Valid certificates, stolen accounts: how attackers broke npm's last trust signal
Our take
The recent attack on the npm registry, where 633 malicious package versions successfully bypassed Sigstore provenance verification, is a stark reminder of the vulnerabilities that persist in our software development ecosystems. This incident, which leveraged valid signing certificates obtained through compromised maintainer accounts, highlights a critical gap in automated trust signals. As we embrace innovative tools for development, like those discussed in our article, Google goes for the glitter with disco-ball icons: ‘Are y’all sure you still want this?’, we must also acknowledge that such technology can be exploited if not adequately secured. The implications of this breach extend beyond just npm; it underscores a fundamental flaw in how trust is established within developer tools.
The incident did not occur in isolation. Similar vulnerabilities have been exposed across various AI coding CLI tools. Research teams have confirmed that the developer verification model is fundamentally broken, with multiple attack surfaces identified that could be exploited. This convergence of vulnerabilities presents a worrying trend where the tools designed to enhance developer productivity may inadvertently enable malicious actors. The attack on the Nx Console VS Code extension, which lasted less than 40 minutes but still resulted in 6,000 activations, exemplifies the ease with which these threats can propagate. This raises significant concerns about the efficacy of current verification processes and the urgency for more robust security measures.
What makes this situation particularly alarming is the growing sophistication of threat actors. The reports from security teams indicate that these attackers are not only stealing credentials but are also capable of publishing malicious packages that carry valid provenance attestations. This evolution in tactics means that traditional security measures may no longer suffice. The reliance on automated verification processes without a human-centric oversight may lead to further compromises that could jeopardize entire development environments. As outlined in our recent discussion about the potential for machine learning to automate C-suite duties, [Could ML be used to automate C-suite organizational duties? [D]](/post/could-ml-be-used-to-automate-c-suite-organizational-duties-d-cmphl40pb0cjrs0glc0hpmui9), the intersection of innovation and security must be managed with care to prevent technology from becoming a double-edged sword.
In light of these developments, organizations must take proactive steps to reassess their security practices. The audit grid presented in the analysis serves as a valuable resource for security directors to evaluate their current vendor contracts and implement necessary safeguards. This includes requiring two-party approvals for significant package publications and enforcing minimum-age policies for extension updates. As we move forward, the question remains: how can we evolve our verification models to ensure that they not only verify identities but also establish genuine trust? The answer will likely require a combination of enhanced security protocols, user education, and a shift in the development culture to prioritize security alongside innovation.
As we continue to explore the future of data management and the tools that shape our workflows, it is imperative to remain vigilant against emerging threats. The lessons learned from this incident should inform our approach to developing resilient systems that not only empower users but also safeguard their data and identities. The path forward will demand a collaborative effort among developers, security professionals, and tool vendors to create an ecosystem where trust is not just assumed but actively verified.
On May 19, 633 malicious npm package versions passed Sigstore provenance verification. They were cleared by the system because the attacker had generated valid signing certificates from a compromised maintainer account.
Sigstore worked exactly as designed: it verified the package was built in a CI environment, confirmed a valid certificate was issued, and recorded everything in the transparency log. What it cannot do is determine whether the person holding the credentials authorized the publish — and that gap turned the last automated trust signal in npm into camouflage.
One day earlier, StepSecurity documented an attack on the Nx Console VS Code extension, a widely used developer tool with more than 2.2 million lifetime installs. Version 18.95.0 was published using stolen credentials on May 18 and stayed live for under 40 minutes — but Nx internal telemetry showed approximately 6,000 activations during that window, most through auto-update, compared to just 28 official downloads. The payload harvested Claude Code configuration files, AWS keys, GitHub tokens, npm tokens, 1Password vault contents, and Kubernetes service account tokens.
The Mini Shai-Hulud campaign, attributed by multiple researchers to a financially motivated threat actor identified as TeamPCP, hit the npm registry at 01:39 UTC on May 19. Endor Labs detected the initial wave when two dormant packages, jest-canvas-mock and size-sensor, published new versions containing an obfuscated 498KB Bun script — neither had been updated in over three years, making a sudden version with raw GitHub commit hash dependencies a detection signal, but only if the tooling is watching.
By 02:06 UTC, the worm had propagated across the @antv data visualization ecosystem and dozens of unscoped packages, including echarts-for-react (~1.1 million weekly downloads). Socket raised the total to 639 compromised versions across 323 unique packages in this wave. Across the full campaign lifecycle, Socket has tracked 1,055 malicious versions across 502 packages spanning npm, PyPI, and Composer.
StepSecurity confirmed the payload contained full Sigstore integration. The attacker didn't just steal credentials; they could sign and publish downstream npm packages that carried valid provenance attestations.
These two incidents aren’t isolated. Research teams at Endor Labs, Socket, StepSecurity, Adversa AI, Johns Hopkins, Microsoft MSRC, and LayerX independently proved that the developer tool verification model is broken, and no vendor framework audits all of the attack surfaces that failed.
Seven attack surfaces failed in the 48 hours between May 18 and May 19 — npm provenance forgery, VS Code extension credential theft, MCP server auto-execution, CI/CD agent prompt injection, agent framework code execution, IDE credential storage exposure, and shadow AI data exposure — and the audit grid below maps each.
The verification model is broken across all four major AI coding CLIs
Adversa AI disclosed TrustFall on May 7, demonstrating that Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI all auto-execute project-defined MCP servers the moment a developer accepts a folder trust prompt. All four default to “Yes” or “Trust.” One keypress spawns an unsandboxed process with the developer’s full privileges.
The MCP server runs with enough privilege to read stored secrets and source code from other projects. On CI runners using Claude Code’s GitHub Action in headless mode, the trust dialog never renders. The attack executes with zero human interaction.
Johns Hopkins researchers Aonan Guan, Zhengyu Liu, and Gavin Zhong published “Comment and Control,” proving that a malicious instruction in a GitHub pull request title caused Claude Code Security Review to post its own API key as a comment. The same attack worked on Google’s Gemini CLI Action and GitHub’s Copilot Agent. Anthropic rated the vulnerability CVSS 9.4 Critical through its HackerOne program.
Microsoft MSRC disclosed two critical Semantic Kernel vulnerabilities on May 7. One routes attacker-controlled vector store fields into a Python eval() call; the other exposes a host-side file download method as a callable kernel function — meaning one poisoned document in a vector store launches a process on the host.
LayerX security researchers separately demonstrated that Cursor stores API keys and session tokens in unprotected storage, meaning any browser extension can access developer credentials without elevated permissions.
The threat actors hunting these credentials doubled their operational tempo
The Verizon 2026 Data Breach Investigations Report, released May 19, found that 67% of employees access AI services from non-corporate accounts on corporate devices. Shadow AI is now the third most common non-malicious insider action in DLP datasets. Source code leads all data types submitted to unauthorized AI platforms — the same asset class the npm worm campaign targeted.
The CrowdStrike 2026 Financial Services Threat Landscape Report, released May 14, documents the adversaries actively hunting the credential types these attacks harvest.
STARDUST CHOLLIMA tripled its operational tempo against financial entities in Q4 2025. CrowdStrike documented the group using AI-generated recruiter personas on LinkedIn and Telegram, sending malicious coding challenges that looked like technical assessments, and running fake video calls with synthetic environments. The targets are GitHub PATs, npm tokens, AWS keys, and CI/CD secrets. The shadow AI exposure in grid row 7 is the door they walk through.
Developer Tool Stolen-Identity Audit Grid
No vendor framework currently scopes all seven surfaces. This grid maps each one to the research that exposed it, what your stack cannot see, and the audit action to take before the next vendor renewal.
Attack Surface | Disclosed By | What Verification Failed | What Your Stack Cannot See | Audit Action |
1. npm provenance forgery | Endor Labs, Socket (May 19) | Sigstore certificates generated from stolen OIDC tokens pass automated verification | EDR and SAST do not validate whether the CI identity that signed a package authorized the publish | Require publish-time two-party approval for packages with more than 10,000 weekly downloads. Do not treat a green Sigstore badge as proof of legitimacy |
2. VS Code extension credential theft | StepSecurity (May 18) | VS Code Marketplace accepted a malicious extension version published with a stolen contributor token | Extension auto-updates bypass endpoint detection. Marketplace window 12:30 to 12:48 UTC; overall exposure (including Open VSX) 12:30 to 13:09 UTC | Enforce minimum-age policies for extension updates. Pin critical extension versions. Audit all extensions with access to terminal or file system APIs |
3. MCP server auto-execution | Adversa AI, TrustFall (May 7) | All four CLI trust dialogs default to “Yes/Trust” without enumerating which executables will spawn | EDR monitors process behavior, not what an LLM instructs an MCP server to do. WAF inspects HTTP payloads, not tool-call intent | Disable project-scoped MCP server auto-approval in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. Block .mcp.json in CI pipelines unless explicitly allowlisted |
4. CI/CD agent prompt injection | Johns Hopkins, Comment and Control (April 2026) | GitHub Actions workflows using pull_request_target inject secrets into runner environments that AI agents process as instructions | SIEM logs show an API call from a legitimate GitHub Action. The call itself is the attack. No anomalous network signature exists | Migrate AI code review workflows to pull_request trigger. Audit all workflows using pull_request_target with secret access for AI agent integrations |
5. Agent framework code execution | Microsoft MSRC (May 7) | Semantic Kernel Python SDK routed vector store filter fields into eval(). .NET SDK exposed host file-write as a callable kernel function | Application firewalls inspect input payloads. They do not inspect how an orchestration framework parses those payloads internally | Update Semantic Kernel Python SDK to 1.39.4 and .NET SDK to 1.71.0. Audit all agent frameworks for functions tagged as model-callable that access host file system or shell |
6. IDE credential storage exposure | LayerX (April 2026) | Cursor stores API keys and session tokens in unprotected storage accessible to any installed browser extension | DLP monitors data in transit. Cursor credentials at rest are invisible to DLP because no egress event occurs until the extension exfiltrates | Audit developer tools for credential storage practices. Require protected storage (OS keychain, encrypted credential stores) for all AI coding tool configurations |
7. Shadow AI data exposure | Verizon 2026 DBIR (May 19) | 67% of employees access AI services from non-corporate accounts on corporate devices. Source code is the leading data type submitted | CASB policies cover sanctioned SaaS. Non-corporate AI accounts on corporate devices operate outside CASB scope entirely | Deploy browser-layer AI governance that monitors non-corporate AI usage on corporate devices. Inventory AI browser extensions across the organization |
Security director action plan
Security directors may want to run this grid against current vendor contracts before Q2 renewals close — asking each vendor which of the seven surfaces their product covers, and treating the non-answers as the gap map.
Any credential accessible from a developer machine or CI runner that installed affected npm packages between 01:39 and 02:18 UTC on May 19 should be considered compromised. That includes GitHub PATs, npm tokens, AWS access keys, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and 1Password vault contents.
AI coding agent integrations running in CI/CD pipelines with pull_request_target workflows deserve a close look. Each one is a prompt injection surface that processes PR comments as agent instructions.
Procurement teams evaluating AI coding tools should consider adding a stolen-identity resistance dimension to vendor assessments. The question worth asking: can the vendor demonstrate how their tool distinguishes a legitimate maintainer publish from an attacker using compromised credentials? If they cannot, the tool is not a verification layer.
The developer tool supply chain has the same problem IAM had a decade ago: credentials prove who you claim to be, not who you are. IAM got a 10-year head start on compensating controls before nation-state groups turned credential theft into an industrial operation. The AI coding tool ecosystem is starting that clock now.
Read on the original site
Open the publisher's page for the full experience
Related Articles
- Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable stepsAny development environment that installed or imported one of the 172 compromised npm or PyPI packages published since May 11 should be treated as potentially compromised. On affected developer workstations, the worm harvests credentials from over 100 file paths: AWS keys, SSH private keys, npm tokens, GitHub PATs, HashiCorp Vault tokens, Kubernetes service accounts, Docker configs, shell history, and cryptocurrency wallets. For the first time in a TeamPCP campaign, it targets password managers including 1Password and Bitwarden, according to SecurityWeek. It steals Claude and Kiro AI agent configurations, including MCP server auth tokens for every external service an agent connects to. And it does not leave when the package is removed. The worm installs persistence in Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json with runOn: folderOpen) that re-execute every project open, plus a system daemon (macOS LaunchAgent / Linux systemd) that survives reboots. These live in the project tree, not in node_modules. Uninstalling the package does not remove them. On CI runners, the worm reads runner process memory directly via /proc/pid/mem to extract secrets, including masked ones, on Linux-based runners. If you revoke tokens before isolating the machine, Wiz’s analysis found a destructive daemon wipes your home directory. Between 19:20 and 19:26 UTC on May 11, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. Within 48 hours the campaign expanded to 172 packages across 403 malicious versions spanning npm and PyPI, according to Mend’s tracking. @tanstack/react-router alone receives 12.7 million weekly downloads. CVE-2026-45321, CVSS 9.6. OX Security reported 518 million cumulative downloads affected. Every malicious version carried a valid SLSA Build Level 3 provenance attestation. The provenance was real. The packages were poisoned. “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway,” Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat in an exclusive interview. “What the orphaned commit technique shows is that OIDC scope is the actual control that matters here, not provenance, not 2FA. If your publish pipeline trusts the entire repository rather than a specific workflow on a specific branch, a commit with no parent history and no branch association is enough to get a valid publish token. That’s a one-line configuration fix.” Three vulnerabilities chained into one provenance-attested worm TanStack’s postmortem lays out the kill chain. On May 10, the attacker forked TanStack/router under the name zblgg/configuration, chosen to avoid fork-list searches per Snyk’s analysis. A pull request triggered a pull_request_target workflow that checked out fork code and ran a build, giving the attacker code execution on TanStack’s runner. The attacker poisoned the GitHub Actions cache. When a legitimate maintainer merged to main, the release workflow restored the poisoned cache. Attacker binaries read /proc/pid/mem, extracted the OIDC token, and POSTed directly to registry.npmjs.org. Tests failed. Publish was skipped. 84 signed packages still reached the registry. “Each vulnerability bridges the trust boundary the others assumed,” the postmortem states. Published tradecraft from the March 2025 tj-actions/changed-files compromise, recombined in a new context. The worm crossed from npm into PyPI within hours Microsoft Threat Intelligence confirmed the mistralai PyPI package v2.4.6 executes on import (not on install), downloading a payload disguised as Hugging Face Transformers. npm mitigations (lockfile enforcement, --ignore-scripts) do not cover Python import-time execution. Mistral AI published a security advisory confirming the impact. Compromised npm packages were available between May 11 at 22:45 UTC and May 12 at 01:53 UTC (roughly three hours). The PyPI release mistralai==2.4.6 is quarantined. Mistral stated an affected developer device was involved but no Mistral infrastructure was compromised. SafeDep confirmed Mistral never released v2.4.6; no commits landed May 11 and no tag exists. Wiz documented the full blast radius: 65 UiPath packages, Mistral AI SDKs, OpenSearch, Guardrails AI, 20 Squawk packages. StepSecurity attributes the campaign to TeamPCP, based on toolchain overlap with prior Shai-Hulud waves and the Bitwarden CLI/Trivy compromises. The worm runs under Bun rather than Node.js to evade Node.js security monitoring. The attacker treated AI coding agents as part of the trusted execution environment Socket’s technical analysis of the 2.3 MB router_init.js payload identifies ten credential-collection classes running in parallel. The worm writes persistence into .claude/ and .vscode/ directories, hooking Claude Code’s SessionStart config and VS Code’s folder-open task runner. StepSecurity’s deobfuscation confirmed the worm also harvests Claude and Kiro MCP server configurations (~/.claude.json, ~/.claude/mcp.json, ~/.kiro/settings/mcp.json), which store API keys and auth tokens for external services. This is an early but confirmed instance of supply-chain malware treating AI agent configurations as high-value credential targets. The npm token description the worm sets reads: “IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.” It is not a bluff. “What stood out to me about this payload is where it planted itself after running,” Kennedy told VentureBeat. “It wrote persistence hooks into Claude Code’s SessionStart config and VS Code’s folder-open task runner so it would re-execute every time a developer opened a project, even after the npm package was removed. The attacker treated the AI coding agent as part of the trusted execution environment, which it is. These tools read your repo, run shell commands, and have access to the same secrets a developer does. Securing a development environment now means thinking about the agents, not just the packages.” CI/CD Trust-Chain Audit Grid Six gaps Mini Shai-Hulud exploited. What your CI/CD does today. The control that closes each one. Audit question What your CI/CD does today The gap 1. Pin OIDC trusted publishing to a specific workflow file on a specific protected branch. Constrain id-token: write to only the publish job. Ensure that job runs from a clean workspace with no restored untrusted cache Most orgs grant OIDC trust at the repository level. Any workflow run in the repo can request a publish token. id-token: write is often set at the workflow level, not scoped to the publish job. The worm achieved code execution inside the legitimate release workflow via cache poisoning, then extracted the OIDC token from runner process memory. Branch/workflow pinning alone would not have stopped this attack because the malicious code was already running inside the pinned workflow. The complete fix requires pinning PLUS constraining id-token: write to only the publish job PLUS ensuring that job uses a clean, unshared cache. 2. Treat SLSA provenance as necessary but not sufficient. Add behavioral analysis at install time Teams treat a valid Sigstore provenance badge as proof a package is safe. npm audit signatures passes. The badge is green. Procurement and compliance workflows accept provenance as a gate. All 84 malicious TanStack versions carry valid SLSA Build Level 3 provenance attestations. First widely reported npm worm with validly-attested packages. Provenance attests where a package was built, not whether the build was authorized. Socket’s AI scanner flagged all 84 artifacts within six minutes of publication. Provenance flagged zero. 3. Isolate GitHub Actions cache per trust boundary. Invalidate caches after suspicious PRs. Never check out and execute fork code in pull_request_target workflows Fork-triggered workflows and release workflows share the same cache namespace. Closing or reverting a malicious PR is treated as restoring clean state. pull_request_target is widely used for benchmarking and bundle-size analysis with fork PR checkout. Attacker poisoned pnpm store via fork-triggered pull_request_target that checked out and executed fork code on the base runner. Cache survived PR closure. The next legitimate release workflow restored the poisoned cache on merge. actions/cache@v5 uses a runner-internal token for cache saves, not the workflow’s GITHUB_TOKEN, so permissions: contents: read does not prevent mutation. Kennedy: 'Branch protection rules don’t apply to commits that aren’t on any branch, so that whole layer of hardening didn’t help.' 4. Audit optionalDependencies in lockfiles and dependency graphs. Block github: refs pointing to non-release commits Static analysis and lockfile enforcement focus on dependencies and devDependencies. optionalDependencies with github: commit refs are not flagged by most tools. The worm injected optionalDependencies pointing to a github: orphan commit in the attacker’s fork. When npm resolves a github: dependency, it clones the referenced commit and runs lifecycle hooks (including prepare) automatically. The payload executed before the main package’s own install step completed. SafeDep confirmed Mistral never released v2.4.6; no commits landed and no tag exists. 5. Audit Python dependency imports separately from npm controls. Cover AI/ML pipelines consuming guardrails-ai, mistralai, or any compromised PyPI package npm mitigations (lockfile enforcement, --ignore-scripts) are applied to the JavaScript stack. Python packages are assumed safe if pip install completes. AI/ML CI pipelines are treated as internal testing infrastructure, not as supply-chain attack targets. Microsoft Threat Intelligence confirmed mistralai PyPI v2.4.6 executes on import, not install. Injected code in __init__.py downloads a payload disguised as Hugging Face Transformers. --ignore-scripts is irrelevant for Python import-time execution. guardrails-ai@0.10.1 also executes on import. Any agentic repo with GitHub Actions id-token: write is exposed to the same OIDC extraction technique. LLM API keys, vector DB credentials, and external service tokens all in the blast radius. 6. Isolate and image affected machines before revoking stolen tokens. Do not revoke npm tokens until the host is forensically preserved Standard incident response: revoke compromised tokens first, then investigate. npm token list and immediate revocation is the instinctive first step. The worm installs a persistent daemon (macOS LaunchAgent / Linux systemd) that polls GitHub every 60 seconds. On detecting token revocation (40X error), it triggers rm -rf ~/, wiping the home directory. The npm token description reads: 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner.' Microsoft reported geofenced destructive behavior: a 1-in-6 chance of rm -rf / on systems appearing to be in Israel or Iran. Kennedy: 'Even after the package is gone, the payload may still be sitting in .claude/ with a SessionStart hook pointing at it. rm -rf node_modules doesn’t remove it.' Sources: TanStack postmortem, StepSecurity, Socket, Snyk, Wiz, Microsoft Threat Intelligence, Mend, Endor Labs. May 12, 2026. Security director action plan Today: “The fastest check is find . -name 'router_init.js' -size +1M and grep -r '79ac49eedf774dd4b0cfa308722bc463cfe5885c' package-lock.json,” Kennedy said. If either returns a hit, isolate and image the machine immediately. Do not revoke tokens until the host is forensically preserved. The worm’s destructive daemon triggers on revocation. Once the machine is isolated, rotate credentials in this order: npm tokens first, then GitHub PATs, then cloud keys. Hunt for .claude/settings.json and .vscode/tasks.json persistence artifacts across every project that was open on the affected machine. This week: Rotate every credential accessible from affected hosts: npm tokens, GitHub PATs, AWS keys, Vault tokens, K8s service accounts, SSH keys. Check your packages for unexpected versions after May 11 with commits by claude@users.noreply.github.com. Block filev2.getsession[.]org and git-tanstack[.]com. This month: Audit every GitHub Actions workflow against the six gaps above. Pin OIDC publishing to specific workflows on protected branches. Isolate cache keys per trust boundary. Set npm config set min-release-age=7d. For AI/ML teams: check guardrails-ai and mistralai against compromised versions, audit CI pipelines for id-token: write exposure, and rotate every LLM API key and vector DB credential accessible from CI. This quarter (board-level): Fund behavioral analysis at the package registry layer. Provenance verification alone is no longer a sufficient procurement criterion for supply-chain security tooling. Require CI/CD security audits as part of vendor risk assessments for any tool with publish access to your registries. Establish a policy that no workflow with id-token: write runs from a shared cache. Treat AI coding agent configurations (.claude/, .kiro/, .vscode/) as credential stores subject to the same access controls as cloud key vaults. The worm is iterating. Defenders must, as well This is the fifth Shai-Hulud wave in eight months. Four SAP packages became 84 TanStack packages in two weeks. intercom-client@7.0.4 fell 29 hours later, confirming active propagation through stolen CI/CD infrastructure. Late on May 12, malware research collective vx-underground reported that the fully weaponized Shai-Hulud worm code has been open-sourced. If confirmed, this means the attack is no longer limited to TeamPCP. Any threat actor can now deploy the same cache-poisoning, OIDC-extraction, and provenance-attested publishing chain against any npm or PyPI package with a misconfigured CI/CD pipeline. “We’ve been tracking this campaign family since September 2025,” Kennedy said. “Each wave has picked a higher-download target and introduced a more technically interesting access vector. The orphaned commit technique here is genuinely novel. Branch protection rules don’t apply to commits that aren’t on any branch. The supply chain security space has spent a lot of energy on provenance and trusted publishing over the last two years. This attack walked straight through both of those controls because the gap wasn’t in the signing. It was in the scope.” Provenance tells you where a package was built. It does not tell you whether the build was authorized. That is the gap this audit is designed to close.
- Claude Code, Copilot and Codex all got hacked. Every attacker went for the credential, not the model.On March 30, BeyondTrust proved that a crafted GitHub branch name could steal Codex’s OAuth token in cleartext. OpenAI classified it Critical P1. Two days later, Anthropic’s Claude Code source code spilled onto the public npm registry, and within hours, Adversa found Claude Code silently ignored its own deny rules once a command exceeded 50 subcommands. These were not isolated bugs. They were the latest in a nine-month run: six research teams disclosed exploits against Codex, Claude Code, Copilot, and Vertex AI, and every exploit followed the same pattern. An AI coding agent held a credential, executed an action, and authenticated to a production system without a human session anchoring the request. The attack surface was first demonstrated at Black Hat USA 2025, when Zenity CTO Michael Bargury hijacked ChatGPT, Microsoft Copilot Studio, Google Gemini, Salesforce Einstein and Cursor with Jira MCP on stage with zero clicks. Nine months later, those credentials are what attackers reached. Merritt Baer, CSO at Enkrypt AI and former Deputy CISO at AWS, named the failure in an exclusive VentureBeat interview. “Enterprises believe they’ve ‘approved’ AI vendors, but what they’ve actually approved is an interface, not the underlying system.” The credentials underneath the interface are the breach. Codex, where a branch name stole GitHub tokens BeyondTrust researcher Tyler Jespersen, with Fletcher Davis and Simon Stewart, found Codex cloned repositories using a GitHub OAuth token embedded in the git remote URL. During cloning, the branch name parameter flowed unsanitized into the setup script. A semicolon and a backtick subshell turned the branch name into an exfiltration payload. Stewart added the stealth. By appending 94 Ideographic Space characters (Unicode U+3000) after “main,” the malicious branch looked identical to the standard main branch in the Codex web portal. A developer sees “main.” The shell sees curl exfiltrating their token. OpenAI classified it Critical P1 and shipped full remediation by February 5, 2026. Claude Code, where two CVEs and a 50-subcommand bypass broke the sandbox CVE-2026-25723 hit Claude Code’s file-write restrictions. Piped sed and echo commands escaped the project sandbox because command chaining was not validated. Patched in 2.0.55. CVE-2026-33068 was subtler. Claude Code resolved permission modes from .claude/settings.json before showing the workspace trust dialog. A malicious repo set permissions.defaultMode to bypassPermissions. The trust prompt never appeared. Patched in 2.1.53. The 50-subcommand bypass landed last. Adversa found that Claude Code silently dropped deny-rule enforcement once a command exceeded 50 subcommands. Anthropic’s engineers had traded security for speed and stopped checking after the fiftieth. Patched in 2.1.90. “A significant vulnerability in enterprise AI is broken access control, where the flat authorization plane of an LLM fails to respect user permissions,” wrote Carter Rees, VP of AI and Machine Learning at Reputation and a member of the Utah AI Commission. The repository decided what permissions the agent had. The token budget decided which deny rules survived. Copilot, where a pull request description and a GitHub issue both became root Johann Rehberger demonstrated CVE-2025-53773 against GitHub Copilot with Markus Vervier of Persistent Security as co-discoverer. Hidden instructions in PR descriptions triggered Copilot to flip auto-approve mode in .vscode/settings.json. That disabled all confirmations and granted unrestricted shell execution across Windows, macOS, and Linux. Microsoft patched it in the August 2025 Patch Tuesday release. Then, Orca Security cracked Copilot inside GitHub Codespaces. Hidden instructions in a GitHub issue manipulated Copilot into checking out a malicious PR with a symbolic link to /workspaces/.codespaces/shared/user-secrets-envs.json. A crafted JSON $schema URL exfiltrated the privileged GITHUB_TOKEN. Full repository takeover. Zero user interaction beyond opening the issue. Mike Riemer, CTO at Ivanti, framed the speed dimension in a VentureBeat interview: “Threat actors are reverse engineering patches within 72 hours. If a customer doesn’t patch within 72 hours of release, they’re open to exploit.” Agents compress that window to seconds. Vertex AI, where default scopes reached Gmail, Drive and Google’s own supply chain Unit 42 researcher Ofir Shaty found that the default Google service identity attached to every Vertex AI agent had excessive permissions. Stolen P4SA credentials granted unrestricted read access to every Cloud Storage bucket in the project and reached restricted, Google-owned Artifact Registry repositories at the core of the Vertex AI Reasoning Engine. Shaty described the compromised P4SA as functioning like a "double agent," with access to both user data and Google's own infrastructure. VentureBeat defense grid Security requirement Defense shipped Exploit path The gap Sandbox AI agent execution Codex runs tasks in cloud containers; token scrubbed during agent runtime. Token present during cloning. Branch-name command injection executed before cleanup. No input sanitization on container setup parameters. Restrict file system access Claude Code sandboxes writes via accept-edits mode. Piped sed/echo escaped sandbox (CVE-2026-25723). Settings.json bypassed trust dialog (CVE-2026-33068). 50-subcommand chain dropped deny-rule enforcement. Command chaining not validated. Settings loaded before trust. Deny rules truncated for performance. Block prompt injection in code context Copilot filters PR descriptions for known injection patterns. Hidden injections in PRs, README files, and GitHub issues triggered RCE (CVE-2025-53773 + Orca RoguePilot). Static pattern matching loses to embedded prompts in legitimate review and Codespaces flows. Scope agent credentials to least privilege Vertex AI Agent Engine uses P4SA service agent with OAuth scopes. Default scopes reached Gmail, Calendar, Drive. P4SA credentials read every Cloud Storage bucket and Google’s Artifact Registry. OAuth scopes non-editable by default. Least privilege violated by design. Inventory and govern agent identities No major AI coding agent vendor ships agent identity discovery or lifecycle management. Not attempted. Enterprises do not inventory AI coding agents, their credentials, or their permission scopes. AI coding agents are invisible to IAM, CMDB, and asset inventory. Zero governance exists. Detect credential exfiltration from agent runtime Codex obscures tokens in web portal view. Claude Code logs subcommands. Tokens visible in cleartext inside containers. Unicode obfuscation hid exfil payloads. Subcommand chaining hid intent. No runtime monitoring of agent network calls. Log truncation hid the bypass. Audit AI-generated code for security flaws Anthropic launched Claude Code Security (Feb 2026). OpenAI launched Codex Security (March 2026). Both scan generated code. Neither scans the agent’s own execution environment or credential handling. Code-output security is not agent-runtime security. The agent itself is the attack surface. Every exploit targeted runtime credentials, not model output Every vendor shipped a defense. Every defense was bypassed. The Sonar 2026 State of Code Developer Survey found 25% of developers use AI agents regularly, and 64% have started using them. Veracode tested more than 100 LLMs and found 45% of generated code samples introduced OWASP Top 10 flaws, a separate failure that compounds the runtime credential gap. CrowdStrike CTO Elia Zaitsev framed the rule in an exclusive VentureBeat interview at RSAC 2026: collapse agent identities back to the human, because an agent acting on your behalf should never have more privileges than you do. Codex held a GitHub OAuth token scoped to every repository the developer authorized. Vertex AI’s P4SA read every Cloud Storage bucket in the project. Claude Code traded deny-rule enforcement for token budget. Kayne McGladrey, an IEEE Senior Member who advises enterprises on identity risk, made the same diagnosis in an exclusive interview with VentureBeat. "It uses far more permissions than it should have, more than a human would, because of the speed of scale and intent." Riemer drew the operational line in an exclusive VentureBeat interview. "It becomes, I don't know you until I validate you." The branch name talked to the shell before validation. The GitHub issue talked to Copilot before anyone read it. Security director action plan Inventory every AI coding agent (CIEM). Codex, Claude Code, Copilot, Cursor, Gemini Code Assist, Windsurf. List the credentials and OAuth scopes each received at setup. If your CMDB has no category for AI agent identities, create one. Audit OAuth scopes and patch levels. Upgrade Claude Code to 2.1.90 or later. Verify Copilot's August 2025 patch. Migrate Vertex AI to the bring-your-own-service-account model. Treat branch names, pull request descriptions, GitHub issues, and repo configuration as untrusted input. Monitor for Unicode obfuscation (U+3000), command chaining over 50 subcommands, and changes to .vscode/settings.json or .claude/settings.json that flip permission modes. Govern agent identities the way you govern human privileged identities (PAM/IGA). Credential rotation. Least-privilege scoping. Separation of duties between the agent that writes code and the agent that deploys it. CyberArk, Delinea, and any PAM platform that accepts non-human identities can onboard agent OAuth credentials today; Gravitee's 2026 survey found only 21.9% of teams have done it. Validate before you communicate. "As long as we trust and we check and we validate, I'm fine with letting AI maintain it," Riemer said. Before any AI coding agent authenticates to GitHub, Gmail, or an internal repository, verify the agent's identity, scope, and the human session it is bound to. Ask each vendor in writing before your next renewal. "Show me the identity lifecycle management controls for the AI agent running in my environment, including credential scope, rotation policy, and permission audit trail." If the vendor cannot answer, that is the audit finding. The governance gap in three sentences Most CISOs inventory every human identity and have zero inventory of the AI agents running with equivalent credentials. No IAM framework governs human privilege escalation and agent privilege escalation with the same rigor. Most scanners track every CVE but cannot alert when a branch name exfiltrates a GitHub token through a container that developers trust by default. Zaitsev's advice to RSAC 2026 attendees was blunt: you already know what to do. Agents just made the cost of not doing it catastrophic.
- GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDKGitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and authorship platform. The threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is advertising the stolen repositories for sale starting at $50,000. GitHub’s assessment: the attacker’s claim is “directionally consistent” with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March. The GitHub breach did not land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered TeamPCP had compromised Microsoft’s durabletask Python SDK on PyPI, and the same morning Verizon’s 2026 DBIR revealed that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed in 48 hours. Two more AI-agent attack classes were disclosed the same month that completed the grid. One group connects at least three of them. GitHub confirms the breach, names the attack vector, and the attribution trail is long "Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight with the highest-impact credentials prioritized first. GitHub’s confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not a data breach. It is an infrastructure intelligence leak. Dark Web Informer reported that TeamPCP’s listing appeared on a hacking forum hours before GitHub’s initial disclosure, advertising around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.” Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub’s May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the exact attack surface TeamPCP weaponized throughout 2026. Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure’s honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running. The worm that forges its own provenance badge Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader tracking put the full wave at 639 malicious versions across 323 packages inside Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads. This wave introduced provenance forgery. The worm now calls Fulcio and Rekor at runtime to generate valid Sigstore signing certificates for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It does not prove the build was authorized," Endor Labs stated. Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting access vector.” Late on May 12, vx-underground reported that TeamPCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy provided VentureBeat a first-pass detection check: run find . -name ‘router_init.js’ -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm’s destructive daemon triggers on revocation. GitHub Actions tags redirected to imposter commits the same day Also on May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action’s normal commit history. “That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action,” StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository. The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected. The worm jumped to Microsoft’s own Python SDK the same day Hours after the @antv wave, Wiz detected that TeamPCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions. StepSecurity’s analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads. VS Code extensions breached GitHub itself, and that is not even the first compromise this week On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure. As one X user framed it: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain stayed inside one vendor’s ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself. AI coding agents treat trust dialogs as features, not security events Adversa AI’s TrustFall research, published May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders. PR comments became agent instructions Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical. Prompt injection reaches eval() through legitimate API calls Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps. Social channels deliver the payload where EDR has no signal CrowdStrike’s 2026 Financial Services Threat Landscape Report, released May 14, quantified identity theft scaling outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its tempo. The primary delivery channels: WhatsApp and LinkedIn, where EDR has no signal. “Financial services organizations face threats from every direction, and AI is making each of them harder to stop,” Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.” His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds. Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key. Shadow AI usage tripled in one year The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%. The Developer Tool Stolen-Identity Audit Grid No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well." Surface Incident / Vector Visibility Gap Recommended Action GitHub internal repositories TeamPCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships npm provenance verification Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime Provenance check passes. Signing identity is stolen. 16M weekly downloads affected Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge VS Code extension auto-update Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs Auto-update executes credential stealer silently. No detection category exists Pin extension versions. Audit auto-update policy. Review publisher token governance AI coding agent CLI trust dialog TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress Trust dialog is a feature, not a security event. Headless CI skips dialog entirely Disable enableAllProjectMcpServers. Require explicit per-server approval CI/CD pipeline agent execution Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions Malicious .mcp.json runs with runner’s full credentials. Zero human interaction Gate agent runs to post-merge branches. Review pull_request_target workflows AI agent framework eval() path Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() EDR sees approved call. Flat auth plane fails to respect user permissions Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation Out-of-band delivery CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo EDR has no signal on social-channel delivery. AI-generated identities at scale Add WhatsApp and LinkedIn to insider-threat playbooks Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl starts on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities do not appear in any control catalog McGladrey has encountered.
- In the wake of Claude Code's source code leak, 5 actions enterprise security leaders should take nowEvery enterprise running AI coding agents has just lost a layer of defense. On March 31, Anthropic accidentally shipped a 59.8 MB source map file inside version 2.1.88 of its @anthropic-ai/claude-code npm package, exposing 512,000 lines of unobfuscated TypeScript across 1,906 files. The readable source includes the complete permission model, every bash security validator, 44 unreleased feature flags, and references to upcoming models Anthropic has not announced. Security researcher Chaofan Shou broadcast the discovery on X by approximately 4:23 UTC. Within hours, mirror repositories had spread across GitHub. Anthropic confirmed the exposure was a packaging error caused by human error. No customer data or model weights were involved. But containment has already failed. The Wall Street Journal reported Wednesday morning that Anthropic had filed copyright takedown requests that briefly resulted in the removal of more than 8,000 copies and adaptations from GitHub. However, an Anthropic spokesperson told VentureBeat that the takedown was intended to be more limited: "We issued a DMCA takedown against one repository hosting leaked Claude Code source code and its forks. The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended. We retracted the notice for everything except the one repo we named, and GitHub has restored access to the affected forks." Programmers have already used other AI tools to rewrite Claude Code's functionality in other programming languages. Those rewrites are themselves going viral. The timing was worse than the leak alone. Hours before the source map shipped, malicious versions of the axios npm package containing a remote access trojan went live on the same registry. Any team that installed or updated Claude Code via npm between 00:21 and 03:29 UTC on March 31 may have pulled both the exposed source and the unrelated axios malware in the same install window. A same-day Gartner First Take (subscription required) said the gap between Anthropic's product capability and operational discipline should force leaders to rethink how they evaluate AI development tool vendors. Claude Code is the most discussed AI coding agent among Gartner's software engineering clients. This was the second leak in five days. A separate CMS misconfiguration had already exposed nearly 3,000 unpublished internal assets, including draft announcements for an unreleased model called Claude Mythos. Gartner called the cluster of March incidents a systemic signal. What 512,000 lines reveal about production AI agent architecture The leaked codebase is not a chat wrapper. It is the agentic harness that wraps Claude's language model and gives it the ability to use tools, manage files, execute bash commands, and orchestrate multi-agent workflows. The WSJ described the harness as what allows users to control and direct AI models, much like a harness allows a rider to guide a horse. Fortune reported that competitors and legions of startups now have a detailed road map to clone Claude Code's features without reverse engineering them. The components break down fast. A 46,000-line query engine handles context management through three-layer compression and orchestrates 40-plus tools, each with self-contained schemas and per-tool granular permission checks. And 2,500 lines of bash security validation run 23 sequential checks on every shell command, covering blocked Zsh builtins, Unicode zero-width space injection, IFS null-byte injection, and a malformed token bypass discovered during a HackerOne review. Gartner caught a detail most coverage missed. Claude Code is 90% AI-generated, per Anthropic's own public disclosures. Under the current U.S. copyright law requiring human authorship, the leaked code carries diminished intellectual property protection. The Supreme Court declined to revisit the human authorship standard in March 2026. Every organization shipping AI-generated production code faces this same unresolved IP exposure. Three attack paths, the readable source makes it cheaper to exploit The minified bundle already shipped with every string literal extractable. What the readable source eliminates is the research cost. A technical analysis from Straiker's Jun Zhou, an agentic AI security company, mapped three compositions that are now practical, not theoretical, because the implementation is legible. Context poisoning via the compaction pipeline. Claude Code manages context pressure through a four-stage cascade. MCP tool results are never microcompacted. Read tool results skip budgeting entirely. The autocompact prompt instructs the model to preserve all user messages that are not tool results. A poisoned instruction in a cloned repository's CLAUDE.md file can survive compaction, get laundered through summarization, and emerge as what the model treats as a genuine user directive. The model is not jailbroken. It is cooperative and follows what it believes are legitimate instructions. Sandbox bypass through shell parsing differentials. Three separate parsers handle bash commands, each with different edge-case behavior. The source documents a known gap where one parser treats carriage returns as word separators, while bash does not. Alex Kim's review found that certain validators return early-allow decisions that short-circuit all subsequent checks. The source contains explicit warnings about the past exploitability of this pattern. The composition. Context poisoning instructs a cooperative model to construct bash commands sitting in the gaps of the security validators. The defender's mental model assumes an adversarial model and a cooperative user. This attack inverts both. The model is cooperative. The context is weaponized. The outputs look like commands a reasonable developer would approve. Elia Zaitsev, CrowdStrike's CTO, told VentureBeat in an exclusive interview at RSAC 2026 that the permission problem exposed in the leak reflects a pattern he sees across every enterprise deploying agents. "Don't give an agent access to everything just because you're lazy," Zaitsev said. "Give it access to only what it needs to get the job done." He warned that open-ended coding agents are particularly dangerous because their power comes from broad access. "People want to give them access to everything. If you're building an agentic application in an enterprise, you don't want to do that. You want a very narrow scope." Zaitsev framed the core risk in terms that the leaked source validates. "You may trick an agent into doing something bad, but nothing bad has happened until the agent acts on that," he said. That is precisely what the Straiker analysis describes: context poisoning turns the agent cooperative, and the damage happens when it executes bash commands through the gaps in the validator chain. What the leak exposed and what to audit The table below maps each exposed layer to the attack path it enables and the audit action it requires. Print it. Take it to Monday's meeting. Exposed Layer What the Leak Revealed Attack Path Enabled Defender Audit Action 4-stage compaction pipeline Exact criteria for what survives each stage. MCP tool results are never microcompacted. Read results, skip budgeting. Context poisoning: malicious instructions in CLAUDE.md survive compaction and get laundered into 'user directives'. Audit every CLAUDE.md and .claude/config.json in cloned repos. Treat as executable, not metadata. Bash security validators (2,500 lines, 23 checks) Full validator chain, early-allow short circuits, three-parser differentials, blocked pattern lists Sandbox bypass: CR-as-separator gap between parsers. Early-allow in git validators bypasses all downstream checks. Restrict broad permission rules (Bash(git:*), Bash(echo:*)). Redirect operators chain with allowed commands to overwrite files. MCP server interface contract Exact tool schemas, permission checks, and integration patterns for all 40+ built-in tools Malicious MCP servers that match the exact interface. Supply chain attacks are indistinguishable from legitimate servers. Treat MCP servers as untrusted dependencies. Pin versions. Monitor for changes. Vet before enabling. 44 feature flags (KAIROS, ULTRAPLAN, coordinator mode) Unreleased autonomous agent mode, 30-min remote planning, multi-agent orchestration, background memory consolidation Competitors accelerate the development of comparable features. Future attack surface previewed before defenses ship. Monitor for feature flag activation in production. Inventory where agent permissions expand with each release. Anti-distillation and client attestation Fake tool injection logic, Zig-level hash attestation (cch=00000), GrowthBook feature flag gating Workarounds documented. MITM proxy strips anti-distillation fields. Env var disables experimental betas. Do not rely on vendor DRM for API security. Implement your own API key rotation and usage monitoring. Undercover mode (undercover.ts) 90-line module strips AI attribution from commits. Force ON possible, force OFF impossible. Dead-code-eliminated in external builds. AI-authored code enters repos with no attribution. Provenance and audit trail gaps for regulated industries. Implement commit provenance verification. Require AI disclosure policies for development teams using any coding agent. AI-assisted code is already leaking secrets at double the rate GitGuardian's State of Secrets Sprawl 2026 report, published March 17, found that Claude Code-assisted commits leaked secrets at a 3.2% rate versus the 1.5% baseline across all public GitHub commits. AI service credential leaks surged 81% year-over-year to 1,275,105 detected exposures. And 24,008 unique secrets were found in MCP configuration files on public GitHub, with 2,117 confirmed as live, valid credentials. GitGuardian noted the elevated rate reflects human workflow failures amplified by AI speed, not a simple tool defect. The operational pattern Gartner is tracking Feature velocity compounded the exposure. Anthropic shipped over a dozen Claude Code releases in March, introducing autonomous permission delegation, remote code execution from mobile devices, and AI-scheduled background tasks. Each capability widened the operational surface. The same month that introduced them produced the leak that exposed their implementation. Gartner's recommendation was specific. Require AI coding agent vendors to demonstrate the same operational maturity expected of other critical development infrastructure: published SLAs, public uptime history, and documented incident response policies. Architect provider-independent integration boundaries that would let you change vendors within 30 days. Anthropic has published one postmortem across more than a dozen March incidents. Third-party monitors detected outages 15 to 30 minutes before Anthropic's own status page acknowledged them. The company riding this product to a $380 billion valuation and a possible public offering this year, as the WSJ reported, now faces a containment battle that 8,000 DMCA takedowns have not won. Merritt Baer, Chief Security Officer at Enkrypt AI, an enterprise AI guardrails company, and a former AWS security leader, told VentureBeat that the IP exposure Gartner flagged extends into territory most teams have not mapped. "The questions many teams aren't asking yet are about derived IP," Baer said. "Can model providers retain embeddings or reasoning traces, and are those artifacts considered your intellectual property?" With 90% of Claude Code's source AI-generated and now public, that question is no longer theoretical for any enterprise shipping AI-written production code. Zaitsev argued that the identity model itself needs rethinking. "It doesn't make sense that an agent acting on your behalf would have more privileges than you do," he told VentureBeat. "You may have 20 agents working on your behalf, but they're all tied to your privileges and capabilities. We're not creating 20 new accounts and 20 new services that we need to keep track of." The leaked source shows Claude Code's permission system is per-tool and granular. The question is whether enterprises are enforcing the same discipline on their side. Five actions for security leaders this week 1. Audit CLAUDE.md and .claude/config.json in every cloned repository. Context poisoning through these files is a documented attack path with a readable implementation guide. Check Point Research found that developers inherently trust project configuration files and rarely apply the same scrutiny as application code during reviews. 2. Treat MCP servers as untrusted dependencies. Pin versions, vet before enabling, monitor for changes. The leaked source reveals the exact interface contract. 3. Restrict broad bash permission rules and deploy pre-commit secret scanning. A team generating 100 commits per week at the 3.2% leak rate is statistically exposing three credentials. MCP configuration files are the newest surface that most teams are not scanning. 4. Require SLAs, uptime history, and incident response documentation from your AI coding agent vendor. Architect provider-independent integration boundaries. Gartner's guidance: 30-day vendor switch capability. 5. Implement commit provenance verification for AI-assisted code. The leaked Undercover Mode module strips AI attribution from commits with no force-off option. Regulated industries need disclosure policies that account for this. Source map exposure is a well-documented failure class caught by standard commercial security tooling, Gartner noted. Apple and identity verification provider Persona suffered the same failure in the past year. The mechanism was not novel. The target was. Claude Code alone generates an estimated $2.5 billion in annualized revenue for a company now valued at $380 billion. Its full architectural blueprint is circulating on mirrors that have promised never to come down.