RSAC declared "Agentic Security" the next category. The same week, North Korean operators poisoned Axios at 50 million weekly downloads, Claude 4.6 wrote a kernel exploit autonomously, four AI dev tools disclosed critical flaws, and six MCP servers collapsed to a single POST request. The gap between what the industry is selling and what the industry is securing has never been wider.
The Axios npm supply chain attack is the most significant JavaScript package compromise since event-stream in 2018, and it happened despite the maintainer following best practices. North Korean actors compromised the Axios maintainer account and published malicious versions 1.14.1 and 0.30.4 on March 30-31. They never touched the OIDC-protected GitHub Actions CI/CD pipeline: they published with a legacy long-lived npm access token that was still valid. The pipeline was secure. The token predated the pipeline.
The malicious versions pulled in a hidden dependency called plain-crypto-js containing cross-platform RAT malware. It runs silently post-installation, establishes persistence, and harvests credentials. With 50M+ weekly downloads and usage across Fortune 500 development environments, any environment that resolved one of those versions during the two-day window (a fresh install without a lockfile, or a lockfile updated in that window) should treat every credential it held as compromised. The RAT removes itself after initial execution, so post-incident sweeps that only look for the binary on disk will miss it; the lockfile and install logs are the durable evidence.
OIDC-protected publishing means nothing if legacy tokens still exist in the system.
Revoke every npm token that predates your OIDC migration. Today, not next sprint. The Axios attack succeeded because a single legacy credential bypassed every modern protection the maintainer had in place.
Claude 4.6 independently discovered and wrote a complete remote kernel RCE exploit for FreeBSD (CVE-2026-4747), including a working root shell. Researchers describe it as the first remote kernel exploit both discovered and exploited by an AI. Separately, Claude found RCE vulnerabilities in Vim and Emacs that trigger on file open, with the Emacs bug still unpatched.
The defensive side is moving fast too. Trail of Bits reports AI-augmented auditors are now finding 200 bugs per week on the right engagements, a pace that wasn't possible before AI tooling. But the same capability cuts both ways. The research-to-exploit timeline compressed from weeks to hours, and for defenders, the window between "vulnerability exists" and "exploit is available" is shrinking past the point where traditional patch cycles can keep pace.
One analysis argues that AI's bug-finding efficiency will push attackers away from code vulnerabilities entirely, toward identity and social engineering attacks. The immediate reality: the volume of known exploitable vulnerabilities is about to increase dramatically, driven by the same AI tools teams are adopting for productivity. That compounds the trend reported in this briefing two weeks ago, when 44.5% of cloud intrusions were traced to unpatched code.
Your patch SLA assumes humans write exploits. Pressure-test it against 48-hour AI-generated exploit chains. Pull your top 10 unpatched criticals and ask: could any of these be weaponized by AI today? If you don't know, that's your Monday morning task.
This week produced a pattern that's getting harder to ignore. OpenAI Codex suffered a command injection vulnerability that allowed GitHub token theft through malicious branch names. LangChain disclosed its third major input validation flaw in recent months, this time a path traversal (CVE-2026-34070) enabling local file access and API key exfiltration. CrewAI's Code Interpreter exposed four vulnerabilities permitting arbitrary code execution. And six popular MCP servers with 70K+ combined GitHub stars fell to authentication bypass and RCE in a single research disclosure.
The shared failure across all of these: excessive permissions paired with insufficient input validation. These are the same mistakes the web application security community spent two decades addressing. AI development tools are repeating the cycle faster because adoption is outpacing security review. Organizations are deploying AI agents with broad system access before basic input sanitization is in place.
Google's Vertex AI required emergency patches after researchers showed that AI agents could be weaponized to create backdoors and exfiltrate data. The tools designed to accelerate development are now the attack surface.
Pull up the permission list for every AI coding tool in your environment this week. "It needs broad access to work" is not a security architecture.
RSAC 2026 told two stories at once. On stage, 40% of the conference agenda was AI-weighted, investors confirmed "everyone is building AI or talking about building AI," and new categories are forming around agentic security. Behind the scenes, sessions focused on managing agent permissions, protecting secrets in AI contexts, and controlling trusted integrations at scale. These are problems that suggest the industry is deploying first and securing second.
The "Agentic Security" category is emerging as vendors build EDR specifically for AI agents. The tension between AI urgency and AI fatigue was a recurring theme. Teams feel pressure to adopt, but 90% of executives report zero productivity impact from AI tools (NBER study of 6,000 senior executives), suggesting systemic integration failures rather than technology gaps. Meanwhile, AWS entered automated security testing with AI agents compressing pen testing from 2-6 weeks to 1-2 days, confirming the market shift toward AI-native security workflows.
The vendors will still be there in Q3. The policy gaps won't fix themselves. Start with agent permissions, secrets access controls, and scope boundaries before adding another tool to the stack.
CVE-2026-21643 | Fortinet FortiClient EMS
Severity: Critical | Status: Actively exploited
SQL injection enabling unauthenticated RCE in the endpoint management platform; seventh SQL injection CVE for Fortinet in 12 months.
Axios npm supply chain compromise | Axios npm package (versions 1.14.1, 0.30.4)
Severity: Critical | Status: Actively exploited
North Korean actors compromised the maintainer account and deployed cross-platform RAT malware to a package with 50M+ weekly downloads, publishing with a legacy npm token that sidestepped OIDC protection.
F5 BIG-IP APM RCE | F5 BIG-IP APM
Severity: Critical | Status: Actively exploited
DoS vulnerability upgraded to critical RCE after active exploitation was detected; added to the CISA KEV catalog.
CVE-2026-3055 | Citrix NetScaler
Severity: High | Status: Actively exploited
Memory over-read vulnerability enabling session hijacking; CISA ordered a federal patch deadline of April 2.
GNU Emacs RCE (file open trigger) | GNU Emacs
Severity: High | Status: Zero-day
RCE vulnerability triggered on file open, discovered by Claude AI; remains unpatched as of publication.
6 MCP servers auth bypass and RCE | Multiple MCP servers (70K+ GitHub stars combined)
Severity: High | Status: Zero-day
Authentication bypass, RCE, and credential theft across six popular Model Context Protocol servers via a single POST request.
CVE-2026-4747 | FreeBSD kernel
Severity: Critical | Status: Patch available
Remote kernel RCE with root shell; first exploit both discovered and written by AI (Claude 4.6).
OpenAI Codex command injection | OpenAI Codex
Severity: High | Status: Patch available
Command injection via malicious branch names enabling GitHub token theft from the AI coding agent.
CVE-2026-34070 | LangChain
Severity: High | Status: Patch available
Path traversal enabling local file access and API key exfiltration; third major input validation flaw in recent months.
Vim RCE (file open trigger) | Vim
Severity: High | Status: Patch available
RCE vulnerability triggered on file open, discovered by Claude AI; affects millions of developer environments.
CrewAI Code Interpreter (4 vulnerabilities) | CrewAI Code Interpreter
Severity: High | Status: Patch available
Four vulnerabilities permitting arbitrary code execution in the AI agent framework.
Google Vertex AI agent weaponization | Google Vertex AI
Severity: High | Status: Patch available
AI agents weaponized to create backdoors and exfiltrate data; emergency patches required.
EU Cyber Resilience Act (Regulation 2024/2847) Guidance Deadline Analysis
Why it's worth your time: The CRA treats cybersecurity as product liability, with SBOM mandates and third-party audit requirements. If you sell software in the EU, this regulatory shift changes your security validation obligations starting now.
Fortinet Hit by Another Exploited Cybersecurity Flaw
Why it's worth your time: Seven SQL injection CVEs in 12 months from a major security vendor. Raises uncomfortable questions about whether the companies selling security tools have solved their own secure coding problems.
Claude AI Finds Vim, Emacs RCE Bugs That Trigger on File Open
Why it's worth your time: AI-discovered RCE in two of the most ubiquitous developer tools, with the Emacs bug still unpatched. Concrete proof that AI vulnerability discovery is already reshaping disclosure timelines for tools developers use daily.
Cisco Source Code Stolen in Trivy-Linked Dev Environment Breach
Why it's worth your time: Credentials stolen in the March 19 Trivy supply chain attack enabled a breach of Cisco's dev environments weeks later, affecting 300+ repos including AI product source code. Shows how supply chain compromises cascade far beyond the initial blast radius.
Anthropic Confirms Mythos Leak
Why it's worth your time: A cybersecurity-specific LLM with "sharply improved reasoning and coding skills" leaked via a CMS misconfiguration before its planned announcement. Signals competitive positioning around purpose-built security AI models.
LangChain Path Traversal Bug Adds to Input Validation Woes in AI Pipelines
Why it's worth your time: Third major input validation flaw in LangChain in recent months. If your team uses LangChain in any pipeline, the pattern of recurring vulnerabilities warrants a permission audit now, not after the fourth disclosure.