
Beware: the AI you're running might turn traitor and help attackers hijack your computer.

机器之心 (Machine Heart), 2025-08-28 15:46
No matter how well you guard against outsiders, it's hard to guard against a traitor within the family.

By now, most people probably have large AI model tools on their devices.

As capabilities such as multimodality, interaction, and coding mature, AI agents are being deployed ever more widely. Consequently, they are being granted more and more permissions in the environments where they run.

Recently, when watching videos, I've seen danmu (floating comments) exclaiming that smart assistants have extremely high permissions.

This is especially true in programming, the killer application where AI has landed first: coding agents typically have near-full read-write access to the files on a user's device. The risk is self-evident; recall the Replit "database deletion" incident we reported on earlier.

That "database deletion" incident was a failure of the AI agent itself. Public attention keeps being drawn to the risks that stem from the limitations of the models, while a larger external risk goes largely overlooked.

The AI agent on your device could very likely be used to attack you.

This is not alarmism. At around 10:32 PM UTC on August 26, exactly such a malicious program appeared, and thousands of developers may have been affected.

The First Malware Attack Using AI Tools

At around 10:32 PM UTC on August 26, 2025, the popular Nx build system package was compromised and published with data-stealing malware inside. The backdoored versions were live on the registry for only a little over five hours before being removed, but in that short window thousands of developers may have installed them.

It is the first documented case of malware abusing an AI command-line tool for reconnaissance and data theft.

The malicious code didn't just steal SSH keys, npm tokens, and .gitconfig files.

It went a step further and weaponized the AI command-line tools (CLIs) developers commonly have installed, including Claude, Gemini, and Amazon Q (q). These tools were hijacked to gather information and assist exfiltration. It is the first known case of attackers turning developers' own AI agents into accomplices.

Given the size of the Nx ecosystem and the novel abuse of AI tools, this is a serious incident: anyone who installed a contaminated version must remediate immediately. The nx team has published an official security advisory (GHSA-cxm3-wv7p-598c) confirming the intrusion and disclosing further details. According to the advisory, the attack began with the leak of a maintainer's npm token, which gave the attackers publish rights to the package.

Event Timeline (UTC)

The attack unfolded rapidly within a few hours:

  • 10:32 PM: malicious version 21.5.0 is published to the npm registry.
  • 10:39 PM: malicious version 20.9.0 is published.
  • 11:54 PM: two more poisoned versions, 20.10.0 and 21.6.0, are published at the same time.
  • 12:16 AM, August 27: malicious version 20.11.0 is published.
  • 12:17 AM: one minute later, malicious version 21.7.0 is published.
  • 12:30 AM: a community member opens a GitHub issue alerting the nx team to the suspicious behavior.
  • 12:37 AM: the last two malicious versions, 21.8.0 and 20.12.0, are published.
  • 02:44 AM: npm removes all affected versions.
  • 03:52 AM: the nx organization owner revokes the compromised maintainer account's access to prevent further malicious releases.
  • 09:05 AM: GitHub restricts the repositories containing the exfiltrated secrets, making them private and removing them from search results.
  • 10:20 AM: npm performs a further cleanup, removing more affected package versions.
  • 03:57 PM: npm enables additional security measures covering all Nx packages.

The whole attack lasted roughly 5 hours and 20 minutes, during which the attackers published eight malicious versions across two major version lines (20.x and 21.x).

The incident is not only a major warning for supply-chain security; it is also the first demonstration that AI development assistants can be turned against their users and made part of the attack chain.

Technical Analysis of This Malicious Attack

The compromised nx package sees over 4 million downloads a week. The attackers added a malicious postinstall hook to it.

Whenever a developer (or a CI job) installs the package, npm automatically runs a script named telemetry.js. It fires the moment the install finishes, giving the attackers a foothold on developer machines at scale.

Once running, the script systematically collects sensitive information from the victim's machine:

  • System information: environment variables (process.env), hostname, operating system and platform details;
  • Developer credentials: the SSH keys, npm tokens, GitHub token and .gitconfig file mentioned above;
  • Cryptocurrency wallets: MetaMask keystores, Electrum wallets, Ledger and Trezor hardware wallet data, Exodus, Phantom, and Solflare wallets, plus common key files (e.g., UTC--*, keystore.json, *.key);
  • Further sensitive files located by driving the developer's own AI CLI tools (Claude, Gemini, q), as described above.

Having collected the data, the malicious program exfiltrates it in a few covert, efficient steps:

  • Using the stolen GitHub token, it creates a public GitHub repository named s1ngularity-repository under the victim's account (some variants append a numeric suffix such as "-0" or "-1").
  • It base64-encodes all the collected data three times over.
  • It writes the result to a file named results.b64 and pushes it to the new repository.
  • Because the repository is public, the victim's secrets are exposed to anyone on the Internet who looks for them.

Anyone who ran a poisoned install should therefore treat every secret on that machine as burned: rotate npm, GitHub and SSH credentials and any keys held in environment variables or wallet files, and delete any s1ngularity-repository that appeared under their GitHub account.

The attackers did not stop at theft; they also sabotaged the machine:

  • The malicious program appends the line sudo shutdown -h 0 to the end of ~/.bashrc and ~/.zshrc.
  • As a result, every new interactive shell tries to halt the system immediately (where sudo is cached or passwordless this succeeds outright; otherwise the user is met with a sudo password prompt in every new terminal).
  • Either way the developer's working environment is unusable, a denial-of-service (DoS) effect on top of the data theft.

For more detail on the incident, see the original technical write-up:

https://www.stepsecurity.io/blog/supply-chain-security-alert-popular-nx-build-system-package-compromised-with-data-stealing-malware#conclusion

The New Trend of AI Abuse by Hackers

It is not only that AI tools are being turned against their users; attackers using AI to run their own operations has become a trend in its own right. According to Anthropic's August 2025 report on detecting and countering misuse, Claude is itself a frequent target of abuse.

Blog link: https://www.anthropic.com/news/detecting-countering-misuse-aug-2025

Hackers Use Claude to Scale Data Extortion

Criminals used Claude Code to carry out large-scale data theft and extortion against at least 17 organizations, spanning healthcare, emergency services, government, and even religious institutions.

Unlike traditional ransomware, this actor did not encrypt anything; they simply threatened to publish the stolen sensitive data unless paid. In some cases the demand reached $500,000.

Claude was used to an unprecedented degree across the operation:

Claude Code automated much of the reconnaissance, helping the attacker harvest credentials and move through victims' networks.

Claude did not merely execute commands; it made tactical and strategic decisions, such as which data to steal and how to word the extortion demand.

It analyzed the stolen financial data to size a ransom the victim could plausibly pay.

It even generated visually striking ransom notes that were displayed directly on victims' screens to apply psychological pressure.

Anthropic calls this behavior "vibe hacking."

Criminals Sell AI-Generated Ransomware

Another cybercriminal used Claude as a "ransomware factory", relying on it to develop, package, and market multiple ransomware variants.

They then offered the results as ransomware-as-a-service (RaaS) on online forums, priced from $400 to $1,200. In other words, someone with little technical skill can simply buy a ready-made, AI-built extortion tool.

[Figure: the criminal's first dark-web sales advertisement, January 2025]

The World's First Known AI-Driven Ransomware

ESET Research recently identified what it describes as the world's first known AI-driven ransomware and named it PromptLock.

What makes it unusual is that it carries no hard-coded attack logic; it relies on an AI model to generate its attack scripts on the fly.

Rather than shipping fixed malicious code, PromptLock calls the gpt-oss-20b model through the Ollama API with prompts the attacker wrote in advance, receives freshly generated Lua scripts, and executes them immediately.

Because the generated scripts are Lua, they are cross-platform and can run on Windows, Linux, and macOS alike.

The researchers note that several signs point to PromptLock being a proof of concept (PoC) or a work-in-progress sample rather than mature ransomware that has been deployed at scale.

Notably, PromptLock does not download the model onto the victim's device. Instead it sets up a proxy inside the victim's network and forwards its requests to an Ollama API serving gpt-oss-20b on a remote server. This corresponds to the Internal Proxy sub-technique (T1090.001) in the MITRE ATT&CK framework, an increasingly common approach in modern intrusions.

Conclusion

As AI capabilities keep improving, attackers and scammers keep "upgrading" their methods in step. AI agents are now being used as weapons that directly take part in, and carry out, complex cyberattacks.

At the same time, AI has sharply lowered the barrier to crime, turning work that used to require deep knowledge and hacking skill into something almost anyone can accomplish with an AI assistant.

More seriously, AI has penetrated the entire cybercrime lifecycle: from selecting victims and analyzing stolen data to harvesting credit card details, forging identities, and scaling up fraud, it is becoming an end-to-end "accomplice".

This suggests that future malware will be more adaptable, less predictable, and harder to defend against.

This article is from the WeChat official account "Machine Intelligence" (机器之心), edited by Leng Mao, and republished by 36Kr with authorization.