Three stories today share a common thread: the AI toolchain is an attack surface, and the security model has not caught up. Autonomous agents are being hijacked into sending money. Browser extensions are being silently installed. And the static scanners enterprises rely on to vet AI plugins are failing at a 90% clip. Each of these stories points to the same gap — organizations deploying AI-powered automation without corresponding input validation, sandboxing, and behavioral detection controls.
In the News
Prompt Injection Campaigns Force AI Agents to Send Crypto to Attackers
Autonomous AI agents — the code assistants, research bots, and automated purchasing tools that organizations are deploying at scale — are now confirmed targets of prompt injection campaigns. SecurityWeek reported that malicious websites embed hidden instructions designed to hijack browsing agents into initiating cryptocurrency payments to attacker-controlled wallets.
The mechanism is straightforward. An AI agent with web-browsing capability visits an untrusted URL as part of its task. The page contains prompt injection payloads — text that the agent’s LLM interprets as instructions rather than content. If the agent has access to a crypto wallet or payment API, the injected instructions direct it to execute a transaction. No exploit chain required. No vulnerability in the traditional sense. The agent does exactly what it is told — by the wrong party.
This is the first documented campaign where prompt injection results in direct financial loss, not just data leakage or misclassification. The implication for any organization running LLM-based automation that touches untrusted inputs is immediate: if the agent can browse arbitrary URLs and hold financial credentials, input validation and output filtering are not optional controls — they are the primary countermeasure.
What defenders should do: Enforce network segmentation that restricts what autonomous AI processes can reach. Implement output validation that blocks financial transactions initiated without human approval. Apply DNS and web content filtering to limit agent access to untrusted domains. Treat every autonomous agent with external access as a privileged identity requiring the same controls as a service account. (MITRE ATT&CK: T1059.007 — Command and Scripting Interpreter: JavaScript/JScript; applicable by analogy to LLM-interpreted instructions.)
Opera GX Flaw Allowed Silent Extension Install — Gmail Data Stolen
A vulnerability in Opera GX, the Chromium-based gaming browser, allowed malicious websites to silently install browser mods without user interaction. The Hacker News reported that a proof-of-concept demonstrated full Gmail address exfiltration from a single page visit — no clicks, no prompts, no visible indicators.
No-click browser extension installation is rare. Most Chromium-based browsers require explicit user consent through the extension install flow, and enterprise policies can lock that flow down entirely. Opera GX’s mod ecosystem, designed for gaming customization, had a pathway that bypassed this consent mechanism. The result: visit a page, receive a mod, lose data.
Opera has patched the flaw. But organizations that permit non-standard browsers — particularly in developer or creative teams where Opera GX is common — should verify that auto-update actually fired. If endpoint management tools do not inventory Opera GX installations, the patch status is an assumption.
What defenders should do: Run a software asset inventory query for Opera GX binaries across endpoints. Confirm auto-update delivered the patched version. Consider browser governance policies that restrict sanctioned browsers to those with enterprise management capabilities. EDR solutions should flag unauthorized browser extension installations as a detection signal.
SkillCloak Evasion Defeats 90% of Static Scanners for AI Coding Plugins
Researchers demonstrated SkillCloak, an obfuscation technique purpose-built to defeat the static analysis tools that security teams use to vet AI coding-agent plugins. The Hacker News reported that SkillCloak achieved a 90%+ evasion rate in testing against existing scanners for GitHub Copilot extensions, Cursor add-ons, and similar AI tool plugins.
The technique packs malicious skill definitions — the instructions that tell an AI agent what actions it can take — in a way that looks benign to static analysis but unpacks to full functionality at runtime. The researchers also built a runtime behavioral checker that successfully detects what static analysis misses.
This is a direct signal that the AI supply-chain threat model must shift. Static scanning for AI agent plugins is now demonstrably insufficient, the same way static AV signatures became insufficient against polymorphic malware two decades ago. Behavioral detection at runtime — monitoring what the plugin actually does when loaded — is the required control.
What defenders should do: Do not rely solely on static scanning to vet AI coding-agent plugins. Implement runtime behavioral monitoring for AI tool extensions. Apply application allowlisting to restrict which plugins developers can load. Treat the AI plugin ecosystem with the same rigor as the npm or PyPI supply chain — software composition analysis should extend to AI agent skills. (MITRE ATT&CK: T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain.)
Threat Pulse
QuimaRAT — A new cross-platform Java-based malware-as-a-service targets Windows, Linux, and macOS at a $150/month subscription price (The Hacker News). The Java runtime makes it portable across operating systems with minimal retooling. Organizations with mixed-OS fleets — particularly those with Linux servers and macOS developer workstations alongside Windows endpoints — should verify that EDR coverage extends uniformly across all platforms. Cheap multi-OS RATs lower the barrier for adversaries who previously had to choose a target OS.
Defender Action Items
- AI agent deployments: Audit every autonomous AI process for external network access and financial API credentials. Enforce output validation that requires human-in-the-loop approval for any financial transaction. Apply DNS/web filtering to restrict agent browsing to approved domains only.
- Opera GX patching: Query endpoint management for Opera GX installations. Confirm the latest patched version is deployed. If Opera GX is unsanctioned, flag and remove.
- AI plugin vetting: Supplement static analysis of AI coding-agent extensions with runtime behavioral monitoring. Extend software composition analysis to cover AI skill/plugin manifests.
- Multi-OS EDR coverage: Verify endpoint detection is deployed and active on Linux and macOS hosts, not just Windows — QuimaRAT specifically targets mixed fleets.
Detection Queries
Monitor for autonomous processes initiating outbound connections to cryptocurrency exchange APIs or wallet endpoints — a signal for prompt-injection-driven financial exfiltration from AI agents:
index=proxy OR index=firewall sourcetype=web_proxy
| where (url LIKE "%api.coinbase.com%" OR url LIKE "%api.binance.com%" OR url LIKE "%blockchain.info/%" OR url LIKE "%etherscan.io/api%")
| eval is_ai_agent=if(match(process_name, "(?i)(copilot|cursor|agent|llm|gpt|claude|assistant)"), "yes", "no")
| search is_ai_agent="yes"
| stats count by src_ip, dest, url, process_name, user
| where count > 0
| table _time, src_ip, user, process_name, dest, url, count
Tune process_name regex to match the specific AI agent binaries in your environment. False positives will come from legitimate developer use of crypto APIs — filter by expected service accounts.
References
- Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments — SecurityWeek
- Opera GX Flaw Let Malicious Sites Auto-Install Mods — The Hacker News
- New SkillCloak Technique Lets Malicious AI Skills Evade Static Scanners — The Hacker News
- New Java-Based QuimaRAT MaaS Built to Target Windows, Linux, macOS — The Hacker News
- MITRE ATT&CK T1059.007 — Command and Scripting Interpreter: JavaScript/JScript — MITRE
- MITRE ATT&CK T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain — MITRE
Related Briefs
- FBI Seizes NetNut — 2M IoT Devices Were Proxy Nodes
- Cisco Unified CM Zero-Day Exploited — CVE-2026-45659
- NetScaler HTTP/2 Bomb and ARToken PhaaS — CVE-2026-8451
- Oracle EBS Auth Bypass CVE-2026-46817 Exploited
- libssh2 PoC Flips SSH Trust — CVE-2026-55200
Subscribe to the it-learn Brief
Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.