Security teams have spent the last two years adapting to prompt injection and LLM data leakage. Now there’s a more operational threat emerging with the weaponizing of AI agent ecosystems and using the agent as a trusted intermediary to get malware onto endpoints.
Trend Micro reports a new campaign distributing a macOS malware (dubbed Atomic MacOS Stealer, or AMOS) variant through malicious “skills” on platforms associated with OpenClaw. Instead of relying on cracked software lures, this campaign abuses agentic workflows in what Trend Micro describes as a supply-chain style shift.
According to Trend Micro, the malicious instructions are tucked into a normal-looking SKILL.md file that claims a prerequisite tool must be installed first. The agent then surfaces those steps as if they’re legitimate setup requirements—nudging the user toward installing a fake CLI/“driver.”
The dangerous part is the trust handoff. Users tend to believe instructions presented by a tool they chose and configured, especially when the agent is framed as an assistant helping them do what’s needed.
Also described was a deceptive password prompt designed to trick users into manually entering their credentials as part of the installation flow.
It isn’t AI malware, but classic social engineering with the agent acting as a credibility amplifier.
This AMOS variant is positioned for broad data theft. Trend Micro says it exfiltrates Apple and KeePass keychains along with assorted user documents, and noted it does not establish persistence and appears to ignore .env files (which commonly store API keys).
They also document exfiltration via a web upload endpoint using a curl -X POST flow to deliver a staged ZIP archive to a C2-controlled destination.
The campaign spans multiple repositories and skill-hosting locations, with Trend Micro describing attackers uploading hundreds of malicious skills.
When utilizing AI agents:
- Treat agent skills like third-party software: require review, allowlisting, and strict controls
- Isolate execution: run agent tooling in containers or sacrificial environments rather than on developer or admin workstations.
- Block dangerous patterns: alert on “download + decode + execute” behaviors and unusual outbound uploads from dev endpoints.
- Train and inform users: any workflow that asks for a password in a “setup wizard” should be verified.
Reviewing every skill by hand doesn’t scale, but it just being a markdown file is no longer a safe assumption. This is a preview of a bigger trend with agent ecosystems growing skills marketplaces becoming the new plugin supply chain.
Leave a Reply