Malware Disguised as AI Code Assistant Plugins Evades Security Scans, Threatening Developers
A new wave of malware is bypassing security measures designed for AI code assistants like Claude Code and OpenAI Codex. Researchers have discovered malicious programs hidden within 'proxy skill packages' that can evade automated scans while retaining their full malicious capabilities.
MundiX News·08 de julho de 2026·6 min de leitura·👁 1 views
A novel class of malware is capable of circumventing the security protections accompanying mainstream AI code assistants, enabling covert attacks. Researchers have identified malicious programs concealed within 'proxy skill packages' – small extension plugins used by tools such as Claude Code and OpenAI Codex – that can evade automated security scanning and detection through obfuscation and modification, while fully preserving their malicious execution logic.
Proxy skills are essentially equivalent to plugins, designed to extend the functionality of AI code agents on demand. These skill packages are typically distributed in folder formats, containing natural language configuration instructions, execution scripts, and supporting resource files. The low barrier to entry and ease of distribution for these skill packages have led to a rapid proliferation; within months of the format's official release in late 2025, the number of skills available on a public platform surpassed 40,000. This vast inventory makes them a prime target for attackers. When a skill package runs, it inherits all the permissions of the AI agent that loaded it, granting direct access to the developer's local files, saved account credentials, and various third-party linked accounts. Attackers have already exploited these permission vulnerabilities to deploy malicious skill packages disguised as useful tools, stealing browser login credentials, SSH private keys, and even cryptocurrency wallet data.
The Arxiv research team has released a special report to 'Cybersecurity News' (CSN), detailing the practical testing process of this threat. The team developed a tool called SkillCloak to verify whether existing skill scanning tools can identify disguised malicious programs. The test results are highly alarming: the research collected over 1,600 real-world malicious skill samples found in the wild and tested them against eight mainstream scanning tools. After undergoing disguise processing, nearly all malicious samples successfully bypassed detection. The team also confirmed that the code obfuscation process does not impair the original functionality of the malicious code. When a disguised malicious skill package is integrated into a real code agent environment and executed, the malicious payload can fully perform its preset data-stealing actions, with no functional loss for the attacker employing these evasion techniques.
Two Core Techniques for Attack Evasion
The scanning evasion techniques employed by this type of malware rely on two core methods:
The first is Structural Obfuscation, which involves equivalent rewriting of high-risk content (such as suspicious system commands, malicious domain names, or password-related function calls). After rewriting, the program's execution logic remains unchanged, but scanning tools are unable to identify the risky features. The second evasion method, named Self-Extracting Skill Encapsulation, offers stronger evasion. It goes beyond simple text obfuscation of malicious code by hiding the complete malicious payload in scanning blind spots, such as directories that scanning tools typically ignore or within encrypted garbled data blocks. The malicious code is only dynamically restored and released when the AI agent actually launches the skill package. During the static detection phase, scanning tools cannot read the actual attack payload, leaving virtually no detectable risk features.
Test data indicates that the encapsulation evasion method achieved a bypass success rate of over 90% for all tested scanning tools. Even using only structural obfuscation managed to fool over 80% of detection tools. This vulnerability exposes fundamental flaws in existing detection systems: current mainstream scanning tools rely solely on the static text characteristics of skill packages for judgment and cannot identify their actual malicious behavior after installation and execution.
Real-World Attack Examples Serve as a Warning
This threat is not merely theoretical. An attack group known as ClawHavoc has already deployed hundreds of malicious skill packages in public skill marketplaces. Statistics show that the number of compromised program packages exceeds 300, with the scale of affected samples being even higher across different ecosystems. Once a developer unknowingly installs such a malicious skill, their device will silently run information-stealing programs in the background, systematically pilfering local login records, credential passwords, and cryptocurrency wallet files.
Researchers reviewing similar security incidents unanimously recommend protective measures: strictly prohibit AI agents from automatically executing configuration scripts embedded within skill packages and always manually review script content. Treat skill packages from unknown sources with the same high level of vigilance as unfamiliar third-party programs from the internet. To address the shortcomings of traditional static scanning tools, the research team has also developed a detection tool called SkillDetonate. This tool abandons static text feature judgment logic and instead deploys skill packages into an isolated sandbox environment for dynamic execution, continuously monitoring behaviors such as file read/write, network outbound connections, and data exfiltration.
In testing, this behavior-based analysis detection solution successfully intercepted the vast majority of malicious skill packages, including all disguised malicious samples that bypassed static scanners. Core Security Conclusions for AI Code Tool Users
All developers using AI code assistance tools must remember the core protection principles: while manual review of skill source code before installation is still necessary, source code review alone is no longer sufficient to defend against new types of attacks. Pre-running unfamiliar skill packages in an isolated environment, continuously monitoring for abnormal network outbound connections, and strictly limiting the local directories and credential permissions accessible by AI agents have transitioned from optional protective measures to essential security operational practices.
🛡️⚡
Pare de pesquisar. Comece a hackear.
O MundiX é seu copiloto de pentest com IA: comandos exatos, análise de outputs e próximo passo na kill chain — em segundos.
Sem cartão para começar · Planos a partir de R$49/mês
A novel class of malware is capable of circumventing the security protections accompanying mainstream AI code assistants, enabling covert attacks. Researchers have identified malicious programs concealed within 'proxy skill packages' – small extension plugins used by tools such as Claude Code and OpenAI Codex – that can evade automated security scanning and detection through obfuscation and modification, while fully preserving their malicious execution logic.
Proxy skills are essentially equivalent to plugins, designed to extend the functionality of AI code agents on demand. These skill packages are typically distributed in folder formats, containing natural language configuration instructions, execution scripts, and supporting resource files. The low barrier to entry and ease of distribution for these skill packages have led to a rapid proliferation; within months of the format's official release in late 2025, the number of skills available on a public platform surpassed 40,000. This vast inventory makes them a prime target for attackers. When a skill package runs, it inherits all the permissions of the AI agent that loaded it, granting direct access to the developer's local files, saved account credentials, and various third-party linked accounts. Attackers have already exploited these permission vulnerabilities to deploy malicious skill packages disguised as useful tools, stealing browser login credentials, SSH private keys, and even cryptocurrency wallet data.
The Arxiv research team has released a special report to 'Cybersecurity News' (CSN), detailing the practical testing process of this threat. The team developed a tool called SkillCloak to verify whether existing skill scanning tools can identify disguised malicious programs. The test results are highly alarming: the research collected over 1,600 real-world malicious skill samples found in the wild and tested them against eight mainstream scanning tools. After undergoing disguise processing, nearly all malicious samples successfully bypassed detection. The team also confirmed that the code obfuscation process does not impair the original functionality of the malicious code. When a disguised malicious skill package is integrated into a real code agent environment and executed, the malicious payload can fully perform its preset data-stealing actions, with no functional loss for the attacker employing these evasion techniques.
Two Core Techniques for Attack Evasion
The scanning evasion techniques employed by this type of malware rely on two core methods:
The first is Structural Obfuscation, which involves equivalent rewriting of high-risk content (such as suspicious system commands, malicious domain names, or password-related function calls). After rewriting, the program's execution logic remains unchanged, but scanning tools are unable to identify the risky features. The second evasion method, named Self-Extracting Skill Encapsulation, offers stronger evasion. It goes beyond simple text obfuscation of malicious code by hiding the complete malicious payload in scanning blind spots, such as directories that scanning tools typically ignore or within encrypted garbled data blocks. The malicious code is only dynamically restored and released when the AI agent actually launches the skill package. During the static detection phase, scanning tools cannot read the actual attack payload, leaving virtually no detectable risk features.
Test data indicates that the encapsulation evasion method achieved a bypass success rate of over 90% for all tested scanning tools. Even using only structural obfuscation managed to fool over 80% of detection tools. This vulnerability exposes fundamental flaws in existing detection systems: current mainstream scanning tools rely solely on the static text characteristics of skill packages for judgment and cannot identify their actual malicious behavior after installation and execution.
Real-World Attack Examples Serve as a Warning
This threat is not merely theoretical. An attack group known as ClawHavoc has already deployed hundreds of malicious skill packages in public skill marketplaces. Statistics show that the number of compromised program packages exceeds 300, with the scale of affected samples being even higher across different ecosystems. Once a developer unknowingly installs such a malicious skill, their device will silently run information-stealing programs in the background, systematically pilfering local login records, credential passwords, and cryptocurrency wallet files.
Researchers reviewing similar security incidents unanimously recommend protective measures: strictly prohibit AI agents from automatically executing configuration scripts embedded within skill packages and always manually review script content. Treat skill packages from unknown sources with the same high level of vigilance as unfamiliar third-party programs from the internet. To address the shortcomings of traditional static scanning tools, the research team has also developed a detection tool called SkillDetonate. This tool abandons static text feature judgment logic and instead deploys skill packages into an isolated sandbox environment for dynamic execution, continuously monitoring behaviors such as file read/write, network outbound connections, and data exfiltration.
In testing, this behavior-based analysis detection solution successfully intercepted the vast majority of malicious skill packages, including all disguised malicious samples that bypassed static scanners. Core Security Conclusions for AI Code Tool Users
All developers using AI code assistance tools must remember the core protection principles: while manual review of skill source code before installation is still necessary, source code review alone is no longer sufficient to defend against new types of attacks. Pre-running unfamiliar skill packages in an isolated environment, continuously monitoring for abnormal network outbound connections, and strictly limiting the local directories and credential permissions accessible by AI agents have transitioned from optional protective measures to essential security operational practices.
📤 Compartilhar & Baixar
🧰 Ferramentas recomendadas
Divulgação: alguns links são patrocinados. Podemos receber comissão se você comprar — sem custo extra para você. Só indicamos o que faz sentido para a comunidade.