The New Target List
IronWorm — the npm supply chain worm disclosed June 3, 2026 — scrapes 86 environment variables from infected developer machines. The target list reads like a who's who of modern development: AWS, Docker, Kubernetes, GitHub, npm. But buried in that list is every 2026-era AI provider: Anthropic Claude, OpenAI, Google Gemini, Cohere, Mistral, Groq, Perplexity, and xAI. Eight AI platforms targeted by a single worm. Written in Rust, shipped as a 976 KB ELF binary with an eBPF kernel-level rootkit to hide its processes. C2 runs over Tor.
This is not a theoretical risk. On June 5, 2026, Miasma planted .mcp.json files in 73 Microsoft Azure repositories — targeting the AI coding agents themselves. Claude Code, Cursor, Gemini CLI: all would execute the payload on project open. GitGuardian found 24,008 secrets exposed in MCP configuration files on public GitHub. Claude Code had a SOCKS5 sandbox bypass (CVE-2026-21852) silently patched in v2.1.90 with no release note. In April, Google patched Antigravity IDE for prompt injection enabling arbitrary code execution. In May, 1.5 million AI agent API tokens — including plaintext OpenAI keys — were found exposed in a Moltbook database breach.
Why AI Tools Are High-Value Targets
An AI coding assistant with valid credentials has access to everything a developer has access to — plus the ability to generate and commit code across every project the developer works on. Steal a developer's GitHub token and you can compromise their repositories. Steal their AI assistant credentials and you can potentially influence code generation across their entire workflow.
The attack chain compounds. IronWorm steals developer credentials. Those credentials provide access to GitHub repositories. The worm commits malicious code to those repositories. If those repositories use AI coding assistants with stored credentials, the blast radius expands to every project those assistants touch.
The AI-First Web Paradox
WebPulse has argued from day one that the web is being rebuilt for AI consumption. AI agents are the new browsers. Frameworks that serve clean, structured, machine-readable content will win. This thesis is playing out — and so is its dark mirror.
AI coding assistants are accelerating web development. Companies adopt Cursor, Copilot, Claude to ship faster. But those same tools are now attack vectors. The supply chain that builds the modern web is being weaponized through the AI tools building it. The acceleration works in both directions.
Only 10% of Security Operations Centers report getting 'excellent value' from AI implementations, according to a June 2026 survey. 71% report 'some value or none at all.' The gap between AI adoption speed and AI security maturity is the exploitable window.
What Organizations Should Know
If your developers use AI coding assistants — and in 2026, most do — those assistant credentials are high-value targets in every supply chain attack. They should be treated with the same security posture as cloud infrastructure credentials: rotated regularly, scoped minimally, monitored for anomalous usage.
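As an added example (written for this article, not code from IronWorm's analysts, GitGuardian or any vendor named here), the check below audits an .mcp.json file for the failure mode behind the 24,008 exposed MCP secrets: a plaintext AI provider key sitting in a server's env block, as opposed to a ${VAR} reference that defers to a rotated, minimally scoped environment variable. The provider key prefixes and variable names are assumptions based on publicly documented key shapes, and the sample config is constructed.

```python
import json
import re

# Assumed env-var names for the providers named in the article (not from the article itself).
AI_KEY_VARS = {
    "ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GEMINI_API_KEY", "GOOGLE_API_KEY",
    "CO_API_KEY", "MISTRAL_API_KEY", "GROQ_API_KEY", "PERPLEXITY_API_KEY", "XAI_API_KEY",
}
# Assumed key-shape patterns; order matters because "sk-ant-" would also match the OpenAI rule.
KEY_PATTERNS = [
    ("anthropic", re.compile(r"^sk-ant-[A-Za-z0-9_-]{20,}$")),
    ("openai", re.compile(r"^sk-(proj-)?[A-Za-z0-9_-]{20,}$")),
    ("google", re.compile(r"^AIza[0-9A-Za-z_-]{35}$")),
    ("groq", re.compile(r"^gsk_[A-Za-z0-9]{20,}$")),
    ("perplexity", re.compile(r"^pplx-[A-Za-z0-9]{20,}$")),
    ("xai", re.compile(r"^xai-[A-Za-z0-9]{20,}$")),
]
# "${OPENAI_API_KEY}" or "$OPENAI_API_KEY" is resolved at launch and is not a committed secret.
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")

def audit_mcp_config(text):
    """Return (server, variable, reason) for each plaintext secret in an .mcp.json document."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        for var, value in (server.get("env") or {}).items():
            if not isinstance(value, str) or ENV_REF.match(value):
                continue  # indirection through the environment is the safe pattern
            reason = next((f"literal {p} key" for p, pat in KEY_PATTERNS if pat.match(value)), None)
            if reason is None and var in AI_KEY_VARS and len(value) >= 20:
                reason = "literal value in AI credential variable"  # providers without a prefix
            if reason:
                findings.append((name, var, reason))
    return findings

# Constructed sample: one server does it right, two leak credentials in different ways.
SAMPLE_MCP_JSON = """{
  "mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-docs-server"],
             "env": {"ANTHROPIC_API_KEY": "${ANTHROPIC_API_KEY}", "LOG_LEVEL": "debug"}},
    "search": {"command": "node", "args": ["server.js"],
               "env": {"OPENAI_API_KEY": "sk-proj-CONSTRUCTEDSAMPLE0123456789abcdef",
                       "API_KEY": "gsk_CONSTRUCTEDSAMPLE0123456789abcd"}},
    "mistral": {"command": "uvx", "args": ["example-server"],
                "env": {"MISTRAL_API_KEY": "CONSTRUCTEDSAMPLEVALUE0123456789"}}
  }
}"""

if __name__ == "__main__":
    for server, var, reason in audit_mcp_config(SAMPLE_MCP_JSON):
        print(f"{server}: {var} -> {reason}")
```

Run it as a pre-commit hook over .mcp.json and .cursor/mcp.json and the commit that would have joined the GitGuardian count fails instead.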
The frameworks your team builds on determine the supply chain exposure. A Next.js project with 800 npm dependencies is 800 potential IronWorm entry points. Each compromised dependency could steal AI assistant credentials along with everything else. Hugo, with zero npm runtime dependencies, has zero entry points for npm-based supply chain attacks — including AI credential theft.
The AI-first web is real. So are the attacks targeting the tools building it. The question for every organization: are your AI tool credentials managed like the high-value targets they've become?