SkillTotal
← Back to home

AI Component Threat Feed

Publicly documented, confirmed malicious AI components: MCP servers, agent skills, AI-tool packages, and assistant extensions. This is what real attacks on the AI supply chain look like — and why you scan a component before trusting it.

Inclusion criteria

  • The component is AI-related (MCP server, agent skill, AI-tool package, AI-assistant extension).
  • The malicious behavior is confirmed in a public vendor advisory, CVE, or registry record — never “suspicious” or disputed findings.
  • The component is already removed or remediated. We never publish accusations against live, un-remediated components.

“Related detections” maps each incident to the SkillTotal rules that target its behavior class — it does not claim we scanned that exact (long-gone) artifact. Sources were cross-verified at publication; registry removal was checked against the npm/PyPI APIs where possible.

postmark-mcp

npmSep 2025

Malicious MCP server

An MCP server impersonating Postmark. A single line added in v1.0.16 appended a hidden BCC to every email sent through the server, silently exfiltrating full email contents to an attacker-controlled domain (~1,500 downloads).

Affected:
v1.0.16–v1.0.18 (earlier versions were clean, trust-building releases)
Status:
Unpublished from npm on 2025-09-25 (all versions; unpublish record verified via the npm registry API).
Behavior:
Email BCC exfiltration · Data exfiltration via network
Related detections:
ST-EMAIL-BCC-EXFIL · ST-MCP-DANGEROUS-TOOL

Koi Security disclosure · Postmark statement

polymarket-all-in-one

skillsFeb 2026

Malicious agent skill

The SKILL.md looked benign, but a bundled Python script contained an os.system pipe-to-shell (curl of a raw IP piped into sh) serving a reverse shell, triggered when the agent ran the script.

Affected:
All published versions (~222+ downloads)
Status:
Delisted from ClawHub; the malicious commit was purged from GitHub and registry scanning now blocks it.
Behavior:
Pipe-to-shell · Agent-triggered shell execution · Data exfiltration via network
Related detections:
ST-SHELL-PIPE-EXEC · ST-SHELL-PY · ST-SKILL-CAP-MISMATCH

Socket disclosure · ClawHub issue #152

Amazon Q Developer for VS Code

VS CodeJul 2025

Compromised AI-assistant extension

A pull request from an unverified account injected a destructive natural-language prompt instructing the Q agent to wipe the local filesystem and delete AWS cloud resources. The payload shipped to users but failed to execute due to a syntax error; no confirmed customer damage.

Affected:
Exactly v1.84.0 (CVE-2025-8217)
Status:
v1.84.0 removed from all distribution channels; superseded by v1.85.0. AWS bulletin AWS-2025-015 + GHSA published.
Behavior:
Prompt injection / agent-directed instructions · Wiper / destructive intent
Related detections:
ST-PROMPT-INJECTION

AWS security bulletin · GitHub advisory

ultralytics

PyPIDec 2024

Compromised AI/CV package (YOLO)

The legitimate YOLO computer-vision package was compromised via GitHub Actions script injection and cache poisoning. Injected code fetched and ran the XMRig cryptominer on install/import.

Affected:
8.3.41, 8.3.42, 8.3.45, 8.3.46
Status:
All four malicious versions removed from PyPI; official PyPI post-mortem published 2024-12-11.
Behavior:
Install-script dropper · Shell execution at install
Related detections:
ST-INSTALL-PY · ST-INSTALL-DROPPER

PyPI post-mortem · ReversingLabs analysis

nx (“s1ngularity”)

npmAug 2025

Compromised build tool — first malware to weaponize AI CLIs

A postinstall payload stole credentials, SSH keys, tokens and crypto wallets — and notably invoked locally installed AI CLIs (Claude Code, Gemini, Amazon Q) with permission-bypass flags and a prompt to enumerate secret file paths. Loot was triple-base64-encoded and pushed to public GitHub repos under victims' own accounts.

Affected:
nx 20.9.0–20.12.0 and 21.5.0–21.8.0, plus several @nx/* packages (CVE-2025-10894)
Status:
Malicious versions removed from npm on 2025-08-27; official advisory and post-mortem published; nx moved to npm Trusted Publishers.
Behavior:
Shell execution at install · Credential/secret theft · Agent-directed instructions · Obfuscated/encoded payload
Related detections:
ST-INSTALL-NPM · ST-INSTALL-DROPPER · ST-SENS-PATH · ST-COMBO-EXFIL

nx advisory (GHSA-cxm3-wv7p-598c) · nx post-mortem

sw-cur / sw-cur1 / aiide-cur

npmMay 2025

Cursor IDE backdoors

Packages marketed as “the cheapest Cursor API” harvested user-supplied Cursor credentials, fetched an encrypted second-stage payload, overwrote Cursor's main.js with attacker code and disabled auto-updates — a persistent backdoor inside the AI IDE.

Affected:
All versions (~3,200 combined downloads)
Status:
Replaced by npm security-holder packages in May 2025 (verified via the npm registry API).
Behavior:
Credential/secret theft · Obfuscated/encoded payload · Install-script dropper
Related detections:
ST-INSTALL-NPM · ST-OBF-DECODE-EXEC · ST-COMBO-EXFIL

Socket disclosure

gptplus / claudeai-eng

PyPINov 2024

Fake ChatGPT/Claude SDKs

Posed as GPT-4 Turbo / Claude API clients and faked functionality via a demo endpoint to avoid suspicion. Base64-encoded code in __init__.py downloaded the JarkaStealer infostealer (browser data, screenshots, session tokens).

Affected:
All versions (live ~1 year, ~3,500 downloads across 30+ countries)
Status:
Both packages removed from PyPI after Kaspersky's report.
Behavior:
Typosquatting / brand impersonation · Obfuscated/encoded payload · Credential/secret theft
Related detections:
ST-TYPOSQUAT · ST-OBF-DECODE-EXEC-PY · ST-INSTALL-DROPPER

Kaspersky disclosure

aliyun-ai-labs-snippets-sdk (+2 variants)

PyPIMay 2025

Infostealer in PyTorch model files

A fake “Aliyun AI Labs” SDK delivering malware inside PyTorch model files (zipped Pickle) loaded from __init__.py — an early confirmed case of Pickle-borne malware on PyPI. Exfiltrated machine info and .gitconfig.

Affected:
All versions (~1,600 combined downloads)
Status:
Removed from PyPI (per ReversingLabs).
Behavior:
Unsafe deserialization payload · Credential/secret theft · Data exfiltration via network
Related detections:
ST-DESERIALIZE-PY · ST-OBF-DECODE-EXEC-PY · ST-COMBO-EXFIL

ReversingLabs disclosure

SANDWORM_MODE (19 typosquats)

npmFeb 2026

npm worm planting a rogue MCP server

The packages dropped a rogue MCP server into ~/.dev-utils/ and registered it in Claude/Cursor/Continue/Windsurf configs. Its tool descriptions embedded prompt-injection instructions directing the assistant to read SSH keys, AWS credentials and .env files and pass them to the server for exfiltration.

Affected:
19 typosquat packages (claud-code, cloude-code, suport-color, rimarf, …)
Status:
Malicious packages removed by npm; attacker infrastructure removed by GitHub (per Socket).
Behavior:
Typosquatting · Prompt injection / tool poisoning · Credential/secret theft · Data exfiltration via network
Related detections:
ST-TYPOSQUAT · ST-MCP-TOOL-POISONING · ST-SENS-PATH · ST-FLOW-TRIFECTA

Socket disclosure

Hades MCP-themed typosquats

PyPIJun 2026

Trojan packages targeting MCP developers

Part of a 471-artifact npm+PyPI wave. Trojans aimed at MCP developers carried the heavily obfuscated Hades payload (one used a .pth split-loader for import-time persistence), stealing GitHub/npm/PyPI/cloud credentials, SSH keys and AI-tool configs.

Affected:
langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, ray-mcp-server (specific versions)
Status:
Removed from PyPI (verified: the packages' JSON API endpoints now 404).
Behavior:
Typosquatting · Obfuscated/encoded payload · Startup persistence (.pth) · Credential/secret theft
Related detections:
ST-TYPOSQUAT · ST-PTH-EXEC · ST-OBF-DECODE-EXEC · ST-COMBO-EXFIL

Socket disclosure

ChatGPT–中文版 + ChatMoss/CodeMoss (“MaliciousCorgi”)

VS CodeJan 2026

AI assistants with spyware inside

Shared C2 infrastructure exfiltrated every opened file (base64-encoded, keystroke-level activity) in real time; a server-controlled backdoor could batch-harvest up to 50 workspace files on command.

Affected:
~1.5M combined installs across two functional AI coding assistants
Status:
Both extensions removed from the VS Code Marketplace following disclosure.
Behavior:
Data exfiltration via network · Obfuscated/encoded payload
Related detections:
ST-NET-NODE · ST-OBF-BASE64-BLOB · ST-COMBO-EXFIL

Koi Security disclosure

Fake “ClawdBot Agent — AI Coding Assistant”

VS CodeJan 2026

Impersonation dropper

Auto-executed on IDE launch and silently installed a fully functional ScreenConnect remote-access client for persistent attacker access, with DLL-sideloading fallback delivery.

Affected:
clawdbot.clawdbot-agent (the impersonated open-source assistant has no official VS Code extension)
Status:
Removed by Microsoft.
Behavior:
Typosquatting / brand impersonation · Install-script dropper
Related detections:
ST-TYPOSQUAT · ST-INSTALL-DROPPER · ST-SHELL-EVASION

The Hacker News (Aikido research)

ClawHavoc campaign (341+ malicious skills)

skillsFeb 2026

Mass malicious-skill campaign

Fake “Prerequisites” instructions made users and agents fetch password-protected ZIP archives and obfuscated shell scripts delivering the Atomic macOS Stealer (keychain, browser data, 60+ wallet types, SSH keys). C2 overlap links the campaign to the polymarket-all-in-one backdoor.

Affected:
341 of 2,857 scanned skills at disclosure (824 flagged by Feb 16); a 335-skill coordinated cluster
Status:
Reported to ClawHub for takedown; the marketplace added malware scanning (Feb 2026) that blocks flagged skills from download. Presented here as a campaign — individual skill names are not listed.
Behavior:
Install-script dropper · Analysis evasion (password-protected archives) · Credential/secret theft · Agent-directed instructions
Related detections:
ST-ENCRYPTED-ARCHIVE · ST-SHELL-EVASION · ST-PROMPT-INJECTION · ST-SHELL-PIPE-EXEC

Koi Security disclosure

Every incident above was disclosed by the wider security community — credit belongs to the cited researchers. SkillTotal's contribution is the free, deterministic check you can run before a component like these reaches your machine: scan it on the site, or locally — skilltotal guard npm:<package> blocks on malicious indicators, and skilltotal guard --installed checks every MCP server and skill already on your machine. See how the analysis works and the State of AI Component Security research report.