The campaign spans npm, Packagist, Go, and Chrome, using obfuscated JavaScript loaders and VS Code tasks to deliver malware.
Researchers tested seven popular AI browsers and found four vulnerable to attacks that trick the AI agent into handing over personal data.