We track the attack techniques that target the plugin layer specifically — not generic malware signatures. Here is each technique: how it works, what it looks like in the wild, and how PluginSec detects it.
A plugin is published purely to steal — wallets, private keys, API tokens, and credentials are harvested the moment it activates, often within an otherwise functional tool.
A "wallet helper" or popular-looking formatter that, on activation, scans the home directory and environment for keys and ships them to an attacker endpoint.
Every plugin is correlated against our threat intel and returns a clean / suspicious / malicious verdict; known-malicious publishers and payloads are blocked before activation.
A plugin that was trusted at install time silently auto-updates to a malicious version. The name, publisher, and listing are unchanged, so no one re-evaluates it.
A widely-installed extension changes hands or is compromised, and a later version quietly adds new host permissions and an exfiltration call.
We track the content hash and declared permissions of every version. A changed hash or new permission request surfaces the drift and re-triggers a verdict before the update runs.
Look-alike names and spoofed publishers trick developers into installing the wrong thing — a one-character-off package or a clone of a popular extension.
An npm package named one letter away from a popular library, or a "Prettier" extension from a publisher spelled prettir-team.
Name and publisher similarity to known-good packages is scored, and impersonation patterns are flagged as suspicious in the inventory.
Scope creep — a plugin requests far more access than its function needs, giving it a foothold for later abuse even if it is benign today.
A code formatter that suddenly requests network access, full filesystem read, and shell execution.
Declared permissions are captured per version and scored against the plugin's stated purpose; excessive or newly-added scopes raise the risk score.
A malicious MCP server ships crafted tool descriptions or payloads that manipulate the AI agent into unintended actions — exfiltrating data, running commands, or chaining into other tools.
An MCP "filesystem" helper whose tool description embeds instructions that hijack the agent the moment it is loaded.
MCP servers are first-class assets. We inventory each server's tools and endpoints and flag poisoned descriptions and suspicious tool surfaces.
A plugin quietly ships secrets, session cookies, tokens, or source to an attacker-controlled endpoint — often piggybacking on legitimate-looking network calls.
A browser extension that reads session cookies across every tab, or an IDE extension that uploads .env contents on save.
Exfiltration patterns and known bad endpoints feed the verdict; plugins exhibiting them are marked malicious and can be blocked or quarantined.
Shadow MCP configs are added to agents with no review — each is a local process with tool access and no security team in the loop.
A developer wires a random MCP server from a gist into Claude Code or Codex to save time; nobody else knows it exists.
We surface every MCP server and skill registered across your agents — registry-installed or hand-wired — so unvetted ones can no longer hide.
PluginSec is enterprise-only and onboarded by invitation. Tell us about your team and we'll set up a demo on your fleet.
