Machine Speed.
The offense ran on automation this week. An AI agent drove a four-pivot intrusion from a public notebook to a database dump in about an hour, improvising SQL as it went. A worm backdoored 5,561 repositories in six hours by editing CI workflows to steal cloud tokens. A poisoned VS Code extension stayed live for eleven minutes and still found time to read the config and auth files your AI coding assistant stores on disk. The response usually still waits on a human to read the logs.
🎯 Attack of the Week: an AI agent drove the intrusion
How it runs. The entry point is an internet-reachable marimo notebook (marimo is an open-source Python notebook). The attacker hits CVE-2026-39987, an RCE reachable over a WebSocket to the /terminal/ws endpoint, and lands code execution. Pivot one harvests credentials from environment files on the host.
Pivot two replays the stolen AWS credentials, but the calls come from Cloudflare Workers used as a per-request egress pool. Twelve API calls land across eleven distinct source IPs in 22 seconds, a sts:GetCallerIdentity to orient, then enumeration. Pivot three calls secretsmanager:GetSecretValue and pulls an SSH private key straight out of AWS Secrets Manager. Pivot four SSHes to a bastion and dumps a PostgreSQL database. The bastion phase takes under two minutes. The full chain runs 18:23 to 19:32 UTC, about an hour start to finish.
Sysdig's read that a model was driving rests on four tells. The agent improvised, targeting a credential table it could only guess at, going off the name. A planning comment in Chinese, 看还能做什么 ("see what else we can do"), leaked into the command stream across six source IPs at sub-second cadence. The commands were machine-shaped: echo '---' delimiters between probes, quoted-EOF HEREDOCs bundling six SELECT statements at once, head output truncation, -P pager=off, 2>/dev/null on everything. And each step consumed the prior step's output, reading PostgreSQL credentials from ~/.pgpass and a SecretId from a ListSecrets response without a human in the loop.
- Alert when a workload role calls secretsmanager:GetSecretValue on a secret holding SSH or private-key material, especially right after an sts:GetCallerIdentity from the same principal. A role reading a key outside its normal access pattern is the pivot here.
- Flag one IAM principal making API calls from many distinct egress IPs in seconds. Twelve calls across eleven IPs in 22 seconds points at an edge network used as a proxy pool, moving faster than any human at a keyboard.
- Pull internet-reachable dev tools off the public internet and behind auth. Marimo, Jupyter, Langflow, any notebook server with a terminal endpoint is a code-execution front door.
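Both detections above expressed over CloudTrail records, as an added example (this is not Sysdig's rule content). The role ARNs, IPs, secret names and thresholds (min_calls, min_ips, the 30-second and 10-minute windows) are constructed placeholders to tune against your own baseline; the event shape mirrors the CloudTrail fields the rules need and nothing more.

```python
"""Two CloudTrail detections for the pivot pattern above: a key-material secret read
right after sts:GetCallerIdentity, and one principal calling from many egress IPs in
seconds. Added example with constructed events; not Sysdig's rule content."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed role ARNs (placeholders, not from the incident).
WORKLOAD_ROLE = "arn:aws:sts::123456789012:assumed-role/notebook-task-role/i-0example"
HUMAN_ROLE = "arn:aws:sts::123456789012:assumed-role/admin-sso/alice"
# Substrings that mark a secret as likely key material (assumption: tune to your naming scheme).
KEY_MARKERS = ("ssh", "private-key", "privatekey", ".pem", "id_rsa")


def _event(time, name, source, ip, arn, **params):
    """Build a trimmed CloudTrail-style record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": params or None}


# 12 calls from 11 distinct IPs in 22 seconds, then a key pull: the shape of pivots two and three.
SAMPLE_EVENTS = (
    [_event("2026-05-18T18:40:00Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.1", WORKLOAD_ROLE)]
    + [_event(f"2026-05-18T18:40:{2 + i:02d}Z", "ListSecrets", "secretsmanager.amazonaws.com",
              f"198.51.100.{(i % 9) + 2}", WORKLOAD_ROLE) for i in range(10)]
    + [_event("2026-05-18T18:40:22Z", "GetSecretValue", "secretsmanager.amazonaws.com", "198.51.100.12",
              WORKLOAD_ROLE, secretId="prod/bastion/ssh-private-key")]
    # Baseline: a human reading an unrelated secret from one IP must not fire either rule.
    + [_event("2026-05-18T18:45:00Z", "GetCallerIdentity", "sts.amazonaws.com", "192.0.2.7", HUMAN_ROLE),
       _event("2026-05-18T18:45:30Z", "GetSecretValue", "secretsmanager.amazonaws.com", "192.0.2.7",
              HUMAN_ROLE, secretId="prod/app/db-password")]
)


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_egress_pool(events, min_calls=10, min_ips=8, window=timedelta(seconds=30)):
    """Return (principal, calls, distinct_ips) for any principal whose calls inside one
    sliding window come from at least min_ips distinct source addresses."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_principal[e["userIdentity"]["arn"]].append(e)
    hits = []
    for arn, evs in by_principal.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if _ts(x) - _ts(first) <= window]
            ips = {x["sourceIPAddress"] for x in in_window}
            if len(in_window) >= min_calls and len(ips) >= min_ips:
                hits.append((arn, len(in_window), len(ips)))
                break  # one finding per principal is enough to page on
    return hits


def detect_key_pull(events, window=timedelta(minutes=10), markers=KEY_MARKERS):
    """Return (principal, secretId) when a principal reads a key-looking secret within
    `window` of its own sts:GetCallerIdentity call."""
    last_orient, hits = {}, []
    for e in sorted(events, key=_ts):
        arn = e["userIdentity"]["arn"]
        if e["eventName"] == "GetCallerIdentity":
            last_orient[arn] = _ts(e)
        elif e["eventName"] == "GetSecretValue":
            secret_id = (e.get("requestParameters") or {}).get("secretId", "")
            oriented = arn in last_orient and _ts(e) - last_orient[arn] <= window
            if oriented and any(m in secret_id.lower() for m in markers):
                hits.append((arn, secret_id))
    return hits


if __name__ == "__main__":
    print("egress pool:", detect_egress_pool(SAMPLE_EVENTS))
    print("key pull:", detect_key_pull(SAMPLE_EVENTS))
```

The key-pull rule keys on the secret name, which is the cheapest signal you have in CloudTrail; if your secrets are named opaquely, key it on a tag or on the set of principals that normally read each secret instead.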
In-issue poll: Do you have an alert today for a workload role pulling SSH keys out of Secrets Manager? (Yes / No / Not sure what reads our secrets)
🚨 Rule of the Week: id-token: write is a privileged change
Megalodon backdoored 5,561 public repositories in a six-hour window on May 18. It shipped two workflow variants: SysDiag.yml, the mass version that fires broadly, and Optimize-Build.yml, a dormant targeted version. Both request permissions: id-token: write, which lets the workflow request a short-lived OIDC token from GitHub. The payload steals that token to reach any cloud role whose trust policy accepted that repository's GitHub OIDC claims, and separately sweeps credentials off the runner itself: AWS access keys and session tokens, GCP OAuth tokens, Azure IMDS credentials, SSH keys, kubeconfigs, Terraform credentials, and Docker registry configs. Exfiltration is an HTTPS POST to 216.126.225.129:8443.
Build the detection at the permission layer. Alert on any commit that adds id-token: write to a workflow outside your reviewed allowlist, and require a human review on every change that grants it. Grep .github/workflows across your org for the filenames SysDiag.yml and Optimize-Build.yml, and for commits authored by build-bot@github-ci.com or ci-pipeline@actions-bot.com. Block egress from runners to 216.126.225.129. The durable rule underneath the IOCs: a pull request that lets a workflow request an OIDC token is a privileged change, and it earns a review every time.
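The permission-layer check described above, as an added example (not Megalodon-specific tooling from any vendor). It walks a unified diff, flags any added id-token: write in a workflow that is not on a reviewed allowlist, and checks the filename, author and egress IOCs quoted in the story. The allowlist and the sample diff are constructed; the IOC values are the ones reported above.

```python
"""Review-gate check for GitHub Actions workflow changes: flag any added `id-token: write`
outside a reviewed allowlist, plus the filename, author and egress IOCs from the story.
Added example; allowlist and sample diff are constructed, IOC values are as reported."""
import re

ALLOWLISTED_WORKFLOWS = {".github/workflows/release.yml"}  # constructed: workflows reviewed to hold OIDC grants
IOC_WORKFLOW_NAMES = {"SysDiag.yml", "Optimize-Build.yml"}
IOC_AUTHORS = {"build-bot@github-ci.com", "ci-pipeline@actions-bot.com"}
IOC_EGRESS = "216.126.225.129"

_NEW_FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
_OIDC_GRANT_RE = re.compile(r"^\+\s*id-token:\s*write\b")
_WRITE_ALL_RE = re.compile(r"^\+\s*permissions:\s*write-all\b")  # blanket grants get the same review


def scan_diff(diff_text, author_email, allowlist=ALLOWLISTED_WORKFLOWS):
    """Walk a unified diff and return (kind, location, evidence) findings.
    Only added lines (`+`) inside .github/workflows/ count, so removing a grant never fires."""
    findings, current = [], None
    for line in diff_text.splitlines():
        header = _NEW_FILE_RE.match(line)
        if header:
            current = header.group(1)
            basename = current.rsplit("/", 1)[-1]
            if current.startswith(".github/workflows/") and basename in IOC_WORKFLOW_NAMES:
                findings.append(("ioc-filename", current, basename))
            continue
        if not (current and current.startswith(".github/workflows/")):
            continue
        if (_OIDC_GRANT_RE.match(line) or _WRITE_ALL_RE.match(line)) and current not in allowlist:
            findings.append(("oidc-grant", current, line.strip()))
        if line.startswith("+") and IOC_EGRESS in line:
            findings.append(("ioc-egress", current, line.strip()))
    if author_email in IOC_AUTHORS:
        findings.append(("ioc-author", author_email, "commit author matches reported IOC"))
    return findings


# Constructed diff: one new workflow carrying an IOC filename and an OIDC grant, one
# allowlisted workflow gaining the same grant, and a README mentioning the string in prose.
SAMPLE_DIFF = """\
diff --git a/.github/workflows/SysDiag.yml b/.github/workflows/SysDiag.yml
--- /dev/null
+++ b/.github/workflows/SysDiag.yml
@@ -0,0 +1,8 @@
+name: SysDiag
+on: [push]
+permissions:
+  contents: read
+  id-token: write
+jobs:
+  diag:
+    runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,3 +3,4 @@
 permissions:
   contents: read
+  id-token: write
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Project
+Note: never add id-token: write without review.
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF, "dev@example.com"):
        print(finding)
```

Run it against `git diff base...head` in a required status check; the oidc-grant finding is the one that should block merge until a reviewer signs off, the IOC findings are a bonus that will age out.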
🔧 Defender's Corner: your AI assistant's config files are now a credential target
A trojanized build of Nx Console (nrwl.angular-console, over 2.2 million installs) went out through VS Code Marketplace auto-update. Version 18.95.0 was live for eleven minutes, published 12:36 UTC and pulled 12:47. Injected code in main.js ran the instant a developer opened any workspace. It harvested credentials from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and it specifically read ~/.claude/settings.json, which StepSecurity describes as possibly one of the first supply chain payloads built to harvest AI coding assistant credentials and configurations.
How the extension got poisoned traces straight up the supply chain. Per Nx's own postmortem (Jack Hsu, "Nx Console v18.95.0 Compromise Postmortem", nx.dev, 2026-05-21), the chain started with the TanStack npm compromise of May 11, where an attacker abused TanStack's GitHub Actions OIDC trusted-publisher binding (a pull_request_target Pwn Request, then cache poisoning, then OIDC-token extraction from the runner) to ship 84 malicious versions across 42 @tanstack/* packages, now CVE-2026-45321. An Nx contributor's pnpm install resolved @tanstack/zod-adapter@1.166.15, and its prepare script ran a credential harvester that lifted their GitHub token. The repo where that pnpm install ran even set a seven-day install cooldown (minimum-release-age=10080), but a pinned pnpm version predating that feature meant the cooldown never fired. The trusted-publisher binding built to take human credentials out of npm releases is what minted the malicious ones.
Treat your coding assistant's config and auth files the way you treat ~/.aws and ~/.ssh. Add ~/.claude/settings.json to the file-access monitoring and secret scanning you already run on credential paths, and inventory the exact config and auth paths for every AI assistant your team approves. Auto-update means the extension update is itself a delivery channel, so review which high-install extensions can read your home directory. For your engineer: list installed VS Code extensions, sort by install count, and check which ones execute on workspace open.
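A starting point for the engineer's task above, as an added example (not StepSecurity's or Nx's code). It reads the package.json of every installed VS Code extension, ranks the ones whose declared activation events fire on workspace open (`*`, `onStartupFinished`, `workspaceContains:`), and checks which assistant config files exist and whether they are readable beyond the owner. The sample manifests and the second assistant path are constructed placeholders; install counts live in the Marketplace, which this code does not query, so it ranks by activation breadth instead.

```python
"""Inventory VS Code extensions that activate on workspace open, and check the on-disk
permissions of AI assistant config/auth files. Added example with constructed manifests."""
import glob
import json
import os
import stat

# Paths to treat like ~/.aws and ~/.ssh. The first is from the story; the second is a
# placeholder (assumption) to replace with each approved assistant's real config/auth path.
ASSISTANT_PATHS = ["~/.claude/settings.json", "~/.config/<assistant>/auth.json"]

# Declared activation events that run extension code as soon as a workspace opens.
EAGER_PREFIXES = ("*", "onStartupFinished", "workspaceContains:")


def eager_events(manifest):
    """Return the activation events in a package.json that fire on workspace open.
    Declared events are a lower bound: VS Code also activates on contributed commands."""
    return [ev for ev in (manifest.get("activationEvents") or []) if ev.startswith(EAGER_PREFIXES)]


def classify_extensions(manifests):
    """manifests: iterable of (extension_id, package.json dict).
    Returns rows with eager-on-open extensions first, then alphabetical."""
    rows = [{"id": ext_id, "version": m.get("version", "?"), "eager": eager_events(m)}
            for ext_id, m in manifests]
    for r in rows:
        r["opens_on_workspace"] = bool(r["eager"])
    return sorted(rows, key=lambda r: (not r["opens_on_workspace"], r["id"]))


def load_installed(root="~/.vscode/extensions"):
    """Read every installed extension manifest from the default user extension directory."""
    out = []
    for path in glob.glob(os.path.join(os.path.expanduser(root), "*", "package.json")):
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        out.append((f"{m.get('publisher', '?')}.{m.get('name', '?')}", m))
    return out


def check_assistant_paths(paths=ASSISTANT_PATHS):
    """Report which assistant credential files exist and whether group/other can read them."""
    report = {}
    for p in paths:
        full = os.path.expanduser(p)
        if not os.path.exists(full):
            report[p] = "absent"
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        report[p] = "group-or-world-readable" if mode & 0o077 else "owner-only"
    return report


# Constructed manifests standing in for a real ~/.vscode/extensions scan.
SAMPLE_MANIFESTS = [
    ("example.lazy-linter", {"version": "1.0.0", "activationEvents": ["onLanguage:python"]}),
    ("example.eager-tool", {"version": "2.3.1", "activationEvents": ["*"]}),
    ("example.repo-watcher", {"version": "0.9.0", "activationEvents": ["workspaceContains:**/package.json"]}),
    ("example.no-events", {"version": "1.1.0"}),
]

if __name__ == "__main__":
    installed = load_installed() or SAMPLE_MANIFESTS  # fall back to the sample when run offline
    for row in classify_extensions(installed):
        flag = "OPENS-ON-WORKSPACE" if row["opens_on_workspace"] else "lazy"
        print(f"{flag:19} {row['id']} {row['version']} {row['eager']}")
    print(check_assistant_paths())
```

The eager list is where to spend review time: an extension that both activates on open and can read the home directory is exactly the shape of the Nx Console payload, and auto-update means the version you reviewed is not the version running tomorrow.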
📡 Also on the Radar
Some Kubernetes CVEs were never going to be patched, and your scanner is about to say so. On June 1 the Kubernetes Security Response Committee corrected the records for three unfixed CVEs: CVE-2020-8561 (kube-apiserver follows webhook redirects, so an actor who can configure an admission webhook can aim API server requests at internal networks), CVE-2020-8562 (a DNS TOCTOU race that bypasses IP restrictions), and CVE-2021-25740 (Endpoints and EndpointSlice objects let a user forward a LoadBalancer or Ingress to backends in another namespace). All three stay unpatched by design. The webhook-redirect and cross-namespace-forwarding behaviors are features legitimate tools depend on, and the DNS race gets operational mitigation in place of a breaking code change. The records wrongly carried a fixed version field, which gave a false all-clear and produced false negatives. Your scanners may now start flagging these where they previously showed clean. The mitigations are admin-side and per-CVE, for example restricting write access to Endpoints and EndpointSlices (default edit and admin ClusterRoles dropped these in 1.22, so audit clusters upgraded from older versions) and running a local DNS cache with min-cache-ttl for the API server. A fixed field in a CVE record is a claim. Confirm the mitigation lives in your cluster.
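One way to confirm the Endpoints/EndpointSlice mitigation is actually in place, as an added example (not Kubernetes project tooling): feed it the output of `kubectl get clusterroles -o json` (or `roles` per namespace) and it lists every role that can write either resource. The sample roles below are constructed; they model an `edit` role carried over from a pre-1.22 cluster next to read-only roles.

```python
"""Audit Role/ClusterRole rules for write access to Endpoints and EndpointSlices, the
admin-side mitigation for CVE-2021-25740 described above. Added example; the sample
roles are constructed, the real input is `kubectl get clusterroles -o json`."""
import json
import sys

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# (apiGroup, resource) pairs that CVE-2021-25740 turns into a cross-namespace forwarder.
TARGETS = (("", "endpoints"), ("discovery.k8s.io", "endpointslices"))


def endpoint_writes(role):
    """Return the endpoint-type resources this role can write, e.g. ['core/endpoints']."""
    found = set()
    for rule in role.get("rules", []):
        if not set(rule.get("verbs", [])) & WRITE_VERBS:
            continue
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        for group, resource in TARGETS:
            if ("*" in groups or group in groups) and ("*" in resources or resource in resources):
                found.add(f"{group or 'core'}/{resource}")
    return sorted(found)


def audit(roles_json):
    """roles_json: the List object kubectl prints with -o json. Returns name -> writable targets,
    only for roles that have at least one."""
    result = {}
    for role in roles_json["items"]:
        writes = endpoint_writes(role)
        if writes:
            result[role["metadata"]["name"]] = writes
    return result


# Constructed sample mirroring the kubectl JSON shape.
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "legacy-edit"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "endpoints", "services"],
         "verbs": ["get", "list", "create", "update", "patch", "delete"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "view"}, "rules": [
        {"apiGroups": ["", "discovery.k8s.io"], "resources": ["endpoints", "endpointslices"],
         "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "ingress-controller"}, "rules": [
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["*"]}]},
]}

if __name__ == "__main__":
    # Usage: kubectl get clusterroles -o json | python audit_endpoints.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLES
    for name, writes in audit(data).items():
        print(f"{name}: can write {', '.join(writes)}")
```

A role that shows up here is not automatically wrong (controllers that manage Endpoints need the write), but every hit should map to a known controller, not to a human-facing role like a stale `edit`.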
Closer
Three of this week's four stories share one trait: the attacker side ran on automation, and it was fast. An agent improvising SQL and emptying a database in under two minutes of bastion access. 5,561 repositories backdoored in six hours. An extension live for eleven minutes that still knew exactly which files held your tokens. And the automation doing the work was usually something you were handed and told to trust: an OIDC trusted-publisher binding, a CI token, an auto-updating extension. Detection content, OIDC review, file monitoring on your agent configs, every one of them still waits on you to set up and run. Pick one item above and make it real before the next fast thing lands.