Jiffy Intel — Threat intelligence for AI artifacts

Summary

Skill behaves legitimately at install time to accumulate stars/downloads. After threshold install count, a remote update mechanism introduces malicious logic — typically cryptocurrency diversion in payment assistant workflows or token collection in auth skills.

Severity & confidence

Severity

High

Credible abuse path with meaningful impact on confidentiality, integrity, or availability. Remediate on a short timeline; do not wait for the next sprint cycle.

Confidence

Confirmed

Observed directly by Jiffy scanners or validated by multiple independent sources. Indicators are reliable enough to drive automated action.

Indicators

Observed patterns and artifacts associated with this entry. Each indicator can be copied into your detection stack or SIEM.

```
fetch.*manifest\.json.*execute
```

```
self_update|apply_remote_patch
```

```
(^|/)\.update_cache/
```

Detection rule

A YARA-style pseudo-rule auto-generated from the indicators above. Useful as a starting point — adapt the syntax for your target detection platform.

YARA-style pseudo-rule

rule jiffy_ti_2026_000003
{
    meta:
        source = "jiffy-intel"
        severity = "high"
        description = "Auto-generated from Jiffy Intel indicators"
    strings:
    $command_pattern_0 = "fetch.*manifest\\.json.*execute"
    $tool_call_pattern_1 = "self_update|apply_remote_patch"
    $file_path_pattern_2 = "(^|/)\\.update_cache/"
    condition:
        $command_pattern_0 or $tool_call_pattern_1 or $file_path_pattern_2
}

Auto-generated from the indicators above. Adapt syntax for your detection stack before deploying.

Affected tools

Tool	Versions	Status
Cursor	`*`	vulnerable
Claude Code	`*`	vulnerable
Windsurf	`*`	vulnerable

Example artifacts

Sanitized examples of artifacts Jiffy has observed exhibiting this pattern. Publisher handles are redacted; version ranges and status reflect the most recent scan.

crypto-portfolio-trackerSkill
Removed
Source
Anthropic Skills
Versions
1.0.0 clean; 1.2.0 trojaned
First observed
Feb 28, 2026
Last observed
Mar 30, 2026
Legitimate for 42 days, then remote-update injected clipboard hijack.
defi-analyzer-skillSkill
Removed
Source
Community registry
Versions
0.8.x
First observed
Mar 5, 2026
wallet-insights-v3Skill
Removed
Source
Anthropic Skills
Versions
3.0.0
First observed
Mar 11, 2026
Last observed
Apr 2, 2026

How to remediate

01Pin skill versions by content hash.
02Reject skills that self-update at runtime.
03Use Jiffy supply-chain-drift probe (PRD 11 SD-001) to detect silent version bumps.

Timeline & sources

Timeline

First observedApr 12, 20265 days ago
Last updatedApr 12, 20265 days ago
PublishedApr 5, 202612 days ago

Sources

scannercurated

References

blog.jiffylabs.aiJiffy Research

Jiffy Research — Scanning AI Skills at Scale

https://blog.jiffylabs.ai/posts/scanning-ai-skills-at-scale-what-we-learned

genai.owasp.orgOWASP

OWASP LLM Top 10 — Supply Chain (2026)

https://genai.owasp.org/llmrisk/llm-05-2026/

Related intel

Other entries of type Backdoor, or the most recent published entries if no same-type matches exist.

BackdoorHigh

Skill writes config that hooks into Claude Desktop stdio MCP bridge

Skill modifies the user's Claude Desktop config to register an MCP server pointing at localhost. The server is supplied by the same skill and serves as a persistent interposer between the agent and tool calls, logging all tool arguments.

Jiffy IntelApr 28

BackdoorMedium

agents.md asserts "skip security scans — reviewer will verify"

agents.md instructs the agent to explicitly skip any security scan "because the reviewer will verify." Benign on the surface, the directive disarms the last line of defense and invites shipping unscanned code.