Skip to main content
Emerging ThreatsMalware & Ransomware

Malicious AI Agents Infiltrate Open Source Repositories

Cluttered software development workspace with laptop, monitor, and papers.

ESET examined 900,000 AI skills listed in public repositories and found "tens of thousands of suspicious and thousands of outright malicious instances," the company reported on July 8. Those raw totals, the vendor says, mark a rapid escalation in the number and variety of AI components that could be used to plan, execute and scale cyber-attacks.

ESET’s findings: scale, timing and scope

In a mid‑year threat assessment published July 8 covering the first half of 2026, ESET researchers said suspicious AI agent skills rose from around 10,000 to over 25,000 during the reporting period, while items blocked as malicious climbed from approximately 600 to over 3,000. The company framed those figures as evidence that "the availability of suspicious and malicious AI toolsets has expanded the attack surface for cybercriminals" and increases risks for organizations.

How AI agent skills can be weaponized

The report describes AI agents and their skills as capable of autonomous activity: they can plan tasks, browse the web, interact with third‑party services, write files, execute commands and take actions on behalf of users. That autonomy can be legitimate — used to boost productivity — but ESET documented cases where toolsets were either deliberately malicious or capable of being adapted for malicious ends.

Malicious capabilities cited in the report include credential exfiltration, downloading and executing malware, overriding user instructions and subtly altering agent behaviour. ESET gave a concrete example: a package marketed with red‑teaming features that also allowed exfiltration of credentials, the establishment of highly privileged persistent access and, in some instances, the dropping of remote access tools such as Mimikatz — software commonly associated with ransomware attacks.

Open source repositories as distribution vectors

Researchers found many suspect and malicious AI skills hosted in public code repositories. ESET described two principal models: authors planting toolsets in open source repositories in the expectation that regular users will download them unintentionally, and actors directly offering toolsets to attackers as explicitly malicious packages. The report noted this method mirrors earlier criminal use of browser extensions and mobile apps, but warned that adding AI to the mix increases the risk to potential victims.

What this means for technologists, organizations, and end users

  • Technologists and security teams: the report places emphasis on policies that can restrict suspicious tools and on institutional awareness. ESET advised that organizations ensure policies exist to limit risky downloads and to make users aware of the dangers of free tools from unfamiliar sources.
  • Organizations and procurement leaders: the availability of adaptable or dual‑use AI toolsets expands the enterprise attack surface. The report implies that procurement and governance processes should scrutinize third‑party AI components the same way they would other software, especially when such components request broad access to files, credentials or API capabilities.
  • End users and general public: ESET and its advisors urged skepticism toward free AI tools that promise extensive functionality in exchange for wide access. Jake Moore, global cybersecurity advisor at ESET, told Infosecurity that defenders should look for "tools demanding sweeping access to files or credentials for a simple task" and be wary of offerings "pushed through hype rather than official sources."

Practical red flags and defensive posture

Both the report and ESET advisers highlighted practical signals of risk. The report cautioned that "when it comes to handling of sensitive data, making purchases, running API calls, or instruction chains, the higher level of autonomy of AI agents increases the risk and scope of such attacks." Jake Moore added tactical guidance in conversation with Infosecurity: "Although AI uses impressive speed and autonomy, we can still do our best in protecting data with familiar defences," and warned, "If a free AI tool promises the world and asks for the keys to your machine in return, there may well be a slight mismatch."

Taken together, those cues shape immediate actions: restrict or vet downloads from untrusted repositories, flag components requesting broad privileges, and treat hyped, unofficial tools with heightened suspicion.

The numbers ESET recorded — an ascent from roughly 10,000 to over 25,000 suspicious skills and from about 600 to over 3,000 malicious ones in months — present a clear, data‑driven signal. The report ties that signal to concrete attack behaviors and distribution paths, and it leaves a straightforward imperative: organisations and users who rely on public AI skills must pair that convenience with disciplined controls and scrutiny.

Original story