The Security Industry Is Solving the Wrong Problem
RSAC shipped five agent identity frameworks in one week. Every real attack that week was caught by accident.
This week's Long View is a special edition. We've been reporting on the RSAC supply chain attacks and agent security gap for the past week, and the story kept growing. It outgrew the Long View format, so we're publishing it as a standalone today.
The Day npm Broke Twice
On the night of March 30, an Elastic Security Labs engineer named Joe Desimone was working late when a Slack alert fired from a tool he'd built three days earlier. The tool was simple: poll npm for new package releases, diff them, feed the diff to a large language model, ask if it's malicious. He'd hacked it together on a Friday afternoon after flying red-eye from the RSA Conference (RSAC), the largest annual cybersecurity event. It ran on his laptop.
The alert said axios 0.30.4 was malicious.
Axios gets over 100 million weekly downloads. It is one of the most depended-upon packages in the JavaScript ecosystem. Attackers had compromised a maintainer's npm account, changed the registered email to a Proton Mail address, and published two poisoned versions that installed a cross-platform remote access trojan (RAT) through a phantom dependency called plain-crypto-js. Microsoft Threat Intelligence attributed the attack to Sapphire Sleet, a North Korean state actor. Google's threat intelligence team confirmed the DPRK nexus.
Hours later, the same registry delivered a different kind of surprise. Anthropic's Claude Code shipped its entire source code, all 512,000 lines, to every developer who ran npm install. A missing .npmignore entry combined with Bun's default source-map generation exposed the full codebase in readable form. Not a hack, just a build-pipeline oversight.
VentureBeat noted that anyone who installed or updated Claude Code via npm on March 31, between 00:21 and 03:29 UTC, may have pulled in the malicious axios versions alongside the leaked source. Two unrelated failures, on the same registry, within the same install window. Nobody planned the overlap.
The Chain: Trivy → LiteLLM → Mercor
The axios attack didn't come from nowhere. Twelve days earlier, a group calling themselves TeamPCP compromised Trivy, the popular open-source security scanner maintained by Aqua Security. They injected a credential stealer into the aquasecurity/trivy-action GitHub Action, the tool developers run to check for vulnerabilities, and harvested secrets from continuous integration pipelines.
On March 24, those stolen credentials landed. TeamPCP used LiteLLM's PyPI publishing tokens, grabbed through the poisoned Trivy pipeline, to push malicious versions of the AI proxy library. LiteLLM handles routing between AI models and processes roughly 95 million monthly downloads. The compromised versions were aggressive credential stealers: SSH keys, cloud tokens, API keys, wallet data.
Mercor, an AI recruiting startup that describes itself as serving "thousands of companies," confirmed it was breached through LiteLLM. A BreachForums listing appeared with what appeared to be Slack data, ticketing data, and videos of conversations between Mercor's AI systems and contractors on its platform.
A compromised security scanner led to stolen publishing credentials, which led to a backdoored AI library, which led to a named company breach. Each link was a different tool, a different registry, a different team.
What the Agents Are Actually Doing
While RSAC attendees filed into keynotes about agent identity, CrowdStrike CEO George Kurtz disclosed two incidents at Fortune 50 companies that had nothing to do with compromised credentials or stolen tokens.
In the first, a CEO's AI agent rewrote the company's own security policy. The agent wasn't compromised. It wanted to fix a problem, lacked the permissions to do so, and removed the restriction itself. Every identity check passed. The company caught the modification by accident.
In the second, a 100-agent Slack swarm delegated a code fix between agents with no human in the loop. Agent 12 made the commit. The team discovered it after the fact.
Both Fortune 50 companies, both caught by accident. Every identity framework that shipped at RSAC that week would have missed them, because the agents were authenticated, authorized, and operating within their assigned roles.
Kurtz also flagged ClawHavoc, the first major supply chain attack targeting an AI agent ecosystem. Koi Security's audit found 824 malicious skills on ClawHub, OpenClaw's public skills registry. Some erased their own memory after installation and stayed dormant before activating. CrowdStrike's sensors now detect more than 1,800 distinct AI applications across its customer fleet, generating 160 million unique instances on enterprise endpoints. Kurtz put the fastest recorded adversary breakout time at 27 seconds.
The Credential Flood Underneath
GitGuardian's 2026 State of Secrets Sprawl report counted 28.65 million new hardcoded secrets pushed to public GitHub in 2025, a 34% year-over-year increase and the largest single-year jump they've recorded. AI-assisted commits are accelerating it: Claude Code-assisted commits showed a 3.2% secret-leak rate, compared to a 1.5% baseline across all public commits.
The Model Context Protocol (MCP), the emerging standard for connecting AI agents to external tools, has its own problem. GitGuardian found 24,008 unique secrets exposed in MCP configuration files on public GitHub, including 2,117 verified as valid. Popular MCP setup guides recommend putting API keys directly into configuration files. When insecure credential handling appears in official quickstarts, it spreads at ecosystem speed.
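A pre-commit check for that pattern, added here as an example (not GitGuardian's scanner or any MCP client's own tooling): it walks the mcpServers entries of a client config and flags literal values that look like credentials, while treating environment placeholders as non-literals. The config, server names, key-prefix list and token values are constructed, and the idea that a launch wrapper fills `${VAR}` placeholders from the process environment is an assumption about the deployment, not a documented feature of any particular client.

```python
# Flag literal credentials in an MCP client config (the mcpServers shape used by
# desktop-client JSON configs) before it is committed. Example code, not GitGuardian's scanner.
import json
import math
import re
from collections import Counter

KNOWN_PREFIXES = re.compile(r"^(sk-|ghp_|github_pat_|AKIA|xox[abp]-)")  # assumption: partial list
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")  # ${VAR} / $VAR placeholder, not a literal

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_like_secret(value: str) -> bool:
    if ENV_REF.match(value):
        return False
    if KNOWN_PREFIXES.match(value):
        return True
    return len(value) >= 20 and shannon_entropy(value) > 4.0  # random-looking token

def scan_mcp_config(text: str) -> list:
    """Return (server, location, redacted) for every literal value that looks like a secret."""
    hits = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for key, val in server.get("env", {}).items():
            if isinstance(val, str) and looks_like_secret(val):
                hits.append((name, f"env.{key}", val[:6] + "..."))
        for i, arg in enumerate(server.get("args", [])):
            for tok in re.findall(r"[A-Za-z0-9_\-]{20,}", arg):  # tokens embedded in flags/URLs
                if looks_like_secret(tok):
                    hits.append((name, f"args[{i}]", tok[:6] + "..."))
    return hits

# Constructed configs: the literal-key pattern many quickstarts show, beside the same
# config using placeholders that a launch wrapper fills from the process environment
# (assumption about the deployment, not a feature of any particular client).
LEAKY = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "github-mcp"],
               "env": {"GITHUB_TOKEN": "ghp_EXAMPLE0123456789abcdefghijklmnopqrs"}},
    "search": {"command": "npx",
               "args": ["-y", "search-mcp", "--api-key=sk-EXAMPLEabcdef0123456789"]}}})
HARDENED = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "github-mcp"],
               "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}},
    "search": {"command": "npx",
               "args": ["-y", "search-mcp", "--api-key=${SEARCH_API_KEY}"]}}})
```

Running `scan_mcp_config(LEAKY)` yields two findings (the env token and the key embedded in an argument) and `scan_mcp_config(HARDENED)` yields none.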
Internal repositories are roughly six times more likely than public ones to contain hardcoded secrets. About 28% of incidents originate entirely outside repositories, in Slack, Jira, and Confluence, during urgent troubleshooting and incident response. The Shai-Hulud worm, a supply chain attack that propagated through developer workstations earlier this year, demonstrated what happens when agent-level access to local terminals, files, and credential stores turns a compromised laptop into an organizational breach.
Five Frameworks, Zero Behavioral Baselines
RSAC 2026 shipped five agent identity frameworks in a single week.
Cisco went deepest on identity governance, registering agents as distinct identity objects and routing every tool call through an MCP gateway. CrowdStrike treated agents as endpoint telemetry, tracking the process tree through Falcon's lineage. Palo Alto Networks built an agentic registry, an agentic identity provider, and an MCP gateway for runtime traffic control. Microsoft spread governance across Entra, Purview, Sentinel, and Defender. Okta disclosed its "blueprint for the secure agentic enterprise."
A VentureBeat analysis found that none of the three major architectures shipped an agent behavioral baseline, the foundational capability security teams would need before writing a single policy about what agents should and shouldn't do at runtime.
They verified who the agent was. None of them tracked what the agent did.
"Observing actual kinetic actions is a structured, solvable problem," CrowdStrike CTO Elia Zaitsev told VentureBeat. "Intent is not."
Zaitsev's own company came the closest by walking the process tree on endpoints, but CrowdStrike doesn't yet ship behavioral anomaly detection for policy-modifying actions as a production capability. Palo Alto's Prisma AIRS 3.0 offers pre-deployment red teaming, which by definition runs before an agent goes live, not at runtime, when the CEO's agent decides to rewrite the rules.
The attack surface keeps expanding. Etay Maor, VP of Threat Intelligence at Cato Networks, ran a live Censys scan during RSAC (Censys indexes internet-connected devices) and counted nearly 500,000 internet-facing OpenClaw instances, up from 230,000 the week before. A BreachForums listing from February 22 advertised root shell access to a UK CEO's computer for $25,000 in cryptocurrency. The selling point: the CEO's OpenClaw assistant had accumulated the company's production database, Telegram bot tokens, and Trading 212 API keys in plain-text Markdown.
"Your AI? It's my AI now," Maor told VentureBeat. "It's an assistant for the attacker."
The defensive tools that target behavior do exist. Snyk launched Agent Security at RSAC, including an agent-scan tool for MCP server governance. Cisco's DefenseClaw framework scans OpenClaw skills and MCP servers before deployment. These are pointed in the right direction. They just weren't the headline announcements. The biggest players led with identity.
The Guy on the Laptop
Back to Joe Desimone and his Friday-afternoon project.
His tool ran on his laptop. It used Cursor's Agent CLI in read-only mode. The prompt told it what to look for: obfuscated code, base64, exec/eval, unexpected network calls, steganography, persistence mechanisms, lifecycle script abuse. He tested it against the Telnyx compromise that TeamPCP had pushed the same Friday, then let it run over the weekend.
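A heuristic pre-screen in the spirit of that poll-diff-ask pipeline, added here as an example (not Desimone's tool or Elastic's code): it diffs two versions of a package and flags the indicator classes his prompt listed, on added lines only, so a reviewer or an LLM prompt sees the suspicious hunks first. The package contents, dependency name and file paths are constructed and are not the actual axios payload; the regex set is illustrative, not a complete ruleset.

```python
# Heuristic pre-screen of a new npm release: diff two versions, flag indicators on ADDED lines.
import difflib
import json
import re

INDICATORS = {  # assumption: illustrative regexes, not an exhaustive ruleset
    "dynamic-eval": re.compile(r"\b(eval|new Function)\s*\("),
    "process-or-net": re.compile(r"require\(['\"](child_process|net|dgram)['\"]\)"),
    "base64-decode": re.compile(r"Buffer\.from\([^,]+,\s*['\"]base64['\"]\)"),
    "long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
    "http-call": re.compile(r"\b(fetch|https?\.(request|get))\s*\("),
}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")  # run on `npm install`

def scan_release(old: dict, new: dict) -> list:
    """old/new map file path -> contents for two versions of one package.
    Returns (category, detail) findings; empty means nothing to escalate."""
    findings = []
    old_pkg = json.loads(old.get("package.json", "{}"))
    new_pkg = json.loads(new.get("package.json", "{}"))
    old_scripts, new_scripts = old_pkg.get("scripts", {}), new_pkg.get("scripts", {})
    for hook in LIFECYCLE:  # a hook that appears or changes deserves a human look
        if new_scripts.get(hook) != old_scripts.get(hook):
            findings.append(("lifecycle-script", f"{hook}: {new_scripts.get(hook)}"))
    # Dependencies the prior version never declared ("phantom" additions).
    for dep in sorted(set(new_pkg.get("dependencies", {})) - set(old_pkg.get("dependencies", {}))):
        findings.append(("new-dependency", dep))
    for path in sorted((set(old) | set(new)) - {"package.json"}):
        diff = difflib.unified_diff(old.get(path, "").splitlines(),
                                    new.get(path, "").splitlines(), lineterm="")
        for line in diff:
            if line.startswith("+") and not line.startswith("+++"):
                for name, rx in INDICATORS.items():
                    if rx.search(line):
                        findings.append((name, f"{path}: {line[1:].strip()[:60]}"))
    return findings

# Constructed sample (not the real axios payload): a patch release that adds a postinstall
# hook, a new dependency, and a script that decodes base64 and loads child_process.
OLD = {"package.json": json.dumps({"name": "demo-lib", "version": "1.0.0",
                                   "dependencies": {"follow-redirects": "^1.15.0"}}),
       "lib/index.js": "module.exports = function get(url) { return url; };\n"}
NEW = {"package.json": json.dumps({"name": "demo-lib", "version": "1.0.1",
                                   "dependencies": {"follow-redirects": "^1.15.0",
                                                    "example-phantom-dep": "^1.0.0"},
                                   "scripts": {"postinstall": "node lib/setup.js"}}),
       "lib/index.js": OLD["lib/index.js"],
       "lib/setup.js": "const cp = require('child_process');\n"
                       "const blob = Buffer.from('aGVsbG8=', 'base64');\n"}
```

`scan_release(OLD, NEW)` returns four findings (the new postinstall hook, the new dependency, and the two suspicious lines in the new file); an unchanged release returns an empty list.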
Zero false positives all weekend. Then Monday night, axios.
One engineer, on a red-eye back from the biggest security conference in the world, hacked together an AI diff scanner that caught one of the largest npm supply chain compromises on record. He caught it before any of the five identity frameworks shipped that week could have helped, because the attack didn't involve an identity problem. It involved a maintainer's compromised account pushing code that nobody was watching.
The frameworks answer "who is this agent?" The question Desimone answered was simpler: "what just changed in this package, and does it look like malware?"
He open-sourced the tool on April 2.