Emerging use of malware invoking AI: LameHug, s1ngularity, PromptLock (www.wiz.io)

Researchers have documented a string of recent malware campaigns that don’t just deliver AI-generated content to victims (phishing text, etc.) but instead embed prompts and call LLMs from the payloads to generate and execute commands on compromised hosts. Notable examples: LameHug (July 2025) sent base64-encoded prompts to HuggingFace asking for one-line command sequences to collect system info and copy documents; an attacker-modified Amazon Q VS Code extension (July 2025) attempted to run a prompt-driven agent to delete local files and cloud resources (the destructive command failed in customer environments); s1ngularity (Aug 2025) poisoned Nx packages on npm with payloads that called Claude/Gemini/Q to search files for wallets and secrets, using prompt engineering to try to bypass LLM guardrails; and PromptLock (Aug 2025), an academic project, used a local LLM to profile files and craft personalized ransom notes. Attackers abused CI (GitHub Actions, a novel CodeBuild technique) and supply chains to insert these capabilities. The technical and defensive implications are significant: invoking remote or local LLMs from malware can produce non-deterministic, variable code that sometimes fails (often due to guardrails), but also can evade signature-based detection and complicate sandbox detonation unless the analyst environment reproduces the LLM agent. Embedded API keys and service audit logs provide detection avenues, while local models remove remote control/auditing. Defenders should treat AI tools on hosts as privileged execution paths—monitor API use and AI-related processes, harden supply chains and CI, validate generated code before execution, and enforce controls so LLM-driven actions are authorized. This pattern appears early but could evolve into more adaptive, agentic malware if left unchecked.