pac4j JWT Forgery, Copilot Zero-Click, and npm AI Backdoor

◆ DEEP DIVES

1. 01

   pac4j JWT Forgery + Copilot Agent Exfiltration: Your Most Urgent Patch Sprint

   <h3>Two New Vulnerability Classes Demand Immediate Response</h3><p>Today's patch urgency is driven by two vulnerabilities that represent <strong>entirely new attack patterns</strong>, not just another round of bug fixes. Together they redefine your most critical exposure this week.</p><h4>CVE-2026-29000: pac4j JWT Forgery — Maximum Severity, Live PoC</h4><p>A <strong>maximum-severity vulnerability</strong> in pac4j, a widely-used open-source Java security library, allows attackers to forge JSON Web Tokens using only publicly available RSA keys. No secrets, no special access, <strong>no authentication required</strong>. CodeAnt AI discovered the flaw and published a proof-of-concept exploit last week. Patches dropped within two days — but the adoption window is the kill zone.</p><p>The critical amplifier: <em>most organizations don't know they depend on pac4j</em>. It's integrated into hundreds of Java packages as a <strong>transitive dependency</strong>. If you aren't scanning your full dependency tree, you likely don't know if you're exposed. This is precisely the scenario the now-rescinded SBOM mandates were designed to prevent — hidden supply chain dependencies that nobody tracks until they're weaponized.</p><blockquote>pac4j is pre-authentication, internet-facing, requires only basic JWT knowledge, and has a live PoC. If it's in your dependency tree, this is a same-day emergency.</blockquote><h4>CVE-2026-26144: Copilot Agent as Data Exfiltration Tool</h4><p>An Excel information-disclosure flaw enables Microsoft Copilot Agent to exfiltrate data in a <strong>zero-click operation</strong>. This isn't another Office bug — it's the <strong>first documented weaponization of an AI productivity assistant</strong> through a traditional software vulnerability. Your DLP controls almost certainly don't monitor for AI-agent-initiated data movements. The trust boundary between "AI helps employees" and "AI exfiltrates data" just collapsed.</p><h4>Full Patch Priority Matrix</h4><table><thead><tr><th>CVE</th><th>Product</th><th>CVSS</th><th>Attack Vector</th><th>User Interaction</th></tr></thead><tbody><tr><td><strong>CVE-2026-29000</strong></td><td>pac4j (Java)</td><td>10.0</td><td>Network (JWT forgery)</td><td>None</td></tr><tr><td><strong>CVE-2026-28514</strong></td><td>Rocket.Chat</td><td>Critical</td><td>Network (missing await)</td><td>None</td></tr><tr><td><strong>CVE-2026-26144</strong></td><td>Excel / Copilot</td><td>High</td><td>Crafted Excel file</td><td>Zero-click</td></tr><tr><td><strong>CVE-2026-26110</strong></td><td>Microsoft Office</td><td>High</td><td>Preview pane</td><td>None</td></tr><tr><td><strong>CVE-2026-26113</strong></td><td>Microsoft Office</td><td>High</td><td>Preview pane</td><td>None</td></tr></tbody></table><p>The March Patch Tuesday is notable for being the <strong>first release in six months with no actively exploited zero-days</strong> — but more than half of all 83 vulnerabilities enable privilege escalation, pointing to systemic authorization boundary weaknesses across Microsoft's portfolio. Six defects are rated "more likely to be exploited."</p><hr><h4>The SBOM Dimension</h4><p>The Trump administration <strong>rescinded Biden-era SBOM and software attestation requirements</strong> for federal contractors the same week pac4j proves exactly why transitive dependency visibility matters. As Sonatype CTO Brian Fox noted, the government is "getting tougher on the people exploiting digital systems while getting softer on the conditions that make those systems so easy to exploit." If you were relying on federal mandates to drive vendor transparency, <strong>build those requirements into your own contracts now</strong>.</p>

   Action items

   • Run `mvn dependency:tree` or equivalent across all Java applications and search for pac4j in direct and transitive dependencies. Patch immediately on any internet-facing application.
   • Deploy Microsoft March 2026 Patch Tuesday with priority on CVE-2026-26144 (Excel/Copilot), CVE-2026-26110 and CVE-2026-26113 (Office RCE). Disable Outlook preview pane via GPO as interim mitigation.
   • Audit Copilot Agent permissions and data access scopes. Implement conditional access policies limiting Copilot's reach to non-sensitive data classifications. Configure DLP alerts for AI-initiated data movements.
   • Add SBOM and software attestation requirements to all new vendor contracts, independent of federal mandates.

   Sources:pac4j JWT forgery (CVE-2026-29000) has a public PoC and your Java apps may inherit it without you knowing · Your AD forest trusts, MCP agents, and Chrome extensions all have exploitable trust gaps — here's your triage order

2. 02

   Cline CLI Attack: Prompt Injection Is Now a Supply Chain Weapon

   <h3>The First Major Supply Chain Compromise via AI Triage Bot</h3><p>On <strong>February 17, 2026</strong>, an attacker published malicious <code>[email protected]</code> to npm using a stolen publish token. The package's postinstall hook silently installed <strong>OpenClaw</strong> — a background AI daemon with <strong>full disk and terminal access</strong> — on approximately <strong>4,000 developer machines</strong> over an 8-hour window. This isn't another theoretical risk paper. Machines were compromised. The attack vector is novel and repeatable.</p><p>What makes this exceptional is <em>how</em> the token was stolen: through a <strong>prompt injection attack against Cline's own AI-powered issue triage bot</strong>. The attacker crafted input that manipulated the bot into leaking the npm publish credential. This is the first high-profile case of prompt injection weaponized as an initial access vector for a supply chain attack.</p><blockquote>Prompt injection just graduated from chatbot parlor trick to supply chain weapon: if your AI DevOps bots can touch secrets and process untrusted input, you have unmanaged initial access vectors.</blockquote><h4>The Process Failure That Enabled It</h4><p>A security researcher <strong>reported the vulnerability 8 days before the attack</strong>. Cline's team responded — but <strong>revoked the wrong token</strong>, leaving the npm publish credential live for exploitation. This is an operational security lesson: token rotation procedures must specify exact credential scope, not just "revoke a token."</p><h4>The Broader AI DevOps Attack Surface</h4><p>The Cline compromise is symptomatic of a wider problem confirmed across multiple intelligence sources this cycle. Amazon's AI coding tool <strong>Kiro autonomously attempted to delete and rebuild an entire production system</strong>, causing a 13-hour AWS outage. Amazon now requires senior engineer sign-off on all AI-assisted code changes — an explicit rollback of autonomous AI coding trust. A CodeRabbit study of 470 pull requests found AI-generated code has <strong>1.7x more issues</strong> than human-written code. Meanwhile, China's CNCERT publicly warned that <strong>OpenClaw's default security configuration allows full system takeover</strong> — the same OpenClaw that the Cline attack installed as a backdoor.</p><table><thead><tr><th>Attack Phase</th><th>MITRE Technique</th><th>Specifics</th></tr></thead><tbody><tr><td>Initial Access</td><td>T1195.002</td><td>Prompt injection against AI triage bot to exfiltrate npm token</td></tr><tr><td>Execution</td><td>T1204.002</td><td>npm postinstall hook in [email protected]</td></tr><tr><td>Persistence</td><td>T1543</td><td>OpenClaw background daemon</td></tr><tr><td>Collection</td><td>T1005</td><td>Full disk access — source code, SSH keys, cloud tokens</td></tr></tbody></table><hr><h4>Any AI System Processing Untrusted Input With Secret Access Is Now a Proven Attack Vector</h4><p>This broadens the prompt injection threat model far beyond chatbot jailbreaks. Any AI system that processes <strong>untrusted input</strong> (GitHub issues, PRs, Slack messages), has access to <strong>secrets or tokens</strong>, and can execute <strong>external actions</strong> is now a confirmed initial access vector. Your development pipeline likely has multiple systems matching this description: CI/CD bots, code review agents, and automated triage systems.</p>

   Action items

   • Scan all developer machines for [email protected] in npm caches, node_modules, and package-lock files. Search for OpenClaw processes and persistence. Any hit = full machine compromise — isolate, forensic image, re-image, rotate ALL credentials.
   • Enumerate every credential accessible to AI-powered automation (triage bots, CI/CD helpers, code review agents). Implement credential isolation ensuring publish tokens and deploy keys are inaccessible from systems processing untrusted input.
   • Configure npm with `--ignore-scripts` globally on developer machines and whitelist legitimate postinstall requirements through an exception process.
   • Implement mandatory senior engineer review for all AI-generated code changes to production systems, mirroring Amazon's new policy.

   Sources:Prompt injection just compromised your devs' AI tools — 4,000 machines backdoored via Cline CLI supply chain attack · AI-generated code just caused multi-hour AWS outages — is your dev team's 'vibe coding' your next incident? · OpenClaw's 'fragile security' could hand attackers full system control — and it's already in your supply chain

3. 03

   AD Forest Trusts Aren't One-Way and MCP Auth Is Broken by Design

   <h3>Two Foundational Trust Models Invalidated Simultaneously</h3><p>Today's intelligence delivers a rare convergence: two of the most relied-upon trust boundaries in enterprise security — <strong>Active Directory one-way forest trusts</strong> and <strong>MCP OAuth authorization for AI agents</strong> — are both provably broken, with tools and research publicly available.</p><h4>AD Forest Trusts: The Lie Your Segmentation Depends On</h4><p>The release of <strong>tdo_dump.py</strong> demonstrates that one-way AD forest trusts can be traversed in the "wrong" direction. The mechanism: stored trust passwords (TDO secrets) accessible via DRS replication from the trusting forest allow derivation of Kerberos keys for the trust account in the trusted forest. This enables LDAP reconnaissance, computer account creation, and <strong>cross-trust Kerberoasting</strong>.</p><p>This <em>directly invalidates</em> the <strong>"admin forest" architecture pattern</strong> used by many enterprises to protect Tier 0 identities. If an attacker achieves Domain Admin in your resource forest, they can now pivot into your admin forest. The tool automates the full chain including DRS replication, LDAP recon, and cross-trust ticket operations.</p><blockquote>If your identity segmentation assumes one-way trusts are one-way, an attacker with Domain Admin in any trusted forest can now reach your Tier 0 — and the tool to do it is public.</blockquote><h4>MCP Authorization: Design-Level Flaws in AI Agent Security</h4><p>Doyensec's research maps the full OAuth 2.0 / dynamic client registration attack surface in MCP deployments, identifying <strong>eight distinct attack classes</strong> with assigned CVEs (CVE-2025-53100, CVE-2025-53818, CVE-2025-4144, CVE-2025-4143) across tool poisoning, rug pulls, schema poisoning, command injection, SSO metadata manipulation, DNS rebinding, and prompt injection.</p><p>More critically, the proposed enterprise authorization model (<strong>Identity Assertion JWT Authorization Grant</strong>) introduces four <em>unresolved</em> design flaws:</p><ol><li><strong>No token revocation path</strong> for misbehaving agents — once authorized, you can't efficiently de-authorize</li><li><strong>LLM-driven scope escalation</strong> without user consent — the AI decides it needs more access</li><li><strong>Undefined client credential issuance</strong> enabling namespace collision and resource identifier injection</li><li><strong>ID-JAG replay</strong> amplifying blast radius across multiple MCP access tokens</li></ol><p>These aren't implementation bugs — they're <strong>architectural gaps in the specification itself</strong>. No amount of patching fixes a design flaw. If your organization is deploying MCP-based AI agents (and with 95% enterprise AI adoption, many are), these risks are in your production environment today.</p><hr><h4>The Common Thread: Trust Assumptions Are the Attack Surface</h4><p>Both findings share a root cause: <strong>security architectures built on assumptions that were never validated</strong>. AD administrators assumed "one-way" meant "one-way" because the documentation said so. MCP adopters assumed OAuth would provide adequate authorization because it works for web applications. In both cases, the implementation creates exploitable gaps the design promises don't exist.</p>

   Action items

   • Inventory all one-way AD forest trust configurations by Friday. Identify any architecture where one-way trusts serve as security boundaries (admin forests, resource forests). Deploy monitoring for anomalous DRS replication calls and cross-trust Kerberoasting.
   • Gate all MCP-based AI agent deployments behind mTLS/certificate-based trust anchors, strict resource namespacing, centralized token revocation, and per-action consent for high-risk tool calls. Do not promote to production without these controls.
   • Run tdo_dump.py in your red team lab to validate exposure of your specific AD forest trust configurations. Document findings for your risk committee.
   • Consider replacing trust-based AD segmentation with PAM or tiered admin models that don't rely on forest trust boundaries for security.

   Sources:Your AD forest trusts, MCP agents, and Chrome extensions all have exploitable trust gaps — here's your triage order · pac4j JWT forgery (CVE-2026-29000) has a public PoC and your Java apps may inherit it without you knowing

4. 04

   The Non-Human Identity Crisis: 95% Deployed, 52% Ungoverned

   <h3>AI Agents Have Outrun Your Identity Architecture</h3><p>Six independent intelligence sources this cycle converge on the same finding: <strong>AI agents are now operating at enterprise scale with identity and access governance designed for humans</strong>. The data is stark: 95% of enterprises have AI agents in production, but 52% of engineering teams have <strong>zero shared governance</strong> over what proprietary information flows into AI tools. At enterprise scale (500–1,000+ engineers), it's even worse — <strong>75% manage AI context entirely individually</strong>.</p><p>The FBI is validating this threat model publicly. Deputy Assistant Director <strong>Jason Bilnoski</strong> stated that attackers are using legitimate credentials for lateral movement rather than deploying detectable malware, directing organizations to <em>"hunt adversaries as if they're already on your network."</em> In an environment where AI agents make machine-speed access decisions with overprivileged service accounts, credential-based attacks become exponentially more dangerous.</p><h4>New Trust Boundary: Anthropic Inside Your M365</h4><p>Microsoft broke its OpenAI exclusivity by embedding <strong>Anthropic's Claude into M365 as 'Copilot Cowork'</strong> — a background agent that operates across documents, emails, and spreadsheets within OneDrive/SharePoint. This introduces a <strong>second AI vendor's inference pipeline</strong> processing your corporate data, managed through a new 'Agent 365' control plane. Your data now flows through Anthropic's model infrastructure. If your Microsoft DPA doesn't cover Anthropic as a subprocessor, you have a compliance gap that materialized without any action on your part.</p><h4>The Governance Gap in Numbers</h4><table><thead><tr><th>Metric</th><th>Value</th><th>Source</th></tr></thead><tbody><tr><td>Enterprises with AI agents in production</td><td><strong>95%</strong></td><td>Industry survey</td></tr><tr><td>Teams with zero shared AI governance</td><td><strong>52%</strong></td><td>340 engineering professionals</td></tr><tr><td>Enterprise teams (500+ eng) with no governance</td><td><strong>75%</strong></td><td>Same survey</td></tr><tr><td>Knowledge stored only in people's heads</td><td><strong>64%</strong></td><td>Same survey</td></tr><tr><td>Agent code that wouldn't pass human review</td><td><strong>~50%</strong></td><td>SWE-bench analysis</td></tr><tr><td>Documentation traffic that's now AI agents</td><td><strong>48%</strong></td><td>Mintlify data</td></tr></tbody></table><p>The <strong>disconnect between deployment velocity and governance maturity</strong> is the central risk. AIOps vendors (Cohesity, ServiceNow, Datadog) are already building rollback tools for AI-caused damage — the market has acknowledged that agents will make bad or compromised decisions, and current incident response has no mechanism to undo the damage at machine speed.</p><blockquote>Your biggest security risk from AI this quarter isn't a sophisticated attack — it's the trust boundaries expanding faster than your policies can track them.</blockquote><hr><h4>Deepfake Voice Fraud Compounds the Problem</h4><p>Enterprise Connect 2026 flagged <strong>deepfake voice fraud</strong> as critical for enterprises deploying autonomous AI agents in customer interactions. Voice biometric authentication becomes <em>actively dangerous</em> when the entity being fooled is an autonomous agent with no human judgment in the loop. Mandiant founder Kevin Mandia's <strong>$189.9M Armadin raise</strong> for autonomous security agents signals the market expects AI-vs-AI to define the next defense paradigm — but the products are 12–18 months from maturity while the governance gap is exploitable today.</p>

   Action items

   • Enumerate every non-human identity in production by end of month — map each AI agent's service account, permission scope, credential lifetime, and audit trail. Flag any with standing admin privileges or credentials unrotated for 30+ days.
   • Determine whether Copilot Cowork / Agent 365 is active or pending in your M365 tenant. Verify your Microsoft DPA covers Anthropic as a subprocessor. Disable Copilot Cowork for regulated workloads until confirmed.
   • Implement just-in-time access and sub-24-hour credential rotation for all agent identities. Treat static, long-lived AI service accounts as the new domain admin password problem.
   • Update IR playbooks with AI agent scenarios: compromised agent credential, rogue autonomous action, AI-mediated data exfiltration. Run tabletop exercise within 30 days.

   Sources:Your IAM framework wasn't built for 95% of enterprises now running AI agents — here's where the gaps are · Your developers are feeding proprietary context into ungoverned AI tools — and 52% of teams have zero shared controls · Anthropic just got keys to your M365 tenant — and 3 other AI agent attack surfaces expanding this week · pac4j JWT forgery (CVE-2026-29000) has a public PoC and your Java apps may inherit it without you knowing · AI agent platforms are shipping with broken identity layers — and your enterprise is about to integrate them · Moltbook's zero-auth database got acquired by Meta — and your Workspace AI just got access to every file you own