The 2026 AI Agent Credential Crisis: Six Months of Intelligence, One Unanswered Question
28 Million Secrets. 200,000 Vulnerable Servers. The Security Industry Built the Governance Layer. Nobody Built the Design Layer.
December 2025 – June 2026
The Numbers First
Before the narrative, the data. Six months. Six digests. This is what the numbers show:
28,649,024 — new secrets exposed on public GitHub in 2025 alone, a 34% year-over-year increase. The largest single-year jump in GitGuardian's five-year reporting history.
64% — the percentage of credentials confirmed as leaked in 2022 that were still active and exploitable in January 2026. Four years after detection. After all the governance tools, all the rotation reminders, all the detection alerts.
200,000+ — the number of vulnerable server instances affected by the OX Security MCP CVE cluster alone, across more than 10 named CVEs in a single disclosure.
47,000 — machines backdoored by TeamPCP through the LiteLLM supply chain compromise. Time window: approximately 40 minutes on PyPI.
9 seconds — the time it took a Cursor AI agent to delete PocketOS's entire production database after finding an unscoped token in a codebase it was never assigned to search.
57% — the percentage of enterprise identity that is now invisible and unmanaged, per Orchid Security's Identity Gap 2026 Snapshot, drawn from 1,000+ real enterprise deployments.
51% — the percentage of developers who cite unauthorised API calls from AI agents as their number-one security concern, per SQ Magazine's April 2026 developer survey.
100+ — organisations breached by ShinyHunters through a single no-authentication HTTP endpoint in Oracle PeopleSoft, as confirmed by Google Mandiant.
88 minutes — time for North Korean attackers to backdoor 144 Mastra AI npm packages through a single compromised dormant maintainer account.
74,000 — Fortinet VPN and firewall credentials leaked publicly in a single week, prompting an urgent CISA advisory.
These numbers did not arrive at once. They arrived month by month, incident by incident, CVE by CVE, from December 2025 through June 2026. This article is the first time they have been read together.
Month −4 (December 2025 – January 2026): The Month Every Warning Was Published
The crisis did not begin with an incident. It began with a framework.
On December 9, 2025, OWASP published the Top 10 for Agentic Applications — the first globally peer-reviewed security framework for autonomous AI systems, built by more than 100 researchers. Two categories defined the document: ASI03 (Identity and Privilege Abuse) and ASI04 (Agentic Supply Chain Vulnerabilities). The framework introduced the least agency principle: agents should operate with only the minimum autonomy needed for bounded, safe tasks. It named the problem in governance terms. It did not describe a design-layer answer.
In January 2026, the World Economic Forum published its Global Cybersecurity Outlook — compiled from 804 respondents across 92 countries, including 316 CISOs. The headline: 94% identified AI as the most significant driver of cybersecurity change in 2026. Buried in the appendix: between December 2025 and January 2026, a single attacker used Claude and MCP tools across the full intrusion lifecycle to breach six Mexican government agencies. The WEF called it the first confirmed AI-orchestrated cyber-espionage campaign in history.
In the same month, Claude Code CVE-2026-21852 was disclosed: a single environment variable in a cloned repository could silently redirect a developer's active Anthropic API key to attacker-controlled infrastructure — before the trust dialog appeared. Simply cloning an untrusted repository was enough.
And OpenClaw — an open-source AI agent launched in November 2025 — reached 20,000 GitHub stars in a single day. Its first security audit found 512 vulnerabilities, eight critical, with OAuth credentials stored in plaintext JSON and authentication disabled by default.
Month −4 is the month all of this was already in motion. None of it was visible as a crisis yet. Every ingredient was present.
Full analysis: devfortress.net/blog/deep-digest-1
Month −3 (January – February 2026): The Month It Got Names
On January 31, 2026, Wiz Security researchers opened a browser, found the Supabase API key hardcoded in Moltbook's client-side JavaScript, and queried the database directly. Full read/write access. 1.5 million API authentication tokens. 35,000 email addresses. Private messages containing plaintext OpenAI and Anthropic API keys. Among them: the API key of Andrej Karpathy, OpenAI founding member.
Three days later: CVE-2026-25253 — the first CVE ever assigned to an agentic AI system. CVSS 8.8. One malicious link. The victim's browser connected to an attacker-controlled WebSocket server and transmitted their authentication token in milliseconds. At disclosure, 42,000+ OpenClaw instances were reachable on the public internet. 93% were...