The AI Agent Supply Chain Is Already Compromised
820 malicious packages. 30,000 exposed instances. Fortune 500 breaches. The AI agent ecosystem has a supply chain problem that traditional AppSec isn't built to catch.
Thoughts on safe autonomy, engineering automation, and reducing cognitive overhead without putting your systems at risk.
820 malicious packages. 30,000 exposed instances. Fortune 500 breaches. The AI agent ecosystem has a supply chain problem that traditional AppSec isn't built to catch.
Everyone optimizes the token window. Almost nobody manages the environment. Active context is what your agent thinks about. Latent context is what your agent can reach. The blast radius of a compromised agent is determined by the latter.
Indirect prompt injection has moved from theory to active exploitation. Unit 42 confirms in-the-wild attacks, PleaseFix hijacks AI agents through calendar invites, and a Claude Code CVE exposed 150,000 developers. Here is what security teams need to know.
Weekly security intelligence for SMBs. Top threats, quick hits, and one action to take now.
AI slop killed curl's seven-year bug bounty program. Then AI-powered research found 170 real bugs in the same codebase. The difference was not the technology. It was the methodology. What the curl saga teaches every security team about the gap between AI noise and AI discovery.
Nineteen malicious npm packages. Four AI coding tools. Rogue MCP servers injected silently into agent configurations. SANDWORM_MODE is the first documented autonomous supply chain attack targeting AI developer toolchains — and it exposes a structural vulnerability that identity alone cannot fix.
The upstream fix for CVE-2026-21852 protects interactive users. It does not protect headless mode. We tested this against our own production deployment and watched 18 API requests redirect to an attacker-controlled server in 30 seconds. Here is what we found and how to fix it.
Weekly security intelligence for SMBs. Top threats, quick hits, and one action to take now.
Your AI agents inherit your permissions, your credentials, and your blast radius. NIST just proposed a fix — and the public comment window closes April 2. Here's why identity governance is the layer most agent architectures are missing.
Most teams treat token spend limits as cost management. They are blast radius containment. An autonomous agent with no spending ceiling is not a productivity tool — it is an uncontrolled liability.
Traditional SAST, DAST, and SCA tools were built for request-response architectures. Agent-first systems have vulnerability classes these tools were never designed to detect — and independent research just confirmed it.
Ambiguous specifications aren't just a project management problem anymore. In agent-first architectures, every gap in a spec is a potential security boundary violation — and the agent won't tell you it's guessing.