10,000 Infected Repositories: How Malware Campaigns Target AI Coding Agents and Developers
Trend: security

June 21, 2026

Summary

The cybersecurity landscape is witnessing an unprecedented wave of supply chain attacks targeting developer workstations. A highly automated campaign utilizes over 10,000 cloned GitHub repositories to distribute info-stealing Trojans targeting developers and autonomous AI coding agents (such as Cursor, Claude Code, and Gemini CLI). By copying popular open-source projects and modifying README files, attackers lure users into downloading malicious archives. Meanwhile, security researchers warn of a new exploit vector called “Agentjacking,” which manipulates the open architecture of AI agents to execute unauthorized system commands and harvest credentials.

What happened?

  • Automated Repository Clones: Security researcher Orchid discovered a massive automated network cloning legitimate projects, copying their commit history and contributor lists to build fake authenticity.
  • README Infection Vector: The cloned repositories feature instructions and links pointing to ZIP archives containing info-stealing Trojans like SmartLoader and StealC.
  • Search Engine Poisoning: Attackers evade security filters and game search ranking by repeatedly deleting and re-pushing commits, so that their malicious repositories rank high in GitHub search results and in public search engines.
  • Targeting AI Autopilot Tools: These repositories do not rely on human victims alone; they specifically target autonomous AI coding agents. When an agent processes an infected project or runs its setup commands automatically, the developer’s workstation is compromised.

Why it matters

Developer workstations are high-value targets because they hold unencrypted API keys, AWS credentials, SSH keys, and access to internal databases. With AI agents executing code directly in the local user context, the attack surface has expanded significantly. Historically, security tools focused on securing the production pipeline. This trend highlights that the threat has shifted to the initial coding stage on local developer machines.

Evidence

The threat has been documented across multiple reports and security databases:

  • Orchid Research Report: A comprehensive breakdown of the automated infrastructure managing the 10,000+ fake repositories.
  • GitHub Advisory Database: Notable increases in reported issues related to cloned packages and repository manipulation.
  • Agentjacking Analyses: Published research detailing how insecure Model Context Protocol (MCP) integrations and poisoned markdown files allow attackers to achieve remote code execution (RCE) via AI agents.

Analysis

The campaign’s success rests on human inattention and on the implicit trust AI agents place in the content they read. The search optimization tricks ensure that developers looking for a quick fix or a repository to clone select the fake by mistake. For AI coding assistants the exposure is even more severe: because these tools automatically read and parse error reports, README files, and configuration files to generate solutions, attackers can use prompt injection techniques to make the agent run commands with the developer’s local privileges.

Practical Takeaways

Software developers and teams should implement several immediate protective measures:

  1. Manually Verify Clone URLs: Double-check the repository owner and domain before running git clone or installing packages to ensure it points to the official source.
  2. Restrict AI Tool Permissions: Run autonomous AI coding agents inside isolated sandboxes or Docker containers, ensuring they do not have unconstrained access to your host machine’s command line or filesystem.
  3. Secure API Credentials: Avoid storing plain secrets in local environment variables. Use secret detection hooks and secure vaults to store sensitive credentials.
  4. Sanitize AI Agent Inputs: Do not allow AI tools to blindly fetch and process untrusted external data, such as public web URLs or unverified log files.
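As an added illustration of the README-vetting side of takeaways 1 and 4 (this is example code written for this note, not tooling from any of the cited sources), the following Python script flags README links that pull archives from outside the project’s own GitHub namespace, and setup steps that pipe a download straight into a shell. The sample README, hostnames and the list of trusted asset hosts are constructed assumptions.

```python
"""Scan README text for the lures described above: archive downloads hosted
outside the project, and install steps that pipe a download into a shell.
Added example; the sample README and host names below are constructed."""
import re
from urllib.parse import urlparse

# Payload container types (the campaign used ZIP) plus common equivalents.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".dmg")
# Hosts that serve a GitHub project's own release/archive assets (assumption).
TRUSTED_HOSTS = {"github.com", "codeload.github.com", "objects.githubusercontent.com"}

URL_RE = re.compile(r"https?://[^\s)>\]]+")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")


def scan_readme(readme_text, repo_owner):
    """Return (snippet, reason) findings for a README belonging to the GitHub
    user/org `repo_owner`. An empty list means nothing suspicious was found."""
    findings, seen = [], set()
    for url in URL_RE.findall(readme_text):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        path = parsed.path.lower()
        if not path.endswith(ARCHIVE_EXT):
            continue  # links to docs or web pages are not download lures
        host = (parsed.hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            findings.append((url, f"archive hosted on external domain {host}"))
        elif not path.startswith(f"/{repo_owner.lower()}/"):
            findings.append((url, "archive served from a different GitHub namespace"))
    for m in PIPE_TO_SHELL_RE.finditer(readme_text):
        findings.append((m.group(0), "setup step pipes a download straight into a shell"))
    return findings


# Constructed README of a hypothetical "mirror" repository.
SAMPLE_README = """\
# fastjson-tools (mirror)
Download the prebuilt bundle: [fastjson-tools.zip](https://fastjson-tools-download.example/fastjson-tools.zip)
Or build from the release source: https://github.com/fastjson-tools/fastjson-tools/archive/v2.1.0.zip
Docs: https://fastjson-tools.example/docs/index.html
"""

if __name__ == "__main__":
    for snippet, reason in scan_readme(SAMPLE_README, "fastjson-tools"):
        print(f"[!] {reason}: {snippet}")
```

Run it over a freshly cloned repository’s README before letting a coding agent follow the setup instructions; a non-empty result is a reason to compare the repository against the upstream project by hand.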

Open Questions

  • How can hosting platforms like GitHub effectively block automated cloning and update loops without hindering legitimate project forks?
  • What security protocols are needed for the Model Context Protocol (MCP) to prevent AI models from executing commands embedded in external content?

Sources

  1. Cybernews: Massive campaign uses 10,000 GitHub repos to spread malware
  2. Saptang Labs: Agentjacking and the emerging threats to AI coding environments
  3. GitHub Advisories: Database for tracking open source vulnerabilities
  4. Orchid Files: In-depth technical analysis of GitHub malware distribution networks