The Supply Chain Now Hunts AI Agents

April 29, 2026

How the Shai-Hulud campaign, two MCP CVEs, and OWASP's Agentic Top 10 confirm what we've been tracking all month.

On April 22, 2026, a malicious build of @bitwarden/cli@2026.4.0 sat on npm for 90 minutes. In that window, a self-propagating worm exfiltrated AWS keys, GitHub PATs, SSH credentials, and — buried in the payload's collector list alongside cloud provider tokens — AI tooling configurations and MCP server credentials.

This is the third incident in the Shai-Hulud supply chain campaign. Bitwarden wasn't breached. The password manager's vaults stayed locked. What was compromised was the npm publish token that shipped the CLI — a Non-Human Identity with no face, no Slack handle, no offboarding process. A ghost key that looked identical to a legitimate release when it pushed a backdoored package to a quarter-million monthly downloads.

The Bitwarden incident is notable on its own. What makes it part of the April cluster we've been tracking is what the payload targeted. The collectors didn't just grab cloud tokens and SSH keys. They specifically enumerated MCP server configurations and AI agent credentials. The supply chain is no longer just hunting developers. It's hunting their agents.
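One check a practitioner will want after reading this is whether the malicious build ever reached their own lockfiles. The scanner below is an added example (not code from Bitwarden, npm or this article's author): it takes the package name and version the article reports and looks for that pin in a package-lock.json, handling both the v1 layout (nested "dependencies") and the v2/v3 layout (flat "packages" map keyed by node_modules path). The lockfile contents embedded in it are constructed.

```python
"""Scan an npm package-lock.json for a known-malicious package version.

Added example, not code from Bitwarden, npm or the article's author. The
package name and version are the ones the article reports; the lockfile
contents below are constructed. Both lockfile layouts are handled: v1 nests
"dependencies" recursively, v2/v3 keep a flat "packages" map keyed by
node_modules path.
"""
import json

# Name and version of the malicious build described in the article.
MALICIOUS = {"@bitwarden/cli": {"2026.4.0"}}

# Constructed lockfile-v3 sample: the malicious build pinned at top level.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"@bitwarden/cli": "2026.4.0"}},
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
        "node_modules/example-dep": {"version": "1.0.0"},
    },
})

# Constructed lockfile-v1 sample: the malicious build pulled in transitively.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "app-tool": {"version": "0.1.0",
                     "dependencies": {"@bitwarden/cli": {"version": "2026.4.0"}}},
    },
})

# Constructed clean sample.
SAMPLE_LOCK_CLEAN = json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/example-dep": {"version": "1.0.0"}},
})


def _walk_v1(deps, path, hits):
    """Recurse through the nested lockfile-v1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        here = path + [name]
        if meta.get("version") in MALICIOUS.get(name, ()):
            hits.append((" > ".join(here), meta["version"]))
        _walk_v1(meta.get("dependencies"), here, hits)


def find_malicious(lockfile_text):
    """Return [(location, version)] for every malicious pin in the lockfile."""
    lock = json.loads(lockfile_text)
    hits = []
    if "packages" in lock:
        # v2/v3: the package name is whatever follows the last "node_modules/".
        for key, meta in lock["packages"].items():
            if not key:
                continue  # "" is the root project itself
            name = key.split("node_modules/")[-1]
            if meta.get("version") in MALICIOUS.get(name, ()):
                hits.append((key, meta["version"]))
    else:
        # v1 only (v2 also carries a "dependencies" tree, skipped to avoid duplicates).
        _walk_v1(lock.get("dependencies"), [], hits)
    return hits


if __name__ == "__main__":
    for label, text in [("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1), ("clean", SAMPLE_LOCK_CLEAN)]:
        print(label, find_malicious(text))
```

A lockfile match only tells you the pin existed; whether the package was actually installed during the 90-minute window is a question for your CI logs and artifact caches, which is where the credential-rotation decision should be made.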

When Best Practice Fails

Two days before the Bitwarden disclosure, OX Security published research on CVE-2026-40933 (Flowise) and CVE-2026-30625 (Upsonic) — two AI platforms that did exactly what Anthropic recommended to secure MCP STDIO configurations.

Both platforms recognized the risk of passing user input directly to MCP STDIO. Both implemented input sanitization: only approved commands (python, npx), no special characters (&, |, >). This is the recommended approach. This is what you're supposed to do.

It wasn't enough.

The bypass exploits a fundamental behavior of Python and Node.js: an approved interpreter can be told, through its arguments, to execute OS-level commands. The sanitization checked the command but not the arguments, because the underlying protocol doesn't distinguish between "run Python with this script" and "run Python with this argument that itself executes a shell command."
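To make the gap concrete from the defender's side, here is an added example (not code from OX Security, Flowise, Upsonic or Anthropic) with two validators for an MCP STDIO launch configuration. The weak one does what the article says the platforms did: allowlist the executable and reject shell metacharacters. The hardened one also constrains the arguments: no flag-shaped arguments, a Python target confined to an approved directory, and an npx package that must be on a pinned allowlist. The allowlists, the install directory and the pinned package name are assumptions.

```python
"""Command-only versus command-plus-argument validation for MCP STDIO configs.

Added example, not code from OX Security, Flowise, Upsonic or Anthropic. The
weak validator does what the article says the two platforms did: allowlist the
executable and filter shell metacharacters. The hardened validator also
constrains the arguments, because an approved interpreter will execute code
handed to it as an argument. The allowlists, the install directory and the
pinned npx package below are assumptions.
"""
import os
import re

APPROVED_COMMANDS = {"python", "npx"}            # the allowlist described in the article
SHELL_META = re.compile(r"[&|><;`$\n]")          # the kind of character filter the platforms used
APPROVED_SCRIPT_DIR = "/opt/mcp-servers"         # assumed root holding vetted server scripts
APPROVED_NPX_PACKAGES = {"@example/mcp-server@1.2.3"}  # assumed, pinned to an exact version


def weak_validate(command, args):
    """Checks only the executable and a metacharacter denylist (the insufficient approach)."""
    if command not in APPROVED_COMMANDS:
        return False, "command not approved"
    if any(SHELL_META.search(a) for a in args):
        return False, "shell metacharacter in argument"
    return True, "ok"


def hardened_validate(command, args):
    """Checks the arguments as well: no flags, and the target must be pre-approved."""
    ok, why = weak_validate(command, args)
    if not ok:
        return ok, why
    if not args:
        return False, "no target given"
    # Reject anything flag-shaped instead of enumerating interpreter options:
    # flags are how an interpreter is told to take code from its arguments.
    for a in args:
        if a.startswith("-"):
            return False, f"flag argument not allowed: {a}"
    if command == "python":
        root = os.path.realpath(APPROVED_SCRIPT_DIR)
        target = os.path.realpath(os.path.join(root, args[0]))
        if os.path.commonpath([target, root]) != root:
            return False, "script outside approved directory"
    elif command == "npx":
        if args[0] not in APPROVED_NPX_PACKAGES:
            return False, "npx package not on the pinned allowlist"
    return True, "ok"


def launch_argv(command, args):
    """Build the argv list for subprocess.Popen(..., shell=False); None if rejected.

    Passing a list with shell=False means no shell ever parses these strings,
    which is why the metacharacter filter alone was never the real defence.
    """
    ok, _ = hardened_validate(command, args)
    return [command, *args] if ok else None


if __name__ == "__main__":
    for cmd, args in [("python", ["server.py"]), ("python", ["-c", "print(1)"]),
                      ("npx", ["some-unpinned-package"])]:
        print(cmd, args, "weak:", weak_validate(cmd, args), "hardened:", hardened_validate(cmd, args))
```

The point of the comparison is the second case: `python -c print(1)` contains no metacharacter and an approved command, so the weak check passes it, while the hardened check rejects it for the flag alone. If a vetted server genuinely needs flags, allowlist them per server rather than reopening the general rule.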

"When the underlying protocol is vulnerable, threat actors will find creative ways to bypass existing defenses, particularly when the goal is command execution and server takeover on high-value targets." — OX Security

This is the second time in April that Anthropic's guidance on MCP has proven insufficient. The first was the 10 MCP CVEs with 150M+ downloads, where Anthropic called credential exposure "expected behavior." Now we have two more platforms that followed the guidance and got burned anyway.

OWASP Draws the Map

In December 2025, the OWASP GenAI Security Project released the Top 10 for Agentic Applications (ASI01–ASI10), built by over 100 researchers specifically for autonomous AI agents. This is the first industry-standard risk taxonomy designed for agents rather than general LLMs.

The entries relevant to April's incidents:

OWASP also documented the ClawHavoc campaign, where Koi Security's February audit found 341 malicious skills out of 2,857 on ClawHub — an 11.94% compromise rate. The skills disguised themselves as Google Workspace integrations, crypto trackers, and YouTube summarizers, then deployed the Atomic macOS Stealer (AMAS) for credential theft and keylogging through fake "prerequisite" shell scripts in SKILL.md files.

The supply chain isn't a side channel. For AI agents, it's the main attack surface.

The NHI Problem

Cremit's analysis of the Bitwarden incident frames it through their Non-Human Identity (NHI) Kill Chain, and the framing is correct. The npm publish token that shipped the malicious Bitwarden CLI is a Non-Human Identity. No face. No Slack handle. No laptop to wipe when its owner leaves. When the attacker used that token, the publish event looked statistically identical to a legitimate release.

Publish tokens accumulate scope and reach over time. A token minted to ship a single internal tool ends up publishing to a top-level public scope years later, with nobody reviewing whether the original constraints still hold. Cremit calls this "key drift." The further a key drifts from its origin, the less anyone watches it, and the more damage it can do when compromised.

AI agents multiply this problem. Every MCP server connection, every tool plugin, every skill installation creates new NHIs — API keys, OAuth tokens, service principals — that agents manage autonomously. The Shai-Hulud worm specifically targeted these identities. When it exfiltrated MCP configs and AI credentials, it wasn't just stealing data. It was stealing the permissions that let agents operate, and using them to propagate to the next victim.
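The NHIs this paragraph describes are easy to create and hard to see, so the first step is an inventory. The script below is an added example (not Cremit's or any vendor's tool): it reads the "mcpServers" JSON layout that common MCP clients use (server name mapped to command, args and env; that your client uses this layout is an assumption) and reports, per server, which env entries are inline credentials and which only reference an external secret store. The key-name patterns, the entropy threshold and the sample configuration are assumptions or constructed for this example.

```python
"""Inventory the Non-Human Identities held in an MCP client configuration.

Added example, not Cremit's or any vendor's tool. It reads the "mcpServers"
JSON layout (server name -> command, args, env) and reports, per server, which
env entries are inline credentials and which only reference an external secret
store, so every inline one can be registered, scoped and rotated like any other
NHI. The key-name patterns, the entropy threshold and the sample configuration
are assumptions or constructed for this example.
"""
import json
import math
import re

# Key names that conventionally carry credentials (heuristic, assumed).
SECRET_KEY_HINT = re.compile(r"(?:^|_)(KEY|TOKEN|SECRET|PASSWORD|PAT|CREDENTIALS?)(?:_|$)", re.I)
# Values that point at a secret store instead of embedding the secret (assumed convention).
STORE_REFERENCE = re.compile(r"^\$\{[A-Z0-9_]+\}$")
MIN_LEN, MIN_ENTROPY = 20, 3.5   # assumed thresholds for "looks like a random credential"

# Constructed sample: one inline token, one store reference, one high-entropy value.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["@example/github-mcp@1.0.0"],
                   "env": {"GITHUB_TOKEN": "ghp_EXAMPLE0000000000000000000000000000"}},
        "files": {"command": "python", "args": ["fs_server.py"],
                  "env": {"ROOT": "/srv/data"}},
        "cloud": {"command": "python", "args": ["cloud_server.py"],
                  "env": {"AWS_SECRET_ACCESS_KEY": "${AWS_SECRET_ACCESS_KEY}", "REGION": "us-east-1"}},
        "misc": {"command": "python", "args": ["misc_server.py"],
                 "env": {"CFG": "aZ9qL3mB7xR1tV5nW8pK2cD4"}},
    }
})


def shannon_entropy(s):
    """Bits per character; random-looking strings score high, words and zeros score low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def classify(key, value):
    """'reference', 'inline' or None for one env entry."""
    if STORE_REFERENCE.match(value):
        return "reference"
    if SECRET_KEY_HINT.search(key):
        return "inline"
    if len(value) >= MIN_LEN and shannon_entropy(value) >= MIN_ENTROPY:
        return "inline"
    return None


def inventory(config_text):
    """Map each MCP server to its launch command and the NHIs it carries."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, spec in servers.items():
        entry = {"command": spec.get("command"), "inline": [], "reference": []}
        for key, value in spec.get("env", {}).items():
            kind = classify(key, str(value))
            if kind:
                entry[kind].append(key)
        report[name] = entry
    return report


def inline_secret_count(report):
    """Number of credentials that would walk out with a copied config file."""
    return sum(len(e["inline"]) for e in report.values())


if __name__ == "__main__":
    rep = inventory(SAMPLE_CONFIG)
    for name, entry in rep.items():
        print(name, entry)
    print("inline secrets:", inline_secret_count(rep))
```

Every "inline" entry is exactly what the article says the worm's collectors enumerated: a credential that leaves with the file. The output is the list you hand to whoever owns the secret store, so each one gets an owner, a scope and a rotation date, and the config ends up holding only references.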

What the April Cluster Looks Like Now

We've been tracking AI agent security incidents since the beginning of April. Here's the updated picture:

  1. AI deletes production database — agent executes destructive command without confirmation
  2. GitHub RCE via git push (CVE-2026-3854) — a vulnerability in git infrastructure, found using AI tools
  3. Agent self-audit findings — credential exposure, tool poisoning risks from inside the system
  4. MCP protocol RCE — 10 CVEs, 150M+ downloads, Anthropic calls credential exposure "expected behavior"
  5. ClawSwarm/ClawHavoc — 341 malicious skills on ClawHub, AMAS credential theft
  6. Cursor CVE-2026-26268 — AI agent executes malicious Git hooks via bare repository
  7. Cisco Talos AI honeypots — defenders weaponizing agent unawareness
  8. Governance Day — CIS companion guides, CodeZero Cordon, SecureAuth Agent Trust Registry
  9. Shai-Hulud Bitwarden CLI — supply chain worm specifically targets AI tooling configs and MCP credentials
  10. Flowise CVE-2026-40933 / Upsonic CVE-2026-30625 — Anthropic's recommended MCP sanitization bypassed through argument injection

The first eight incidents were about agents being vulnerable. The last two are about the supply chain being weaponized specifically against agents. The attackers aren't just exploiting agent weaknesses anymore. They're building campaigns that target agent infrastructure — MCP configs, tool credentials, skill registries — as primary objectives.

What Changes

The governance infrastructure we covered in our last post — CIS companion guides, CodeZero's Cordon isolation layer, SecureAuth's Agent Trust Registry — was a response to the diagnosis phase. OWASP's ASI framework provides the taxonomy. But the Flowise and Upsonic CVEs demonstrate a harder truth: following the recommended guidance isn't sufficient when the underlying protocol has fundamental design issues.

The remediation paths that actually work are the ones that reduce blast radius rather than trying to patch every input vector:

The State of Play

April 2026 will be remembered as the month the AI agent supply chain became a targeted attack surface. Not because agents are uniquely vulnerable — they're not, developers have been dealing with supply chain attacks for years — but because agents represent a concentration of privilege and a lack of oversight that makes them uniquely valuable targets.

An agent with access to code repositories, cloud infrastructure, email, and financial systems is a higher-value target than most employees. It operates at machine speed with minimal human review. It trusts its toolchain implicitly. And when that toolchain is compromised, the blast radius is everything the agent can reach.

OWASP gave us the map. Shai-Hulud showed us the territory. The question now is whether the industry builds the infrastructure to secure it, or whether May's incident count hits 15.

April 2026 AI Agent Security Series