Poisoned AI Skills and Fake Exploit Repos — The New Supply Chain Attack on Your Team

Poisoned AI Skills and Fake Exploit Repos — The New Supply Chain Attack on Your Team

Supply chain attacks used to mean poisoned npm packages and typosquatted Python libraries. In mid-2026, two campaigns showed the same playbook moving to two new targets: the skills your AI agents install, and the proof-of-concept code your security team downloads.

Experiment one: a fake skill that passed every scanner

Security firm AIR ran an uncomfortable experiment. It built a fake AI agent skill called brand-landingpage, got it merged into a popular skill marketplace repository (36,000 GitHub stars, inherited instantly), promoted it with an Instagram ad — and says it reached roughly 26,000 agents, including some on corporate accounts.

Every skill security scanner they tested it against marked it safe — including Cisco's and NVIDIA's.

The trick was elegant and structural. The skill itself contained nothing malicious; it simply told the agent to follow setup instructions at an external link. At scan time, that link showed legitimate documentation. After the skill was widely installed, AIR swapped the page behind the link for one instructing the agent to download and run a script. The scan happens once; the page it points to can change forever after. Trail of Bits demonstrated the same bypass weeks earlier, and real campaigns have used the technique for months.

The payload in this experiment only collected an email address. A real operator would have had an agent-speed foothold with everything the agent could reach: files, credentials, internal systems.

Experiment two — except this one is real

On July 1, YesWeHack and Sekoia disclosed ChocoPoC, an active campaign distributing a remote-access trojan through fake proof-of-concept exploit repositories on GitHub. The targets are the people who race to test new CVEs: vulnerability researchers, red teamers, security engineers.

The visible PoC code looks clean. The malware hides in a Python dependency the PoC pulls in — so it survives a quick code review. Run it, and it lifts saved passwords, browser cookies and files, then hands the attacker a shell. At disclosure time, the campaign and its servers were still live.

Related research rounded out the picture: a "clean" GitHub repository was shown tricking AI coding agents into executing malware during routine tasks — the agent, not the human, becomes the one who runs the payload.

The common thread

All three cases exploit the same gap: we verify artifacts once, but trust them forever — and we increasingly let software (or agents) act on that trust automatically. Stars can be borrowed. Scans read a snapshot. External links can be rewritten after the check clears. And an AI agent follows fetched instructions with roughly the authority of its user.

Practical defences

  • Treat AI skills as software, not text. Same intake process as any dependency: review, approve, install from a source you control. Skills should be a supply chain with a gate, not a marketplace free-for-all.
  • Vet what a skill points to, not just what ships in it. A skill that fetches external instructions at install or runtime deserves extra scrutiny — that content can change after review. Pin versions; re-review on any change.
  • Least privilege for agents. Assume any external instruction an agent fetches runs with the agent's access. Scope that access accordingly, and control what agents can reach on the network.
  • Never run PoCs on a work machine. Exploit code from GitHub belongs in a disposable, isolated VM with no credentials and no corporate network access — no matter how urgent the CVE or how clean the repo looks. Review the dependencies, not just the script.
  • Watch egress. Both campaigns needed to phone home. Outbound monitoring and DNS filtering catch what code review misses.
  • Train the humans in the loop. Developers and security staff are now prime targets precisely because of what they run. This belongs in your security awareness programme and your developer security training — not just in policy documents.

The takeaway

The attack surface has quietly expanded from "what your developers install" to "what your AI installs, and what it reads afterwards." If your organization is adopting agents, this is the moment to put a supply chain gate in front of them — and if you want that setup tested by someone who thinks like the attacker, our AI/LLM security assessments do exactly that.


This article is general information based on public research by AIR, Trail of Bits, YesWeHack and Sekoia, as reported by The Hacker News and BleepingComputer.

Back to blog