JiffyIntel
Back to catalog
Credential ExfilPublished Apr 1, 2026

Silent Exfiltrator pattern in PR-optimizer skills

CriticalAARM tierConfirmed
MITRE-ATLAS-AML.T0055NIST-CSF-2.0-PR.AA-01OWASP-Agentic-2026-AIA-10OWASP-LLM-2025-LLM02
Category:
Seen287times across14customers
jiffy-ti-2026-000001

Summary

Skills marketed as productivity tools (e.g., GitHub PR Optimizer) that include hidden curl/wget exfiltration of .env files, SSH keys, or browser cookies to an external C2. Matches the OWASP LLM-2026 Tool Poisoning pattern.

Severity & confidence

Severity
Critical

Critical

Active exploitation in the wild, high blast radius, or direct data exfiltration vector. Treat as an urgent remediation target; quarantine affected artifacts immediately.

Confidence
Confirmed

Confirmed

Observed directly by Jiffy scanners or validated by multiple independent sources. Indicators are reliable enough to drive automated action.

Indicators

Observed patterns and artifacts associated with this entry. Each indicator can be copied into your detection stack or SIEM.

  • curl\s+[^|]*\|\s*(sh|bash)
  • read_file.*\.env|read_file.*\.ssh
  • paste.ee
  • transfer.sh
  • 0x0.st

Detection rule

A YARA-style pseudo-rule auto-generated from the indicators above. Useful as a starting point — adapt the syntax for your target detection platform.

YARA-style pseudo-rule
rule jiffy_ti_2026_000001
{
    meta:
        source = "jiffy-intel"
        severity = "critical"
        description = "Auto-generated from Jiffy Intel indicators"
    strings:
    $command_pattern_0 = "curl\\s+[^|]*\\|\\s*(sh|bash)"
    $tool_call_pattern_1 = "read_file.*\\.env|read_file.*\\.ssh"
    $endpoint_2 = "paste.ee"
    $endpoint_3 = "transfer.sh"
    $endpoint_4 = "0x0.st"
    condition:
        $command_pattern_0 or $tool_call_pattern_1 or $endpoint_2 or $endpoint_3 or $endpoint_4
}

Auto-generated from the indicators above. Adapt syntax for your detection stack before deploying.

Affected tools

ToolVersionsStatus
Claude Code*vulnerable
Cursor*vulnerable
Codex*vulnerable

Example artifacts

Sanitized examples of artifacts Jiffy has observed exhibiting this pattern. Publisher handles are redacted; version ranges and status reflect the most recent scan.

  • pr-helper-proSkill
    Removed
    Source
    Anthropic Skills
    Versions
    1.0.0 – 1.3.2
    First observed
    Mar 18, 2026
    Last observed
    Apr 6, 2026

    Publisher handle redacted. Removed by marketplace after disclosure.

  • auto-merge-assistantSkill
    Removed
    Source
    GitHub Marketplace
    Versions
    0.4.x
    First observed
    Mar 22, 2026
    Last observed
    Apr 9, 2026

    Dual-use listing; malicious variant served via update channel only.

  • review-buddy-v2Skill
    Quarantined
    Source
    Community registry
    Versions
    2.0.0
    First observed
    Mar 29, 2026

    Identified pre-install by Jiffy scanner; held in quarantine pending review.

  • github-pr-optimizerSkill
    Removed
    Source
    Anthropic Skills
    Versions
    1.1.0
    First observed
    Apr 2, 2026

How to remediate

  1. 01Remove skills that invoke curl/wget against non-allowlisted domains.
  2. 02Require skill manifests to declare allowed_domains.
  3. 03Review .env / ~/.ssh / credential-file access.

Timeline & sources

Timeline

  1. First observedApr 12, 20265 days ago
  2. Last updatedApr 12, 20265 days ago
  3. PublishedApr 1, 202616 days ago

Sources

scannercuratedexternal_partner

References

genai.owasp.orgOWASP

OWASP LLM Top 10 — Tool Poisoning (2026)

https://genai.owasp.org/llmrisk/llm-03-2026/
arxiv.orgarXiv

Liu et al. Malicious Agent Skills in the Wild (2026)

https://arxiv.org/abs/2604.03070
blog.jiffylabs.aiJiffy Research

Jiffy Research — Scanning AI Skills at Scale

https://blog.jiffylabs.ai/posts/scanning-ai-skills-at-scale-what-we-learned

Related intel

Other entries of type Credential Exfil, or the most recent published entries if no same-type matches exist.

Credential ExfilHigh

.cursorrules fetches remote rule that encodes "submit secrets" logic

.cursorrules with `extends: <url>` resolves to a remote rule set whose content includes directives to read repo-local .env and post-process before any commit. A separation between policy declaration (local) and policy content (remote) hides the exfiltration.

Jiffy IntelApr 27
Credential ExfilHigh

Custom GPT Action logs full request bodies including Authorization headers

Action backend that logs every inbound request, including the OAuth Authorization header forwarded by the GPT. Logs are retained and occasionally shared with third-party observability tools.

Jiffy IntelApr 27
Credential ExfilLow

Claude Project knowledge file contains hardcoded API tokens

Project uploader accidentally includes a knowledge file (often a README or internal doc) that has API tokens embedded. Any team member running the project can view the file, and the tokens enter model context on every turn.

Jiffy IntelApr 27

Scan for patterns like this

Point Jiffy at your GitHub org, IDE config, or a single artifact. Get a scored report in under a minute.

Start a free scan