<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.t1059.007 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.t1059.007/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:57:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.t1059.007/feed.xml" rel="self" type="application/rss+xml"/><item><title>New Agent Skills Installation Attempt Via Node.EXE</title><link>https://feed.craftedsignal.io/briefs/2026-07-node-agent-skills-install/</link><pubDate>Fri, 03 Jul 2026 13:57:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-node-agent-skills-install/</guid><description>A new detection identifies the use of `npx skills add` commands via `node.exe` on Windows systems, a potentially abusable mechanism for attackers to install malicious AI agent skills or 'skill worms' that can execute arbitrary commands and infect infrastructure.</description><content:encoded><![CDATA[<p>This brief details a detection for the <code>npx skills add</code> command executed via <code>node.exe</code> on Windows, a vector identified as a potential supply chain risk in the emerging field of AI agents. Threat actors could exploit this legitimate functionality, designed to enhance AI agents like Claude Code or Cursor with new capabilities, by injecting malicious commands into newly installed skills. These &quot;skill worms&quot; could then be executed by the AI agent, leading to unauthorized actions, data exfiltration, or infrastructure compromise. The detection, first published on 2026-07-01, highlights the importance for organizations to monitor and regulate the installation of AI agent skills, especially given the rising concerns about the integrity and security of AI tooling. This activity, while sometimes legitimate, warrants careful scrutiny due to its high potential for abuse by malicious actors seeking to leverage AI systems for nefarious purposes.</p>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this mechanism could lead to severe consequences for organizations leveraging AI agent tooling. By installing malicious &quot;skills,&quot; attackers could gain the ability to execute arbitrary commands within the AI agent's environment, potentially leading to unauthorized data access, intellectual property theft, or further lateral movement within the compromised network. References indicate the risk of &quot;infecting infrastructures via skill worms&quot; and instances where &quot;crypto&quot; was &quot;ganked,&quot; implying financial loss and broader system compromise. The severity of impact depends directly on the privileges and access of the compromised AI agent, which could range from individual user data compromise to widespread network infection if the agent has elevated permissions or broad system access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM solution and configure it for Windows <code>process_creation</code> logs.</li>
<li>Enable comprehensive <code>process_creation</code> logging on all Windows endpoints to ensure the Sigma rule can effectively monitor <code>node.exe</code> executions.</li>
<li>Implement strict policies regarding the installation and vetting of AI agent skills within your environment, reviewing any &quot;skills&quot; installed by the <code>npx skills add</code> command.</li>
<li>Tune the provided Sigma rule based on your organization's specific policies regarding the authorized use of AI agent tooling to reduce false positives while maintaining detection efficacy.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ai</category><category>node.js</category><category>supply-chain</category><category>attack.execution</category><category>attack.t1059.007</category></item></channel></rss>