated internal skill sources instead of public marketplaces for sensitive environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
SymJack AI attack technique is publicly reported
A newly reported attack technique called SymJack AI was disclosed as a way to abuse symbolic links in repositories to achieve remote code execution through AI coding assistants and automated development tools. The report warned that the technique could also threaten CI/CD pipelines that process untrusted code.
Trail of Bits reports malicious AI skill scanner bypasses
Trail of Bits published research showing that multiple AI skill scanners could be bypassed using four proof-of-concept malicious skills, including techniques involving file truncation, hidden content in a .docx archive, poisoned .pyc bytecode, and prompt-injection-style social engineering.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Hidden Prompt-Injection and Supply-Chain Backdoors in AI Agent Skills
Security researchers are warning that *AI agent “Skills”* (markdown/YAML instruction packages that extend agent capabilities) are becoming a **supply-chain risk** due to hidden prompt-injection content that can survive human review. A demonstrated technique uses **invisible Unicode Tag codepoints** embedded in skill files to smuggle instructions that some models interpret as executable guidance, enabling outcomes such as **data exfiltration**, prompt injection, and other malicious behavior when the skill is invoked; a basic scanner was also built to help detect these hidden-instruction patterns. Separate reporting highlighted broader evidence of the same threat pattern across agent ecosystems: Simula Research Laboratory identified **hidden prompt-injection attacks** in a measurable portion of sampled content on a platform referenced as Moltbook, and Cisco researchers documented a malicious agent skill (“**What Would Elon Do?**”) that **exfiltrated data to external servers** while being artificially boosted to appear as a top-ranked skill. Researchers also anticipate the emergence of **self-replicating adversarial prompts** (“prompt worms/viruses”) that could propagate through networks of communicating AI agents, amplifying the impact of compromised skills and poisoned instruction content.
Mar 21, 2026
Malicious code and prompt-injection attacks targeting developers and AI-agent ecosystems
Multiple reports describe **social-engineering and supply-chain style attacks** that trick developers or AI-agent users into executing attacker-controlled instructions. North Korean operators have been linked to the **“Contagious Interview”** campaign, in which fake recruiter personas lure software developers into running “technical interview” projects that deploy malware such as **BeaverTail** and **OtterCookie** for credential theft and remote access; GitLab reported banning **131 related accounts** in 2025, with many repos using **hidden loaders** that fetched payloads from third-party services (e.g., *Vercel*) rather than hosting malware directly. Separately, OpenGuardrails reported a campaign on *ClawHub* (an OpenClaw AI agent “skills” repository) where attackers posted **malicious troubleshooting comments** containing Base64-encoded commands that download a loader from `91[.]92[.]242[.]30`, remove macOS quarantine attributes, and install **Atomic macOS (AMOS) infostealer**—a delivery method that can evade package-focused scanning because the payload is in comments, not the skill artifact. Research and incident writeups also highlight how **indirect prompt injection** and **malicious open-source packages** can compromise developer environments. NSFOCUS summarized a GitHub **MCP cross-repository data leak** scenario where attacker-injected instructions in public Issues could cause locally running AI agents to exfiltrate private repo data when agents act with broad GitHub permissions, and cited a similar hidden-command issue affecting an AI browser’s page summarization workflow. JFrog reported malicious npm packages (e.g., `eslint-verify-plugin`, `duer-js`) delivering multi-stage payloads including a **macOS RAT** (Mythic/Apfell) and a Windows infostealer, reinforcing ongoing risk from poisoned dependencies. In contrast, a DFIR case study on **CVE-2023-46604** exploitation of Apache ActiveMQ leading to **LockBit**-style ransomware, and a Medium post on recon/content-discovery techniques, are separate topics and not part of the AI-agent/developer social-engineering thread.
May 15, 2026
Malicious AI Agent Skills Abused for Crypto Theft and macOS AMOS Delivery
Researchers reported multiple campaigns abusing *AI agent “skills”* as a new supply-chain-like initial access vector. In one case, a malicious ClawHub skill (`bob-p2p`) masqueraded as a decentralized API marketplace and was promoted via the AI-agent social platform *Moltbook*; once installed, it caused agents to retain **plaintext Solana private keys** and execute transactions that bought worthless `$BOB` tokens while routing value to attacker-controlled infrastructure. Staiker researchers and analyst Dan Regalado highlighted that agent-to-agent collaboration, shared workflows, and dependency chains can enable **lateral movement without direct human interaction**, making the technique repeatable and scalable beyond crypto-wallet theft. Separately, Trend Micro described a shift in **Atomic macOS Stealer (AMOS)** distribution from cracked software to **malicious OpenClaw skills** hosted across ClawHub, SkillsMP, and GitHub. The campaign used seemingly benign `SKILL.md` instructions to trick models/users into installing a fake prerequisite (“OpenClawCLI”) from an external site; if followed, the workflow fetched and executed a **Base64-encoded command** that dropped a **Mach-O universal binary** (Intel and Apple Silicon). Trend Micro reported 39 malicious skills uploaded across repositories and stated that more than **2,200** malicious skills were ultimately found on GitHub, with AMOS targeting credentials, browser data, crypto wallets, Telegram data, VPN profiles, Apple Keychain items, and common user folders—underscoring that AI-agent ecosystems are becoming a practical malware delivery and data-theft channel.
May 8, 2026