← UC-083: The Toxic Flow
Prognostic Review · R3
UC-083 · The Toxic Flow · AI Coding Agent Supply Chain Risk
Three Approaching supply_chain_mass, mcp_exploit_chain, and now regulatory_response. Mini Shai-Hulud compromised 518M-download packages and seeded hooks inside AI agent config files. CISA’s 6-nation agentic AI guidance explicitly named prompt injection as a supply chain risk. The AI-vector criterion is the last remaining gap on supply_chain_mass.
↻ Latest review · June 29, 2026 · NARROWING · 68% health (was 62%)
Thesis escalating hard. The Miasma worm (Jun 1 — first AI-agent-weaponizing supply-chain worm), the GitHub/Microsoft 73-repo takedown (Jun 5), and “Agentjacking” (Jun 12 — 85% success hijacking Claude Code/Cursor via MCP-trusted Sentry data) all landed, and Gartner elevated prompt injection to a top-4 enterprise threat. All four triggers are approaching, none quite fired: >1M-download packages were hit but pulled in hours (not >24h), and the real multi-system breach (Mexico, 195M records) ran via an agent-as-attacker-tool, not a compromised MCP server. Right on the boundary.
Next review July 27, 2026. The detailed analysis below is the prior review (R2 · May 15, 2026); current trigger detail lives in the case index.
Published March 19, 2026
Reviewed June 29, 2026
Window 33 days (R2→R3)
Triggers fired 0 / 4
Health 68%
NARROWING

The 38-day review window produced the largest AI-adjacent supply chain campaign in the library’s history. Mini Shai-Hulud — the TeamPCP worm first seen in the R1 window — returned in force. Two waves in May compromised packages totalling 518 million cumulative downloads across 170+ packages, achieved SLSA Build Level 3 attestation forgery, and — critically for this case — seeded persistence hooks specifically inside AI coding agent configuration files: .claude/settings.json, .cursorrules, VS Code tasks.[1][2] The worm is treating AI agent instruction files as privileged execution surfaces.

The regulatory trigger has upgraded materially. On May 1, CISA published a 6-nation joint guidance document — co-signed by NSA, ASD/ACSC, CCCS, NCSC-NZ, and NCSC-UK — that explicitly addresses prompt injection in agentic AI systems and supply chain risk from AI tool ecosystems.[8] This is the first Five Eyes coordination specifically on autonomous AI agents, and the first formal CISA publication to name the risk class this case was written to detect. No triggers have fired. Three of four are now approaching.

Trigger Signal Required Status Evidence
Enterprise Breach Trigger 1 · linked: UC-082 Prompt injection via AI coding agent causes Fortune 500 breach with disclosed impact Not Fired No Fortune 500 company has publicly disclosed a breach with AI coding agent prompt injection as the attributed vector. Two developments moved the threshold closer without crossing it:
PromptPwnd (Aikido Security, May 2026): Confirmed prompt injection vulnerability class in GitHub Actions CI/CD pipelines integrated with Gemini CLI, Claude Code, and OpenAI Codex. At least 5 Fortune 500 companies confirmed impacted — unnamed. Google’s own Gemini CLI repository was patched within four days of responsible disclosure. The attack works; the disclosure doesn’t. No named company, no quantified impact, no public filing. Does not qualify.[6][7]
Survey reference (no attribution): A threat landscape summary cites a Fortune 500 internal AI assistant that “forwarded its entire client database to an external server” via a prompt injection in a vendor invoice. No named company, no regulatory disclosure, no CVE. Appears in analysis context only. Does not qualify.
Supply Chain Mass Trigger 2 Package >1M weekly downloads compromised via toxic flow, persisting >24 hours Approaching Mini Shai-Hulud returned in two waves this window. The campaign now satisfies two of three trigger criteria — download threshold and (borderline) persistence. The AI-vector criterion is the remaining gap.
Wave 3 — May 11 (TanStack): TeamPCP compromised 42 @tanstack/* packages via the TanStack GitHub Actions CI pipeline — 84 malicious artifacts in six minutes. @tanstack/react-router alone draws ~12.7M weekly downloads; full ecosystem ~56M. The malware installed a persistent daemon (gh-token-monitor) with a 24-hour auto-exit clock. Persistence mechanisms seeded into .claude/settings.json hooks, VS Code tasks, and system LaunchAgents/systemd units survived package removal. npm removal timing was fast but the daemon persistence was real.[1][3]
Wave 4 — May 19 (atool / AntV): 637 malicious versions across 314 packages in two waves (01:39–02:18 UTC). Included AntV ecosystem packages. Malicious releases live on npm and PyPI for 12–36 hours before quarantine — the longest persistence in the campaign. Download threshold unambiguously cleared.[4][5]
Trigger Criterion
Assessment
Status
>1M weekly downloads
react-router 12.7M/wk; full @tanstack ~56M; AntV ecosystem in tens of millions
MET ✓
>24hr persistence
May 19 wave: 12–36hr for malicious package versions. May 11: daemon auto-exit 24hr, persistence mechanisms longer
MET ✓
AI coding agent vector
Initial compromise via OIDC token theft from GitHub Actions runner memory — not via AI agent tool call. AI agent files targeted as persistence sinks, not propagation vector
GAP ✗

The campaign explicitly weaponises AI agent instruction files as persistence surfaces. The gap is narrow: the worm arrives via CI/CD, then configures itself to survive through AI agent context. The trigger fires if a future wave uses an AI agent as the initial delivery mechanism rather than the persistence sink.

MCP Exploit Chain Trigger 3 MCP server attack chains through ≥2 enterprise systems via agent tool access Approaching Three significant developments since April 19 — one moves from PoC to production vulnerability, one documents production RCE at scale, and one shows the chain pattern in cloud environments:
CVE-2026-26118 — Azure MCP Server SSRF (CVSS 8.8): An attacker-controlled URL causes the Azure MCP Server Tools to make outbound HTTP requests that attach the server’s managed identity token. Chain: agent tool call → Azure identity exfiltration → downstream Azure resources. This is a production vulnerability, patched by Microsoft in March 2026. The multi-system architecture (agent → MCP server → Azure identity → cloud resources) matches the trigger pattern, but the PoC direction is SSRF-based exfiltration, not confirmed production exploitation.[9]
OX Security production RCE — April 2026: Confirmed command execution on 6 live production platforms (LiteLLM, LangChain, IBM LangFlow, others). 10+ High/Critical CVEs. 7,000+ publicly accessible servers confirmed exposed, up to 200,000 vulnerable. Anthropic has formally declined to patch the protocol root cause. These are single-system hits; multi-system chaining not confirmed in attribution.[10]
Trend Micro — Cloud MCP attack surface: Documents confirmed attack chain pattern: exposed MCP server → authentication assessment → credential theft from config files → lateral movement within cloud environment. Check Point Research (March–April 2026) cites two major US banks and a cloud platform as impacted via AI productivity tool entry points — without confirming MCP as the specific chaining mechanism.[11][12]

The trigger requires a confirmed production case of ≥2 systems chained via MCP tool access with attribution. The architectural prerequisites are proven; the public attribution gap persists. Direction of travel: strongly toward firing.

Regulatory Response Trigger 4 NIST / CISA / ENISA formally classifies prompt injection in AI coding tools as supply chain risk Approaching Upgraded from INACTIVE in R1. The May 1 CISA 6-nation publication is the most significant regulatory development this case has seen:
CISA “Careful Adoption of Agentic AI Services” — May 1, 2026: Six-nation joint publication (CISA, NSA, ASD/ACSC, CCCS, NCSC-NZ, NCSC-UK). The first Five Eyes coordination specifically addressing autonomous AI agents. Explicitly warns against prompt injection in agentic workflows, identifies supply chain risk from typosquatted MCP tools/agents, and flags AI coding tools as a vector for autonomous data exfiltration. Published on cisa.gov. CISA is named in the trigger condition.[8]
Ruling — Not fired, but approaching. The gap between this guidance and the trigger condition is formality of classification. The May 1 document addresses the risk descriptively in official guidance — it does not issue a standalone advisory number or create a named threat category entry in a formal taxonomy (e.g., a KEV entry, a NIST SP classification, or a formal ENISA threat landscape category). The NIST AI Agent Interoperability Profile (due Q4 2026) is the most likely qualifying event. CISA could also fire it with a targeted advisory. The trigger is now genuinely approaching rather than inactive.
NSA + 7 allied agencies — March 4–5, 2026: AI/ML supply chain guidance defining a six-component AI/ML supply chain with prompt injection embedded as a threat class. Predates the review window but strengthens the regulatory trajectory.[13]
Health
62
/ 100
OPEN — Three Approaching
Window State
OPEN
0 triggers
NARROWING
1–2 triggers
CLOSING
3 triggers
CLOSED
4 triggers

Health declined from 80 to 62 this window: regulatory_response upgraded from inactive to approaching (−10), and both supply_chain_mass and mcp_exploit_chain advanced materially within their approaching states (−8 combined). No triggers have fired — the single remaining gap across three of four is public attribution. The attack infrastructure is confirmed operational at production scale. The case’s thesis is being confirmed incrementally; the threshold events have not yet produced a qualifying disclosure.

Next review · June 27, 2026 · Watch: any Fortune 500 breach disclosure with AI agent attribution; NIST AI Agent Interoperability Profile (due Q4 2026); next Mini Shai-Hulud wave (AI-agent as propagation vector, not just persistence); confirmed production MCP chain with attribution.
0 / 4
Triggers Fired
62%
Window Health
3 / 4
Approaching
Jun 27
Next Review

The attack class is confirmed operational. Three of four triggers are approaching. The last gap is public attribution, not technical capability.

Mini Shai-Hulud changed the texture of this case. The worm is not just a supply chain attack — it is a supply chain attack that explicitly targets AI coding agent instruction files as persistence sinks. The campaign seeded hooks in .claude/settings.json and .cursorrules specifically because those files are read by AI coding agents at the start of every session. The worm treats AI agent context files as a persistence surface. When the propagation vector (not just the persistence) runs through an AI agent tool call, the supply_chain_mass trigger fires. The campaign architecture is already designed for that step.

The regulatory upgrade is the second significant development. CISA coordinating a 6-nation publication on agentic AI safety — the first Five Eyes coordination on this risk class — signals that the threat has crossed from security-researcher awareness into government-level institutional concern. The formal classification language required by the trigger is still being drafted, but the drafters are now named agencies working on a named timeline.

The Microsoft Semantic Kernel RCE finding (May 7) deserves specific note: a single malicious prompt in an AI agent framework converts to host-level code execution. That is the core thesis of this case made literal — LLMs cannot distinguish instructions from data, and the data can now execute arbitrary code on the host. The capability exists in production frameworks. The disclosed incident is a PoC. The gap to a qualifying breach event is a combination of disclosure culture and attribution willingness, not technical possibility.

[1]
The Hacker News — “Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages.” May 11 wave: 42 @tanstack/* packages, 84 malicious artifacts in 6 minutes. Persistence hooks in .claude/settings.json and VS Code tasks.
thehackernews.com
May 2026
[2]
Wiz — “Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised.” Campaign scope: 518M cumulative downloads, 170+ packages, SLSA Build L3 attestation forgery.
wiz.io
May 2026
[3]
Security Boulevard — “Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign.” Technical analysis of the @tanstack wave and persistence mechanisms.
securityboulevard.com
May 2026
[4]
Snyk — “Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published.” May 19 wave: 637 malicious versions across 314 packages, 12–36 hour persistence before quarantine.
snyk.io
May 19, 2026
[5]
Bleeping Computer — “New Shai-Hulud malware wave compromises 600 npm packages.” Scale reporting on the May 19 atool/AntV wave.
bleepingcomputer.com
May 2026
[6]
Aikido Security — “Prompt Injection Inside GitHub Actions: The New Frontier of Supply Chain Attacks (PromptPwnd).” Five Fortune 500 orgs confirmed impacted (unnamed). Google Gemini CLI patched within 4 days.
aikido.dev
May 2026
[7]
Cybersecurity News — “Prompt Injection Vulnerability in GitHub Actions Hits Fortune 500 Firms.” Scope reporting on PromptPwnd exposure.
cybersecuritynews.com
May 2026
[8]
CISA — “Careful Adoption of Agentic AI Services.” Six-nation joint guidance (CISA, NSA, ASD/ACSC, CCCS, NCSC-NZ, NCSC-UK). First Five Eyes coordination on autonomous AI agents. Explicitly names prompt injection as agentic supply chain risk.
cisa.gov
May 1, 2026
[9]
Point Guard AI — “Microsoft MCP Server Vulnerability (CVE-2026-26118).” SSRF in Azure MCP Server Tools, CVSS 8.8. Managed identity token exfiltration via attacker-controlled URL in tool call. Patched March 2026.
pointguardai.com
2026
[10]
OX Security — “The Mother of All AI Supply Chains.” Confirmed RCE on 6 live production platforms. 7,000+ publicly accessible servers exposed. Anthropic declines to patch protocol root cause.
ox.security
April 2026
[11]
Trend Micro — “Update on Exposed MCP Servers: The Threat Widens to the Cloud.” Attack chain: exposed MCP server → credential theft → lateral movement in cloud. Cloud attack surface expansion documented.
trendmicro.com
2026
[12]
Check Point Research — “AI Attacks Are No Longer Experimental: March–April 2026 AI Threat Landscape.” Two major US banks and a cloud platform cited as impacted via AI productivity tool entry points.
checkpoint.com
2026
[13]
Cloud Security Alliance — “NSA + 7 Allied Agencies: AI/ML Supply Chain Risk and Mitigation Guidance.” Six-component AI/ML supply chain definition. Prompt injection embedded as threat class.
cloudsecurityalliance.org
March 4–5, 2026
[14]
Microsoft Security Blog — “When prompts become shells: RCE vulnerabilities in AI agent frameworks.” Semantic Kernel: malicious prompt converts to host-level code execution. Confirmed in production AI agent framework.
microsoft.com
May 7, 2026