Artificial Intelligence Autonomous AI Agents Provide New Class of Supply Chain Attack While this campaign targets crypto wallets and steals money, the methodology has far wider potential that could be used by other attackers. By Kevin Townsend | February 23, 2026 (7:30 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Found in Clawhub, promoted on Moltbook, Bob-ptp is an ongoing active agent-based crypto scam. It’s ironic that new technology often defies the fundamental security rule of zero trust – but that’s the basis of agentic AI. AI agents are often trusted with freedom to roam and act without adequate verification. Straiker, a firm that focuses on the security of AI applications and agents, has analyzed the 3,505 Claude Skills available on Clawhub. Clawhub is a primary marketplace for ‘skills’, which are essentially AI plugins. Claude describes Skills as “modular capabilities that extend Claude’s functionality [and] that Claude uses automatically when relevant.” Straiker found 71 Claude Skills that are overtly malicious, and a further 73 that exhibit high-risk behaviors. “The critical finding,” says researcher Dan Regalado, “was an active agent-to-agent attack chain operated by threat actor ‘26medias’ (in Clawhub) and ‘BobVonNeumann’ (in Moltbook and Twitter).” In this attack (which at the time of writing remains active), BobVonNeumann published the skill bob-p2p on Clawhub, posing as a decentralized API marketplace. What bob-p2p does, however, is instruct agents to store Solana wallet private keys in plaintext, purchase worthless $BOB tokens, and route the payment through an attacker controlled infrastructure. BobVonNeumann is effectively a human disguised as an agent on Moltbook. Moltbook is effectively a social media platform for AI agents. The premise is unusual, but humans can observe how agents interact with each other. The actor/agent used this arena to promote the skill to other agents, exploiting the implicit trust that exists between agents. Advertisement. Scroll to continue reading. But this was also social engineering. Agents that engaged with it, installed the skill, thereby granting access to users’ private keys and financial assets. “This compromise then spread laterally through automated agent collaboration, shared workflows, and dependency chains – no further human interaction required,” explains Regalado. He summarizes the impact as, “Financial loss for the human wallet owners behind compromised agents via unauthorized transactions and payment redirection.” Birdeye – itself an AI-based reputation tool – flags the $BOB token with a 100% probability that it is a ‘ rug pull ’ scam. “This represents a new attack class,” continues Regalado: “traditional supply chain poisoning combined with social engineering campaigns that target algorithms, not humans.” Agent Infection Chain (Image Credit: Straiker) The Bob P2P attack weaponizes the trust relationships between autonomous agents. While this campaign targets crypto wallets and steals money, the methodology has far wider potential that could be used by other attackers. “The Bob P2P case establishes the playbook,” explains Regaldo: “Create a convincing AI persona, embed it in agent social networks, build credibility with a benign skill first, then deploy the malicious payload through earned trust. That playbook is infinitely repeatable and scalable.” So, what can we expect? “Agent influence campaigns where coordinated networks of fake agent personas manipulate recommendations, rankings, and skill adoption across multiple platforms simultaneously,” he suggests. Autonomous AI agents trust but don’t adequately verify. Related : Security Analysis of Moltbook Agent Network: Bot-to-Bot Prompt Injection and Data Leaks Related : OpenClaw Security Issues Continue as SecureClaw Open Source Tool Debuts Related : Rethinking Security for Agentic AI Related : AI Security Firm Straiker Emerges From Stealth With $21M in Funding Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend OpenClaw Security Issues Continue as SecureClaw Open Source Tool Debuts Cyber Insights 2026: The Ongoing Fight to Secure Industrial Control Systems API Threats Grow in Scale as AI Expands the Blast Radius CISA Navigates DHS Shutdown With Reduced Staff Hacker Conversations: Professional Hacker Douglas Day RATs in the Machine: Inside a Pakistan-Linked Three-Pronged Cyber Assault on India New ‘ZeroDayRAT’ Spyware Kit Enables Total Compromise of iOS, Android Devices New Paper and Tool Help Security Teams Move Beyond Blind Reliance on CISA’s KEV Catalog Latest News Romanian Hacker Pleads Guilty to Selling Access to US State Network Hundreds of FortiGate Firewalls Hacked in AI-Powered Attacks: AWS Recent RoundCube Webmail Vulnerability Exploited in Attacks Mississippi Hospital System Closes All Clinics After Ransomware Attack PayPal Data Breach Led to Fraudulent Transactions Critical Grandstream Phone Vulnerability Exposes Calls to Interception NIST’s Quantum Breakthrough: Single Photons Produced on a Chip In Other News: Ransomware Shuts US Clinics, ICS Vulnerability Surge, European Parliament Bans AI Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Identity Under Attack: Why Every Business Must Respond Now February 11, 2026 Attendees will walk away with guidance for how to build robust identity defenses, unify them under a consistent security model, and ensure business operations move quickly without compromise. Register Virtual Event: Ransomware Resilience & Recovery 2026 Summit February 25, 2026 SecurityWeek’s 2026 Ransomware Summit will discuss a roadmap for defending the enterprise, from mitigating root causes to mastering recovery, giving security teams the critical insights needed to navigate and neutralize today’s ransomware extortion threats. Submit People on the Move Wealth management platform Envestnet announced the appointment of Rich Friedberg as CISO. Yuneeb Khan has been named Chief Financial Officer of KnowBe4, succeeding Bob Reich, who is retiring. Cyera has appointed Brandon Sweeney as President, Shira Azran as Chief Legal Officer and Joseph Iantosca as Chief Financial Officer. More People On The Move Expert Insights How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Security in the Dark: Recognizing the Signs of Hidden Information Security failures don’t always start with attackers, sometimes they start with missing truth. (Joshua Goldfarb) Living off the AI: The Next Evolution of Attacker Tradecraft Living off the AI isn’t a hypothetical but a natural continuation of the tradecraft we’ve all been defending against, now mapped onto assistants, agents, and MCP. (Etay Maor) Why We Can’t Let AI Take the Wheel of Cyber Defense The fastest way to squander the promise of AI is to mistake automation for assurance, and novelty for resilience. (Steve Durbin) The Upside Down is Real: What Stranger Things Teaches Us About Modern Cybersecurity To all those who are fighting the good fight in the world of cyber, keep collaborating to ensure our world never succumbs to the chaos of the Upside Down. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email