Security Researchers Hijack 26,000 AI Agents via Fake Design Extension

Key point: External content references that standard scanners fail to validate enabled researchers to gain access to over 26,000 autonomous agents through fake AI extensions and Instagram advertising.

Researchers at the firm AIR have demonstrated how AI extensions can be hijacked at scale: they slipped past security scanners by using external content references and reached victims through a manipulated Instagram campaign. The experiment revealed a critical vulnerability in how AI tools are validated on the Agents marketplace.

Niv Hoffman and Or Nevo from AIR developed a malicious extension called “brand-landingpage” that posed as a legitimate tool for Google’s design tool Stitch. They submitted the package to the GitHub-based marketplace Agents, where it was accepted by the operators and subsequently passed security scanners from Cisco, Nvidia, and Skils.sh. This marked the first step of the supply-chain attack.

The root cause of the failure lies in a fundamental limitation of the scanners: they only check files contained locally in the package, not externally linked content. The researchers exploited this gap by pairing clean code with a reference to a domain under their control. This domain initially redirected to the legitimate Google documentation to pass scanner analysis. After approval, they replaced the target page with instructions commanding AI agents to execute a script that exfiltrated user email addresses.

To scale the attack, the team used Instagram advertisements to specifically target non-technical users such as marketing professionals, designers, and sales employees. These user groups increasingly deploy preconfigured workflows on AI platforms from OpenAI or Anthropic, but often lack deep technical knowledge for risk assessment. The experiment gained access to over 26,000 AI agents through this approach.

In a real attack scenario, criminals could abuse this method for data exfiltration or to gain access to internal corporate networks, since AI agents typically operate with the full access rights of the user. Darren Guccione from Keeper Security summarized the implication: security teams treat reputation signals as a substitute for trust, but this strategy fails when the actual malicious payload lies outside the verified package.


Source: www.it-daily.net · Published June 28, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.