Guozhen AIGlobal AI field notes and model intelligence

Realtime AI News

Security Researcher Confirms 'Poison Nest' Backdoor Issues in Trae AI Plugin Market

Security researcher Cos (@evilcos) has verified that Trae's AI plugin marketplace harbors a 'poison nest' of backdoor plugins that persistently update and resist removal. The discovery exposes critical security vulnerabilities in the AI agent plugin ecosystem.

Published
安全研究员验证Trae AI插件市场存在"毒巢"后门问题,部分恶意插件持续更新难以清除
Image source: traecn.ai-kit.cn

Security researcher Cos (@evilcos) has confirmed a serious 'Poison Nest' backdoor problem in Trae AI's plugin marketplace. The term refers to a cluster of malicious plugins containing backdoors that demonstrate remarkable resilience, continuously receiving updates and persisting on the marketplace despite detection efforts.

Trae AI has been widely used by developers as an AI agent tool, with its plugin marketplace hosting numerous third-party extensions. According to Cos's findings, these backdoor plugins expose developers and regular users to severe security risks including data theft and remote system control.

This incident represents yet another major supply chain security breach in the AI industry. Browser extensions and open-source tools have historically been targeted for backdoor implants, but AI agent plugins amplify the risk significantly — they can access user context, read file systems, and even execute code, making the potential damage far greater than traditional software plugins.

The Trae platform now faces a crisis of trust. Key questions remain: whether the marketplace's review mechanism is robust enough, whether identified backdoor plugins have been removed, and how the platform will address its security vulnerabilities.

Industry-wide, this event could push AI plugin markets toward either centralized auditing or decentralized verification models. Security audit tools and trusted plugin platforms are likely to attract increased capital and user demand, while current plugin supply chain standards face pressure to accelerate formalization.

The AI agent ecosystem remains in its early stages of security governance. Similar backdoor incidents may emerge on other AI platforms, making effective plugin security review mechanisms and the balance between openness and safety a long-term challenge for the entire industry.

Why it matters

The Trae plugin backdoor vulnerability reveals critical weaknesses in AI agent supply chain security and may accelerate industry-wide adoption of plugin security standards and trusted marketplace mechanisms.

TraeAI SecurityPlugin Supply Chain
Back to realtime news

Nearby Updates

All

07/19, 14:00

TianPuLe Large Model Releases V4.7 with Enhanced AI Music Remixing and Cover Capabilities

Quwan Technology officially launched TianPuLe V4.7 at WAIC 2026, with major upgrades to remixing and cover song generation. The new version focuses on making AI-generated music easier to control and more suitable for iterative creative editing.

07/19, 14:40

MoleculeMind Shows AI Drug Design Across Two Modalities at WAIC 2026: Nanobodies and Cyclic Peptides Validated Within 30 Days

AI biotech company MoleculeMind presented new results at WAIC 2026 showing its MMDesign platform achieved over 70% first-round hit rates for de novo cyclic peptide design on p53-MDM2 and PD-L1 targets. This follows nanobody design validation just one month earlier, demonstrating the platform's extension from single-task models to cross-modal molecular design.

07/19, 12:55

Cline CLI 3.0.45 ships with unbundled AI providers to slash install footprint

Cline CLI 3.0.45 reduces its installation footprint by unbundling AI provider integrations into optional dependencies. Users now install only the backends they actually use instead of downloading all supported providers at once.

07/19, 14:56

Tencent Cloud Launches ADP 4.0 International Edition at WAIC, Says Agent Success Hinges on Scenarios

Tencent Cloud officially released the international version of ADP 4.0 at WAIC 2026, expanding its enterprise AI agent platform to global markets. Tencent Cloud VP Wu Yunsheng stated that the key to agent success lies in identifying genuinely valuable application scenarios.