Dependabot just became the attack vector

Shai-Hulud Post-Mortem: Dependabot Was the Vector, Six AI Tools Named, KICS Shares C2

  • Dependabot is the confirmed initial access vector in at least one victim environment: GitGuardian's post-mortem shows Dependabot automatically pulled trojanized checkmarx/kics:latest on April 22 during a routine automated dependency update — executing the CI payload with full secret access and zero human review. (Previously: Issue #15 covered the KICS and Bitwarden CLI incident at disclosure — this is the first confirmed root-cause mechanism.)
  • Shai-Hulud explicitly names six AI coding tools as targets: Claude Code, Gemini CLI, Codex CLI, Kiro CLI, Aider, and OpenCode — injecting a 3,500-byte heredoc persistence block into ~/.bashrc and ~/.zshrc to execute on every terminal open. (Previously: Issue #15 named Claude Code, Gemini, and Codex — Kiro CLI, Aider, and OpenCode are newly confirmed targets.)
  • The mcp-addon.js Checkmarx KICS payload shares the same C2 server as the Bitwarden CLI payload: audit.checkarks.cx — a typosquat of checkmarx.cx designed to blend into audit logs — directly linking both April 22–23 attack waves as a coordinated campaign. The malware self-terminates if the Russian locale is detected.
  • Exfil uses the victim's stolen GitHub token to push AES-256-GCM encrypted data to a public repo created under the victim's own account — appearing as normal developer activity in monitoring tools. Attackers leveraged Bitwarden's own OIDC trusted publishing to sign and distribute the payload.
  • Bitwarden has not yet published a root-cause postmortem as of April 24; vault data is confirmed unaffected — treat all secrets accessible in affected pipeline environments as compromised without waiting for the all-clear. Audit package-lock.json and Docker layer history for @bitwarden/cli@2026.4.0; check if Dependabot has checkmarx/kics:latest in any auto-merge configuration.
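The audit steps this section lists can be run as a local script. The following is an added example written for this briefing, not code from GitGuardian, Bitwarden or Checkmarx: it scans ~/.bashrc and ~/.zshrc for heredoc blocks whose body names any of the six AI CLIs, checks package-lock.json (v1 trees and v2/v3 package maps) for @bitwarden/cli at 2026.4.0, and lists Dockerfile FROM lines that reference checkmarx/kics without a digest pin. The executable names used for the six tools are assumptions (the briefing names the products), and all sample inputs are constructed.

```python
"""Offline audit for the Shai-Hulud indicators the briefing lists.

Three checks, none of which touch the network:
  1. ~/.bashrc and ~/.zshrc: heredoc blocks whose body names one of the six AI CLIs
  2. package-lock.json: @bitwarden/cli resolved at the trojanized 2026.4.0
  3. Dockerfiles: FROM checkmarx/kics references that carry no digest pin
"""
import json
import re
from pathlib import Path

# Assumed executable names for the six tools the briefing names as targets.
AI_TOOL_NAMES = ("claude", "gemini", "codex", "kiro", "aider", "opencode")
TROJANIZED_PKG, TROJANIZED_VERSION = "@bitwarden/cli", "2026.4.0"  # from the briefing
KICS_IMAGE = "checkmarx/kics"

# Heredoc opener: line start or whitespace, '<<', optional '-', optional quotes, then a
# tag starting with a letter/underscore (so `$((1<<2))` style shifts are ignored).
HEREDOC_START = re.compile(r"(?:^|\s)<<-?\s*['\"]?([A-Za-z_]\w*)['\"]?")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE | re.MULTILINE)


def find_heredocs(text):
    """Yield (terminator, body) for each heredoc in a shell script."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEREDOC_START.search(lines[i])
        if not m:
            i += 1
            continue
        tag, body = m.group(1), []
        i += 1
        while i < len(lines) and lines[i].strip() != tag:
            body.append(lines[i])
            i += 1
        yield tag, "\n".join(body)
        i += 1  # skip the terminator line


def suspicious_heredocs(text):
    """Heredocs that mention an AI CLI: [(terminator, [tools], body_bytes)].

    Body size is reported because the briefing describes a ~3,500-byte block; the
    trigger is the tool names, not the size.
    """
    hits = []
    for tag, body in find_heredocs(text):
        tools = [t for t in AI_TOOL_NAMES if re.search(rf"\b{t}\b", body.lower())]
        if tools:
            hits.append((tag, tools, len(body.encode())))
    return hits


def lockfile_has(lock, name=TROJANIZED_PKG, version=TROJANIZED_VERSION):
    """True if a parsed package-lock.json (v1 tree or v2/v3 'packages' map) pins name@version."""
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + name) and meta.get("version") == version:
            return True

    def walk(deps):  # lockfileVersion 1: nested 'dependencies' trees
        return any((dep == name and meta.get("version") == version)
                   or walk(meta.get("dependencies", {})) for dep, meta in deps.items())

    return walk(lock.get("dependencies", {}))


def unpinned_kics_refs(dockerfile_text):
    """FROM references to checkmarx/kics with no @sha256 digest, i.e. tag-only or :latest."""
    return [ref for ref in FROM_LINE.findall(dockerfile_text)
            if KICS_IMAGE in ref and "@sha256:" not in ref]


def audit_tree(root):
    """Walk a checkout: lockfiles at the trojanized version and unpinned KICS FROM lines."""
    root = Path(root)
    bad_locks = [str(p) for p in root.rglob("package-lock.json")
                 if lockfile_has(json.loads(p.read_text(errors="replace")))]
    bad_from = {str(p): refs for p in root.rglob("Dockerfile*")
                if (refs := unpinned_kics_refs(p.read_text(errors="replace")))}
    return bad_locks, bad_from


# Constructed samples (not real indicators) so the checks can be exercised offline.
SAMPLE_RC = """# constructed rc file
export PATH=$HOME/bin:$PATH
cat <<'__MARK__' > /dev/null
constructed body that mentions codex and aider
__MARK__
alias ll='ls -l'
"""
SAMPLE_LOCK_V3 = {"lockfileVersion": 3,
                  "packages": {"node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {"build-tools": {
    "version": "1.0.0", "dependencies": {"@bitwarden/cli": {"version": "2026.3.0"}}}}}
SAMPLE_DOCKERFILE = "FROM checkmarx/kics:latest AS kics\nFROM node:20@sha256:" + "0" * 64 + "\n"

if __name__ == "__main__":
    home = Path.home()
    for rc in (".bashrc", ".zshrc"):
        if (home / rc).is_file():
            print(rc, suspicious_heredocs((home / rc).read_text(errors="replace")))
    print(audit_tree("."))
```

Run it from the root of each repository that a Dependabot-driven pipeline builds; a hit from `unpinned_kics_refs` is the configuration that lets an automated update pull whatever `:latest` currently points at, and the fix is a digest pin.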

Microsoft Entra: Agent ID Admin Role Allowed Full Tenant Service Principal Hijack (Patched April 9)

  • Silverfort disclosed a scoping flaw in Microsoft Entra ID's Agent Identity Platform: the Agent ID Administrator role had no boundary enforcement, allowing it to assign ownership over any service principal in the tenant — not just AI agent identities — generate new credentials, and authenticate as the hijacked principal, inheriting all its access rights across CI/CD pipelines and security tooling.
  • The Entra UI did not visually flag the Agent ID Administrator role as privileged, making it likely to be over-assigned in environments adopting the new platform; the attack requires no elevated starting permissions beyond the role itself.
  • Microsoft confirmed and patched by April 9, 2026 — the role is now blocked from modifying owners of non-agent service principals. Audit current Agent ID Administrator role assignments; review credentials for any privileged service principals modified between the platform's GA date and April 9.
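The two review steps above can be scripted against Microsoft Graph. This is an added example for the briefing, not code from Silverfort or Microsoft: it lists current holders of the directory role and reports every service principal key or password credential whose start date falls inside the exposure window. The role is matched client-side on the display name given in the disclosure (an assumption about how Graph exposes it); the window start is a placeholder because the page does not give the platform's GA date; the sample service principals are constructed.

```python
"""Post-patch review for the Entra Agent ID Administrator scoping flaw.

The data-shaping logic lives in pure functions so it can be exercised offline;
graph_get() and run() are the only parts that reach the tenant.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
ROLE_NAME = "Agent ID Administrator"  # display name as used in the disclosure (assumed exact)
WINDOW_END = datetime(2026, 4, 9, tzinfo=timezone.utc)  # patch date from the briefing
# Placeholder: set AGENT_ID_GA_DATE to the Agent Identity Platform GA date; the page does not give it.
WINDOW_START = datetime.fromisoformat(os.environ.get("AGENT_ID_GA_DATE", "2026-01-01T00:00:00+00:00"))


def graph_get(url, token):
    """GET a Graph collection, following @odata.nextLink pagination."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def _parse(ts):
    """Graph timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def roles_named(directory_roles, name=ROLE_NAME):
    """Client-side match of a /directoryRoles listing on displayName."""
    return [r for r in directory_roles if r.get("displayName") == name]


def credentials_in_window(service_principals, start=WINDOW_START, end=WINDOW_END):
    """Credentials with startDateTime in [start, end], one row per credential.

    Row: (displayName, appId, 'key'|'password', keyId, startDateTime). A credential
    minted in this window is a candidate for having been added through the unscoped
    role and should be reviewed and rotated.
    """
    rows = []
    for sp in service_principals:
        for kind, field in (("key", "keyCredentials"), ("password", "passwordCredentials")):
            for cred in sp.get(field) or []:
                ts = cred.get("startDateTime")
                if ts and start <= _parse(ts) <= end:
                    rows.append((sp.get("displayName"), sp.get("appId"), kind, cred.get("keyId"), ts))
    return rows


def run(token):
    """Print role holders, then credentials added during the window."""
    for role in roles_named(graph_get(f"{GRAPH}/directoryRoles", token)):
        members = graph_get(f"{GRAPH}/directoryRoles/{role['id']}/members", token)
        print(f"{ROLE_NAME} holders ({len(members)}):")
        for m in members:
            print("  ", m.get("displayName"), m.get("userPrincipalName") or m.get("appId"))
    select = "$select=id,appId,displayName,keyCredentials,passwordCredentials"
    for row in credentials_in_window(graph_get(f"{GRAPH}/servicePrincipals?{select}", token)):
        print("credential in window:", *row)


# Constructed sample in the shape Graph returns, for offline exercise of the filter.
SAMPLE_SPS = [
    {"displayName": "ci-deployer", "appId": "app-a",
     "keyCredentials": [{"keyId": "k1", "startDateTime": "2026-03-20T10:00:00Z"}],
     "passwordCredentials": []},
    {"displayName": "legacy-sync", "appId": "app-b", "keyCredentials": [],
     "passwordCredentials": [{"keyId": "p1", "startDateTime": "2025-11-01T00:00:00Z"}]},
    {"displayName": "agent-x", "appId": "app-c", "keyCredentials": None,
     "passwordCredentials": [{"keyId": "p2", "startDateTime": "2026-04-09T00:00:00Z"}]},
]

if __name__ == "__main__":
    # Token needs Directory.Read.All (plus RoleManagement.Read.Directory for role members);
    # e.g. `az account get-access-token --resource https://graph.microsoft.com`.
    run(os.environ["GRAPH_TOKEN"])
```

Every row the window report produces needs a matching change record: if the credential was not added by a known pipeline or owner, rotate it and review what the principal reached while it was valid.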

OpenClaw: 63% of 40,000+ Exposed AI Agent Instances Are RCE-Vulnerable; Cursor + Chainguard Counters at the Dependency Layer

  • SecurityScorecard found 40,214 internet-exposed OpenClaw instances (28,663 unique IPs), with 63% vulnerable to RCE via three CVEs (CVSS 7.8–8.8) with public exploit code; 549 instances correlate with confirmed prior breach activity. OpenClaw manages email, calendar, and communications with broad platform permissions by design — the core risk is agents deployed without authentication controls.
  • Microsoft has advised against OpenClaw deployment on standard devices; Chinese authorities have restricted it in office environments. The pattern mirrors the 175,000 exposed Ollama hosts (Issue #11): AI frameworks deployed without authentication controls as a recurring exposure class, not isolated incidents.
  • Cursor and Chainguard announced an integration routing Cursor's agentic dependency resolution through Chainguard's catalog of 2,300+ hardened images and millions of Python/JS/Java library versions with signed attestations and reproducible builds — continuously rebuilt to a zero-CVE state, updated within hours of upstream patches. Chainguard customers were unaffected by the Trivy, LiteLLM, and Axios supply chain attacks. Available now for joint customers.

New Patches and Threat Intel: Nessus Windows RCE, AI Phishing at 54% CTR, Vercel Scope Widens

  • CVE-2026-33694 in Tenable Nessus ≤10.11.3 and Nessus Agent ≤11.1.2 (Windows) is an authenticated arbitrary code execution flaw flagged by Italy's CSIRT-ITA. Update to Nessus 10.11.4+ and Nessus Agent 11.1.3+ immediately — a compromised vulnerability scanner provides credentialed lateral movement access to every asset it is authorized against.
  • Cisco Talos published its full Q1 2026 data today: AI-generated phishing lures drove click-through rates from 12% to 54% via personalized, native-sounding multi-language emails that evade automated filters and human review; the average number of emails sent per campaign before content rotation dropped to 1.8, so near-per-email rotation defeats signature-based detection. Attackers increasingly send through legitimate services (Gmail, Docusign, Outlook, Salesforce) to bypass DMARC.
  • Vercel's ongoing Mandiant-assisted investigation confirms the breach impact radius is larger than initially disclosed, with additional AI agent developer accounts in scope. (Previously: Issue #12 documented the full Lumma Stealer → Context.ai OAuth → enterprise-wide env var access chain — no new technical detail yet; rotate credentials if in the context-inc Vercel team.)

Active Deadlines: FIRESTARTER Due Tonight, SharePoint Due Monday, RedSun Day 11

  • FIRESTARTER federal deadline is 11:59 PM EST tonight (April 24): upload Cisco ASA core dumps to malware.cisa.gov; patch and hard-reset all affected hardware by April 30. Per Cisco Talos, firmware update alone does not remove FIRESTARTER — a physical power disconnect is required for confirmed-compromised devices.
  • CVE-2026-32201 (SharePoint spoofing) federal deadline is April 28 (Monday): Security Boulevard published an unauthenticated impersonation chain analysis today; 1,300+ internet-facing servers remain unpatched with patches available for 10 days.
  • RedSun and UnDefend remain unpatched on Day 11 of confirmed active exploitation with no out-of-band advisory from Microsoft; Vectra AI and Huntress published enterprise defense and intrusion write-ups today. Public PoCs remain live on GitHub. Enable Defender tamper protection, restrict local admin accounts, isolate any host showing cldapi.dll exploit indicators.
