CISO Intelligence: The AI Supply Chain Is Now the Attack Surface
When your AI assistant becomes your most trusted insider threat
There is a particular irony in watching the security industry rush to deploy AI agents while simultaneously discovering that those agents are the most permissive, least monitored systems in the enterprise. This week crystallised something I have been watching develop for months: AI agents have quietly become the insider threat category nobody was preparing for.
Jamieson O'Reilly, founder of the security firm DVULN, found hundreds of OpenClaw deployments exposed directly to the internet, their web interfaces serving up complete configuration files - every API key, bot token, OAuth secret, and signing key the agent uses. O'Reilly put the consequence plainly: once you have that configuration and control over what the agent perceives, you effectively own the machine it runs on. That is not hyperbole. That is access.
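The check a practitioner wants after reading that is whether any document their own deployment serves contains credential material. The following is an added example, not code from DVULN, O'Reilly or the OpenClaw project: it assumes the served configuration is JSON (the field names in the sample are constructed for the demo, not OpenClaw's real schema) and flags values that look like credentials by two routes, documented public token formats and high-entropy strings stored under credential-looking keys. It reports paths and redacted samples, never the value itself, so the scanner's output is safe to put in a ticket.

```python
"""Scan a served configuration document for credential material.

Added example, not code from DVULN, O'Reilly or the OpenClaw project.
Assumptions: the exposed config is JSON; the sample below is constructed.
"""
import math
import re

# Documented public credential formats (AWS access key IDs, Slack tokens,
# GitHub tokens, OpenAI-style keys, PEM private keys).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36,}\b"),
    "openai_style_key": re.compile(r"\bsk-[0-9A-Za-z_-]{20,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Key names that usually hold a secret even when the value has no known shape.
CREDENTIAL_KEY = re.compile(r"(token|secret|key|password|passwd|credential)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens sit near 4 or above, prose near 3."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def leaves(obj, path=""):
    """Yield (dotted.path, value) for every scalar in a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from leaves(v, f"{path}[{i}]")
    else:
        yield path, obj


def redact(value: str) -> str:
    """Keep just enough to recognise the value in a ticket, never the whole."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_secrets(config, entropy_threshold=3.5, min_len=16):
    """Return one finding per credential-looking value in the document."""
    findings = []
    for path, value in leaves(config):
        if not isinstance(value, str):
            continue
        kinds = [name for name, pat in PATTERNS.items() if pat.search(value)]
        # Fallback: a long, high-entropy string under a credential-looking key.
        if (not kinds and CREDENTIAL_KEY.search(path)
                and len(value) >= min_len
                and shannon_entropy(value) >= entropy_threshold):
            kinds = ["high_entropy_under_credential_key"]
        if kinds:
            findings.append({"path": path, "kinds": kinds, "sample": redact(value)})
    return findings


# Constructed sample resembling what an exposed agent config might contain.
# The AWS value is Amazon's documented placeholder key ID; the rest are fake.
SAMPLE_CONFIG = {
    "agent": {"name": "assistant", "model": "some-model", "port": 3000},
    "integrations": {
        "slack": {"bot_token": "xoxb-000000000000-000000000000-abcdefghijklmnop"},
        "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-2"},
        "llm": {"api_key": "sk-abcdefghijklmnopqrstuvwxyz012345"},
    },
    "webhooks": [{"url": "https://example.invalid/hook",
                  "signing_key": "3f9a1c7e5b2d8046a9c3e7f1b5d2a8c4"}],
    "notes": "Change the admin password after first login.",
}

if __name__ == "__main__":
    for f in find_secrets(SAMPLE_CONFIG):
        print(f"{f['path']}: {', '.join(f['kinds'])} ({f['sample']})")
```

Point it at whatever your agent's web interface actually returns to an unauthenticated client (fetch the body yourself, parse it, pass the result to `find_secrets`). Anything it flags is a key that an internet scanner could have harvested and that therefore needs rotating, not just hiding.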
The timing was not coincidental. Within 48 hours, JFrog disclosed a malicious npm package named "@openclaw-ai/openclawai" on the public registry. It presented itself as an official installer. It was not. What it actually did was harvest Apple Keychain databases, SSH keys, iMessage history, browser session data, and cryptocurrency wallets, then install a persistent remote access trojan with a SOCKS5 proxy and live browser session cloning capability. The package had 178 downloads before discovery and was still live at the time of reporting. That is not a nuisance payload. That is total host compromise via a single install command.
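The single install command is the control point, because npm runs a package's lifecycle scripts during install and that is where an "installer" gets code execution. The following is an added example, not code from JFrog or the OpenClaw project: it consumes the registry's package document (the JSON returned by `GET https://registry.npmjs.org/<name>`; the field names used are the real ones) and reports the things that should stop an install, namely a scope that is not on your allowlist of verified publishers, install-time hooks, and a package or version too young to have any track record. Both package documents below are constructed for the demo, and `@hypothetical-scope` and `@verified-vendor` are placeholders, not real publishers.

```python
"""Vet an npm package before `npm install` runs its lifecycle scripts.

Added example, not code from JFrog or the OpenClaw project. Assumptions:
input is a registry package document; sample documents are constructed.
"""
from datetime import datetime, timedelta, timezone

# Hooks npm runs automatically during install; any of them executes code.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Hypothetical allowlist of scopes whose ownership your team has verified.
TRUSTED_SCOPES = {"@verified-vendor"}


def _iso(ts: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def vet_package(doc, trusted_scopes=TRUSTED_SCOPES, now=None, min_age_days=30):
    """Return findings for the 'latest' tag; block=True means do not install."""
    now = now or datetime.now(timezone.utc)
    name = doc["name"]
    latest = doc["dist-tags"]["latest"]
    version = doc["versions"][latest]
    findings = []

    # 1. Scope check: an official-looking scope proves nothing by itself;
    #    only scopes you have verified out of band count.
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if scope not in trusted_scopes:
        findings.append(f"publisher scope {scope or '(unscoped)'} is not allowlisted")

    # 2. Lifecycle hooks: the code that runs the moment you type `npm install`.
    scripts = version.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"{hook} runs: {scripts[hook]}")

    # 3. Age: the registry 'time' map carries creation and per-version stamps.
    created = _iso(doc["time"]["created"])
    published = _iso(doc["time"][latest])
    if now - created < timedelta(days=min_age_days):
        findings.append(f"package created {(now - created).days} days ago")
    if now - published < timedelta(days=1):
        findings.append("latest version published less than a day ago")

    return {"name": name, "version": latest, "findings": findings,
            "block": bool(findings)}


# Constructed document for a hypothetical brand-jacked installer package.
SUSPECT = {
    "name": "@hypothetical-scope/agent-installer",
    "dist-tags": {"latest": "1.0.2"},
    "time": {"created": "2026-03-01T10:00:00.000Z",
             "1.0.2": "2026-03-03T08:30:00.000Z"},
    "versions": {"1.0.2": {"scripts": {"postinstall": "node scripts/setup.js"},
                           "dependencies": {}}},
}

# Constructed document for a long-established package with no install hooks.
BENIGN = {
    "name": "@verified-vendor/cli",
    "dist-tags": {"latest": "4.2.0"},
    "time": {"created": "2021-06-15T00:00:00.000Z",
             "4.2.0": "2025-11-20T00:00:00.000Z"},
    "versions": {"4.2.0": {"scripts": {"test": "node test.js"}}},
}

if __name__ == "__main__":
    as_of = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)
    for doc in (SUSPECT, BENIGN):
        print(vet_package(doc, now=as_of))
```

Run this from a CI gate or a pre-install wrapper, and pair it with `npm install --ignore-scripts` (a real npm flag) for anything that is not on the allowlist: a package that genuinely needs a postinstall step can be reviewed and installed deliberately, while a brand-jacked "installer" gets no execution at all.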
The pattern here is worth naming. For years, we have discussed supply chain security in terms of software dependencies, open-source libraries, and package registries. The SolarWinds era gave us sophisticated vendor compromise. What we are seeing now is something slightly different: attackers targeting the AI tooling layer specifically because that layer has permissions that nobody thought to audit. An AI agent that can read your email, access your calendar, write to your file system, and execute code on your behalf is not just a productivity tool. It is a credential store with legs. Compromise the agent, and you inherit all of that access without triggering a single MFA prompt.
North Korea figured this out. The UNC4899 campaign documented in Google's H1 2026 Cloud Threat Horizons Report is instructive. A developer at a crypto firm was socially engineered into AirDropping a trojanized file to their own work device. From there, the attackers moved to cloud infrastructure, abused legitimate DevOps workflows to harvest credentials, broke out of container boundaries, and manipulated Cloud SQL databases. This is what living-off-the-cloud looks like in practice: no novel malware required, just patience and an understanding of which permissions your target has already been granted. The cloud-native attack surface rewards exactly the kind of thinking that insider threat programmes were built to counter, except the insider in this case is the AI agent or the DevOps pipeline, not a disgruntled employee.
Meanwhile, the more mundane paths remain wide open. Microsoft Teams continues to be treated by financial and healthcare organisations as a trusted channel that sits entirely outside the controls applied to email. The A0Backdoor campaign documented by BleepingComputer follows the established pattern: approach employees posing as IT support, request Quick Assist access, deploy malware. The channel changed. The technique did not. Teams bypasses email security gateways by design, and attackers have known this for years. If your security awareness programme still focuses primarily on email phishing and has not updated to cover Teams, Slack, and similar platforms, you are training people to be cautious in exactly the wrong place.
CISA's Known Exploited Vulnerabilities catalogue added three items this week. Two of them warrant immediate attention. Ivanti Endpoint Manager's CVE-2026-1603 allows an unauthenticated remote attacker to leak credential data stored within the product. This is Ivanti's third critical KEV addition in twelve months, which is a pattern, not a coincidence: it points to a structural weakness in the product's authentication layer rather than a run of isolated bugs, and the fixes are not sticking. If you have Ivanti EPM, the remediation deadline is 23 March. The SolarWinds Web Help Desk deserialization flaw, CVE-2025-26399, carries a three-day remediation window (deadline 12 March) instead of the usual three weeks, which signals that CISA believes exploitation is imminent or already occurring. A deserialization bug enabling RCE on a help desk system that likely holds credentials, ticket data, and network information is exactly the kind of pivot point that keeps incident responders up at night.
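The practical follow-up is to match the catalogue against what you actually run and rank by deadline, because the length of the window is itself a signal. The following is an added example, not a CISA tool: the catalogue excerpt uses the real field names from known_exploited_vulnerabilities.json, but its entries are constructed from what this page states (the two due dates) plus assumed dateAdded values chosen to reproduce the three-day and 21-day windows, the product strings are approximations, and the asset inventory is hypothetical. The "internet-facing means urgent" rule is an example policy, not CISA's.

```python
"""Match CISA's KEV catalogue against an asset inventory, ranked by deadline.

Added example, not a CISA tool. Field names are the real KEV JSON names;
entry dates are assumed from this page's deadlines; inventory is constructed.
"""
from datetime import date

KEV_EXCERPT = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti",
         "product": "Endpoint Manager (EPM)",          # approximate product string
         "dateAdded": "2026-03-02",                     # assumed (21-day window)
         "dueDate": "2026-03-23",                       # from the page
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds",
         "product": "Web Help Desk",
         "dateAdded": "2026-03-09",                     # assumed (3-day window)
         "dueDate": "2026-03-12",                       # from the page
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Hypothetical inventory: vendor/product as your CMDB records them.
INVENTORY = [
    {"asset": "epm-01.corp.example", "vendor": "Ivanti",
     "product": "Endpoint Manager", "owner": "endpoint-team", "internet_facing": False},
    {"asset": "helpdesk.corp.example", "vendor": "SolarWinds",
     "product": "Web Help Desk", "owner": "service-desk", "internet_facing": True},
    {"asset": "sdwan-ctrl-01", "vendor": "Cisco",
     "product": "Catalyst SD-WAN", "owner": "network", "internet_facing": True},
]


def _matches(asset, entry):
    """Case-insensitive vendor equality plus product substring match."""
    return (asset["vendor"].lower() == entry["vendorProject"].lower()
            and asset["product"].lower() in entry["product"].lower())


def triage(kev, inventory, as_of):
    """One row per (KEV entry, matching asset), most urgent first."""
    rows = []
    for entry in kev["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - as_of).days
        for asset in inventory:
            if not _matches(asset, entry):
                continue
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= 3 or asset["internet_facing"]:
                status = "URGENT"        # example policy, not CISA's
            else:
                status = "SCHEDULED"
            rows.append({
                "cve": entry["cveID"],
                "asset": asset["asset"],
                "owner": asset["owner"],
                "window_days": (due - added).days,   # short window = CISA is worried
                "days_left": days_left,
                "status": status,
            })
    rows.sort(key=lambda r: (r["days_left"], r["asset"]))
    return rows


def unmatched_assets(kev, inventory):
    """Assets with no entry in this excerpt: not 'safe', merely not listed here."""
    return [a["asset"] for a in inventory
            if not any(_matches(a, e) for e in kev["vulnerabilities"])]


if __name__ == "__main__":
    today = date(2026, 3, 10)   # constructed 'today' for the demo
    for r in triage(KEV_EXCERPT, INVENTORY, today):
        print(f"{r['status']:9} {r['cve']} {r['asset']} owner={r['owner']} "
              f"due in {r['days_left']}d (window {r['window_days']}d)")
    print("no KEV match in excerpt:", unmatched_assets(KEV_EXCERPT, INVENTORY))
```

The live catalogue is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; fetch it, load the JSON in place of `KEV_EXCERPT`, and feed the result to whoever owns the asset. The `window_days` column is the point: a three-day window on a help desk product is CISA telling you the exploitation is happening now.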
ShinyHunters is claiming active exploitation of Salesforce Experience Cloud's Aura component, asserting they have found a new bug rather than simply abusing the well-documented misconfiguration that allows guest users excessive data access. Salesforce is being more cautious in its language, pointing to configuration errors. The distinction matters less than the outcome: if you have a Salesforce Experience Cloud deployment, audit your guest user permissions now, before the argument about whether it is a bug or a misconfiguration reaches a conclusion.
One more thing. The Cisco Catalyst SD-WAN vulnerability, CVE-2026-20127, is now being exploited at scale: CISA and the UK's National Cyber Security Centre issued a joint advisory in February, and Cisco's own Talos team has since confirmed that a sophisticated threat actor, tracked as UAT-8616, is using it to establish persistent footholds in high-value organisations. Patching SD-WAN is not like patching a desktop application. It is the control plane for your network segmentation strategy, and whoever controls it decides which segments can reach which. Active exploitation at scale against that infrastructure is a different order of problem from the one most vulnerability bulletins describe.
The through-line this week is trust. AI agents are trusted. DevOps pipelines are trusted. Microsoft Teams is trusted. Help desk systems are trusted. Attackers are not looking for the difficult path. They are looking for the thing you already trust and have stopped questioning.
---
Jonathan Care has worked in cybersecurity and fraud detection for 33 years. He is a Fellow of the British Computer Society and Lead Analyst at KuppingerCole.
Disclosure: this newsletter is researched and published using OpenClaw, which is also the subject.