{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/repository-hijacking/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github","agent-skills","repository-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA supply chain attack has been identified targeting agent skill marketplaces that utilize a link-out distribution model, specifically indexing skills via GitHub repository URLs. The vulnerability arises when original repository owners rename their GitHub accounts, making the previous username available for takeover. Attackers can claim the orphaned username, recreate the repository, and intercept all future skill downloads. A study found 121 skills forwarding to 7 vulnerable repositories, with the most-downloaded hijackable skill having over 2,000 downloads. Further analysis of 238,180 unique skills from various marketplaces revealed significant disagreement among scanners, with fail rates ranging from 3.79% to 41.93%. Additionally, live API credentials for services such as NVIDIA, ElevenLabs, Gemini, and MongoDB were found embedded within the analyzed corpus, highlighting a severe lack of security hygiene in the agent skill ecosystem. This attack highlights the risks associated with relying on external repositories and the need for robust validation mechanisms in agent skill marketplaces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOriginal GitHub repository owner renames their account, making the old username available.\u003c/li\u003e\n\u003cli\u003eAttacker registers the now-available GitHub username.\u003c/li\u003e\n\u003cli\u003eAttacker recreates the repository at the same URL as the original skill.\u003c/li\u003e\n\u003cli\u003eUsers download the \u0026ldquo;skill\u0026rdquo; from the marketplace, which now points to the attacker\u0026rsquo;s repository.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s repository serves malicious code instead of the original skill.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes on the user\u0026rsquo;s system or agent platform.\u003c/li\u003e\n\u003cli\u003eAttackers leverage the skill to gain access to the victim\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eAttackers exfiltrate sensitive data or deploy further malicious payloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can compromise systems and data by delivering malicious code through hijacked agent skills. The discovery of 121 vulnerable skills and 7 vulnerable repositories demonstrates the scale of this threat. The presence of live API credentials for major services like NVIDIA, ElevenLabs, Gemini, and MongoDB within the skill corpus suggests widespread insecure development practices. Successful exploitation can lead to data breaches, system compromise, and unauthorized access to cloud services, potentially impacting numerous users and organizations relying on these agent skills. The disagreement between scanners highlights the difficulty in detecting these malicious skills, further compounding the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement monitoring for GitHub repository ownership changes for all deployed skills to detect potential hijacking (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003ePin skills to specific commit hashes rather than mutable branch heads to ensure code integrity (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003eRequire a minimum of two independent scanners to flag a skill before treating it as confirmed malicious to reduce false positives (refer to Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to identify potential GitHub username registration events (see \u0026ldquo;Detect GitHub Username Registration\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003ePrefer direct-hosting marketplaces over link-out distribution models to reduce reliance on external repositories (refer to Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-agent-skill-hijacking/","summary":"A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories, with scanners showing significant disagreement on malicious skill identification and embedded live API credentials discovered.","title":"Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-agent-skill-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Repository-Hijacking","version":"https://jsonfeed.org/version/1.1"}