Incident · curated 27 Jun 2026
First reported 23 Jun 2026
Single-source incident — first reported, latest, and curated coincide.
Security firm AIR built a fake AI agent skill and distributed it via a popular skill marketplace and an Instagram ad, reportedly reaching roughly 26,000 agents including some on corporate accounts. Every skill security scanner tested marked it safe, though the payload was harmless by design and only collected the user's email address.
Why it matters
It demonstrates that malicious AI agent skills can pass existing security scans and spread widely through marketplaces, posing a real supply-chain risk to enterprise agent deployments.