New Malware Technique Hides Inside AI Coding Assistant Plugins

Researchers found that modified malware placed inside AI coding assistant plugins bypassed eight major security scanners more than 80 percent of the time.

CSBadmin
4 Min Read

Stealthy Plugins Evade Security Scanners

A new type of malicious software is targeting AI coding assistants by hiding inside add on packages called agent skills. These skills function as plugins for tools like Claude Code and OpenAI Codex, allowing AI agents to gain new capabilities. Because these packages are easy to create and share, their use has grown rapidly, with one marketplace hosting over 40,000 skills shortly after the format launched in late 2025. This growth has made them an attractive target for attackers.

A skill runs with the same system access as the AI agent that loads it, meaning it can reach a developer’s files, stored passwords, and connected accounts. Cybercriminals have already exploited this access to steal browser credentials, SSH keys, and cryptocurrency wallet data by disguising malicious code within helpful looking skills.

How Attackers Conceal Their Code

Researchers built a tool called SkillCloak to test whether existing security scanners could catch disguised malware. The results showed that across eight widely used scanners and over 1,600 real malicious skills, the cloaked versions slipped through almost every time. The evasion relies on two main techniques. Structural Obfuscation rewrites suspicious commands, web addresses, or references to passwords into forms that appear harmless to scanners. The more effective method, Self Extracting Skill Packing, hides malicious code in an ignored folder or scrambled data block where scanners never look. The payload is only rebuilt when the AI agent actually runs the skill.

Testing revealed that the packing trick defeated every scanner examined more than 90 percent of the time, while the disguise trick alone fooled most tools over 80 percent of the time. This demonstrates a fundamental weakness: today’s scanners mostly judge a skill by its appearance, not by its actual behavior once installed.

Real World Attacks and Defenses

This threat is not theoretical. A campaign called ClawHavoc planted hundreds of malicious skills on a public marketplace, with some reports counting over 300 poisoned packages. Victims unknowingly ran an information stealer that quietly grabbed saved logins, keychain passwords, and wallet files. Security researchers advise letting no agent auto run setup steps from a skill without first reviewing them, and treating unfamiliar skills like unknown software packages.

To combat this gap in traditional scanning, researchers also built a tool called SkillDetonate. Instead of judging a skill by its appearance, it runs the skill in a sandbox and watches what actually happens, tracking file access, network calls, and data movement in real time. This behavior based approach caught the vast majority of malicious skills, including those that had slipped past every static scanner before it. For users, checking a skill’s code before installation is no longer sufficient. Running unfamiliar skills in an isolated environment, watching for unusual network activity, and limiting what folders and credentials an agent can access are now essential habits.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.