Researchers from AIR have discovered a critical vulnerability in AI agent ecosystems: attackers were able to distribute a malicious tool disguised as a useful skill, which successfully passed security checks from Cisco and Nvidia.

image

What Happened

Attackers distributed a landing page creation tool that, during the inspection phase, pointed to the legitimate Google Stitch website. This allowed the tool to bypass security scanners and reach 26,000 users. After widespread distribution, the attacker redirected the domain to a malicious script designed for data theft.

Context

The problem lies in the use of "mutable payload" attacks. In such scenarios, static analysis is ineffective because malicious activity is loaded dynamically from external sources after the tool has passed its initial security check.

Why It Matters for the Industry

For the industry, this means that AI agent skills cannot be treated as simple text; they must be perceived as executable dependencies. The current paradigm of static analysis fails to handle the dynamic nature of agents, necessitating a shift toward Runtime Observability and continuous real-time execution monitoring.

Why It Matters for Users

Users should not trust AI tools solely based on their popularity, high GitHub ratings, or having passed checks by major vendors. Verification at the time of installation does not guarantee future security if the tool has the capability to load instructions from external sources.

Sources

Author

Look at AI, Editorial Team