The AI Agent Is the New Login Shell. Six Holes in Seven Days.

# The AI Agent Is the New Login Shell. Six Holes in Seven Days.

For decades the security industry has worked off a stable mental model. The endpoint was the workstation. The shell was the login session. The credentials were the user's. The blast radius of a compromise extended only as far as the user's permissions reached. Endpoint detection products, identity protection products, and SIEM platforms were all designed against this model. The model is now obsolete. The agent is the new login shell, and a single seven-day window has produced six distinct, unrelated, publicly-disclosed compromises of that surface.

The pattern is consistent: an AI tool — a coding agent, an LLM gateway, an IDE, a build-pipeline runner, an editor extension, an autonomous agent in a CI workflow — sits between a developer and the code. It runs with the developer's credentials. It loads configuration from project files. It executes code on the developer's behalf. Compromising the agent's startup configuration, its dependency tree, its workspace trust boundary, or its CI invocation owns the developer at a level no EDR product is positioned to detect.

Here are the six events. All six are in our IOC index as of April 30, 2026.

Event 1 — LiteLLM CVE-2026-42208 (April 19 disclosed, April 26 exploited)

BerriAI's LiteLLM Python AI gateway shipped a SQL injection in its proxy API key validation path. CVSS 9.3. The malicious payload landed in the Authorization header on any LLM API route. The query handler concatenated the caller-supplied key into the SQL text instead of parameterizing it. Exploitation observed in the wild twenty-six hours and seven minutes after the GitHub Advisory was indexed. Attacker IPs 65.111.27.132 and 65.111.25.67 (Sysdig disclosure) targeted litellm_credentials.credential_values and litellm_config tables. Those tables hold OpenAI organization keys with five-figure monthly spend caps, Anthropic console keys with workspace admin rights, and AWS Bedrock IAM credentials. One row of the breach payload is the cloud bill of the next victim.

LiteLLM is a 45,000-star, 7,600-fork open-source AI gateway. The customer base is thousands of organizations who route their LLM calls through a single proxy. The commercial incentive is centralizing the key vault. The compromise vector is the same centralization.

Event 2 — TeamPCP Mini Shai-Hulud (April 29)

The same operator behind the LiteLLM exploitation campaign — TeamPCP — pushed poisoned versions of four SAP-related npm packages between 09:55 and 12:14 UTC on April 29: [email protected], @cap-js/[email protected], @cap-js/[email protected], @cap-js/[email protected]. The preinstall hook downloaded a Bun runtime from GitHub Releases and ran a credential stealer harvesting GitHub, npm, AWS, Azure, GCP, and Kubernetes tokens. As of disclosure 1,100+ victim repositories had been created on victims' own GitHub accounts with the description "A Mini Shai-Hulud has Appeared."

The novel persistence vector is the part that telegraphs the future. The malware writes .claude/settings.json with a malicious SessionStart hook into every accessible repository. It writes .vscode/tasks.json with "runOn": "folderOpen" into the same repositories. Any developer who opens an infected repository in Claude Code or VS Code triggers the malware. AI coding agent and editor configurations are now executable surfaces. A malicious dependency installed once becomes a persistence mechanism in every repository the developer touches afterward.

StepSecurity, in their advisory: "This is one of the first supply chain attacks to target AI coding agent configurations as a persistence and propagation vector." It will not be the last.

Event 3 — Famous Chollima PromptMink (April 29)

ReversingLabs disclosed a North Korean threat-actor (Famous Chollima / Shifty Corsair) operation called PromptMink targeting the Solana cryptocurrency npm ecosystem. Eight packages identified, in a deliberate two-layer architecture: six benign-looking wrappers (@solana-launchpad/sdk, @meme-sdk/trade, @validate-ethereum-address/core, @solmasterv3/solana-metadata-sdk, @pumpfun-ipfs/sdk, @solana-ipfs/sdk) point to two credential-stealer payloads (@validate-sdk/v2, @hash-validator/v2). When the second-layer is detected and removed, the operators replace it within hours; the first-layer wrappers do not change.

The receipt is in the git trailer. The malicious dependency was added to openpaw-graveyard — an autonomous Solana trading agent — in a February 28, 2026 commit co-authored by Anthropic's Claude Opus large language model. A North Korean threat actor used Claude as a coding assistant to draft the commit that introduced the credential stealer. ReversingLabs documented the trailer.

This is the IT Worker scam reaching its logical extreme. DPRK assets get hired into Solana shops under fake résumés, ask the AI to write the dependency-addition commit, and the dependency is the malware. The AI is not the attacker. The AI is the productivity tool that makes the attacker indistinguishable from a competent collaborator.

Event 4 — Gemini CLI CVSS 10.0 (April 30)

Google patched a CVSS 10.0 flaw in @google/gemini-cli (versions 0.39.1 and 0.40.0-preview.3) and google-github-actions/run-gemini-cli (version 0.1.22). No CVE identifier assigned, but the maximum-severity score is documented in Google's advisory. Novee Security disclosed.

In headless mode — meaning CI environments — Gemini CLI automatically trusted the workspace folder for the purpose of loading agent configuration and environment variables. An attacker submitting a pull request to a repository whose CI workflow runs Gemini CLI against the PR code could plant a .gemini/ directory with malicious configuration. The configuration loaded. The environment variables loaded. Command execution fired on the host before the agent's sandbox initialized. The CI/CD pipeline became a supply-chain attack path.

The fix requires explicit folder trust before configuration files are read. Google's hardening also addresses the --yolo mode tool-allowlisting for prompt-injection-via-untrusted-input scenarios.

The structural lesson is the trust boundary. The agent's default trust boundary was the workspace folder. The agent's actual reachable surface was any folder it ran in. The two were not the same and the gap was exploitable for arbitrary-code-execution in CI.

Event 5 — Cursor IDE Code-Execution Flaws (April 30)

Google's same-day advisory addressed code-execution flaws in Cursor, the AI coding IDE that has become near-ubiquitous in developer workflows over 2025-2026. Specific CVE identifiers were not public at time of writing. The shape is the same family as Gemini CLI: an AI coding tool that loads project-folder configuration, executes code on behalf of the user, and trusts inputs that the developer has not actually verified. The disclosure pattern says the vulnerability class — AI coding tool auto-loads code from project files — is now an industry-wide problem with disclosures coordinated across vendors.

We are tracking Cursor as a placeholder entry in our IOC index pending CVE assignment. Defenders running Cursor across an engineering organization should subscribe to upstream advisories and treat the IDE as part of the build-pipeline attack surface, not as a passive editor.

Event 6 — EtherRAT GitHub Façades + Ethereum DDR (April 30)

Atos Threat Research Center disclosed an active campaign distributing a remote-access trojan called EtherRAT through SEO-poisoned GitHub repositories impersonating administrative tooling. The repositories spoof PsExec, AzCopy, Sysmon, LAPS, and Kusto Explorer — all utilities used almost exclusively by IT personnel with elevated network and system permissions. Successful infection on an admin workstation is the keys to the kingdom.

The novel technical detail is the C2 architecture. EtherRAT does not call home to a hardcoded domain or IP. It queries a hardcoded Ethereum smart contract address via public Ethereum RPC. The contract returns the live C2 server address. The operator can rotate C2 globally by updating the contract value. Domain takedowns and IP blocklists are useless against this resolution path because the resolution is happening on a public blockchain.

The two contract addresses we have indexed: 0xc12c8d8f9706244eca0acf04e880f10ff4e52522 and 0x37ef6e88425613564b2cf8adc496acff4b6481a9. Defenders running Ethereum-aware egress monitoring can flag queries to these contracts from non-developer-blockchain workstations — but most enterprises are not currently inspecting outbound Ethereum RPC traffic at all. The attack surface is invisible to the existing telemetry stack.

The dual-stage GitHub façade is the second novel detail. A primary repository optimized for SEO holds only a professional-looking README with a link to a second hidden repository where the actual malware lives. When the hidden payload repository gets reported and removed, the SEO façade survives because it contains no malicious code. The operator points the README at a new payload repo. Search engines keep ranking the façade. The resilience model defeats GitHub's takedown machinery as well as conventional URL blocklisting.

The Pattern

Six events in seven days. Three CVEs (LiteLLM, Gemini CLI, Cursor — though Cursor is awaiting public CVE). Three campaigns (Mini Shai-Hulud, PromptMink, EtherRAT). All six involve the agent surface or the dev environment surface or both. All six bypass the existing endpoint-detection and identity-protection product class because the failure mode is the legitimate agent doing what it was asked to do, with credentials that were properly issued, against a configuration that was successfully loaded. There is no malware signature for "valid agent config that does evil things." There is no behavioral baseline for "developer pulling a new dependency that turns out to be hostile."

The defensive lever is upstream: dependency vetting, workspace trust hardening, agent-configuration review on every commit, and outbound network inspection for non-traditional C2 channels (Ethereum RPC, public blob storage, third-party API endpoints). None of these are products that the major EDR vendors sell as a single SKU. All of them require the customer to assemble defensive coverage from multiple smaller signals across multiple vendors. The "buy the highest tier of one vendor's stack" model that the industry has spent fifteen years selling cannot defend the agent surface, because the agent surface crosses every vendor's product boundary.

What We Indexed Today

Thirty-seven new IOC documents. The full Gemini CLI affected-version list. The Cursor placeholder pending CVE. Two Ethereum smart contract addresses for EtherRAT C2 resolution. Seven C2 domains, seven C2 IPs, four loader C2 domains, and nine file hashes for Silver Fox / ABCDoor (a parallel campaign disclosed today by Kaspersky targeting India, Russia, Japan, Indonesia, South Africa with Cython-compiled Python remote-control malware).

The IOC index now holds the full week of agent-surface compromises in queryable form. Consumers pulling our STIX feed since this morning's deploy already have the new entries. Consumers pulling our OPNsense IP blocklist have the seven Silver Fox C2 IPs. The data is the data and the price is the price — every tier sees the same feed.

The Ledger Update

Yesterday we published a public ledger of nine cases where our left-of-boom timing produced an average fifteen-day lead time. That ledger only counts breaches that hit a named victim. The agent-surface compromises this week have not yet produced named victim-disclosures because the campaigns are too fresh. The lead-time math will resolve over the next thirty to sixty days as the affected developers discover their tokens leaked, their wallets were drained, their CI pipelines spawned unauthorized releases. The ledger will grow. Some of the entries will have lead times measured in negative days because the breach window was already open when the disclosure landed and our index just caught up.

That is the honest version of the receipts.

What To Do This Week

For developers running AI coding tools: pin your tooling to the patched versions. Audit your .claude/settings.json and .vscode/tasks.json files in every working repository for unexpected hooks. Rotate credentials cached on workstations that ran any of the listed compromised npm packages. Subscribe to Anthropic, Google, and Cursor security advisories.

For organizations operating CI/CD pipelines that invoke AI coding agents on user-submitted PRs: add explicit workspace trust enforcement. Set GEMINI_TRUST_WORKSPACE: 'false' for any workflow that reviews untrusted input. Migrate npm publish flows to OIDC trusted publishing on protected branches only.

For threat-hunting teams: monitor outbound Ethereum RPC traffic from non-developer workstations and flag queries to the EtherRAT contract addresses. Cross-reference your endpoint download logs against the EtherRAT impersonated-tool list (PsExec, AzCopy, Sysmon, LAPS, Kusto Explorer) and verify any MSI you find came through Microsoft's official distribution.

For everyone running anything called an "AI agent" with elevated credentials in your environment: the agent is your new login shell. Defend it like one.

The IOCs are indexed. The receipts are public. We will keep watching.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.