Your AI Coding Agents Aren’t on Anyone’s Inventory
Endpoints and SaaS get tracked, but the AI coding agents writing production code don't.
Armor Security Team
Six weeks ago, the npm ecosystem saw its second self-replicating worm in seven months. Researchers named it Mini Shai-Hulud. The first wave compromised four SAP development packages on April 29. By May 11, the campaign had escalated into its largest wave yet: 170+ packages compromised across npm and PyPI, with 400+ malicious versions and a critical CVE (CVE-2026-45321, CVSS 9.6), hitting widely used libraries from TanStack, UiPath, Mistral AI, and OpenSearch. A separate wave on May 19 hit 317 packages in the @antv ecosystem in 22 minutes.
Most coverage stopped at the package count, but the interesting part starts after install.
The New Pattern
Why Removing the Package Isn’t Enough
Earlier supply chain attacks followed a familiar shape. A malicious dependency runs on install, scrapes whatever credentials it can find, and exfiltrates them. Removing the package removes the threat.
Mini Shai-Hulud broke that pattern. According to detailed analysis from StepSecurity, Socket, Mend.io, and Cloud Security Alliance, the worm writes two persistence files into every accessible repository: a .claude/settings.json that hooks Claude Code’s SessionStart event, and a .vscode/tasks.json configured to run on folder open. Both files live in the project tree, not in node_modules. Uninstalling the package does not remove them. Anyone who later opens the repository in Claude Code or VS Code silently re-executes the payload.
A developer who never touched the malicious package can still trigger it by opening an affected repository in their IDE.
What MDR Sees That Scanners Don’t
Armor MDR ingests developer endpoint and CI/CD pipeline telemetry to surface persistence behaviors that survive package removal.
The May 11 wave added a second escalation worth understanding. The TanStack compromise produced the first documented npm worm whose malicious packages carried valid SLSA Build Level 3 cryptographic provenance, meaning the standard check, "was this package signed by a trusted build pipeline?", now passes for compromised code. The attackers achieved this by hijacking TanStack’s own GitHub Actions release pipeline through cache poisoning and OIDC token extraction.
The AI coding agent has become the persistence layer.
The Blind Spot
The Governance Question Nobody Has Asked Yet
Your organization probably has an endpoint inventory. You almost certainly have a SaaS inventory. You may have a recently updated data classification policy. Here is the question Mini Shai-Hulud forces:
Do you have an inventory of every AI coding agent installed on every developer machine across your environment?
For each one, do you know its file system access scope, its credential access, and the configuration files it reads on startup?
Who reviews changes to those configuration files? Are they treated like source code, or like local user preferences?
When a developer onboards or offboards, is the AI coding agent inventory updated alongside the SSO directory?
If those questions feel awkward, that is the answer. The tooling has moved faster than the governance around it. StepSecurity’s analysis flags Mini Shai-Hulud as the first widely-tracked supply chain attack to use AI coding agent configurations as a persistence layer. TeamPCP open-sourced the worm on GitHub on May 12. A copycat compromised another npm package within a week, and a second large wave hit the @antv ecosystem on May 19. The technique is now an open pattern.
Attack Surface
Why This Is Structurally Different
In the old model, the dependency tree was the attack surface. You audited it, you pinned versions, you ran scanners, and you accepted residual risk in the long tail.
The new model includes everything the old one did, plus two additional surfaces: the configuration files that AI coding agents read on launch, which sit inside repositories that get cloned, forked, and reopened across an entire engineering organization, and the cryptographic provenance layer itself, which the TanStack compromise demonstrated can be forged by hijacking the legitimate release pipeline. Removing the malicious package no longer ends the incident. The blast radius extends to anyone who later opens an affected repo in an IDE, regardless of whether they ever ran npm install.
Endpoint detection and dependency scanning help. Neither is sufficient on its own. The control surface now has to include the AI coding agent itself.
Response Checklist
What To Do About It
Inventory AI Coding Agents
Start with a simple census across developer machines and CI/CD runners. Capture name, version, install location, and configured access scopes.
Treat Agent Configuration Files Like Source Code
.claude/settings.json, .vscode/tasks.json, MCP server configs, and equivalent files in other tools should be reviewable in PRs, monitored for unexpected changes, and protected by the same branch rules as production code.
Pin Exact NPM and PyPI Versions
Floating version ranges (^, ~) are how a two-hour attack window turns into a 170-package compromise. SAP issued this specific recommendation alongside Security Note 3747787.
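As an added example (not SAP’s recommendation text or Armor’s tooling), here is a small audit that reads a package.json and a requirements.txt and reports every dependency that is not pinned to an exact version. The pinning rule is an assumption: an npm specifier counts as pinned only when it is an exact semver version such as 1.2.3 or 1.2.3-beta.1, and a PyPI requirement only when it uses == with a full version (no 6.* wildcards, no >=, ~=, or bare names). The two manifests are constructed sample input.

```python
"""Flag floating dependency ranges in package.json and requirements.txt.

Added example, not SAP's or Armor's tooling. The pinning rule below is an
assumption: exact semver for npm, == with a full version for PyPI.
"""
import json
import re

EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
NPM_DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
# name[extras] == version, with an optional environment marker after ';'
EXACT_PIP = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?\s*==\s*[0-9][0-9A-Za-z.!+]*\s*(?:;.*)?$")


def npm_is_pinned(spec):
    """True only for an exact version; ^, ~, >=, *, latest, git/file URLs all fail."""
    return bool(EXACT_SEMVER.match(spec.strip()))


def audit_package_json(text):
    """Return {section: {name: spec}} for every specifier that is not an exact version."""
    manifest = json.loads(text)
    floating = {}
    for section in NPM_DEP_SECTIONS:
        for name, spec in (manifest.get(section) or {}).items():
            if not isinstance(spec, str) or not npm_is_pinned(spec):
                floating.setdefault(section, {})[name] = spec
    return floating


def pip_is_pinned(line):
    """True only for name==X.Y.Z (with optional extras and environment marker)."""
    return bool(EXACT_PIP.match(line.strip()))


def audit_requirements(text):
    """Return requirement lines that are not ==-pinned; comments, blanks and pip options are skipped."""
    floating = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        line = line.rstrip("\\").strip()         # drop line-continuation backslash
        if not line or line.startswith("-"):     # blank, or an option such as -r / --hash
            continue
        if not pip_is_pinned(line):
            floating.append(line)
    return floating


# Constructed sample manifests (not from any real project).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21", "express": "~4.18.0", "chalk": "*"},
    "devDependencies": {"typescript": "5.4.5", "eslint": ">=8.0.0", "prettier": "latest"},
})
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.31.0 \\
    --hash=sha256:placeholder
urllib3>=1.26
numpy~=1.26.0
pyyaml==6.*
rich
click==8.1.7 ; python_version >= "3.8"
-r base.txt
"""

if __name__ == "__main__":
    for section, deps in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        for name, spec in deps.items():
            print(f"package.json [{section}] {name}: {spec!r} is not pinned")
    for line in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements.txt: {line!r} is not pinned")
```

Run it from CI against the real manifests and fail the build on any output; a lockfile narrows the window too, but only an exact specifier in the manifest keeps a fresh install from resolving to a version published during an attack window.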
Don’t Rely on Provenance Attestation Alone
The May 11 wave produced cryptographically valid SLSA Build Level 3 attestations for malicious packages by hijacking the legitimate release pipeline. Provenance still helps; it is just no longer sufficient on its own. Pair it with runtime behavioral monitoring.
Audit Existing Repositories for Unexpected IDE Configs
Search for .claude/ and .vscode/ directories committed in projects that wouldn’t normally have them, and review recent commits authored by unfamiliar email addresses making changes to those directories.
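The persistence mechanism described earlier (a SessionStart hook in .claude/settings.json and a folder-open task in .vscode/tasks.json) and the audit step above both come down to the same question: which committed config files execute a command when someone opens the project? The scanner below is an added example, not Armor’s tooling and not taken from the worm analyses cited above. It walks a checkout (or a directory of checkouts), parses the two files, and reports every SessionStart hook command and every VS Code task configured with runOn set to folderOpen. The file layouts assumed here (Claude Code hooks under hooks -> event name -> list of {matcher, hooks: [{type, command}]}; VS Code tasks under tasks -> list of {label, command, runOptions: {runOn}}) are assumptions based on the tools’ documented formats; the Claude Code path uses a recursive search for "command" strings so a slightly different hook layout is still caught. The sample tree it builds is constructed.

```python
"""Find committed IDE / AI-agent config files that run a command on open.

Added example (not Armor's tooling). The hook and task layouts are
assumptions based on the tools' documented formats; see the lead-in.
"""
import json
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules"}  # never descend into these


def _command_strings(node):
    """Yield every string stored under a 'command' key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _command_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _command_strings(item)


def claude_session_start_commands(settings):
    """Commands wired to Claude Code's SessionStart event in a parsed settings.json."""
    hooks = settings.get("hooks", {}) if isinstance(settings, dict) else {}
    return list(_command_strings(hooks.get("SessionStart", [])))


def vscode_folder_open_tasks(tasks_json):
    """(label, command) for every VS Code task configured to run on folder open."""
    tasks = tasks_json.get("tasks", []) if isinstance(tasks_json, dict) else []
    found = []
    for task in tasks:
        if not isinstance(task, dict):
            continue
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            found.append((task.get("label", "<unlabelled>"), task.get("command", "")))
    return found


# relative config path -> extractor returning (reason, command) pairs
CONFIGS = {
    Path(".claude/settings.json"):
        lambda cfg: [("SessionStart hook", c) for c in claude_session_start_commands(cfg)],
    Path(".vscode/tasks.json"):
        lambda cfg: [(f"task '{label}' runs on folderOpen", c) for label, c in vscode_folder_open_tasks(cfg)],
}


def _load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8")), None
    except (OSError, UnicodeDecodeError, json.JSONDecodeError) as exc:
        # tasks.json may be JSON-with-comments; anything unparseable is still
        # reported so a human reviews it instead of it being silently skipped.
        return None, f"unparseable ({exc.__class__.__name__})"


def scan_tree(root):
    """Walk `root` (one repo or a directory of repos) and return a list of findings."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for rel_cfg, extract in CONFIGS.items():
            path = Path(dirpath) / rel_cfg
            if not path.is_file():
                continue
            rel = os.path.relpath(path, root)
            cfg, err = _load_json(path)
            if err:
                findings.append({"file": rel, "reason": err, "command": None})
                continue
            for reason, cmd in extract(cfg):
                findings.append({"file": rel, "reason": reason, "command": cmd})
    return findings


def build_sample_tree():
    """Constructed fixture: repo-a carries both auto-run configs, repo-b is clean."""
    root = Path(tempfile.mkdtemp(prefix="agent-config-audit-"))
    hot = root / "repo-a"
    (hot / ".claude").mkdir(parents=True)
    (hot / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
        {"matcher": "", "hooks": [{"type": "command", "command": "node ./scripts/bootstrap.js"}]}]}}))
    (hot / ".vscode").mkdir()
    (hot / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build"},
        {"label": "bootstrap", "type": "shell", "command": "node ./scripts/bootstrap.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    clean = root / "repo-b"
    (clean / ".vscode").mkdir(parents=True)
    (clean / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "test", "type": "shell", "command": "npm test"}]}))
    (clean / "node_modules" / "dep" / ".claude").mkdir(parents=True)  # ignored: under node_modules
    (clean / "node_modules" / "dep" / ".claude" / "settings.json").write_text("{}")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['file']}: {f['reason']} -> {f['command']}")
```

Point scan_tree at the directory where developers keep their checkouts, or run it in CI on every pull request that touches .claude/ or .vscode/; a non-empty result is a review item, not automatically malicious, since legitimate projects do ship folder-open tasks.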
Rotate Developer and CI/CD Credentials on a Defined Cadence
Any environment that touched a compromised package version between April 29 and May 19, 2026 should be treated as potentially exposed. Audit GitHub Actions runs from the same windows for unexpected npm publish events and outbound connections to attacker infrastructure (filev2.getsession.org, api.masscan.cloud).
Monitor Developer Endpoints and CI/CD Runners Continuously
The behaviors that distinguish this campaign, including process memory reads on Linux runners, persistence daemons (such as the gh-token-monitor introduced in the May 11 wave), and unexpected GitHub repos created under developer accounts, are detectable when someone is watching.
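To make the two preceding points concrete, here is an added example (not Armor MDR detection content) that triages CI-runner telemetry for the behaviours named in this post: egress to the two domains listed above, /proc/<pid>/mem reads on Linux runners, the gh-token-monitor process name, and npm publish events from a workflow that is not the release workflow. The key=value log format is constructed for the example and is not GitHub’s; the release-workflow allow-list (release.yml) is an assumption; the sample lines are constructed.

```python
"""Triage constructed CI-runner telemetry for the behaviours named in the post.

Added example, not Armor MDR content. Log format, runner names and the
release-workflow allow-list are assumptions; the two domains and the
gh-token-monitor process name are the indicators the post itself lists.
"""
import re
from collections import Counter

IOC_DOMAINS = {"filev2.getsession.org", "api.masscan.cloud"}   # from the post
WATCHED_PROCESSES = {"gh-token-monitor"}                       # from the post
RELEASE_WORKFLOWS = {"release.yml"}   # assumption: only this workflow may publish
PROC_MEM = re.compile(r"^/proc/\d+/mem$")

# Constructed sample telemetry: one runner showing all four behaviours,
# one runner doing a normal release.
SAMPLE_LOG = """\
2026-05-11T14:02:10Z runner=ci-7 workflow=ci.yml event=egress dst=registry.npmjs.org port=443
2026-05-11T14:02:31Z runner=ci-7 workflow=ci.yml event=file_open path=/proc/4211/mem
2026-05-11T14:02:44Z runner=ci-7 workflow=ci.yml event=process name=gh-token-monitor
2026-05-11T14:03:02Z runner=ci-7 workflow=ci.yml event=egress dst=filev2.getsession.org port=443
2026-05-11T14:03:15Z runner=ci-7 workflow=ci.yml event=egress dst=cdn.api.masscan.cloud port=443
2026-05-11T14:05:00Z runner=ci-7 workflow=ci.yml event=publish package=@example/widget version=2.4.1
2026-05-11T15:10:00Z runner=ci-2 workflow=release.yml event=publish package=@example/widget version=2.5.0
2026-05-11T15:10:05Z runner=ci-2 workflow=release.yml event=egress dst=registry.npmjs.org port=443
"""


def parse_line(line):
    """'ts k=v k=v ...' -> dict (constructed format, not GitHub's)."""
    parts = line.split()
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def host_matches(host, domains):
    """Exact or subdomain match, so cdn.api.masscan.cloud hits api.masscan.cloud."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log_text):
    """Return (ts, runner, category, detail) for every line matching a watched behaviour."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts, runner, event = rec["ts"], rec.get("runner", "?"), rec.get("event")
        if event == "egress" and host_matches(rec.get("dst", ""), IOC_DOMAINS):
            alerts.append((ts, runner, "egress to known attacker infrastructure", rec["dst"]))
        elif event == "file_open" and PROC_MEM.match(rec.get("path", "")):
            alerts.append((ts, runner, "process memory read", rec["path"]))
        elif event == "process" and rec.get("name") in WATCHED_PROCESSES:
            alerts.append((ts, runner, "persistence daemon started", rec["name"]))
        elif event == "publish" and rec.get("workflow") not in RELEASE_WORKFLOWS:
            alerts.append((ts, runner, "npm publish outside release workflow",
                           f"{rec.get('package')}@{rec.get('version')}"))
    return alerts


def runners_by_alert_count(alerts):
    """Which runners to pull first: most distinct alert categories wins."""
    per_runner = {}
    for _, runner, category, _ in alerts:
        per_runner.setdefault(runner, set()).add(category)
    return Counter({r: len(cats) for r, cats in per_runner.items()})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ts, runner, category, detail in found:
        print(f"{ts} {runner}: {category} ({detail})")
    print("triage order:", runners_by_alert_count(found).most_common())
```

Each category alone has benign explanations (a debugger reads process memory, a test job may publish to a private registry), which is why the ranking counts distinct categories per runner: a single runner that shows all four in a few minutes is the one to pull from the pool and rotate credentials for first.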
The Watch That Doesn’t Sleep
Armor MDR delivers AI-Powered SOC monitoring powered by Nexus AI, with human analysts governing every consequential response action.
The Tooling Is Real, but the Governance Isn’t There Yet
AI coding agents are useful, productive tools that aren’t going away. The work ahead is building the same governance disciplines around them that already exist for endpoints, SaaS, and data. That argument extends the case we made earlier about data eligibility for AI: the surfaces are different, but the shape of the problem is the same.
If you want a structured starting point, our Cyber Resilience Assessment is built for exactly this kind of question: where the controls actually are today, where the weak spots live, and what closing them looks like in your environment.
About Armor
Armor is a global leader in cloud-native managed detection and response. Trusted by over 1,700 organizations across 40 countries, Armor delivers cybersecurity, compliance consulting, and 24/7 managed defense built for transparency, speed, and results. By combining human expertise with AI-driven precision, Armor safeguards critical environments to outpace evolving threats and build lasting resilience. For more information visit our website, follow us on LinkedIn, or request a free Cyber Resilience assessment.