This Week's Security Reality Check: Leaked Worm Kits, Phished AI Agents, and the Claude Code Patch You Should Know About
#Cybersecurity


Security Reporter

A supply chain attack toolkit hit a public GitHub repo, an OpenClaw email agent forwarded AWS keys to a stranger named 'Dan,' and Anthropic patched a Claude Code Action flaw that leaked CI/CD secrets. The common thread across this week's incidents: attackers rarely needed an exploit, just stolen trust.


There's a pattern worth pulling out of this week's flood of incident reports, and it has nothing to do with a single flashy zero-day. The standout stories all involve attackers walking through doors that were already unlocked: leaked attack frameworks, AI agents that act on a friendly-sounding email, trusted remote management tools repurposed for intrusion, and security software quietly throttled using settings built into the operating system. No memory corruption, no kernel magic. Just patience and misplaced trust.

If you run security for an organization that leans on automation, cloud pipelines, or AI agents, three stories below deserve your attention before the rest. Let's work through what actually happened, why it matters, and what to change.

The Miasma toolkit leak: a full supply chain attack kit goes public

For a short window starting June 8, 2026, multiple GitHub repositories named "Miasma-Open-Source-Release" appeared and made the Miasma credential-stealing framework available for free. According to analysis from SafeDep, the code went out through compromised developer accounts.

What makes this more concerning than a typical malware leak is the scope. "The Miasma codebase appears to be larger than a supply chain worm," SafeDep wrote. "It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH-based lateral movement, and other attack vectors."

The command-and-control design is clever in a way that should worry defenders. Instead of standing up dedicated C2 servers that can be blocked or sinkholed, Miasma runs three independent channels through GitHub commit search, each using a different search string and cryptographic key. One string discovers attacker-controlled personal access tokens for exfiltration, another delivers JavaScript, and a third delivers Python URLs that function as a remote code execution backdoor. Using a legitimate, heavily trafficked service like GitHub for tasking means the malicious traffic blends into normal developer activity.

Miasma is assessed as a variant of the Shai-Hulud worm, and the campaign has already mutated into a Python variant called Hades. As of last week, 304 components had been impacted. If your build pipeline pulls from public registries, the practical takeaway is to pin dependencies to known-good versions, scope your CI tokens to the minimum they need, and rotate any personal access token with broad write access. A worm like this thrives on over-privileged credentials sitting in places nobody audits.

When the AI agent is the easiest target in the building

The Miasma story pairs uncomfortably well with research from Varonis, which ran four phishing simulations against an OpenClaw email agent codenamed Pinchy. The agent fell for tactics that would make a security-aware human pause.

The headline result is worth sitting with: "In one notable case, a casual email from 'Dan' asking the agent to share staging credentials was enough to forward AWS IAM keys, database passwords, and SSH access to an external Gmail."

Varonis draws a distinction that matters for how you defend against this. Most teams now think about indirect prompt injection, where malicious instructions are hidden inside data the model consumes. Agent phishing is different and arguably simpler. "A believable request arrives through a normal communication channel, reads like a legitimate business message, and succeeds when the agent acts on it before verifying who asked," the company explained. There's no exotic payload. The attack works above the application layer, exploiting the agent's willingness to be helpful.

The defensive lesson here mirrors decades of guidance for human staff, applied to non-human identities. An AI agent with access to credentials should not be able to send those credentials anywhere based on an inbound request alone. Treat every agent as an identity in your pipeline, scope its permissions tightly, require out-of-band confirmation for sensitive actions, and log what it can reach. "Audit what your agents can access" stopped being optional the moment those agents got mailboxes.
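One way to put that lesson into an agent's tooling is a policy check that sits between the model and its send-email tool, so an inbound request alone can never move credentials out of the organization. The following is an added example written for this article, not OpenClaw's or Varonis's code; the domain names, secret patterns and decision thresholds are constructed assumptions.

```python
"""Outbound guardrail for an email-sending agent tool (added example).

The agent is assumed to expose a single send_email tool. Before the tool runs,
evaluate_send() decides whether the message may go out, must wait for a human
to confirm it out of band, or is refused outright. Domain names and patterns
are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed: the organisation's own mail domain; anything else is "external".
INTERNAL_DOMAINS = {"example-corp.test"}

# Material that should never leave through a chat or email tool.
# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|db_pass)\s*[:=]\s*\S+"),
    "connection_string": re.compile(r"(?i)\b(postgres|mysql|mongodb)://[^\s]+:[^\s@]+@"),
}


@dataclass
class Decision:
    action: str                      # "send", "hold_for_approval" or "block"
    reasons: list = field(default_factory=list)


def find_secrets(text):
    """Return the names of the secret patterns that match the text."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate_send(to, body, requested_by_inbound=True):
    """Policy check run before the send_email tool is allowed to act.

    requested_by_inbound is True when the send was triggered by an inbound
    message (the agent-phishing case) rather than by an operator instruction.
    """
    secrets = find_secrets(body)
    external = is_external(to)
    reasons = []
    if secrets:
        reasons.append("secret material in body: " + ", ".join(secrets))
    if external:
        reasons.append("external recipient: " + to)
    if secrets and external:
        # Credentials to an outside mailbox: refuse, no matter who asked.
        return Decision("block", reasons)
    if secrets or (external and requested_by_inbound):
        # Sensitive content, or an external send that an inbound message asked
        # for: park it until a human confirms through a separate channel.
        return Decision("hold_for_approval", reasons)
    return Decision("send", reasons)


if __name__ == "__main__":
    # The 'Dan' scenario from the article, with constructed values.
    dan = evaluate_send("dan@gmail.example",
                        "Sure! AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\npassword=hunter2")
    print(dan.action, dan.reasons)
```

The decision table is deliberately asymmetric: internal secrets still need approval because a compromised internal mailbox is a common pivot, while a plain external reply triggered by an operator goes through untouched. The point is that the model's judgement never decides whether credentials leave; the policy does.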

Anthropic patches a Claude Code Action secret-exposure bug

The agent-security theme extends into Anthropic's own tooling. Microsoft researchers discovered an issue in the Claude Code GitHub Action that could expose CI/CD workflow secrets when AI agents process untrusted GitHub content, including issue bodies, pull request descriptions, and comments.

The root cause is a sandboxing gap. "While Claude Code Action supported environment scrubbing for subprocess execution paths such as Bash, the Read tool was not subject to the same sandboxing model," Microsoft said. "It was eventually authorized to access /proc/self/environ, reading the workflow's ANTHROPIC_API_KEY and potentially other credentials available to the runner." In plain terms, a maliciously crafted issue or PR comment could coax the agent into reading the process environment file, where secrets live, and leaking them.

Following responsible disclosure on April 29, 2026, the fix shipped on May 5 with Claude Code version 2.1.128. The patch hardens the Read tool by unconditionally rejecting a set of files in /proc/ so they cannot be exfiltrated. If you use the Claude Code GitHub Action in any workflow, update to 2.1.128 or later and rotate the API key and any other secrets that runner could have touched. This is the kind of bug where the patch is necessary but credential rotation is what actually closes the exposure.

The quiet art of disabling defenses without an exploit

A recurring item this week is how many techniques sidestep endpoint protection by abusing legitimate OS behavior rather than breaking anything.

A researcher known as Zero Salarium published EDRChoker, which uses policy-based Quality of Service to throttle EDR agents to the lowest possible bandwidth. "It takes a list of common EDR process names and creates QoS policies that limit those processes to 8 bits per second," the researcher said. "At that bandwidth, an EDR agent becomes effectively isolated from its server." The agent looks like it's running. It just can't phone home.

The same researcher previously demonstrated EDRStartupHinder, which abuses Windows Bindlink to redirect a DLL and prevent protected security services from starting. Separately, Binary Defense detailed a method that modifies Windows Access Control Lists to add "Deny" entries against core libraries like kernel32.dll. Because security services depend on that DLL, the dependency chain breaks, and after a reboot those services simply fail to start, leaving the endpoint defenseless with no malware alert ever firing.

The common defense against all three is monitoring for the configuration changes themselves: new QoS policies targeting security processes, ACL modifications on system libraries, and services that fail to start after reboot. Your EDR cannot alert you about being disabled, so the telemetry has to come from elsewhere.
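Here is what that out-of-band telemetry can look like as detection rules, run over a host configuration snapshot. This is an added example written for this article, not code from Zero Salarium or Binary Defense; the record layouts, the protected process names and the throttle threshold are constructed, and a real deployment would fill the snapshot from the host's QoS policy store, file ACLs and service-control events.

```python
"""Detection rules for defence-disabling configuration changes (added example).

Three rules, one per technique described in the article:
  * a QoS policy that pins a security agent to a crippling bandwidth,
  * a Deny ACE on a system library that security services depend on,
  * a protected service that failed to start after a boot.
All names, paths and records below are constructed for the example.
"""

# Hypothetical names of the agents to protect; replace with your own.
PROTECTED_PROCESSES = {"edr-sensor.exe", "edr-service.exe", "av-engine.exe"}

# Libraries whose loss breaks the security service dependency chain.
CRITICAL_LIBRARIES = {
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\ntdll.dll",
}

# Below this rate a per-process policy is isolation, not traffic shaping.
# (The write-up describes an 8 bits-per-second limit.)
THROTTLE_BPS_THRESHOLD = 8_000


def check_qos_policies(policies):
    """Flag QoS policies that throttle a protected process."""
    alerts = []
    for p in policies:
        exe = p["app_path"].rsplit("\\", 1)[-1].lower()
        rate = p.get("throttle_bps")
        if exe in PROTECTED_PROCESSES and rate is not None and rate < THROTTLE_BPS_THRESHOLD:
            alerts.append(f"qos_throttle: policy '{p['name']}' limits {exe} to {rate} bps")
    return alerts


def check_acl_entries(aces):
    """Flag Deny ACEs on critical system libraries."""
    alerts = []
    for ace in aces:
        if ace["type"].lower() == "deny" and ace["path"].lower() in CRITICAL_LIBRARIES:
            alerts.append(
                f"acl_deny: {ace['principal']} denied {ace['rights']} on {ace['path']}")
    return alerts


def check_service_events(events):
    """Flag protected services that failed to start after a boot."""
    alerts = []
    for e in events:
        if e["image"].lower() in PROTECTED_PROCESSES and e["state"] == "start_failed":
            alerts.append(
                f"service_start_failed: {e['service']} ({e['image']}) after boot {e['boot_id']}")
    return alerts


def evaluate_snapshot(snapshot):
    """Run every rule over a host snapshot and return the alerts in rule order."""
    return (check_qos_policies(snapshot.get("qos_policies", []))
            + check_acl_entries(snapshot.get("aces", []))
            + check_service_events(snapshot.get("service_events", [])))


# Constructed snapshot: one malicious and one benign record per category.
SAMPLE_SNAPSHOT = {
    "qos_policies": [
        {"name": "VoicePriority", "app_path": r"C:\Program Files\Softphone\phone.exe",
         "throttle_bps": 2_000_000},
        {"name": "svc-tuning", "app_path": r"C:\Program Files\EDR\edr-sensor.exe",
         "throttle_bps": 8},
    ],
    "aces": [
        {"path": r"C:\Windows\System32\kernel32.dll", "principal": "NT SERVICE\\edr-service",
         "type": "Deny", "rights": "ReadAndExecute"},
        {"path": r"C:\Windows\System32\kernel32.dll", "principal": "BUILTIN\\Users",
         "type": "Allow", "rights": "ReadAndExecute"},
    ],
    "service_events": [
        {"service": "EDRService", "image": "edr-service.exe", "state": "start_failed", "boot_id": 42},
        {"service": "Spooler", "image": "spoolsv.exe", "state": "started", "boot_id": 42},
    ],
}

if __name__ == "__main__":
    for alert in evaluate_snapshot(SAMPLE_SNAPSHOT):
        print(alert)
```

The rules are intentionally about configuration state rather than process behaviour, because the whole point of these techniques is that the agent keeps running. Collect the snapshot with something that does not depend on the EDR itself (a scheduled inventory job, a SIEM agent, or a boot-time baseline diff), otherwise the throttled channel swallows the alert too.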

The infostealer economy keeps scaling

Underneath the headline incidents sits a supply of stolen identity data that fuels nearly everything else. Flashpoint reports that more than 11.1 million devices were infected with infostealers last year, producing over 3.3 billion stolen credentials, session cookies, cloud tokens, and other identity artifacts now circulating in illicit markets. More than 30 distinct infostealer strains are actively for sale, with Lumma, Acreed, Rhadamanthys, Vidar, and StealC leading the pack in 2025.

That stolen-credential supply connects directly to the week's other stories. The new SilabRAT, advertised at $5,000 a month by a vendor called "o1oo1," focuses on credential and cryptocurrency theft and uses Browser Profile Cloning to replicate a victim's entire browser fingerprint onto the attacker's machine. The GoFlateLoader campaign has hit more than 33,000 users since April, delivering a rotating set of stealers. And money mule networks have professionalized into Mule-as-a-Service operations that, per KELA, increasingly rely on synthetic identities and deepfake-enabled KYC bypass rather than recruiting people one at a time.

Session cookies and cloud tokens are the part to focus on. They sidestep passwords and multi-factor entirely. Shortening session lifetimes, binding tokens to devices, and watching for impossible-travel reuse do more against this supply than another password complexity rule.
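Two of those controls, an absolute session lifetime and impossible-travel reuse detection, fit in a short batch job over authentication logs. The following is an added example for this article, not from Flashpoint or any vendor mentioned; the log format is constructed (one line per request with a hashed session-token identifier and the coordinates the source IP resolved to), and the speed and lifetime thresholds are assumptions.

```python
"""Session-token reuse checks over authentication logs (added example).

Constructed log format, one request per line:
    <ISO-8601 UTC timestamp> <token id> <source ip> <lat> <lon>
Two rules: the same token used from two places faster than a plane could
travel, and a token still in use past its absolute lifetime.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_SPEED_KMH = 900                    # assumption: above airline speed => impossible
MAX_SESSION_AGE = timedelta(hours=8)   # assumption: absolute session lifetime

# Constructed sample: tok_a1 jumps Berlin -> San Francisco in 25 minutes,
# tok_b2 stays in Paris but is still in use after 9.5 hours.
SAMPLE_LOG = """\
2026-06-09T08:00:00Z tok_a1 203.0.113.10 52.52 13.40
2026-06-09T08:20:00Z tok_a1 203.0.113.10 52.52 13.40
2026-06-09T08:45:00Z tok_a1 198.51.100.7 37.77 -122.42
2026-06-09T09:00:00Z tok_b2 192.0.2.33 48.85 2.35
2026-06-09T18:30:00Z tok_b2 192.0.2.33 48.85 2.35
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """Return a list of (timestamp, token, ip, lat, lon) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, ip, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, token, ip, float(lat), float(lon)))
    return events


def find_anomalies(events):
    """Apply both rules per token; returns a list of alert dicts."""
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev[1]].append(ev)
    alerts = []
    for token, evs in by_token.items():
        evs.sort()
        first_seen = evs[0][0]
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            if dist > 0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append({"token": token, "rule": "impossible_travel",
                               "from_ip": prev[2], "to_ip": cur[2],
                               "km": round(dist), "hours": round(hours, 2)})
            if cur[0] - first_seen > MAX_SESSION_AGE:
                alerts.append({"token": token, "rule": "session_lifetime_exceeded",
                               "age_hours": round((cur[0] - first_seen).total_seconds() / 3600, 2)})
                break  # one lifetime alert per token is enough
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Note that the first rule keys on the token, not the user: a stolen cookie replayed from the attacker's machine looks like the same session moving, which is exactly the signal a password-centric control misses. Device binding would turn the second use into a hard failure rather than an alert, but the log-side check still catches tokens issued before binding was enforced.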

A few more worth your time

  • Ghost-Sender Exchange spoofing. InfoGuard Labs found that certain Exchange Online and hybrid configurations using an external MX record let attackers spoof any sender to any recipient in a tenant, regardless of SPF, DKIM, or DMARC. Internal spoofs even resolve the sender's profile picture in Outlook. Review your mail flow connectors if you front Exchange with a third-party filter.

  • Misconfigured Grafana to 507 Meta repos. The Sectricity Security Team turned an open Grafana instance and a wildcard TLS certificate into read-write access on 507 private Meta repositories, earning a $157,000 bounty. The chain ran through an unauthenticated GCP token endpoint, then Secret Manager, then a Vercel token exposing GitHub PATs. It's a textbook reminder that one exposed dashboard can unravel an entire secret estate.

  • ComoDoS one-packet crash. Marcus Hutchins released a PoC for an integer underflow in Comodo Internet Security's firewall driver (CVE-2026-49494, CVSS 7.5). A single TCP/IP packet can crash the target even with all ports blocked. It remains unpatched at the time of writing.

The throughline

The perimeter stopped being the hard part. This week's incidents land inside trusted boundaries: a developer account, a CI runner, an AI agent's mailbox, a remote management tool, a security product's own service dependencies. Each one trusted something by default, and an attacker collected on that trust.

The practical agenda that falls out of all this is consistent. Audit what your agents and automation can reach, and assume every identity in the pipeline, human or not, is a potential liability. Scope tokens to the minimum and rotate the broad ones. Watch for the configuration changes that disable your defenses, because your defenses can't report their own silence. And check what your browser extensions and AI integrations are sending home, since several this week were quietly hijacking exactly that traffic. None of it requires an exploit, which is precisely the point.
