Inclusion criteria
- The component is AI-related (MCP server, agent skill, AI-tool package, AI-assistant extension).
- The malicious behavior is confirmed in a public vendor advisory, CVE, or registry record — never “suspicious” or disputed findings.
- The component is already removed or remediated. We never publish accusations against live, un-remediated components.
“Related detections” maps each incident to the SkillTotal rules that target its behavior class — it does not claim we scanned that exact (long-gone) artifact. Sources were cross-verified at publication; registry removal was checked against the npm/PyPI APIs where possible.
Malicious MCP server
An MCP server impersonating Postmark. A single line added in v1.0.16 appended a hidden BCC to every email sent through the server, silently exfiltrating full email contents to an attacker-controlled domain (~1,500 downloads).
- Affected: v1.0.16–v1.0.18 (earlier versions were clean, trust-building releases)
- Status: Unpublished from npm on 2025-09-25 (all versions; unpublish record verified via the npm registry API).
- Behavior: Email BCC exfiltration · Data exfiltration via network
- Related detections: ST-EMAIL-BCC-EXFIL · ST-MCP-DANGEROUS-TOOL
- Sources: Koi Security disclosure · Postmark statement
polymarket-all-in-one
skills · Feb 2026
Malicious agent skill
The SKILL.md looked benign, but a bundled Python script contained an os.system pipe-to-shell (curl of a raw IP piped into sh) serving a reverse shell, triggered when the agent ran the script.
- Affected: All published versions (~222+ downloads)
- Status: Delisted from ClawHub; the malicious commit was purged from GitHub and registry scanning now blocks it.
- Behavior: Pipe-to-shell · Agent-triggered shell execution · Data exfiltration via network
- Related detections: ST-SHELL-PIPE-EXEC · ST-SHELL-PY · ST-SKILL-CAP-MISMATCH
- Sources: Socket disclosure · ClawHub issue #152
Amazon Q Developer for VS Code
VS Code · Jul 2025
Compromised AI-assistant extension
A pull request from an unverified account injected a destructive natural-language prompt instructing the Q agent to wipe the local filesystem and delete AWS cloud resources. The payload shipped to users but failed to execute due to a syntax error; no confirmed customer damage.
- Affected: Exactly v1.84.0 (CVE-2025-8217)
- Status: v1.84.0 removed from all distribution channels; superseded by v1.85.0. AWS bulletin AWS-2025-015 and a GHSA published.
- Behavior: Prompt injection / agent-directed instructions · Wiper / destructive intent
- Related detections: ST-PROMPT-INJECTION
- Sources: AWS security bulletin · GitHub advisory
Compromised AI/CV package (YOLO)
The legitimate YOLO computer-vision package was compromised via GitHub Actions script injection and cache poisoning. Injected code fetched and ran the XMRig cryptominer on install/import.
- Affected: 8.3.41, 8.3.42, 8.3.45, 8.3.46
- Status: All four malicious versions removed from PyPI; official PyPI post-mortem published 2024-12-11.
- Behavior: Install-script dropper · Shell execution at install
- Related detections: ST-INSTALL-PY · ST-INSTALL-DROPPER
- Sources: PyPI post-mortem · ReversingLabs analysis
nx (“s1ngularity”)
npm · Aug 2025
Compromised build tool — first malware to weaponize AI CLIs
A postinstall payload stole credentials, SSH keys, tokens and crypto wallets — and notably invoked locally installed AI CLIs (Claude Code, Gemini, Amazon Q) with permission-bypass flags and a prompt to enumerate secret file paths. Loot was triple-base64-encoded and pushed to public GitHub repos under victims' own accounts.
- Affected: nx 20.9.0–20.12.0 and 21.5.0–21.8.0, plus several @nx/* packages (CVE-2025-10894)
- Status: Malicious versions removed from npm on 2025-08-27; official advisory and post-mortem published; nx moved to npm Trusted Publishers.
- Behavior: Shell execution at install · Credential/secret theft · Agent-directed instructions · Obfuscated/encoded payload
- Related detections: ST-INSTALL-NPM · ST-INSTALL-DROPPER · ST-SENS-PATH · ST-COMBO-EXFIL
- Sources: nx advisory (GHSA-cxm3-wv7p-598c) · nx post-mortem
sw-cur / sw-cur1 / aiide-cur
npm · May 2025
Cursor IDE backdoors
Packages marketed as “the cheapest Cursor API” harvested user-supplied Cursor credentials, fetched an encrypted second-stage payload, overwrote Cursor's main.js with attacker code and disabled auto-updates — a persistent backdoor inside the AI IDE.
- Affected: All versions (~3,200 combined downloads)
- Status: Replaced by npm security-holder packages in May 2025 (verified via the npm registry API).
- Behavior: Credential/secret theft · Obfuscated/encoded payload · Install-script dropper
- Related detections: ST-INSTALL-NPM · ST-OBF-DECODE-EXEC · ST-COMBO-EXFIL
- Sources: Socket disclosure
gptplus / claudeai-eng
PyPI · Nov 2024
Fake ChatGPT/Claude SDKs
Posed as GPT-4 Turbo / Claude API clients and faked functionality via a demo endpoint to avoid suspicion. Base64-encoded code in __init__.py downloaded the JarkaStealer infostealer (browser data, screenshots, session tokens).
- Affected: All versions (live ~1 year, ~3,500 downloads across 30+ countries)
- Status: Both packages removed from PyPI after Kaspersky's report.
- Behavior: Typosquatting / brand impersonation · Obfuscated/encoded payload · Credential/secret theft
- Related detections: ST-TYPOSQUAT · ST-OBF-DECODE-EXEC-PY · ST-INSTALL-DROPPER
- Sources: Kaspersky disclosure
aliyun-ai-labs-snippets-sdk (+2 variants)
PyPI · May 2025
Infostealer in PyTorch model files
A fake “Aliyun AI Labs” SDK delivering malware inside PyTorch model files (zipped Pickle) loaded from __init__.py — an early confirmed case of Pickle-borne malware on PyPI. Exfiltrated machine info and .gitconfig.
- Affected: All versions (~1,600 combined downloads)
- Status: Removed from PyPI (per ReversingLabs).
- Behavior: Unsafe deserialization payload · Credential/secret theft · Data exfiltration via network
- Related detections: ST-DESERIALIZE-PY · ST-OBF-DECODE-EXEC-PY · ST-COMBO-EXFIL
- Sources: ReversingLabs disclosure
SANDWORM_MODE (19 typosquats)
npm · Feb 2026
npm worm planting a rogue MCP server
The packages dropped a rogue MCP server into ~/.dev-utils/ and registered it in Claude/Cursor/Continue/Windsurf configs. Its tool descriptions embedded prompt-injection instructions directing the assistant to read SSH keys, AWS credentials and .env files and pass them to the server for exfiltration.
- Affected: 19 typosquat packages (claud-code, cloude-code, suport-color, rimarf, …)
- Status: Malicious packages removed by npm; attacker infrastructure removed by GitHub (per Socket).
- Behavior: Typosquatting · Prompt injection / tool poisoning · Credential/secret theft · Data exfiltration via network
- Related detections: ST-TYPOSQUAT · ST-MCP-TOOL-POISONING · ST-SENS-PATH · ST-FLOW-TRIFECTA
- Sources: Socket disclosure
Hades MCP-themed typosquats
PyPI · Jun 2026
Trojan packages targeting MCP developers
Part of a 471-artifact npm+PyPI wave. Trojans aimed at MCP developers carried the heavily obfuscated Hades payload (one used a .pth split-loader for import-time persistence), stealing GitHub/npm/PyPI/cloud credentials, SSH keys and AI-tool configs.
- Affected: langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, ray-mcp-server (specific versions)
- Status: Removed from PyPI (verified: the packages' JSON API endpoints now 404).
- Behavior: Typosquatting · Obfuscated/encoded payload · Startup persistence (.pth) · Credential/secret theft
- Related detections: ST-TYPOSQUAT · ST-PTH-EXEC · ST-OBF-DECODE-EXEC · ST-COMBO-EXFIL
- Sources: Socket disclosure
ChatGPT–中文版 + ChatMoss/CodeMoss (“MaliciousCorgi”)
VS Code · Jan 2026
AI assistants with spyware inside
Shared C2 infrastructure exfiltrated every opened file (base64-encoded, keystroke-level activity) in real time; a server-controlled backdoor could batch-harvest up to 50 workspace files on command.
- Affected: ~1.5M combined installs across two functional AI coding assistants
- Status: Both extensions removed from the VS Code Marketplace following disclosure.
- Behavior: Data exfiltration via network · Obfuscated/encoded payload
- Related detections: ST-NET-NODE · ST-OBF-BASE64-BLOB · ST-COMBO-EXFIL
- Sources: Koi Security disclosure
Fake “ClawdBot Agent — AI Coding Assistant”
VS Code · Jan 2026
Impersonation dropper
Auto-executed on IDE launch and silently installed a fully functional ScreenConnect remote-access client for persistent attacker access, with DLL-sideloading fallback delivery.
- Affected: clawdbot.clawdbot-agent (the impersonated open-source assistant has no official VS Code extension)
- Status: Removed by Microsoft.
- Behavior: Typosquatting / brand impersonation · Install-script dropper
- Related detections: ST-TYPOSQUAT · ST-INSTALL-DROPPER · ST-SHELL-EVASION
- Sources: The Hacker News (Aikido research)
ClawHavoc campaign (341+ malicious skills)
skills · Feb 2026
Mass malicious-skill campaign
Fake “Prerequisites” instructions made users and agents fetch password-protected ZIP archives and obfuscated shell scripts delivering the Atomic macOS Stealer (keychain, browser data, 60+ wallet types, SSH keys). C2 overlap links the campaign to the polymarket-all-in-one backdoor.
- Affected: 341 of 2,857 scanned skills at disclosure (824 flagged by Feb 16); a 335-skill coordinated cluster
- Status: Reported to ClawHub for takedown; the marketplace added malware scanning (Feb 2026) that blocks flagged skills from download. Presented here as a campaign; individual skill names are not listed.
- Behavior: Install-script dropper · Analysis evasion (password-protected archives) · Credential/secret theft · Agent-directed instructions
- Related detections: ST-ENCRYPTED-ARCHIVE · ST-SHELL-EVASION · ST-PROMPT-INJECTION · ST-SHELL-PIPE-EXEC
- Sources: Koi Security disclosure
Every incident above was disclosed by the wider security community; credit belongs to the cited researchers. SkillTotal's contribution is the free, deterministic check you can run before a component like these reaches your machine. Scan it on the site, or locally: skilltotal guard npm:<package> blocks on malicious indicators, and skilltotal guard --installed checks every MCP server and skill already on your machine. See how the analysis works and the State of AI Component Security research report.