The 38-day review window produced the largest AI-adjacent supply chain campaign in the library’s history. Mini Shai-Hulud — the TeamPCP worm first seen in the R1 window — returned in force. Two waves in May compromised packages totalling 518 million cumulative downloads across 170+ packages, achieved SLSA Build Level 3 attestation forgery, and — critically for this case — seeded persistence hooks specifically inside AI coding agent configuration files: .claude/settings.json, .cursorrules, VS Code tasks.[1][2] The worm is treating AI agent instruction files as privileged execution surfaces.
The regulatory trigger has upgraded materially. On May 1, CISA published a 6-nation joint guidance document — co-signed by NSA, ASD/ACSC, CCCS, NCSC-NZ, and NCSC-UK — that explicitly addresses prompt injection in agentic AI systems and supply chain risk from AI tool ecosystems.[8] This is the first Five Eyes coordination specifically on autonomous AI agents, and the first formal CISA publication to name the risk class this case was written to detect. No triggers have fired. Three of four are now approaching.
| Trigger | Signal Required | Status | Evidence |
|---|---|---|---|
| Enterprise Breach Trigger 1 · linked: UC-082 | Prompt injection via AI coding agent causes Fortune 500 breach with disclosed impact | Not Fired |
No Fortune 500 company has publicly disclosed a breach with AI coding agent prompt injection as the attributed vector. Two developments moved the threshold closer without crossing it:
PromptPwnd (Aikido Security, May 2026): Confirmed prompt injection vulnerability class in GitHub Actions CI/CD pipelines integrated with Gemini CLI, Claude Code, and OpenAI Codex. At least 5 Fortune 500 companies confirmed impacted — unnamed. Google’s own Gemini CLI repository was patched within four days of responsible disclosure. The attack works; the disclosure doesn’t. No named company, no quantified impact, no public filing. Does not qualify.[6][7]
Survey reference (no attribution): A threat landscape summary cites a Fortune 500 internal AI assistant that “forwarded its entire client database to an external server” via a prompt injection in a vendor invoice. No named company, no regulatory disclosure, no CVE. Appears in analysis context only. Does not qualify.
|
| Supply Chain Mass Trigger 2 | Package >1M weekly downloads compromised via toxic flow, persisting >24 hours | Approaching |
Mini Shai-Hulud returned in two waves this window. The campaign now satisfies two of three trigger criteria — download threshold and (borderline) persistence. The AI-vector criterion is the remaining gap.
Wave 3 — May 11 (TanStack): TeamPCP compromised 42 @tanstack/* packages via the TanStack GitHub Actions CI pipeline — 84 malicious artifacts in six minutes. @tanstack/react-router alone draws ~12.7M weekly downloads; full ecosystem ~56M. The malware installed a persistent daemon (
gh-token-monitor) with a 24-hour auto-exit clock. Persistence mechanisms seeded into .claude/settings.json hooks, VS Code tasks, and system LaunchAgents/systemd units survived package removal. npm removal timing was fast but the daemon persistence was real.[1][3]Wave 4 — May 19 (atool / AntV): 637 malicious versions across 314 packages in two waves (01:39–02:18 UTC). Included AntV ecosystem packages. Malicious releases live on npm and PyPI for 12–36 hours before quarantine — the longest persistence in the campaign. Download threshold unambiguously cleared.[4][5]
Trigger Criterion
Assessment
Status
>1M weekly downloads
react-router 12.7M/wk; full @tanstack ~56M; AntV ecosystem in tens of millions
MET ✓
>24hr persistence
May 19 wave: 12–36hr for malicious package versions. May 11: daemon auto-exit 24hr, persistence mechanisms longer
MET ✓
AI coding agent vector
Initial compromise via OIDC token theft from GitHub Actions runner memory — not via AI agent tool call. AI agent files targeted as persistence sinks, not propagation vector
GAP ✗
The campaign explicitly weaponises AI agent instruction files as persistence surfaces. The gap is narrow: the worm arrives via CI/CD, then configures itself to survive through AI agent context. The trigger fires if a future wave uses an AI agent as the initial delivery mechanism rather than the persistence sink. |
| MCP Exploit Chain Trigger 3 | MCP server attack chains through ≥2 enterprise systems via agent tool access | Approaching |
Three significant developments since April 19 — one moves from PoC to production vulnerability, one documents production RCE at scale, and one shows the chain pattern in cloud environments:
CVE-2026-26118 — Azure MCP Server SSRF (CVSS 8.8): An attacker-controlled URL causes the Azure MCP Server Tools to make outbound HTTP requests that attach the server’s managed identity token. Chain: agent tool call → Azure identity exfiltration → downstream Azure resources. This is a production vulnerability, patched by Microsoft in March 2026. The multi-system architecture (agent → MCP server → Azure identity → cloud resources) matches the trigger pattern, but the PoC direction is SSRF-based exfiltration, not confirmed production exploitation.[9]
OX Security production RCE — April 2026: Confirmed command execution on 6 live production platforms (LiteLLM, LangChain, IBM LangFlow, others). 10+ High/Critical CVEs. 7,000+ publicly accessible servers confirmed exposed, up to 200,000 vulnerable. Anthropic has formally declined to patch the protocol root cause. These are single-system hits; multi-system chaining not confirmed in attribution.[10]
Trend Micro — Cloud MCP attack surface: Documents confirmed attack chain pattern: exposed MCP server → authentication assessment → credential theft from config files → lateral movement within cloud environment. Check Point Research (March–April 2026) cites two major US banks and a cloud platform as impacted via AI productivity tool entry points — without confirming MCP as the specific chaining mechanism.[11][12]
The trigger requires a confirmed production case of ≥2 systems chained via MCP tool access with attribution. The architectural prerequisites are proven; the public attribution gap persists. Direction of travel: strongly toward firing. |
| Regulatory Response Trigger 4 | NIST / CISA / ENISA formally classifies prompt injection in AI coding tools as supply chain risk | Approaching |
Upgraded from INACTIVE in R1. The May 1 CISA 6-nation publication is the most significant regulatory development this case has seen:
CISA “Careful Adoption of Agentic AI Services” — May 1, 2026: Six-nation joint publication (CISA, NSA, ASD/ACSC, CCCS, NCSC-NZ, NCSC-UK). The first Five Eyes coordination specifically addressing autonomous AI agents. Explicitly warns against prompt injection in agentic workflows, identifies supply chain risk from typosquatted MCP tools/agents, and flags AI coding tools as a vector for autonomous data exfiltration. Published on cisa.gov. CISA is named in the trigger condition.[8]
Ruling — Not fired, but approaching. The gap between this guidance and the trigger condition is formality of classification. The May 1 document addresses the risk descriptively in official guidance — it does not issue a standalone advisory number or create a named threat category entry in a formal taxonomy (e.g., a KEV entry, a NIST SP classification, or a formal ENISA threat landscape category). The NIST AI Agent Interoperability Profile (due Q4 2026) is the most likely qualifying event. CISA could also fire it with a targeted advisory. The trigger is now genuinely approaching rather than inactive.
NSA + 7 allied agencies — March 4–5, 2026: AI/ML supply chain guidance defining a six-component AI/ML supply chain with prompt injection embedded as a threat class. Predates the review window but strengthens the regulatory trajectory.[13]
|
Health declined from 80 to 62 this window: regulatory_response upgraded from inactive to approaching (−10), and both supply_chain_mass and mcp_exploit_chain advanced materially within their approaching states (−8 combined). No triggers have fired — the single remaining gap across three of four is public attribution. The attack infrastructure is confirmed operational at production scale. The case’s thesis is being confirmed incrementally; the threshold events have not yet produced a qualifying disclosure.
The attack class is confirmed operational. Three of four triggers are approaching. The last gap is public attribution, not technical capability.
Mini Shai-Hulud changed the texture of this case. The worm is not just a supply chain attack — it is a supply chain attack that explicitly targets AI coding agent instruction files as persistence sinks. The campaign seeded hooks in .claude/settings.json and .cursorrules specifically because those files are read by AI coding agents at the start of every session. The worm treats AI agent context files as a persistence surface. When the propagation vector (not just the persistence) runs through an AI agent tool call, the supply_chain_mass trigger fires. The campaign architecture is already designed for that step.
The regulatory upgrade is the second significant development. CISA coordinating a 6-nation publication on agentic AI safety — the first Five Eyes coordination on this risk class — signals that the threat has crossed from security-researcher awareness into government-level institutional concern. The formal classification language required by the trigger is still being drafted, but the drafters are now named agencies working on a named timeline.
The Microsoft Semantic Kernel RCE finding (May 7) deserves specific note: a single malicious prompt in an AI agent framework converts to host-level code execution. That is the core thesis of this case made literal — LLMs cannot distinguish instructions from data, and the data can now execute arbitrary code on the host. The capability exists in production frameworks. The disclosed incident is a PoC. The gap to a qualifying breach event is a combination of disclosure culture and attribution willingness, not technical possibility.
.claude/settings.json and VS Code tasks.