The AI Agent Attack Surface Expands: Weekly Security Recap Reveals New Threat Patterns
This week’s security news reveals a troubling pattern: attackers are increasingly targeting the trust relationships that power modern development and AI ecosystems. From malicious AI skills to supply chain attacks on beloved tools, the threat landscape is evolving faster than defenses.
The Core Insight
The Hacker News weekly recap crystallizes an important shift in attack methodology: adversaries are exploiting trust, not breaking security controls. Trusted update mechanisms, trusted marketplaces, trusted apps, and now trusted AI workflows have become the primary attack vectors.
Three interconnected stories dominate:
OpenClaw/ClawHub security concerns: Malicious skills are appearing on ClawHub, the public registry for AI agents, prompting a VirusTotal partnership for scanning uploaded skills. Meanwhile, Pillar Security reports attackers actively scanning exposed OpenClaw gateways with prompt injection attempts—and more sophisticated actors bypassing the AI layer entirely to attack the WebSocket API directly.
Notepad++ supply chain compromise: Between June and October 2025, threat actors (attributed to Lotus Blossom) redirected traffic from Notepad++’s update mechanism to distribute the Chrysalis backdoor. The attack exploited insufficient update verification in older versions—demonstrating that legitimate domains no longer guarantee safe updates.
DockerDash vulnerability in Ask Gordon: A critical flaw in Docker’s AI assistant allowed malicious instructions embedded in image metadata to execute without validation. The AI trusted all metadata as safe contextual information, creating a “meta-context injection” attack path.
Why This Matters
The AI Agent Attack Surface is Real
Censys identified 21,639 exposed OpenClaw instances as of January 31, 2026. Trend Micro warns that “unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats.” The architectural concentration of power in AI agents—storing secrets, executing actions, maintaining persistent memory—means a single compromise collapses multiple security boundaries.
Supply Chain Attacks Are Evolving
The Notepad++ compromise shows attackers targeting distribution points that touch large populations. Update servers, download portals, and package managers become efficient delivery systems—one compromise creates thousands of downstream victims. And attackers maintained access even after losing their initial foothold by retaining valid credentials.
Trust Models Are Breaking Down
Microsoft developing a scanner to detect backdoors in open-weight LLMs highlights how the trust assumptions around third-party AI models need revision. The scanner looks for three indicators: attention shifts when triggers are present, models leaking poisoned data, and partial triggers still activating backdoors.
Key Takeaways
31.4 Tbps DDoS attack: The AISURU/Kimwolf botnet launched a record-setting attack lasting only 35 seconds. DDoS attacks surged 121% in 2025, averaging 5,376 automatic mitigations per hour.
Signal phishing in Germany: State-sponsored actors are exploiting legitimate Signal features (PIN and device linking) to compromise high-value targets in politics, military, and journalism.
Ethereum as C2 infrastructure: 54 malicious npm packages use Ethereum smart contracts as dead drop resolvers for command-and-control servers—making takedown significantly harder.
MoltBook prompt injection: Analysis found 506 prompt injection attacks targeting AI readers, along with anti-human manifestos and unregulated cryptocurrency activity comprising nearly 20% of content.
npm/PyPI “claw” explosion: Packages with “claw” in the name have grown from nearly zero to over 1,000 since early 2026—creating new avenues for typosquat attacks.
Looking Ahead
The security community is adapting, but the attackers have initiative:
Defense-in-depth for AI: VirusTotal integration for skill scanning represents a necessary but insufficient step. The DockerDash vulnerability shows how AI trust models create novel attack vectors.
Update verification is critical: The Notepad++ attack succeeded because older versions lacked sufficient verification. Organizations should audit their update mechanisms and assume legitimate domains can be compromised.
Exposure monitoring needed: With tens of thousands of AI agent instances exposed, proactive scanning for misconfigurations is essential.
The pattern is clear: attackers follow trust. As organizations connect AI, cloud apps, developer tools, and communication systems, those same paths become attack vectors. Modern security requires assuming trust relationships will be exploited and building defenses accordingly.
Based on analysis of The Hacker News Weekly Recap covering AI agent security, supply chain attacks, and emerging threats