What happened
ESET's H1 2026 Threat Report (published 2026-07-08, covered by Help Net Security and GBHackers) analyzed nearly 900,000 publicly listed AI agent skills between March and May 2026, finding that unique skills scanned grew from 60,000 to ~900,000, suspicious skills grew from ~10,000 to over 25,000, and outright malicious skills grew from ~600 to over 3,000 in that period.
Why it matters
AI agent 'skills' are an emerging, rapidly growing supply-chain attack surface: as organizations increasingly grant AI coding agents (Claude Code, Codex, etc.) the ability to browse, execute commands, and access files, a poisoned skill can silently introduce credential theft, backdoors, or malware into agent-integrated developer and enterprise environments, and static scanners are shown to be insufficient defense.
Attack vector
Malicious or suspicious AI agent 'skills' — small installable functional components used by AI agents — are published to public repositories with capabilities including command execution, file access, third-party tool downloading, credential loading, code injection, and obfuscation, allowing them to steal data, execute malware, or manipulate agent behavior once installed by a user or organization.
Affected systems
Publicly listed AI agent 'skills' across open repositories (Claude Code, Codex, and other AI-agent skill ecosystems)
Mitigation
ESET recommends behavioral/dynamic analysis (sandbox detonation) rather than static scanning alone, since malicious skills evade static scanners via obfuscation; treat AI agent skills as a supply-chain attack surface requiring vetting before installation.