The Rise of AI Agent-Based Attacks and Supply Chain Compromises

Introduction

The cybersecurity field is seeing a significant increase in sophisticated attack vectors, particularly those targeting software supply chains and using artificial intelligence agents. This trend shows an important shift in how malicious actors compromise systems and exfiltrate data. Traditional defenses are being tested by novel methods that exploit dependencies and mimic legitimate operations.

Understanding these developments is critical for organizations seeking strong security. The rise of AI agent-based attacks and supply chain compromises challenges digital trust and operational integrity across industries. This analysis details recent incidents and their implications.

Cisco Catalyst SD-WAN Zero-Day Vulnerability (CVE-2026-20182)

On May 14, 2026, Cisco disclosed CVE-2026-20182, a maximum severity vulnerability (CVSS score of 10) in its Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Controller and SD-WAN Manager. This flaw allows a remote, unauthenticated attacker to bypass authentication and gain administrative privileges. Cisco Talos confirmed real-world exploitation occurred prior to the release of security patches.

Applying relevant security patches for Cisco Catalyst SD-WAN Controller and SD-WAN Manager products is necessary. Cisco recommends issuing the request admin-tech command from each control component before upgrading to preserve potential Indicators of Compromise (IoCs). Auditing the "auth.log" file for unauthorized IP addresses can reveal signs of compromise. PurpleOps provides extensive coverage on zero-day threats, including specific analyses of similar incidents like the Cisco SD-WAN Zero-Day.

Threat actor UAT-8616 exploited CVE-2026-20182, consistent with their prior exploitation of CVE-2026-20127 in February 2026. UAT-8616 operations involved adding SSH keys and modifying Network Configuration Protocol (NETCONF) configurations to achieve root privileges. Additional details are available in our post on CVE-2026-20182 in Cisco SD-WAN.

Separately, Cisco Talos observed 10 threat actor clusters exploiting three other patched vulnerabilities in Cisco Catalyst SD-WAN Manager: CVE-2026-20133 (CVSS: 7.5), CVE-2026-20128 (CVSS: 7.5), and CVE-2026-20122 (CVSS: 5.4). These attacks deployed webshells (Godzilla, Behinder, XenShell), C2 frameworks (AdaptixC2, Sliver), XMRig coin miner, and a credential stealer, often using public Proof-of-Concept (PoC) exploits.

CISA added CVE-2026-20182 to its Known Exploited Vulnerabilities (KEV) catalog, setting a May 17 deadline for Federal Civilian Executive Branch (FCEB) agencies to patch. Organizations are advised to apply patches for CVE-2026-20182 and related flaws. Our article on a critical zero-day affecting Cisco Catalyst SD-WAN offers further context.

What Cisco Catalyst SD-WAN versions are affected by CVE-2026-20182?

Versions of Cisco Catalyst SD-WAN Controller and SD-WAN Manager earlier than 20.9, as well as 20.9, 20.10, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, and 20.18, up to specific patch levels, are affected. Several older versions have reached End-of-Life (EoL) status and require replacement.

The following table details vulnerable and fixed versions:

Cisco Catalyst SD-WAN VersionsFixed Release
Earlier than 20.9Migrate to a fixed release.
20.920.9.9.1
20.1020.12.7.1
20.1120.12.7.1
20.1220.12.5.4, 20.12.6.2, 20.12.7.1
20.1320.15.5.2
20.1420.15.5.2
20.1520.15.4.4, 20.15.5.2
20.1620.18.2.2
20.1820.18.2.2
26.126.1.1.1

What Indicators of Compromise (IoCs) are associated with these attacks?

Cisco provided a list of IoCs related to the exploitation of CVE-2026-20182 and other associated vulnerabilities, including attacker IP addresses, C2 server domains, and SHA256 hashes of malicious payloads. These indicators are crucial for breach detection and threat hunting efforts.

IOC TypeIndicatorDescription
IP Address38.181.52.89Attacker IP Address
IP Address89.125.244.33Attacker IP Address
IP Address89.125.244.51Attacker IP Address
IP Address71.80.85.135Attacker IP Address
IP Address212.83.162.37Attacker IP Address
IP Address38.60.214.92Attacker IP Address
IP Address65.20.67.134Attacker IP Address
IP Address104.233.156.1Attacker IP Address
IP Address194.233.100.40Attacker IP Address
IP Address194.163.175.135AdaptixC2 C2 IP Address
IP Address23.27.143.170Sliver C2 IP Address
IP Address83.229.126.195XMRig C2 IP Address
IP Address79.135.105.208Backdoor C2 IP Address
IP Address13.62.52.206Backdoor C2 IP Address
IP Address176.65.139.31Backdoor C2 IP Address
IP Address47.104.248.7Coin miner C2 IP Address
Domainmtls[://]23.27.143[.]170:44Sliver C2 Domain
Domainhxxp://83[.]229[.]126[.]195:8081/xmrigXMRig Download Domain
Domainhxxp://83[.]229[.]126[.]195:8081/config[.]jsonXMRig Configuration File Domain
Domainhxxps://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p[.]worf[.]replit[.]dev/downloadBackdoor Download Domain
Domainhxxp://13[.]62[.]52[.]206:5004Backdoor C2 Domain
SHA256 Hashf6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1AdaptixC2 SHA256 Hash
SHA256 Hash02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8Sliver SHA256 Hash
SHA256 Hash0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0XMRig SHA256 Hash
SHA256 Hash96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46XMRig SHA256 Hash
SHA256 Hash7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1XMRig SHA256 Hash
SHA256 Hash0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15dBackdoor SHA256 Hash
SHA256 Hash18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80KScan SHA256 Hash
SHA256 Hashd94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfaGSocket SHA256 Hash
SHA256 Hashb0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3SHA256 Hash of Credential Stealer
SHA256 Hash72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060SHA256 Hash of Malicious Script
SHA256 Hash17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925SHA256 Hash of Malicious Script

Critical 'Claw Chain' Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk

A series of critical security vulnerabilities, collectively named Claw Chain, were recently discovered in the autonomous AI agent OpenClaw (originally Clawdbot). Identified by security experts at Cyera, these flaws affect thousands of OpenClaw servers globally, exposing them to data theft, backdoor installation, and attacks for administrative access. The vulnerabilities were patched on April 23, 2026, but prior to this date, systems remained at risk.

These flaws allow compromise of systems using OpenClaw to automate tasks, including connections to internal files and messaging applications like Telegram. Chained vulnerabilities result in extensive, persistent compromise, with malicious actions camouflaged as legitimate.

The Claw Chain vulnerabilities consist of four distinct flaws:

  • CVE-2026-44112: A critical timing error in the OpenShell sandbox system (CVSS: 9.6) that allows attackers to bypass sandbox boundaries and install permanent backdoors.
  • CVE-2026-44113: A high-severity flaw (CVSS: 7.7) that enables attackers to replace safe file paths with symbolic links, exposing restricted system files.
  • CVE-2026-44115: A high-severity vulnerability (CVSS: 8.8) leading to the leakage of internal settings, API keys, and password tokens due to insufficient command validation.
  • CVE-2026-44118: A high-severity flaw (CVSS: 7.8) involving a local digital process that bypasses identity checks by manipulating a validation flag, gaining owner-level control.

Chaining these flaws permits attackers to use AI agents for privileged operations, hindering detection. With an estimated 65,000 to 180,000 OpenClaw servers publicly exposed in May 2026, organizations handling sensitive data (e.g., banks, healthcare) face considerable risk.

Supply Chain Compromise: node-ipc npm package

A recent supply chain attack targeted the npm ecosystem through the popular node-ipc package. This Node.js module, used for inter-process communication, had credential-stealing malware injected into newly published versions node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1. This was confirmed by Socket, Ox Security, and Upwind.

Malicious code within the CommonJS entrypoint (node-ipc.cjs) executes upon application loading. This follows a March 2022 incident where the maintainer published politically motivated, weaponized versions. The package still sees over 690,000 weekly downloads, indicating its broad impact.

The malware, obfuscated, fingerprints systems and collects sensitive data, which it compresses and exfiltrates via DNS TXT queries. This less conventional method, using a fake Azure-themed domain as a resolver, helps obscure C2 traffic and breach detection.

The infostealer targeted a broad range of sensitive data, including cloud credentials (AWS, Azure, GCP), SSH keys, development environment credentials (Kubernetes, Docker, Helm, Terraform, npm, GitHub), .env files, database credentials, and macOS Keychain/Linux keyrings. It avoided large files and specific directories like .git and node_modules to optimize its operation. This shows the critical need for supply-chain risk monitoring in software development.

What happened with Instructure Canvas and ShinyHunters?

Instructure, the educational technology vendor behind the Canvas learning management system (LMS), experienced a high-profile compromise in May 2026 involving the ShinyHunters cybercrime group. This incident left numerous schools and universities without critical functions like grade reporting. The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions have sought information from Instructure regarding these attacks. Such events show the need for strong brand leak alerting and complete breach detection.

The initial breach was disclosed on May 1, with Instructure acknowledging that threat actors obtained "certain identifying information of users," including names, emails, student ID numbers, and private messages. ShinyHunters claimed possession of over 3TB of sensitive data from more than 9,000 educational institutions. Instructure temporarily took Canvas offline for investigation and declared the intrusion resolved on May 6.

However, ShinyHunters re-compromised Canvas on May 7, posting a ransom demand. This prompted legislative scrutiny of Instructure's incident response. On May 11, Instructure announced an "agreement" with the threat actor, claiming data return and destruction. The subsequent removal from ShinyHunters' leak site suggests a resolution, often observed in ransomware tracking scenarios.

Legislators also investigated a September 2025 compromise of Instructure's Salesforce environment by UNC6040, a group tied to ShinyHunters. This prior breach, part of broader Salesforce attacks, suggests Instructure was a repeat target. Such patterns show the need for supply-chain risk monitoring and underground forum intelligence.

The Next Cybersecurity Challenge: Verifying AI Agents

The cybersecurity field is transforming, moving beyond traditional defenses to address the complexities of autonomous AI agents. These agents are increasingly deployed to automate tasks, introducing a new challenge: establishing trust and verifying their identity and actions. The rise of AI agent-based attacks shows a critical trust problem.

Current security models, including zero-trust architectures, lack adequate infrastructure to verify AI agent identities or their authorized actions, and cannot detect instruction tampering in real-time. Systems receiving requests from AI agents often cannot reliably verify their legitimacy.

The verification of AI agents presents several unique challenges:

  • Dynamic Nature: AI agent capabilities and actions can change based on context and instructions, making one-time verification insufficient.
  • Agent Chains: Multi-agent pipelines involve task delegation, where each hand-off is a potential point for spoofing or scope creep.
  • Cross-Organizational Interaction: AI agents may communicate across different organizational boundaries (vendors, customers, cloud providers), lacking a shared trust framework.
  • Prompt Injection Attacks: The attack surface extends to instructions, where malicious content can hijack an agent's behavior.

Industry efforts, like Anthropic's Cyber Verification Program (CVP), are addressing these gaps by verifying operators using AI infrastructure. Lyrie.ai's acceptance into the CVP shows a growing focus on active verification and AI-native security platforms.

Developing open, interoperable standards for AI agent verification is essential. These standards must define agent identity, authorized actions, detect instruction tampering, trace delegation chains, and enable real-time authority revocation. Lyrie's Agent Trust Protocol (ATP) is one such proposed cryptographic standard for these primitives, reflecting the demand for specialized cyber threat intelligence platforms capable of addressing agentic risks. The absence of a trusted identity framework for most online AI agents means businesses currently have limited means to verify communications, a gap that requires urgent industry collaboration to resolve.

Technical Takeaways

  • CVE-2026-20182 in Cisco Catalyst SD-WAN Controller and SD-WAN Manager is a critical zero-day exploited by UAT-8616 for administrative access.
  • Multiple Cisco Catalyst SD-WAN Manager vulnerabilities were exploited by various threat actor clusters, leading to webshell, C2 framework, and coin miner deployments.
  • Claw Chain vulnerabilities in OpenClaw AI agent permit attackers to bypass sandbox security, steal credentials, and gain administrative control. These flaws affect numerous internet-exposed servers.
  • A supply chain attack on the node-ipc npm package deployed an infostealer via obfuscated CommonJS code, exfiltrating cloud credentials, SSH keys, development environment credentials, and other sensitive data through DNS TXT queries.
  • The ShinyHunters cybercrime group executed multiple compromises against Instructure's Canvas LMS, impacting educational institutions and potentially involving a prior Salesforce breach.
  • Autonomous AI agents introduce new cybersecurity challenges related to identity verification, dynamic behavior, delegation chains, and prompt injection attacks, necessitating novel security standards.