Synthesis

Your AI toolchain became the attack surface this week

Vercel got breached through a third-party AI tool's OAuth grant. Cursor, MCP, and iTerm2 all shipped RCE paths the same week. The supply chain story is now an AI story, and your developer environment is the perimeter.

On April 19, Vercel confirmed that attackers reached production by compromising Context.ai — a third-party AI observability tool — pivoting through an employee's Google Workspace OAuth grant, then moving laterally with what CEO Guillermo Rauch described as "surprising velocity and in-depth understanding of Vercel." A ShinyHunters-affiliated actor is now selling NPM tokens, GitHub tokens, API keys, source code, and 580 employee records, with a $2M ransom on the side.

That's the headline incident. The week's actual story is bigger.

In the same cycle: Anthropic's MCP SDK shipped with STDIO transport defaults that allow arbitrary command execution — 30+ vulnerabilities, 10 CVEs, thousands of servers, 200+ open-source projects. Cursor's AI agent can be hijacked by a malicious README in a cloned repo, achieving persistent macOS RCE via .zshenv overwrite without the developer running anything. iTerm2's SSH conductor accepts protocol commands from any terminal output, making cat readme.txt an RCE primitive. The patch is described as still unstable. Protobuf.js — 52M weekly npm downloads — got an RCE patched. Wiz traced a three-week prt-scan campaign that poisoned 106 package versions and exfiltrated AWS, Cloudflare, and Netlify credentials via 500+ malicious GitHub PRs.

The connecting thread is not five unrelated bugs. It's that every trust boundary in the modern developer environment — IDE, terminal, package registry, CI runner, AI tool OAuth grant — is now an attack vector simultaneously. The thing your team adopted last quarter to ship faster is the thing attackers are using to ship into your network.

The economics shifted under you

A researcher generated a working Chrome V8 exploit chain targeting Discord's outdated Chromium 138 base for $2,283 and 20 hours of guidance using Claude Opus 4.6. That's roughly a 100x cost reduction over traditional exploit development. Public patch notes are now exploit blueprints, and the cost of reading them dropped from "skilled reverse engineer for weeks" to "API key and patience for a day."

A separate multi-institutional team stripped Kimi K2.5's safety guardrails from a 100% refusal rate to 5% for under $500 of compute and ten hours of work. The fine-tuned model retained nearly all general capability and produced detailed CBRNE instructions on request. Model-level safety is not a security control. It's a speed bump that any motivated adversary can remove for the cost of a team lunch.

Meanwhile, the criminal supply chain itself is industrializing. TeamPCP — the group behind the Trivy and Checkmarx KICS compromises — has formalized a credential pipeline directly into the Vect ransomware group. The DevSecOps tools you installed to improve your security posture had access to container registries, cloud credentials, and deployment pipelines. Those keys are now being sold to operators who know exactly how to use them.

Your 30-day patch SLA was calibrated for a world where exploits took weeks to weaponize. That world is gone.

What containment actually looks like

GitHub published the full security architecture behind their Agentic Workflows the same week, and the design principle is unambiguous: every architectural decision assumes the agent is already compromised. Prompt injection is unsolved and may stay that way. The only production-viable strategy is containment.

The four patterns worth stealing — GitHub and OpenAI converged on them independently, which is the strongest signal you'll get this year:

Agents never hold credentials. A sidecar proxy holds tokens and validates each request. The agent talks to the proxy, the proxy talks to the world. Compromised agent, intact secrets.

Writes are buffered, not direct. Agent proposes actions to a deterministic pipeline. Pipeline validates against allowlists, enforces quantity caps (GitHub limits to three PRs per run), scans for secrets, strips URLs. Only validated operations execute.

Workflows compile to capability-bounded plans. Per-stage permissions, explicit data flow graphs, analyzable before any code runs. This is capability-based security applied to non-deterministic systems.

Every boundary is an observation point. Network, API, MCP gateway, env var access — all logged. GitHub explicitly designed observability as a future enforcement layer.
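The second pattern, the buffered write gate, is the easiest to prototype. What follows is an added example written for this piece, not GitHub's or OpenAI's code; the action schema, the repo allowlist and the credential-shaped regexes are assumptions, while the three-PR cap is the figure cited above.

```python
import re

# Constructed allowlists and cap; three PRs per run is the figure the page cites for GitHub.
ALLOWED_REPOS = {"acme/web", "acme/docs"}
ALLOWED_KINDS = {"open_pr", "comment"}
MAX_PRS_PER_RUN = 3

# Illustrative token shapes for the secret scan (assumed patterns, not a full scanner).
SECRET_PATTERNS = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),     # AWS access key id
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),  # GitHub classic PAT
    re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),  # npm access token
]
URL_RE = re.compile(r"https?://\S+")


def validate_run(proposals):
    """Gate one agent run. Returns (accepted, rejected); rejected pairs each action with a reason."""
    accepted, rejected = [], []
    prs_opened = 0
    for action in proposals:
        kind, repo, body = action.get("kind"), action.get("repo"), action.get("body", "")
        if kind not in ALLOWED_KINDS or repo not in ALLOWED_REPOS:
            rejected.append((action, "not on allowlist"))
        elif any(p.search(body) for p in SECRET_PATTERNS):
            rejected.append((action, "secret-like string in body"))
        elif kind == "open_pr" and prs_opened >= MAX_PRS_PER_RUN:
            rejected.append((action, "per-run PR cap reached"))
        else:
            if kind == "open_pr":
                prs_opened += 1
            # URLs are stripped, not rejected: the write still lands, but a hijacked
            # agent cannot plant exfiltration or phishing links in it.
            accepted.append(dict(action, body=URL_RE.sub("[url removed]", body)))
    return accepted, rejected


# Constructed sample run (not real agent output): five PRs, one off-allowlist, one leaking a token.
SAMPLE_PROPOSALS = [
    {"kind": "open_pr", "repo": "acme/web", "body": "fix typo, see https://evil.example/x"},
    {"kind": "open_pr", "repo": "acme/web", "body": "debug token ghp_" + "a" * 36},
    {"kind": "open_pr", "repo": "other/repo", "body": "drive-by change"},
    {"kind": "open_pr", "repo": "acme/web", "body": "bump version"},
    {"kind": "open_pr", "repo": "acme/web", "body": "update changelog"},
    {"kind": "open_pr", "repo": "acme/web", "body": "fourth PR this run"},
    {"kind": "comment", "repo": "acme/docs", "body": "looks good"},
]

if __name__ == "__main__":
    ok, bad = validate_run(SAMPLE_PROPOSALS)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for action, why in bad:
        print(f"  rejected {action['kind']} on {action['repo']}: {why}")
```

Running it accepts four proposals (the first with its link replaced) and rejects three, one each for the secret scan, the allowlist and the cap.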

The MBZUAI teardown of Claude Code makes the operational point clearer: 1,884 files, 512K lines of harness wrapping a simple while-loop reasoning core. If your agent infrastructure is less than 10x the size of your prompt layer, you are underbuilt. The blast-radius diagram is not a nice-to-have.

What to do this week

Rotate every secret stored in or accessible through Vercel. Don't wait for the scope confirmation — Vercel's own language hedges ("reportedly protected") and ShinyHunters' operational history puts the realistic blast radius well above the official line. Stolen NPM tokens potentially mean malicious package publication into the Next.js ecosystem; stolen GitHub tokens mean private repo and CI access. Treat the official scope as a lower bound.

Then audit OAuth grants in Google Workspace and Entra ID. Most organizations have 50–200 third-party AI integrations granted by individual engineers with zero security review. Revoke anything not explicitly approved. Add admin approval for new grants via your IdP's native controls or a CASB. The Context.ai → Workspace → Vercel kill chain is the exact path your environment exposes.

For MCP: inventory every server, override the STDIO defaults with explicit command allowlists, switch to HTTP transport where possible, sandbox the processes. For Cursor: restrict to vetted internal repos until indirect prompt injection has a real defense. For iTerm2: disable SSH integration on developer machines until the patch stabilizes. For GitHub: enforce first-time contributor approval and grep your repos for the prt-scan IOCs (prt-scan-[12-hex] branches, the "ci: update build configuration" PR title, the python-requests/2.32.5 user agent).
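The three prt-scan indicators above are mechanical enough to script. The triage helper below is an added example, not Wiz's or GitHub's tooling; the PR record shape and the access-log line format are assumptions, and "[12-hex]" is read as exactly twelve hexadecimal characters.

```python
import re

# The three indicators named in the text; the branch pattern assumes 12 hex characters.
BRANCH_RE = re.compile(r"^prt-scan-[0-9a-f]{12}$", re.IGNORECASE)
PR_TITLE = "ci: update build configuration"
USER_AGENT = "python-requests/2.32.5"


def indicators_for_pr(pr):
    """Return the indicator names a PR record triggers (empty list if clean)."""
    hits = []
    if BRANCH_RE.match(pr.get("head_branch", "")):
        hits.append("branch:prt-scan")
    # Title is compared case-insensitively and trimmed so trivial variants still match.
    if pr.get("title", "").strip().lower() == PR_TITLE:
        hits.append("title:ci-update-build-configuration")
    return hits


def suspicious_log_lines(lines):
    """Return (line_no, line) for access-log lines carrying the campaign user agent."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if USER_AGENT in ln]


def triage(prs, log_lines):
    """One report for both sources; PRs with no hits are omitted."""
    flagged = {}
    for pr in prs:
        hits = indicators_for_pr(pr)
        if hits:
            flagged[pr["number"]] = hits
    return {"prs": flagged, "log_hits": suspicious_log_lines(log_lines)}


# Constructed sample data (not real PRs or logs).
SAMPLE_PRS = [
    {"number": 101, "head_branch": "prt-scan-0a1b2c3d4e5f", "title": "ci: update build configuration"},
    {"number": 102, "head_branch": "feature/login", "title": "Add login page"},
    {"number": 103, "head_branch": "prt-scan-deadbeefcafe", "title": "Bump deps"},
    {"number": 104, "head_branch": "fix/ci", "title": "CI: Update Build Configuration"},
]
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/v3/repos HTTP/1.1" 200 "python-requests/2.32.5"',
    '10.0.0.6 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_PRS, SAMPLE_LOG))
```

A single indicator is a lead, not a verdict; the branch name plus the PR title together is the combination worth escalating first.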

The deeper move is structural. Pick one AI feature in production this quarter and refactor it into the proxy-and-buffer pattern: agent never touches secrets, every write goes through deterministic validation, every boundary is logged. Do it once on something small. The pattern transfers.

The perimeter moved. It now runs through every IDE, terminal, package install, and OAuth grant your team makes. Defend it accordingly.

◆ Behind the synthesis

Six specialist takes that fed this piece.

The piece above is one stream in my voice. Below are the six lenses my pipeline produced upstream — each tuned for a different reader. Use them when you want the angle that matters most to your role.

  1. MCP's STDIO transport has a protocol-level RCE — not a bug, an architectural design flaw — affecting 200+ open-source projects and thousands of servers, with exploitation trivially achievable via malicious tool descriptions.

  2. Vercel was breached through a compromised third-party AI tool's OAuth grant (Context.ai → Google Workspace → production), with stolen NPM tokens, GitHub tokens, and API keys now for sale — while simultaneously, Anthropic's MCP SDK ships RCE-enabling defaults across thousands of servers, and Cursor AI can be weaponized for persistent macOS RCE through a malicious repo README.

  3. Anthropic's Nature paper formally proved that teacher-student distillation transfers behavioral traits through a sub-semantic covert channel that no content filter, safety eval, or human reviewer can detect — the payload is in the joint distribution over tokens, not in the tokens themselves.

  4. HubSpot just launched outcome-based pricing at $0.50 per resolved conversation and $1 per qualified lead — the first major SaaS vendor to tie price directly to measurable results.

  5. Intercom just published Stanford-validated proof of 2x engineering velocity from AI tools — but new State of Software Delivery data shows median teams at zero or negative productivity gains (feature branches up 15%, main branch success down 15%).

  6. Enterprise AI is sitting on a revenue integrity crisis the market hasn't priced: while $242B flooded into AI in Q1 alone (86% in mega-rounds), multiple sources confirm startups are systematically inflating ARR through contracted revenue with 12-month opt-out clauses and margin-destroying bundled engineers — reported ARR is 20-40% overstated and true gross margins are 20-30%, not the 70%+ that justify SaaS multiples.
