AI Agents’ Most Downloaded Skill Turns Malicious as Researchers Uncover Infostealer Campaign
A popular skill used by AI agents has been discovered to function as an infostealer, raising fresh concerns about how rapidly expanding agent ecosystems are becoming an attractive target for cybercriminals. Researchers say the campaign highlights a new class of risk where trusted AI tooling is repurposed to quietly harvest credentials, configurations, and sensitive operational context from developer environments.
The discovery centers on a fraudulent Visual Studio Code extension impersonating a legitimate AI assistant, which was used to distribute a malicious payload capable of credential theft and deep system reconnaissance. The finding underscores how attackers are adapting infostealer techniques to the emerging world of autonomous and semi-autonomous AI agents.
Analysts warn that as AI agents become more deeply embedded in development workflows, the impact of such compromises could rival or exceed traditional endpoint malware incidents.
From Productivity Tool to Infostealer
The malicious campaign leveraged a fake VS Code extension posing as a widely used AI assistant. Once installed, the extension behaved as advertised on the surface, while covertly deploying malware in the background.
The payload focused on harvesting credentials, API tokens, and configuration files commonly accessed by AI agents during routine tasks. This included environment variables, plaintext configuration files, and cached authentication material.
Security researchers noted that the extension’s popularity helped it blend into legitimate workflows, allowing it to evade suspicion while accumulating sensitive data over time.
Unlike traditional malware that targets browsers or operating systems directly, this attack exploited the implicit trust developers place in AI-enhanced productivity tools.
The Rise of Cognitive Context Theft
Researchers describe this tactic as “Cognitive Context Theft,” a shift from stealing isolated credentials to harvesting the broader operational context of AI agents.
Local-first AI agents often store conversation histories, system prompts, transcripts, and memory files on disk to maintain continuity. These artifacts can reveal proprietary code, internal decision logic, and sensitive business data.
In several cases, analysts observed agents storing secrets such as API keys and access tokens in plaintext files like MEMORY.md or session logs, effectively creating a high-value repository for attackers.
By exfiltrating this data, threat actors gain insight not just into what systems an organization uses, but how its AI tooling reasons, prioritizes, and operates.
Infostealer Ecosystems Adapt to AI Workflows
Major malware-as-a-service infostealer families have begun adapting their scanners to explicitly target directories associated with AI agents and developer tools.
Researchers report that malware such as RedLine and Lumma now actively search for AI configuration files, session logs, and cached tokens alongside more traditional targets like browser credentials.
This evolution reflects a broader trend where attackers follow value rather than technology, shifting focus as AI systems increasingly handle sensitive operations.
Real-World Consequences Already Emerging
Security teams point to recent breaches as evidence of how damaging credential and context theft can be when combined with cloud and VPN access.
In incidents such as the Change Healthcare compromise, stolen credentials were leveraged to gain deep access into enterprise systems, resulting in widespread operational disruption.
Researchers warn that compromised AI agents could accelerate similar attacks by providing attackers with automation, reconnaissance, and privileged access in a single package.
As AI agents continue to expand their capabilities, the blast radius of such compromises is likely to grow.
Defensive Lessons for AI-Driven Development
The incident highlights the need for stricter scrutiny of AI extensions, skills, and plugins, particularly those that operate with broad file system and network permissions.
Security teams are urged to audit how AI agents store memory, logs, and credentials, ensuring sensitive data is encrypted and access is tightly controlled.
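One way to act on that audit recommendation, as an added example that is not from the article or the researchers it cites: a small Python check that walks an agent's working directory and flags secret-looking values in memory and session files such as the MEMORY.md file and session logs mentioned above. The watched suffixes, the regex families and the sample file contents are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Suffixes of memory/log artifacts to audit (assumed for this example, not from the article).
ARTIFACT_SUFFIXES = {".md", ".jsonl", ".log", ".env"}

# One regex per family of secret-looking string; a capture group isolates the value itself.
SECRET_PATTERNS = {
    "sk_prefixed_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
    "key_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per (line, pattern) hit; only a 6-char prefix of the value is kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:  # redact so the audit report does not re-leak the secret
                findings.append({"source": source, "line": line_no, "pattern": name,
                                 "value": m.group(m.lastindex or 0)[:6] + "..."})
    return findings

def scan_directory(root: Path) -> list[dict]:
    """Walk an agent's working directory and scan every artifact with a watched suffix."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARTIFACT_SUFFIXES:
            hits.extend(scan_text(path.read_text(errors="replace"),
                                  path.relative_to(root).as_posix()))
    return hits

# Constructed sample artifacts (not from the article) so the scan runs stand-alone.
SAMPLE_MEMORY_MD = ("# MEMORY.md\n- OPENAI_API_KEY=sk-EXAMPLEKEY00000000000000000000\n"
                    "- deploy creds: AKIAIOSFODNN7EXAMPLE\n")
SAMPLE_SESSION_LOG = '{"role":"tool","content":"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig"}\n'

def demo_scan() -> list[dict]:
    """Lay the samples out as an agent workspace in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "MEMORY.md").write_text(SAMPLE_MEMORY_MD)
        (root / "sessions").mkdir()
        (root / "sessions" / "s1.jsonl").write_text(SAMPLE_SESSION_LOG)
        (root / "notes.txt").write_text("token: unwatched-suffix-ignored")
        return scan_directory(root)
```

Running `demo_scan()` reports the redacted hits with file, line and pattern family, which is enough to triage without copying the secret into the audit log.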
Developers should treat AI tooling with the same caution as dependencies that handle authentication or deployment, recognizing that convenience features can introduce powerful attack surfaces.
As AI agents become foundational to modern development, this campaign serves as an early warning. The tools designed to accelerate productivity can just as easily be weaponized to undermine security at scale.