26,000 个人工智能代理下载了“有用的工具”。然后陌生人重写了指令，他们就完成了一切

26,000 个人工智能代理下载了“有用的工具”。然后陌生人重写了指令，他们就完成了一切

While you have not read this text, your agent may have already received new orders.来自谁是一个好问题。

To force an AI agent to execute a dangerous command, it is not necessary to hide malicious code in an archive. Simply direct the agent to an external instruction page and then change the text on it. The information security company AIR tested this scheme in practice: it created a harmless add-on, got it published in a popular directory, bought advertising, and after installation replaced the content of the linked page.

The add-on was called brand-landingpage and promised to help create a landing page through the Google Stitch service. Such a package contains not only a description of the function, but also instructions for the agent: what sites to open, what to install, what files to work with and what commands to execute. The agent follows these instructions with almost the same trust as the owner's requests, so the link in the instructions may be more dangerous than the code inside the archive itself.

AIR decided to check how much people rely on the usual signs of reliability. The company sent a request to add brand-landingpage to the repository with 156 additions and approximately 36 thousand GitHub stars.几天后，请求被接受。 The stars did not belong to the new package, but in the catalog it appeared next to a popular project and could be perceived as a proven tool.

AIR then launched advertising on Instagram*. The ads were shown to marketers, designers, and sales staff who might find the service for quickly creating landing pages useful. According to the company itself, the add-on was installed by about 26 thousand AI agents, including agents in corporate accounts.

* The Meta company and its products are recognized as extremist, their activities are prohibited in the Russian Federation.