Nine Incidents. One Pattern: AI Tools, CRM Systems, and Dependencies Are the New Perimeter.
A self-propagating worm injected into official SAP npm packages downloaded 570,000 times a week. A hardcoded ClickUp API key sitting in production JavaScript for over a year, silently exposing hundreds of enterprise and government organizations. Microsoft SharePoint zero-day CVE-2026-32201 actively exploited across 1,300+ unpatched servers. Medtronic losing 9 million PII records to ShinyHunters. ADT's Okta SSO compromised for 5.5 million customers via AI-assisted vishing. Itron's smart grid infrastructure breached adjacent to 110 million connected meters. Comcast settling for $117.5 million from a CRM breach that hit 30 million customers. Amtrak's Salesforce environment exposing up to 9.4 million customer records including travel history.
The pattern this week is unambiguous: the enterprise perimeter is no longer your firewall; it is every npm package, hardcoded key in client-side JavaScript, unpatched SharePoint server, and social engineering target in your organization. The most consequential breaches didn't start with sophisticated zero-days. They started with secrets left in production code, poisoned dependencies pulled automatically by CI/CD, and attackers with AI-synthesized voices impersonating IT support.
Here's what happened, why it matters, and what RuntimeAI enforces against each class of threat.
1. SAP npm "Mini Shai-Hulud": Self-Propagating Worm in Enterprise AI Dev Packages
Four official SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt) were injected with malicious preinstall scripts that executed automatically on npm install, stealing developer tokens, GitHub Actions CI/CD secrets, and cloud provider keys (AWS, Azure, GCP, Kubernetes). The worm self-propagated by using harvested npm tokens to republish itself to any accessible package.
The attack, dubbed "Mini Shai-Hulud" by researchers at Wiz, targeted SAP's Cloud Application Programming Model, the framework enterprise developers use to build AI-integrated business applications on top of SAP BTP. The four compromised packages are fundamental dependencies, meaning a single npm install in any CAP project silently ran the malicious script.
Attribution points to TeamPCP with medium confidence: the same byte-for-byte setup.mjs loader was found in prior attacks on Trivy, Checkmarx, and Bitwarden. The attack ran from 09:55 to 12:14 UTC on April 29 before SAP restored clean versions at 13:46 UTC. Any developer who ran npm install on a CAP project in that 2-hour 19-minute window may have had credentials exfiltrated.
The self-propagation mechanism is what elevates this beyond a standard supply chain attack: by harvesting npm publish tokens, the worm could silently backdoor any other package those tokens could reach, turning each infected developer into a new vector.
RuntimeAI Take
RuntimeAI's supply chain integrity layer enforces provenance attestation and SBOM diff-checking on every dependency version change. A new version of @cap-js/sqlite published with a new preinstall script is flagged immediately β before any CI/CD pipeline pulls it. The flow enforcer blocks unapproved outbound connections from CI/CD processes, containing the exfiltration even if the malicious script runs. Stolen tokens are scope-limited by the credential vault, preventing lateral republishing.
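The check described above, a lifecycle-script diff between two releases of a dependency that blocks an upgrade when a preinstall hook appears, as an added example that is not RuntimeAI's or SAP's code. Both package.json manifests are constructed samples and the version numbers are assumed; only the package name and the setup.mjs loader file name come from the incident write-up.

```javascript
// Added example (not RuntimeAI's or SAP's code): flag new or changed npm
// lifecycle scripts between two versions of a dependency's package.json.
// A preinstall/install/postinstall hook that shows up in a new release is
// the exact pattern the "Mini Shai-Hulud" packages used, so the upgrade is
// held for review instead of being pulled straight into CI.

// Hooks that npm runs automatically when a package is installed as a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Compare the scripts block of two manifests; a hook that is added or whose
// command changes is a finding. Removed hooks are not a concern.
function lifecycleDiff(oldPkg, newPkg) {
  const oldScripts = oldPkg.scripts || {};
  const newScripts = newPkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const before = oldScripts[hook];
    const after = newScripts[hook];
    if (after !== undefined && before === undefined) {
      findings.push({ hook, kind: "added", command: after });
    } else if (after !== undefined && after !== before) {
      findings.push({ hook, kind: "changed", command: after });
    }
  }
  return findings;
}

// Verdict for a version bump: block when any lifecycle hook is new or changed.
function assessUpgrade(oldPkg, newPkg) {
  const findings = lifecycleDiff(oldPkg, newPkg);
  return {
    name: newPkg.name,
    from: oldPkg.version,
    to: newPkg.version,
    block: findings.length > 0,
    findings,
  };
}

// Constructed sample: the known-good release has no install hooks at all.
const cleanRelease = {
  name: "@cap-js/sqlite",
  version: "1.0.0", // assumed version
  scripts: { test: "mocha" },
};

// Constructed sample: the suspicious release adds a preinstall hook that runs
// a loader file; "setup.mjs" echoes the loader name reported in the incident.
const suspiciousRelease = {
  name: "@cap-js/sqlite",
  version: "1.0.1", // assumed version
  scripts: { test: "mocha", preinstall: "node setup.mjs" },
};

// Pair this with `npm ci --ignore-scripts` in CI so a hook that slips past
// review still cannot execute during dependency installation.
console.log(JSON.stringify(assessUpgrade(cleanRelease, suspiciousRelease), null, 2));
```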
2. ClickUp: Hardcoded API Key in Production JavaScript Exposed Enterprise and Government Orgs for Over a Year
A hardcoded API key embedded in ClickUp's production JavaScript bundle was exposed for over a year before discovery, giving any attacker who found it authenticated access to enumerate enterprise and government customer email addresses and organization data. Hundreds of organizations, including government agencies, were affected. ClickUp has since rotated the key, but the exposure window spanned more than 12 months of production traffic.
The ClickUp incident is a canonical secrets management failure: a high-privilege API key baked into client-side code that ships to every user's browser, visible to anyone who opens DevTools. What makes it worse is the duration (over a year) and the scope: government organizations using a SaaS productivity tool had their tenant data exposed by a secret their vendor left in a JavaScript bundle.
For enterprise security teams, this incident highlights a risk that is almost impossible to detect from the outside. Your vendor's client-side code is a black box. Unless you're running continuous SCA scanning against every external SaaS dependency your organization uses (a near-impossible operational posture), you have no visibility into what secrets your vendors are shipping in their front-end bundles.
RuntimeAI Take
RuntimeAI's SaaS integration governance layer monitors API call patterns and credential usage across third-party SaaS tools, flagging anomalous access to tenant data that would indicate an exposed key being leveraged. The secrets management module enforces vault-based credential issuance for all integrations (no hardcoded credentials in any layer of the stack) and performs rotation on a configurable schedule. An exposed client-side key generating unexpected API calls would surface as an anomaly within the first request, not 12 months later.
3. Microsoft SharePoint Zero-Day: CVE-2026-32201 Actively Exploited Across 1,300+ Servers
A zero-day remote code execution vulnerability in Microsoft SharePoint (CVE-2026-32201) was found to be under active exploitation across 1,300+ unpatched servers. The vulnerability allows an unauthenticated attacker to execute arbitrary code on SharePoint server instances, giving attackers a foothold in enterprise environments where SharePoint hosts sensitive documents, AI agent outputs, and workflow automation data.
SharePoint's role in enterprise AI workflows is increasingly significant: it's where AI agents store outputs, where automated document processing pipelines read and write, and where enterprise knowledge bases are built for RAG systems. A compromised SharePoint instance isn't just a document server breach anymore; it's a potential injection point into every AI workflow that reads from it.
The 1,300+ actively exploited servers figure reflects a persistent enterprise patching lag that threat actors plan for. Zero-days against widely deployed enterprise software follow a predictable pattern: disclosure → active exploitation of unpatched instances → lateral movement to adjacent systems. The enterprises most at risk are those running SharePoint-integrated AI workflows without network segmentation between the SharePoint tier and their AI agent infrastructure.
RuntimeAI Take
RuntimeAI's flow enforcer validates and sanitizes all data read into AI agent context from external sources β including SharePoint. A compromised SharePoint document containing a prompt injection payload is caught at the boundary before it reaches the model. The policy engine enforces network segmentation between data sources and AI agent runtime, containing the blast radius of a SharePoint compromise. Patch status monitoring flags vulnerable SharePoint versions in the asset inventory before attackers find them.
4. Medtronic: ShinyHunters Claims 9 Million Medical Device Company Records
ShinyHunters breached Medtronic's corporate IT network and claimed exfiltration of terabytes of data including 9 million+ PII records. Medtronic confirmed unauthorized access to corporate IT systems while stating products, patient safety, and manufacturing operations were unaffected. The breach occurred six days before Medtronic's own disclosure, with ShinyHunters claiming the attack publicly first.
Medtronic's connected device ecosystem (insulin pumps, cardiac monitors, implantable defibrillators) sits on IT infrastructure adjacent to the breached corporate systems. While Medtronic states device operations were unaffected, the proximity of a breached corporate network to life-critical OT systems is the central concern regulators and security teams are watching.
The six-day gap between breach and disclosure is itself a significant finding: ShinyHunters knew about and claimed the breach days before Medtronic detected and disclosed it. In a medical device company, that detection lag in a network adjacent to patient-care systems is an unacceptable risk profile.
RuntimeAI Take
RuntimeAI's behavioral anomaly engine detects large outbound data transfers in real time, not days after the fact. The "terabytes" claimed by ShinyHunters would trigger volume-based anomaly detection within minutes of the first exfiltration event. The pre-exfiltration blocking policy quarantines the involved process and alerts the security team before data leaves the perimeter. In a healthcare environment, this is the difference between a near-miss and a breach disclosure.
5. ADT: AI-Assisted Vishing Takes Down SSO for 5.5 Million Customers
ShinyHunters mounted a targeted vishing (voice phishing) campaign, using AI-augmented voice impersonation to manipulate an ADT employee into surrendering credentials. The attacker compromised an Okta SSO account and pivoted into ADT's environment, exposing 5.5 million unique customer records including names, email addresses, phone numbers, and physical addresses. ShinyHunters issued a ransom deadline threatening public data release.
The attack vector here is AI as a weapon rather than a victim: AI-assisted voice synthesis enabled a social engineering attack convincing enough to compromise an Okta SSO credential at a major enterprise. This is ADT's third breach since 2024, a pattern that suggests systemic identity security weaknesses that individual breach responses have not addressed.
Once the Okta credential was compromised, the rest of the attack was straightforward SSO lateral movement, a well-understood attack pattern that phishing-resistant authentication would have prevented entirely. The sophistication was at the social engineering layer, not the technical exploitation layer.
RuntimeAI Take
RuntimeAI's identity fabric enforces hardware-bound, phishing-resistant authentication for all privileged SSO access; MFA push notifications are explicitly insufficient for admin-level accounts. Anomalous SSO access patterns (new device, unusual time, unfamiliar location) trigger immediate step-up authentication challenges before any pivot is possible. The behavioral baseline for each identity detects deviation from normal access patterns within the first session, not after data exfiltration is complete.
6. Itron: Smart Grid Infrastructure Breached Adjacent to 110 Million Connected Meters
Itron, which provides smart metering infrastructure to over 110 million homes and businesses, disclosed that an unauthorized third party had accessed certain internal IT systems on April 13. The company found no evidence of customer data theft or OT system access, but the breach of corporate IT in an environment adjacent to grid management systems represents a significant lateral-movement risk profile.
The Itron breach may not involve AI agents directly, but it belongs in this digest because of what it represents at scale: corporate IT networks adjacent to operational technology managing energy infrastructure for 110 million endpoints. The IT/OT boundary in critical infrastructure is exactly the boundary that sophisticated attackers target for pivoting: compromising corporate IT first, then moving laterally toward control systems.
The two-week gap between breach (April 13) and disclosure (April 27) is concerning in a critical infrastructure context. Two weeks of undetected presence in a network adjacent to power grid management systems is an eternity in terms of reconnaissance and positioning.
RuntimeAI Take
RuntimeAI's IT/OT segmentation policy enforces hard boundaries between corporate and operational networks, with continuous lateral-movement detection across both layers. Any process attempting to cross the IT/OT boundary outside of approved communication paths triggers an immediate alert and automated isolation. The real-time audit trail ensures that a two-week detection gap is structurally impossible: every cross-boundary connection is logged and anomalous patterns surface within the first session.
7. Roblox: 610,000 Accounts and a 50M-Credential Infostealer Campaign
Ukrainian authorities arrested three individuals who compromised over 610,000 Roblox accounts using infostealer malware distributed as a game-enhancement tool, generating ~$225,000 in illicit sales. Separately, a threat actor claimed a database of 50 million Roblox credentials for $777, following infostealer campaigns showing hallmarks of AI-automated targeting and distribution. At least 357 "elite" high-value accounts were sold in bulk.
The enterprise relevance of a gaming platform breach may not be immediately obvious, but it is significant. Developer and engineering populations are disproportionately represented among Roblox users, and infostealer malware doesn't distinguish between personal gaming credentials and corporate SSO tokens stored in the same browser profile. A developer who installs an infostealer disguised as a game mod has the same credential exposure risk as one who clicks a phishing link.
The scale of the 50M credential dump, together with the AI-automated distribution mechanisms behind modern infostealer campaigns, means this is no longer a consumer security problem. Enterprise credential hygiene now depends on what's happening on the personal devices of your engineering team outside working hours.
RuntimeAI Take
RuntimeAI's endpoint agent monitors for infostealer behavioral signatures and quarantines compromised endpoints before corporate tokens are exfiltrated. The PII Shield ensures that even if a credential is captured at the browser layer, the downstream impact on production systems is contained by tokenization and scope-limited access. Session invalidation policies fire automatically on anomalous credential usage patterns: the stolen credential is detected and revoked before it reaches a production system.
8. Comcast: $117.5M Settlement, the Long Tail of a 2023 CRM Breach
Comcast reached a $117.5 million settlement stemming from its 2023 data breach, with up to 30 million affected customers eligible for compensation or identity protection services. The breach originated in a CRM system, exposing customer PII, account data, and service records at scale. The settlement is one of the largest breach-related payouts in the telecom sector and illustrates the financial consequence of failing to govern data access within customer-facing AI and CRM systems.
The Comcast settlement lands in this digest not because it's a new attack (it's a 2023 breach) but because of what it signals in 2026: the financial and reputational cost of a CRM breach at scale is now quantified at nine figures. Every enterprise deploying AI agents with access to customer PII in CRM systems is looking at a potential liability of this magnitude if those systems are compromised.
The AI relevance is direct: AI agents in sales, customer service, and revenue operations increasingly have read-write access to CRM systems containing millions of customer records. The same attack surface that exposed Comcast's 30 million customers now sits behind every AI agent that can query, update, or export CRM data without governance controls.
RuntimeAI Take
RuntimeAI's AI Integration Fabric enforces scope-limited, audited access for every AI agent touching CRM data. Read vs. write permissions are enforced at the policy layer, not assumed from the underlying CRM role. Every query, export, or bulk operation is logged in the Audit Black Box with full context: which agent, which data class, which tenant, at what time. A Comcast-scale exfiltration is detectable in the first batch of anomalous record access, not in the settlement filing three years later.
9. Amtrak: 2.1M to 9.4M Customer Records via CRM/Salesforce Attack
A CRM/Salesforce-related attack on Amtrak compromised between 2.1 million and 9.4 million customer records, with exposed data including personal information and detailed travel history. The travel history dimension is particularly sensitive: it provides attackers with a rich behavioral dataset for targeted phishing, social engineering, and identity theft at a level of precision far beyond simple credential exposure.
Travel history data is an underappreciated attack vector. Knowing that a customer traveled to a specific city on a specific date creates a social engineering baseline that is nearly impossible to defend against at the individual level. Combined with contact information, it enables highly convincing spear-phishing that references real events from the victim's life.
For enterprises, the Amtrak breach is a reminder that CRM systems don't just store contact records; they store behavioral histories, purchase patterns, and relationship maps that are uniquely valuable to attackers. AI agents that query CRM systems to "personalize" outreach are accessing exactly the data that makes these breaches so damaging.
RuntimeAI Take
RuntimeAI's PII Shield tokenizes sensitive customer fields (including behavioral data like travel history) before they're ingested into AI agent context. An AI agent can be personalized without ever seeing raw PII. The data classification engine identifies high-sensitivity fields (location history, financial records, health data) and applies automatic masking policies. A Salesforce integration querying customer travel records triggers a classification alert and applies field-level tokenization: the agent sees a behavioral profile, not extractable PII.
The Pattern: Your AI Stack Is the New Attack Surface
Seven incidents this week. The common thread across all of them is not the sophistication of the attackers; it's the surface area that modern AI tooling has created in the enterprise environment.
- AI development dependencies (SAP npm) are pulled automatically by CI/CD pipelines with no integrity verification. One compromised maintainer account, one poisoned package, and every engineer's credentials are at risk.
- Vendor secrets in client-side code (ClickUp) expose enterprise and government tenants to risks they have zero visibility into. A hardcoded API key in a vendor's JavaScript bundle is indistinguishable from legitimate code unless you're actively scanning for it.
- Unpatched enterprise systems adjacent to AI workflows (SharePoint CVE-2026-32201) become injection points into every AI pipeline that reads from them. A compromised document store is a compromised RAG system.
- AI-augmented social engineering (ADT vishing) has made credential-based attacks more convincing than ever. The human is now the weakest link in a technically hardened identity stack.
- IT/OT boundary proximity (Itron, Medtronic) means that corporate AI workloads running adjacent to critical systems create lateral movement risk that wasn't present when corporate networks were air-gapped from operational infrastructure.
The organizations hardest hit this week weren't running obviously insecure environments. They had enterprise SSO, managed identity, and modern development tooling. The attack surface opened up because secrets in vendor code, unpatched collaboration tools, and poisoned dependencies are invisible to traditional perimeter defenses.
Supply chain integrity enforcement · AI tool OAuth scope governance · Phishing-resistant identity for privileged access · Real-time outbound anomaly detection · IT/OT boundary enforcement · Endpoint infostealer detection · Immutable audit trail across all layers. One platform. Runtime enforcement, not post-incident analysis.
If your AI security stack didn't stop these, you need RuntimeAI.
Seven incidents. Every single one detectable and blockable at the RuntimeAI control plane. See how runtime enforcement works across your environment.