CISO READINGS
Nearly 30% of the 370,000 open-source skills pose security threats
Last month, a news item caught the attention of a select circle in the cybersecurity community: researchers discovered 341 malicious packages within the plugin marketplace of an open-source AI agent framework.
While many dismissed this as typical “noise” within the open-source community, the ORION Threat Intelligence Platform™ conducted a comprehensive data harvest of the entire AI Agent extension ecosystem, followed by automated sandbox analysis. The results are clear: we are witnessing a premeditated, large-scale, ecosystem-level poisoning campaign.
When developers routinely pull third-party Skills from the web to empower their local AI assistants, they are effectively handing over workstation control to hackers on a silver platter.
A 30% Malicious Rate: Not Just Vulnerabilities, but Blatant Backdoors
As of mid-March 2026, the ORION Threat Intelligence Platform™ has captured and deeply analyzed 373,394 public custom Skills.
Among these, 109,935 were definitively identified as “Malicious Skills” containing credential theft, system destruction, or silent backdoor logic. In our isolated sandboxes, these tainted plugins triggered over 660,000 malicious behavior alerts.
With a malicious rate approaching 30%, a developer risks hitting a “landmine” for every three efficiency-boosting plugins they install. Our analysis reveals that attackers have highly “contextualized” their poisoning techniques, precisely exploiting developer expectations:
Data Source: SKILL-INJECT: Measuring Agent Vulnerability to Skill File Attacks
Masquerading as “Daily Efficiency Tools”
Attackers are mass-producing fraudulent versions of high-frequency tools. Our high-risk detection list is saturated with “utility scripts” for YouTube and Yahoo Finance. Examples include youtube-thumbnail-grabber, youtube-video-downloader, and series like yahoo-finance or yahooquery.
Developers performing data analysis or web scraping often lower their guard and “copy-paste” the installation commands. Once executed, these scripts—holding a risk score of 100—silently exfiltrate local environment variables and browser cookies in the background.
Precision Strikes on Web3 and Cryptocurrency
Hackers follow the money. In the AI plugin market, targeted poisoning against blockchain developers has become a disaster zone. We captured numerous high-risk skills named solana-security-auditor, solana-vulnerability-scanner, and even solana-bags-trading. Ironically, a developer might download a plugin to audit their Web3 code for safety, only to have the plugin itself—a Trojan—package and ship off their local private keys.
Faking Credibility via “Star Boosting”
Supply chain poisoning has evolved beyond empty repositories. We observed malicious components in the YouTube category where the hosting repository boasted over 2,081 Stars. Attackers not only inflated the star count but also disguised the author’s name as “openclaw-official.” Under the dual halo of a “high star rating” and an “official-named author”, the developer’s remaining security awareness is easily bypassed.
Why Your Current Security Stack Can’t Stop It
You might wonder: “We have a complete DevSecOps process; surely we can stop few malicious scripts?”
In truth, traditional security architectures are likely to fail here because this represents a fundamental shift in how code is introduced.
SCA Blind Spots: Traditional Software Composition Analysis (SCA) tools look for standard dependencies in
package.jsonorrequirements.txt. However, AI Agent Skills often bypass standard package managers; they may be dynamic prompt injections or execution logic delivered via WebSockets. Existing SCA tools cannot parse at this level and, therefore, fail to report the risk.EDR Evasion: When these malicious skills execute a theft (like quietly packaging a local
.envconfig file), the EDR sees a parent process that is a legitimate, trusted AI development tool. In the detection engine’s logic, this appears to be a developer using AI for a normal workflow, making it difficult to classify as high-risk and block.
Attackers are exploiting the unconditional trust developers place in AI tools and the visibility gaps within current defenses regarding emerging AI components.
What Should Security Teams Do Against New Supply Chain Poisoning?
We are sharing this hard-hitting intelligence to serve as a wake-up call: the main battlefield of software supply chain poisoning is shifting. As attackers extend their reach from traditional repositories to AI Agent Skill markets, our defensive vision must not remain static.
For enterprise security teams, the priorities are clear:
Establish New Asset Visibility: Audit which AI-assisted coding tools your R&D teams are using and determine if they are routinely connecting unvetted third-party extensions.
Tighten Endpoint Execution Permissions: Strictly review and limit the network allow-lists and sensitive directory access for local AI Agents. Implement “Zero Trust” at the AI process level.
Upgrade Threat Intelligence Dimensions: Traditional blacklists based on IP and Hash are no longer enough. Teams must introduce deep intelligence monitoring tailored to AI assets and non-standard component behaviors.
At the ORION Threat Intelligence Platform™, we have officially categorized “AI Supply Chain Threats” as a top-priority monitoring sequence. Facing this unknown minefield of over 100,000 backdoors, we are continuously isolating and distilling underlying threat fingerprints and behavioral models.
In the game of cyber-adversary, when opponents use the momentum of AI to test limits, the defender’s only leverage is to see earlier and dig deeper.