```html ``` The Attacker Stopped Breaking In. Now It Convinces Your AI Agent to Hand Over the Keys. A Field Map of 2026's Novel Attack Chains.
top of page

The Attacker Stopped Breaking In. Now It Convinces Your AI Agent to Hand Over the Keys. A Field Map of 2026's Novel Attack Chains.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 53 minutes ago
  • 5 min read

If you read enough incident writeups in a row, you start to see the shape underneath them, and the shape changed this year. For most of computing history, an attack chain meant breaking in: find a flaw in a server, exploit it, get a shell, move laterally. The novel chains of 2026 — the ones that are genuinely new, not last decade's technique in a fresh wrapper — mostly do not break in at all. They convince a program that already has your keys to hand them over. That program is an AI agent, and it has become the pivot point of the modern attack.


This is a map of how they are doing it, because we have been cataloging the pieces one incident at a time and they deserve to be seen together.



Why the agent is the target


Start with the motive, because it explains everything downstream. An AI coding agent, or an agent skill, or an MCP server, does not sit in some isolated sandbox. It sits next to the crown jewels — the .env file, the API keys, the model credentials, the cloud tokens, the SSH keys. It has read access to your repository and write access to your filesystem, and it acts on instructions it reads from its environment. From an attacker's point of view, that is the single most valuable process on the machine: something powerful, trusted, and — this is the part that's new — steerable by data. You do not need a memory-corruption exploit if you can simply tell the trusted process what to do and have it believe you.


So the frontier attack chains are not about code execution. They are about manipulating the agent's judgment. Three distinct techniques have emerged, and each attacks a different weak point.


Fool the blind spot. Ghostcommit, disclosed this month by the University of Missouri-Kansas City's ASSET Research Group, hides malicious instructions inside a PNG image in a pull request. AI code reviewers skip image files — it's a habit, not a rule — so the reviewer approves the change without ever seeing the payload. Later, a coding agent reads the image, opens the repository's .env, and writes every secret into the source disguised as an innocent list of numbers. Two different AI systems, and the attack lives in the gap between what one skips and what the other reads.


Let it hallucinate into your trap. HalluSquatting, from researchers at Tel Aviv University, the Technion, and Intuit, weaponizes a property of the models themselves: they confidently invent package and repository names that do not exist. An attacker measures which names an assistant tends to hallucinate, registers those names first, and waits. The next agent that dreams its way to that name installs the attacker's code. It requires no contact with the victim at all — the victim's own agent pulls the malware during normal work. That makes it untargeted and self-delivering, the propagation model of a botnet.


Lie to the guardrail. GhostApproval, from Wiz, targets the human-in-the-loop checkpoint. A malicious repository contains a symlink named project_settings.json that actually points to ~/.ssh/authorized_keys. The agent is asked to add "a line" — the attacker's SSH key. In testing, the model's own reasoning noticed the file was really a shell config, but the approval box shown to the developer named only the harmless file. The consent was real. It was just consent to the wrong thing.



The supply chain learned to cascade


The second family of novel chains isn't about a single agent — it's about the pipeline that feeds every agent, and the innovation there is propagation. Poisoning one package is old news. The 2026 versions are built to spread.


TeamPCP — a financially motivated crew we already keep a permanent profile on — ran a credential-cascade campaign: steal one maintainer's token, and automatically republish poisoned versions of every package that maintainer owns. They executed two coordinated waves in three weeks, and one of them trojanized LiteLLM, a widely used LLM gateway, to inject the SANDCLOCK credential stealer straight into enterprise environments. Shai-Hulud and Megalodon took it further into self-replicating worm territory across the AI developer supply chain. And Miasma packaged the whole thing as a modular toolkit that hits PyPI, npm, RubyGems, JFrog Artifactory, GitHub Actions, and AI-coding-tool configs from one kit. The through-line: a modern supply-chain attack is designed to become many attacks from a single foothold.


Underneath these, the industry has started naming the compound primitives themselves — FILE_READ → base64 → NETWORK_SEND for exfiltration, download → write → execute for remote code execution — as recognizable chain signatures inside AI skill registries. When the building blocks of an attack become named patterns, you know the technique has industrialized.



The two that aren't about AI at all


Not every novel chain this year runs through an agent, and two are worth holding up because they show the other directions attackers are exploring.


GigaWiper, documented by Microsoft and tied through its reused Crucio module to Iran's CyberAv3ngers, is a deception chain: it encrypts files with a .candy extension and throws up an alarming wallpaper — but there is no ransom note and no saved key, because getting your files back was never the goal. The fake ransomware is cover for a wipe, engineered so the victim wastes the first critical hours believing they can pay their way out while the disk is already gone.


And libssh2's [CVE-2026-55200](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-55200) inverts the direction of attack entirely. It is a client-side flaw: a malicious SSH server attacks the client that connects to it. Your outbound SSH — the CI/CD job, the automation script, the curl command — becomes the attack surface. Not a bug you scan the internet to find, but one you lure the victim into by controlling where their tools reach out.



Where we already are on this map


Held to about ninety-five percent, and the credit for the primary research belongs to the named teams throughout — UMKC, the Tel Aviv/Technion/Intuit group, Wiz, Unit 42, Microsoft, and the supply-chain researchers who mapped TeamPCP, Megalodon, and Miasma. We did not discover these chains.


What we did was see the pieces early and keep them. TeamPCP has a structured file in our adversary index, queryable at three in the morning. We had Megalodon's command-and-control forty-nine days before it bit, and LiteLLM flagged forty-five days early. We documented the ClawHavoc AI-agent-skill supply chain in February — a hundred and thirty days before Unit 42 published on the same actor. And Ghostcommit, GhostApproval, and HalluSquatting we covered this month, as they dropped.


The reason we can draw the whole map is that we have been standing in the window where these chains are born — the space between a proof-of-concept and a headline — on a six-hour cycle, for months. The single most useful thing a defender can take from this map is the frame itself: your AI agent is now a privileged, trusted, data-steerable process sitting on top of your secrets. Treat every input it reads — a pull request, a package name, an image, a config file, a webpage — as hostile until proven otherwise, scope it away from your crown jewels, and verify what it pulls and what it writes. The attackers already understand that the agent is the way in. The defense starts with admitting the same thing.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page