Threat Feed
high advisory

Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking

A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, letting threat actors intercept skill downloads from vulnerable repositories; scanners disagree significantly on which skills are malicious, and live API credentials were found embedded in the analyzed skills.

A supply chain attack has been identified targeting agent skill marketplaces that utilize a link-out distribution model, specifically indexing skills via GitHub repository URLs. The vulnerability arises when original repository owners rename their GitHub accounts, making the previous username available for takeover. Attackers can claim the orphaned username, recreate the repository, and intercept all future skill downloads. A study found 121 skills forwarding to 7 vulnerable repositories, with the most-downloaded hijackable skill having over 2,000 downloads. Further analysis of 238,180 unique skills from various marketplaces revealed significant disagreement among scanners, with fail rates ranging from 3.79% to 41.93%. Additionally, live API credentials for services such as NVIDIA, ElevenLabs, Gemini, and MongoDB were found embedded within the analyzed corpus, highlighting a severe lack of security hygiene in the agent skill ecosystem. This attack highlights the risks associated with relying on external repositories and the need for robust validation mechanisms in agent skill marketplaces.

Attack Chain

  1. Original GitHub repository owner renames their account, making the old username available.
  2. Attacker registers the now-available GitHub username.
  3. Attacker recreates the repository at the same URL as the original skill.
  4. Users download the “skill” from the marketplace, which now points to the attacker’s repository.
  5. The attacker’s repository serves malicious code instead of the original skill.
  6. The malicious code executes on the user’s system or agent platform.
  7. Attackers leverage the skill to gain access to the victim’s environment.
  8. Attackers exfiltrate sensitive data or deploy further malicious payloads.

Impact

This supply chain attack can compromise systems and data by delivering malicious code through hijacked agent skills. The discovery of 121 vulnerable skills and 7 vulnerable repositories demonstrates the scale of this threat. The presence of live API credentials for major services like NVIDIA, ElevenLabs, Gemini, and MongoDB within the skill corpus suggests widespread insecure development practices. Successful exploitation can lead to data breaches, system compromise, and unauthorized access to cloud services, potentially impacting numerous users and organizations relying on these agent skills. The disagreement between scanners highlights the difficulty in detecting these malicious skills, further compounding the risk.

Recommendation

  • Implement monitoring for GitHub repository ownership changes for all deployed skills to detect potential hijacking (refer to Attack Chain).
  • Pin skills to specific commit hashes rather than mutable branch heads to ensure code integrity (refer to Attack Chain).
  • Require a minimum of two independent scanners to flag a skill before treating it as confirmed malicious to reduce false positives (refer to Overview).
  • Deploy the Sigma rule below to identify potential GitHub username registration events (see “Detect GitHub Username Registration” rule).
  • Prefer direct-hosting marketplaces over link-out distribution models to reduce reliance on external repositories (refer to Overview).
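As an added example (not from the advisory or the study it cites), the ownership and commit-pin checks behind the first two recommendations, run over constructed skill-index and repository metadata; it also flags repositories younger than a threshold, which is what the second detection rule below keys on. The skill URL, owner ids and commit values are hypothetical, and the owner check relies on the fact that a GitHub account's numeric id persists across a rename, so a username reclaimed by someone else resolves to a different id.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass
class IndexedSkill:
    """What a link-out marketplace should record when it first indexes a skill."""
    url: str              # repository URL the marketplace forwards downloads to
    owner_id: int         # numeric GitHub user id at index time; it survives a rename,
                          # while a new claimant of the old username gets a different id
    indexed_at: datetime  # first time the marketplace indexed this skill
    pinned_commit: str    # commit recorded at index time instead of a mutable branch head

@dataclass
class RepoState:
    """What the URL resolves to now (fields mirror GitHub's repository API)."""
    owner_id: int
    created_at: datetime
    head_commit: str

def assess(skill: IndexedSkill, repo: RepoState, now: datetime,
           recent: timedelta = timedelta(days=30)) -> list[str]:
    """Return the hijack indicators that fire for this skill; an empty list means clean."""
    findings = []
    if repo.owner_id != skill.owner_id:
        findings.append("owner-id-mismatch")           # username reclaimed by another account
    if repo.created_at > skill.indexed_at:
        findings.append("repo-recreated-after-index")  # repository is younger than the listing
    if now - repo.created_at < recent:
        findings.append("recently-created-repo")       # what the download-detection rule keys on
    if repo.head_commit != skill.pinned_commit:
        findings.append("head-differs-from-pin")       # only a fetch at the pinned commit is trusted
    return findings

# Constructed sample data (hypothetical skill, owner ids and commits, not taken from the page).
SKILL = IndexedSkill("https://github.com/example-owner/example-skill", 1000001,
                     datetime(2025, 2, 1, tzinfo=UTC), "a1b2c3d")
BENIGN = RepoState(1000001, datetime(2025, 1, 10, tzinfo=UTC), "a1b2c3d")
HIJACKED = RepoState(2000002, datetime(2026, 4, 1, tzinfo=UTC), "f9e8d7c")
NOW = datetime(2026, 4, 10, tzinfo=UTC)

if __name__ == "__main__":
    for name, repo in (("benign", BENIGN), ("hijacked", HIJACKED)):
        print(name, assess(SKILL, repo, NOW) or ["clean"])
```

A same-owner repository whose head has simply moved on yields only "head-differs-from-pin", which is the case pinning is meant to make safe rather than a hijack signal on its own.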

Detection coverage (2 rules)

Detect GitHub Username Registration

info

Detects the creation of new GitHub user accounts, which could be an early indicator of username hijacking attempts.

Rule type: sigma | Tactics: initial_access | Techniques: T1195 | Sources: web, github

Detect Download of Files from Recently Created GitHub Repository

medium

Detects downloads of files from GitHub repositories that have been created within a short timeframe, potentially indicating a recently hijacked repository.

Rule type: sigma | Tactics: supply_chain | Techniques: T1195 | Sources: web, github

Detection queries are kept inside the platform.

Indicators of compromise (2)

  • url: https://arxiv.org/abs/2603.16572
  • url: https://raxe.ai/labs/radar/radar-2026-002#malicious-or-not-adding-repository-context-to-agent-skill-classification