Cybercriminals Plant Malicious AI Agents in Open Source Tool Repositories

Written by

Cybercriminals are increasingly turning to AI agents and chatbots to autonomously plan and carry out cyber-attacks, according to new analysis of hacker activity.

Cybersecurity researchers at ESET examined 900,000 AI skills, small functional components used by AI agents, listed in public repositories and identified tens of thousands of suspicious and thousands of outright malicious instances.

According to ESET’s threat report for the first half of 2026, published on July 8, the availability of suspicious and malicious AI toolsets has expanded the attack surface for cybercriminals and puts organizations at increased risk of cyber threats.

AI agents can plan tasks, browse the web, interact with third-party services, write files, execute commands and take actions for its users. Many legitimate users take advantage of AI agents to bolster their productivity, but as agentic AI has become more common, it has also been picked up by cybercriminals and other malicious threat actors.

Analysis of the repositories found that there has been a significant rise in suspicious and malicious tools in recent months. AI agent skills identified by ESET which were considered suspicious grew from around 10,000 to over 25,000 during the reporting period while those blocked as malicious rose from approximately 600 to over 3,000.

Exploiting AI Tools to Steal Data

These AI agent toolsets can be abused, or specifically designed, to perform actions on behalf of a malicious attacker. They can also be placed in open source repositories in the hope of regular users unwittingly downloading a malicious toolset, or they are offered out to attackers as outright malicious.

Either way, malicious capabilities which the AI tools allow attackers to exploit include the ability to exfiltrate data, download and execute malware, override user instructions, or even subtly alter the behavior of the agent.

For example, one set of tools was identified as offering legitimate red teaming features. However, the agent also had the ability to go much further than advertised, allowing for the exfiltration of credentials and achieving highly privileged, persistent access. Some even drop remote access tools like Mimikatz, commonly associated with ransomware attacks.

There are also thousands of tools which may not be outright malicious, but the way they have been built means they could easily be adapted to help cybercriminals to commit cyber-attacks.

Cybercriminals have previously used similar methods to develop and distribute browser extensions and mobile apps which can be exploited for malicious behaviour. But ESET warned that the addition of AI has increased the risk to potential victims.

“When it comes to handling of sensitive data, making purchases, running API calls, or instruction chains, the higher level of autonomy of AI agents increases the risk and scope of such attacks,” said the report.

The availability of malicious and suspicious AI tools has created another cybersecurity risk for the enterprise. Organizations must ensure that, if needed, they have policies in place to restrict potentially suspicious tools and that users are made aware of the potential risks around downloading free tools from unfamiliar sources.

“Although AI uses impressive speed and autonomy, we can still do our best in protecting data with familiar defences such as looking for tools demanding sweeping access to files or credentials for a simple task and anything pushed through hype rather than official sources,” Jake Moore, global cybersecurity advisor at ESET told Infosecurity

“If a free AI tool promises the world and asks for the keys to your machine in return, there may well be a slight mismatch,” he added.

What’s Hot on Infosecurity Magazine?