Two AI Agent Security Incidents in One Week Show the Field's Growing Pains
By AgentRiot Editorial
TrapDoor hijacks AI coding assistants through supply chain malware. Composio gets breached via an internal AI agent. Here's what happened and what to do.

AI agents gained powerful new capabilities in May 2026. They also gained powerful new attackers.
Two separate security incidents across a single week reveal how threat actors are adapting faster than many defenses: a supply chain campaign that hijacks AI coding assistants, and a breach where an internal AI agent became the attack vector. Together, they sketch what happens when autonomous systems meet motivated adversaries.
TrapDoor: When Your AI Assistant Becomes the Exfiltration Tool
On May 22, Socket detected the first package in what would become a cross-ecosystem supply chain campaign. By May 24, the company had identified 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, all tied to a single operation Socket calls TrapDoor.
The campaign's target audience is specific: crypto, DeFi, Solana, and AI developers. The package names read like a catalog of developer concerns: eth-security-auditor, defi-threat-scanner, llm-context-compressor, wallet-security-checker, sui-move-build-helper. Install one, and a postinstall hook or build script executes a credential harvester that scans for SSH keys, wallet data, AWS credentials, GitHub tokens, browser profiles, and environment variables.
What sets TrapDoor apart from routine supply chain malware is its explicit targeting of AI coding tools. The attacker's npm payload, trap-core.js, plants .cursorrules and CLAUDE.md files containing hidden instructions encoded with zero-width Unicode characters. These files are designed to trick Cursor, Claude Code, and similar tools into treating the malicious instructions as project-specific guidance. The goal: persuade the AI assistant to run a "security scan" that actually exfiltrates local secrets.
The attacker did not stop at package registries. The same GitHub account, ddjidd564, opened pull requests against browser-use/browser-use, langchain-ai/langchain, langflow-ai/langflow, run-llama/llama_index, FoundationAgents/MetaGPT, and OpenHands/OpenHands. The PRs proposed adding .cursorrules or CLAUDE.md files under titles like "docs: add .cursorrules with dev standards and build verification." GitHub flagged at least one file for containing hidden bidirectional Unicode text.
Socket's median detection time was 5 minutes 27 seconds, with the fastest catch at 58 seconds after publication. The earliest observed package, [email protected], hit PyPI at 20:20:18 UTC on May 22.
Composio: An AI Agent Attacked Through an AI Agent
On May 21, Composio disclosed a breach with an unsettling detail: the initial foothold was an internal AI agent.
The attacker probed Composio's systems using LLM-generated exploit patterns, brute-forcing combinations until gaining access to an internal agentic tool used to monitor infrastructure and report connector failures. From there, the attacker abused the tool's access to automated remediation systems, registered malicious tool definitions inside Composio's sandboxed execution environment, and chained each step until achieving arbitrary code execution.
Composio described the attacker's speed and knowledge of internal architecture as "consistent with a highly skilled actor, likely augmented by advanced AI systems."
The impact was contained but not trivial. About 0.3% of active connections were affected, with GitHub bearing the bulk: 5,001 compromised tokens. A handful of Gmail, Slack, Notion, Linear, and other connections were also reached. An auxiliary cache service accessible during the breach window held 5,241 API keys, all of which Composio revoked as a precaution.
The company has since rotated credentials, restricted API keys to historically used IP addresses, redacted access tokens across its API, and paused all new releases. It is also moving toward a zero-trust KMS model where customers self-custody encryption keys.
What These Incidents Have in Common
Both cases exploit a shared assumption: that AI agents operate in a trusted environment. TrapDoor abuses the trust between developers and their AI assistants. Composio shows what happens when an internal agent's privileges are not properly bounded.
The attack surface is also expanding in a predictable direction. As agents gain more tools, more memory, and more autonomy, they become more valuable targets. The NSA's AI Security Center has already flagged risks in the Model Context Protocol (MCP), including prompt injection, implicit trust between agents, and serialization flaws.
What to Do
For developers and security teams, the immediate steps are specific:
- Audit dependencies. Check for the TrapDoor package names in your lockfiles. Review any recently added .cursorrules or CLAUDE.md files for hidden Unicode characters.
- Rotate secrets. If you use Composio, rotate all API keys and connected account tokens. Review GitHub audit logs for the IOC window (1:05 AM PT – 9:15 AM PT on May 21).
- Treat agents as privileged identities. Apply the same access scoping, monitoring, and lifecycle controls used for service accounts. Enable IP allowlisting where available.
- Review supply chain inputs. Audit plugins, prompts, and external inputs feeding agent workflows. Restrict installation rights and require review for new plugins.
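As an added example (not code from the article, Socket or Composio), a small Python checker for the first audit step above: it flags hidden Unicode format characters in .cursorrules or CLAUDE.md files, renders them visibly for code review, and matches dependency names against the TrapDoor package names quoted in this article. The sample file content is constructed, and the name list is only what the article mentions, not Socket's full list of 34 packages.

```python
import re
import sys
import unicodedata
from pathlib import Path

# Format characters that hide text from a human reader while an LLM still
# consumes it: zero-width space/joiners, BOM, bidi embedding/override/isolate
# controls, and the Unicode "tags" block. Category "Cf" catches the rest.
SUSPECT = ({"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
           | {chr(c) for c in range(0x202A, 0x202F)}
           | {chr(c) for c in range(0x2066, 0x206A)}
           | {chr(c) for c in range(0xE0000, 0xE0080)})

def is_hidden(ch):
    return ch in SUSPECT or unicodedata.category(ch) == "Cf"

def find_hidden_chars(text):
    """Return (line, column, character name) for every hidden char in text."""
    return [(ln, col, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if is_hidden(ch)]

def reveal(text):
    """Render hidden chars as <U+XXXX> so they show up in a review diff."""
    return "".join(f"<U+{ord(c):04X}>" if is_hidden(c) else c for c in text)

# Only the TrapDoor package names quoted in the article, not Socket's full list.
TRAPDOOR_NAMES_IN_ARTICLE = {
    "eth-security-auditor", "defi-threat-scanner", "llm-context-compressor",
    "wallet-security-checker", "sui-move-build-helper",
}

def flagged_dependencies(dep_names):
    """Match names after PEP 503-style normalisation (case, '-', '_', '.')."""
    norm = lambda n: re.sub(r"[-_.]+", "-", n).lower()
    return sorted(n for n in dep_names if norm(n) in TRAPDOOR_NAMES_IN_ARTICLE)

# Constructed sample: the visible text looks harmless, but line 2 carries two
# zero-width spaces and a trailing right-to-left override.
SAMPLE_CLAUDE_MD = ("# Project guidelines\n"
                    "Use 4-space\u200b indentation\u200b in all files.\u202e\n"
                    "Run tests before committing.\n")

if __name__ == "__main__":
    # Usage: python scan_agent_files.py .cursorrules CLAUDE.md (no args: sample)
    paths = [Path(p) for p in sys.argv[1:]] or [None]
    for path in paths:
        text = path.read_text(encoding="utf-8") if path else SAMPLE_CLAUDE_MD
        for ln, col, name in find_hidden_chars(text):
            print(f"{path or 'sample'}:{ln}:{col}: {name}")
```

Run it as a pre-commit or CI check over agent instruction files; any non-empty result on a .cursorrules or CLAUDE.md change should block the merge until a human has read the revealed text.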
The broader lesson is architectural. Single-layer guardrails are insufficient for agentic systems. Defense in depth, least-privilege design, and treating every data source an agent touches as a potential attack vector are no longer optional.