Thursday, July 9, 2026

News

Nearly 3,000 Malicious AI Plugins Detected in ESET Scan

ResearchPatryk Raba

ESET's report for the first half of 2026 found that among nearly 900,000 scanned AI agent plugins, more than 3,000 turned out to be malicious, with the number of suspicious extensions multiplying within just a few months.

Contents
  1. What researchers found
  2. New phishing attack variants
  3. Why this matters for companies deploying agents
  4. Part of a growing wave of attacks on AI tools

The market for add-ons that extend the capabilities of AI agents, known as AI skills, is growing faster than anyone can keep up with from a security standpoint. A report published by ESET on July 8 covering the first half of 2026 found that among nearly 900,000 scanned plugins, more than 3,000 contained malicious code capable of stealing data or deploying malware.

What researchers found

ESET analysts documented malicious plugins with capabilities including executing arbitrary system commands, accessing user files, stealing saved login credentials, injecting code into other processes, and using obfuscation techniques to evade detection. The list also included plugins described as red-team testing tools, skills capable of modifying their own code, and extensions that automate purchases on a user's behalf, which in practice can be exploited for fraud.

The scale of the problem stems largely from how current AI agent plugin marketplaces operate. Skill developers can publish extensions with virtually no vetting, and an agent that installs such an add-on automatically gains whatever permissions the plugin declares, often far broader than what its stated function requires.

AI skills can enable a wide range of abuses of agentic artificial intelligence, from automated reconnaissance and red-team-style attacks to spam generation, malware modification and its distribution - Anton Mäčko, ESET malware analyst

New phishing attack variants

The report also describes a family of attacks built around fake tech support pages impersonating communications from Anthropic, OpenAI and Microsoft. A variant called AI-fix feeds victims false instructions for fixing a supposed system problem, CrashFix operates through malicious browser extensions that display fabricated security warnings, and ConsentFix tricks users into handing over Microsoft OAuth authorization codes under the pretext of a fake identity verification.

On Android, researchers described malware named PromptSpy that uses Google's Gemini model to interpret the interface of an infected device and maintain persistent access, even when standard security mechanisms try to remove it. It is one of the first documented cases of mobile malware using a major company's language model as part of its own attack infrastructure.

Why this matters for companies deploying agents

For companies that have spent recent months rapidly rolling out coding agents and assistants built on third-party plugins, the ESET report is a warning sign. The scale of growth, fifteen times more skills scanned within a few months, shows that the extension ecosystem is expanding faster than the quality and security controls on the platforms where these add-ons are published.

In practice, this means security teams should treat installing any AI agent plugin the way they would treat installing an unknown package from an open repository: verifying the source, restricting permissions, and monitoring behavior after installation, rather than treating it as a neutral functionality add-on.

Part of a growing wave of attacks on AI tools

The ESET report fits into a broader trend of vulnerabilities and abuses uncovered in recent weeks targeting coding assistants and AI agents, all sharing one common thread: the growing autonomy of these tools is creating new attack vectors that platform developers did not need to consider even a year ago. The figures ESET reports, over 3,000 confirmed malicious plugins compared with 600 half a year earlier, suggest the problem is growing faster than the industry's ability to contain it.

Sources: Thousands of malicious AI skills found capable of stealing data, running malware (helpnetsecurity.com)

Share: