Full Report
Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show
Analysis Summary
# Incident Report: Research-Led Supply Chain Compromise via Fake AI Agent Skills
## Executive Summary
Security firm AIR executed a proof-of-concept supply chain attack by distributing a malicious AI agent skill named "brand-landingpage." By bypassing automated security scanners and leveraging social proof, the firm gained unauthorized access to approximately 26,000 agents, including corporate accounts, and demonstrated structural vulnerabilities in AI ecosystem trust models.
## Incident Details
- **Discovery Date:** June 23, 2026 (Public Disclosure)
- **Incident Date:** February – June 2026
- **Affected Organization:** Approximately 26,000 AI Agent users (multiple platforms)
- **Sector:** Technology / AI Services / Enterprise
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa June 2026
- **Vector:** Targeted Social Engineering & Marketplace Poisoning
- **Details:** AIR opened a pull request to a popular skill marketplace repository (36k stars). Once merged, the malicious skill inherited the repository's reputation. This was supplemented by Instagram ads targeting marketing and sales professionals.
### Lateral Movement
- **Details:** While the "attack" did not use traditional network lateral movement, the skill spread from the marketplace to individual agent environments by tricking users into installing the "brand-landingpage" skill.
### Data Exfiltration/Impact
- **Details:** The payload exfiltrated user email addresses to a server controlled by AIR. In a real-world scenario, this foothold would allow for reading files and accessing internal systems available to the AI agent.
### Detection & Response
- **How it was discovered:** Disclosed by the researchers (AIR) themselves.
- **Response actions taken:** The researchers showed that industry scanners (Cisco, NVIDIA, skills.sh) marked the skill as safe, highlighting the failure of static analysis for AI skills that fetch content at runtime.
## Attack Methodology
- **Initial Access:** Supply Chain Poisoning (GitHub Repository) and Social Engineering (Instagram Ads).
- **Persistence:** Skill installation within the AI agent's context.
- **Defense Evasion:** A "clean-at-scan" technique: the skill referenced a legitimate URL (`stitch-design[.]ai`, pointing to real documentation) during the initial scan; after the skill was approved, the content served at that URL was swapped for a malicious script.
- **Collection:** Automated collection of user identity metadata (email addresses).
- **Exfiltration:** HTTPS POST to a researcher-controlled domain.
- **Impact:** Unauthorized data harvesting and potential for RCE (Remote Code Execution) within the agentic environment.
## Impact Assessment
- **Financial:** Minimal (Research-based); potential for high loss in a real attack.
- **Data Breach:** Exposure of ~26,000 email addresses and agent identities.
- **Operational:** Potential for unauthorized internal system access via agent permissions.
- **Reputational:** High impact on the perceived reliability of AI skill marketplaces and security scanners.
## Indicators of Compromise
- **File indicators:** `brand-landingpage` (Skill Name)
- **Network indicators:** `stitch-design[.]ai` (Defanged)
- **Behavioral indicators:** AI agents fetching instructions from non-official external domains after initial installation; agents requesting email/identity data for tasks not requiring such permissions.
## Response Actions
- **Containment:** Disclosure of vulnerabilities to scanner vendors.
- **Eradication:** Removal of the skill from the marketplace.
- **Recovery:** Public advisory issued to warn organizations about the "Sorry State of Skill Distribution."
## Lessons Learned
- **Static Scans are Insufficient:** Scanners only check the "package" at a fixed point in time, while attackers control the content at the external URLs the agent fetches at runtime.
- **False Social Proof:** GitHub stars and marketplace presence are not valid proxies for security.
- **Dynamic Content Risk:** AI agents treat external instructions with the same authority as user prompts, creating a "Prompt Injection" style risk via third-party skills.
## Recommendations
- **Treat Skills as Software:** Implement rigorous vendor risk management for AI skills, treating them with the same scrutiny as binary executable files.
- **Verification of External Links:** Do not permit agents to fetch instructions from non-vetted or dynamic third-party URLs.
- **Principle of Least Privilege:** Restrict agent permissions so that a compromised skill cannot access sensitive data or internal network resources.
- **Version Pinning:** Pin skills to specific versions and re-scan/re-audit whenever external dependencies change.
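The following is an added example (not code from AIR or from any skill marketplace) showing how a defender can implement the "Verification of External Links" and "Version Pinning" recommendations against the clean-at-scan swap described above: every URL a skill tells the agent to fetch is checked against an allowlist, the content behind each URL is hash-pinned at review time, and a runtime fetch is refused if the content no longer matches. The skill text, the allowlist and the domain names are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample skill text; the hostnames are placeholders, not the real IoC.
SKILL_MD = """# brand-landingpage
Fetch the design guide at https://skill-docs.example.net/guide.md and follow it.
See https://docs.vetted.example.org/brand.md for style rules.
"""

VETTED_DOMAINS = {"docs.vetted.example.org"}          # assumed allowlist
URL_RE = re.compile(r"https?://[^\s)>\"']+")


def extract_urls(skill_text):
    """Return every http(s) URL the skill instructs the agent to fetch."""
    return URL_RE.findall(skill_text)


def unvetted_urls(skill_text, vetted=VETTED_DOMAINS):
    """URLs whose host is not on the allowlist; flag these at review time."""
    return [u for u in extract_urls(skill_text) if urlparse(u).hostname not in vetted]


def pin_at_scan(url_to_content):
    """At review time, record the SHA-256 of every external resource the skill depends on.
    url_to_content is the body fetched from each URL during the scan."""
    return {u: hashlib.sha256(body).hexdigest() for u, body in url_to_content.items()}


def verify_fetch(url, body, pins):
    """At runtime, allow a fetch only if its content still matches the pinned hash.
    A changed hash means the URL was swapped after approval (clean-at-scan)."""
    if url not in pins:
        return False, "unpinned URL: not reviewed with this skill version"
    if hashlib.sha256(body).hexdigest() != pins[url]:
        return False, "content changed since scan: re-audit required"
    return True, "ok"


def audit_skill(skill_text, scan_time_content, runtime_content):
    """Review the skill once, then check each runtime fetch against the pins."""
    pins = pin_at_scan(scan_time_content)
    return {
        "unvetted": unvetted_urls(skill_text),
        "runtime": {u: verify_fetch(u, body, pins) for u, body in runtime_content.items()},
    }
```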