TanStack Hits OpenAI, GitHub 4K Repos Stolen, CISA Leaks AWS GovCloud Secrets:
Week of May 21, 2026

This Week's Pattern: Your Supply Chain Is Your Attack Surface.

A widely-used open-source JavaScript library — TanStack — was compromised this week. Two OpenAI employees had their devices breached through it. Apple had to push macOS security updates. Grafana was breached not because of a flaw in Grafana itself, but because a token rotation step was missed after the TanStack event. GitHub confirmed 4,000 internal repositories were stolen. And CISA — the US government's own cybersecurity agency — had credentials to AWS GovCloud environments leaking from its public GitHub account.

Five separate incidents. One mechanism: something you trusted, built by someone else, holding a key to something important — and nobody noticed until the data was already out the door.

The AI layer adds a new dimension. Hackers in Latin America are now generating custom attack tools in real time using AI agents — adapting their malware on the fly to each new target environment. A new vulnerability class called OpenClaw "Claw Chain" enables full AI agent takeover. And enterprises are deploying AI agents faster than their identity security teams can govern them.

Here's what happened, why the supply chain pattern keeps winning, and what RuntimeAI enforces against each class.

Supply Chain Attacks

1 — TanStack Supply Chain Attack Compromises Two OpenAI Employee Devices

TanStack is not some obscure package maintained by one developer in a spare bedroom. It is a mature, widely-starred, enterprise-grade library used in production by companies you have heard of. The supply chain attack surface is not your vendors' worst libraries. It is their best ones. The ones that are so trusted, nobody scrutinizes the update.

The OpenAI angle is particularly instructive. The two employees compromised were almost certainly developers — people who install npm packages as reflexively as drinking coffee. Their devices held credentials that mattered enough to force an Apple macOS update. The blast radius of one developer's npm install now extends to the devices of an AI frontier lab and to the OS update infrastructure of the world's largest consumer hardware company.

Most Advanced AI Security Zero Trust · Defence in Depth

Supply chain attacks succeed because the install step is trusted and the execution environment is open. RuntimeAI constrains both:

• Discovery — package provenance inventory: RuntimeAI's AI Inventory and NHI Security track every package pulled into developer environments and CI pipelines, with source, hash, and publisher signature. A TanStack build that differs from the last verified hash is flagged before the first developer runs it — not after two devices are breached.
• Behavioural enforcement — developer workload sandboxing: KYA-issued developer identities constrain what npm postinstall hooks can reach. Credential stores, cloud metadata endpoints, and internal API surfaces are blocked from package installer processes — the TanStack payload has nothing useful to exfiltrate from inside the sandbox.
• Flow / egress control — outbound destination gating: Flow Enforcer blocks outbound calls from development tooling to non-allowlisted destinations. The attacker's exfiltration endpoint is not on the allowlist; the stolen token never reaches the C2 server.
• Immutable audit trail — package-install-time logging: Every package installation, every postinstall hook execution, and every resulting network call is recorded in the Audit Black Box. When TanStack is confirmed compromised, the forensic question "which of our developers installed it, and what did it touch" is answered in minutes, not weeks.

The supply chain is not patchable. The execution environment around it is governable.

2 — GitHub Confirms Breach: 4,000 Internal Repositories Stolen

GitHub is infrastructure for the global software supply chain. When GitHub's internal repos leak, the question is not "what did attackers get." The question is "what was in those repos that attackers can now use to compromise downstream targets." Secrets in internal repos. Undisclosed vulnerability data. CI/CD runner configurations. Service account tokens. Any of these, extracted from 4,000 repos, could fuel a multi-year downstream attack campaign that looks like normal CI activity from the outside.

Most Advanced AI Security Zero Trust, Layer by Layer

Code repository breaches are dangerous because the data inside is inherently trusted — it was put there by your own engineers. RuntimeAI enforces at the data layer, not the perimeter:

• Discovery — secrets scan across every repo: RuntimeAI's NHI Security continuously scans every code repository — including internal ones — for embedded secrets, tokens, and credentials. A GitHub breach yields the repos, but not the live credentials, because none are present to find.
• Behavioural enforcement — CI/CD identity pinning: Every CI/CD runner, every GitHub Actions workflow, and every automated pipeline is issued a KYA scoped credential with a declared purpose and expiry. Stolen runner tokens from a GitHub breach can't escalate beyond the original declared scope — there is no lateral movement from "CI runner" to "production database."
• Flow / egress control — Actions exfiltration prevention: Flow Enforcer monitors outbound traffic from CI/CD pipelines and blocks calls to non-allowlisted external destinations. Attacker-inserted Actions steps that attempt to exfiltrate build artifacts or secrets are stopped at the network boundary.
• Immutable audit trail — repo-access audit log: Every repository access, clone, and API call is logged with the requesting identity and timestamp. When GitHub confirms a breach, RuntimeAI customers can immediately pull their own access log and determine whether any of their repos were among the 4,000 — without waiting for GitHub's disclosure timeline.

Your code repo is not just your IP. It is the key to your entire delivery pipeline. Govern what it can reach.

3 — Grafana Breached via Missed Token Rotation After TanStack Attack

This is the second-order consequence of supply chain attacks that almost nobody talks about. The TanStack incident created a list of "tokens that may have been exposed" at every company running TanStack. Grafana had such a token. They either did not identify it, or identified it and did not rotate it in time. The result: a breach that had nothing to do with Grafana's own security posture and everything to do with the gap between "we know we should rotate" and "we actually rotated."

Every major supply chain event generates this list. Most of those lists never get fully actioned. The attackers know this and they wait.

Most Advanced AI Security How RuntimeAI Stops This

The missed-rotation problem is a process failure, but it is also a visibility failure. RuntimeAI addresses both:

• Discovery — supply-chain event credential mapping: When a supply chain compromise is confirmed, RuntimeAI's NHI Security instantly surfaces every credential that touched the affected component — mapped to the workload, owner, and last-use timestamp. The "rotation checklist" generates automatically, not manually.
• Behavioural enforcement — automatic rotation triggers: KYA credentials issued to workloads that pulled a compromised package are automatically flagged for rotation. If rotation is not completed within the policy window, the credential is suspended — removing the attacker's access even if the human rotation step was missed.
• Flow / egress control — post-compromise access restriction: Credentials flagged as "potentially exposed" are automatically downscoped pending rotation. An attacker holding the unrotated Grafana token would find it still technically valid but restricted to read-only, non-sensitive operations until the rotation completes.
• Immutable audit trail — rotation compliance tracking: Every rotation event (or absence of rotation) is recorded in the Audit Black Box. The question "did we complete all rotations after TanStack" has a definitive, provable answer — not an answer that depends on someone's memory of a checklist item.

The supply chain event is the trigger. The rotation window is the race. RuntimeAI wins that race automatically.

Secrets & Credentials

4 — CISA GitHub Leak Exposes AWS GovCloud Secrets

The CISA leak is the security industry's recurring cautionary tale, now starring the cautioner. If the agency that publishes advisories about GitHub secrets exposure has GitHub secrets exposure, the implicit assumption that "we would know if we had this problem" is demonstrably false for every organization below CISA's security maturity level — which is most of them. Secrets scanning is not a one-time action. It is a continuous control. The repo that is clean today has a commit tomorrow.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

The CISA scenario — secret committed, not caught, sitting in public — requires a continuous scanning posture, not a quarterly audit. RuntimeAI enforces it:

• Discovery — continuous secrets scanning: RuntimeAI's NHI Security scans every repository commit in real time for embedded secrets, tokens, and credentials. A GovCloud key committed to a public repo is detected within seconds of the push — not weeks after a researcher publishes a disclosure.
• Behavioural enforcement — commit-time blocking: Pre-commit and pre-push hooks enforced by RuntimeAI policy block any commit containing a secret pattern from reaching the remote — even if the developer pushes it to a public repository. The CISA scenario never reaches GitHub's servers.
• Flow / egress control — exposed credential auto-revocation: When a secret is detected in a public repo, RuntimeAI triggers automatic revocation of the exposed credential via the relevant provider API (AWS, GCP, Azure). The window between "secret is public" and "secret is revoked" collapses from hours to under 60 seconds.
• Immutable audit trail — exposure timeline: Audit Black Box records when the secret was committed, when it became public, and every access made using it from that moment. For regulators and incident response, the exposure timeline is cryptographically provable — not reconstructed from access logs after the fact.

Every organization has a CISA scenario waiting to happen. RuntimeAI closes the window before it opens.

AI Agent Exploits

5 — OpenClaw "Claw Chain" Vulnerabilities Enable Full AI Agent Takeover

Claw Chain is structurally similar to prompt injection, but more severe: it does not just manipulate what the agent says — it takes over what the agent does. Tool calls, API requests, file reads, and database queries all become attacker-controlled once the chain is triggered. Every enterprise running an AI agent that processes user-provided content — which is essentially every enterprise running an AI agent — has a potential Claw Chain surface.

The practical consequence: an AI agent with database access, internal API access, or file system access is now equivalent to a remotely-exploitable RCE vulnerability in your environment. The agent is the exploit surface.

Most Advanced AI Security How RuntimeAI Stops This

Claw Chain exploits the assumption that the agent's execution context is trustworthy. RuntimeAI replaces that assumption with continuous enforcement:

• Discovery — agent execution context inventory: RuntimeAI's KYA module inventories every AI agent's declared tool access, API permissions, and data plane reach. Before Claw Chain fires, the blast radius of each agent is known and bounded — an agent that should never touch the database is not issued database credentials.
• Behavioural enforcement — runtime prompt integrity checking: Flow Enforcer monitors each agent's tool-call sequence for behavioural anomalies. A Claw Chain attack produces a sudden shift in which tools are called and in what order — a pattern that deviates sharply from the agent's baseline and triggers automatic suspension pending human review.
• Flow / egress control — tool call scope enforcement: Every tool call is validated against the agent's declared purpose before execution. A hijacked agent attempting to call a tool outside its scope — exfiltrate data, call an external API, read arbitrary files — is rejected at the execution boundary, not after the fact.
• Immutable audit trail — full tool-call provenance: Every tool call, including the agent's input that preceded it, is recorded in the Audit Black Box. When a Claw Chain attack is confirmed, the forensic question "exactly what did the compromised agent do and what data did it access" is answerable in full detail.

The agent is not a user. It should not have user-level trust. RuntimeAI enforces the boundary at the tool-call level.

Vulnerability & Auth Bypass

6 — SonicWall VPN MFA Bypassed Due to Incomplete Patching

The SonicWall story is a manifestation of the same gap as the Grafana token story: knowing you should take an action and actually completing it are two different things at enterprise scale. In Grafana's case it was token rotation. Here it is a two-part patch. Patch management at enterprise scale is not "we deployed the update." It is "we verified the complete remediation was applied and we can prove it." Most organizations can do the former. Far fewer can do the latter.

Most Advanced AI Security Zero Trust, Layer by Layer

MFA bypass via incomplete patching is a network perimeter failure, but it is also a posture visibility failure. RuntimeAI enforces at both layers:

• Discovery — VPN/perimeter asset inventory with patch state: RuntimeAI's Cloud Security module maintains a continuous inventory of network perimeter assets — including VPN gateways, SSLVPN appliances, and remote access infrastructure — with their patch state. Incomplete patch deployments surface in the posture dashboard before attackers find them.
• Behavioural enforcement — zero-trust access beyond the VPN: RuntimeAI enforces that VPN authentication is not the final trust boundary. Even an attacker who bypasses SonicWall MFA is then required to present a KYA-scoped identity for any internal resource access. The VPN perimeter is assumed to have failed; the interior enforces anyway.
• Flow / egress control — VPN session anomaly detection: Sessions authenticated via a known-vulnerable VPN appliance are flagged as elevated risk and subjected to tighter Flow Enforcer policies — reduced scope, shorter session lifetime, heightened logging rate — until the patch is confirmed complete.
• Immutable audit trail — auth event logging: Every authentication event — including the VPN handshake and MFA step — is logged with full context in the Audit Black Box. When SonicWall publishes a bypass advisory, RuntimeAI customers can immediately review which sessions may have used the vulnerable path.

The perimeter will always have incomplete patches. Zero trust means the interior does not depend on the perimeter being complete.

AI-Powered Offense

7 — LatAm Hackers Generate Custom Attack Tools on the Fly Using AI Agents

The phrase "AI democratizes attack capability" has been abstract for the past two years. It is no longer abstract. When a mid-tier criminal group in Latin America is generating bespoke exploit code tuned to your specific environment — not deploying a commodity RAT, but writing a new one as they move through your network — the assumption that "our EDR has signatures for this" fails by design. The defense cannot be reactive to tools that did not exist an hour ago. The defense has to be behavioral.

Most Advanced AI Security How RuntimeAI Stops This

Signature-based detection loses to generative attacks. Behaviour-based enforcement does not — because the attacker's actions remain constrained regardless of how novel the tool:

• Discovery — behavioural baseline, not signature catalog: RuntimeAI's Flow Enforcer builds per-workload behavioural baselines — what processes run, what networks they reach, what credentials they use. A novel AI-generated tool that has never been seen before still deviates from baseline. The signature doesn't matter; the behaviour does.
• Behavioural enforcement — execution context restrictions: KYA and Flow Enforcer constrain what any process — known or unknown — can execute, call, and access. An AI-generated attack tool dropped on a developer workstation cannot reach production credentials, cannot call internal APIs, and cannot pivot to adjacent systems without presenting a valid KYA identity for each step.
• Flow / egress control — generative egress blocked: Outbound calls to AI inference endpoints not on the enterprise allowlist are blocked. A LatAm hacking group attempting to use the victim's own network to run their code-generation prompts against a public AI API hits the egress policy — the generative loop is severed.
• Immutable audit trail — novel attack pattern detection: Audit Black Box records every action across the environment. Novel attack tools generate novel sequences — sequences that stand out against the behavioral history even without a matching signature. Analysts have the full sequence to review, contain, and learn from.

The offense is generative. The defense has to be structural. RuntimeAI builds structure at the control plane level — not the tool level.

AI Agent Governance

8 — AI Agents Outpacing Identity Security: Budget Dynamics Are Shifting

The governance gap between "we deployed this agent" and "we know what this agent can do on our behalf" is the foundational security risk of the current AI deployment wave. Every agent that a developer spins up with their own OAuth grant is a new machine identity with human-level access and no human-level accountability. When the Claw Chain attack from incident #5 fires against such an agent, the blast radius is not the agent's — it is the human whose credentials it inherited.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

The governance gap exists because identity controls were designed for humans-using-tools, not autonomous-agents-using-everything. RuntimeAI was built for the second world:

• Discovery — every agent inventoried, every access mapped: NHI Security + KYA continuously enumerate every AI agent in the environment — by team, by tool, by access scope, and by the human whose credentials it inherited. Shadow agents that were never formally registered show up as the highest-priority items in the governance queue.
• Behavioural enforcement — agents get scoped credentials, not inherited ones: RuntimeAI issues each agent a KYA credential with the minimum scope required for its declared purpose. Agents do not inherit broad human permissions — they receive a narrow, time-bounded, purpose-specific credential that cannot be used for anything the agent wasn't designed to do.
• Flow / egress control — agent-to-resource policy at the platform layer: Flow Enforcer governs which agent can talk to which resource, with which payload, at what rate. A compromised or rogue agent cannot reach outside its declared scope regardless of what credentials it presents.
• Immutable audit trail — every agent action attestable: Audit Black Box records every decision, tool call, and API request made by every agent — attributed to the agent's identity and its human authorizer. When something goes wrong, "we know exactly what the agent did and on whose authority" is the answer, not "we estimate."

The identity perimeter of the enterprise now includes every AI agent it runs. RuntimeAI is the control plane for that perimeter.

Competitor Watch

9 — Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents

Microsoft open-sourcing agent security tooling is a signal, not a solution. RAMPART and Clarity are testing and design tools — they help you find problems in an agent before deployment. They do not enforce controls at runtime. An agent that passes RAMPART's red-team tests and is designed with Clarity's guidance is still unprotected once it is deployed and begins processing real inputs from real users in a real environment where adversaries can inject Claw Chain attacks, supply chain compromises, and AI-generated exploit code.

The open-source release is valuable for the industry's understanding of the problem space. It does not compete with a deployed runtime control plane. It is the diagnostic tool; RuntimeAI is the treatment.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

Pre-deployment testing identifies known weaknesses. Runtime enforcement handles the unknown ones — and the adversarially adaptive ones:

• Discovery — continuous runtime inventory vs. pre-deployment snapshot: RAMPART tests what you know about the agent at build time. RuntimeAI discovers what the agent actually does in production — including new tool combinations, new input patterns, and new access paths that appear after deployment and after red-teaming has concluded.
• Behavioural enforcement — live policy vs. static test: Clarity helps design agents with better security properties. RuntimeAI enforces those properties at every execution — catching the Claw Chain attack that arrived after the last design review, not before.
• Flow / egress control — production traffic enforcement: RAMPART cannot model every adversarial input an agent will receive in production. Flow Enforcer operates on every real input in real time — constraining what any input, however novel, can cause the agent to do.
• Immutable audit trail — production evidence vs. test reports: RAMPART produces test reports. Audit Black Box produces production evidence — cryptographically signed records of every agent action that are admissible in regulatory proceedings, available for incident response, and useful for continuous improvement.

Testing is necessary. Runtime enforcement is what keeps you safe after the test ends.

Industry

10 — Verizon DBIR 2026: Enterprises Face a Dangerous Vulnerability Glut

The DBIR's message in 2026 is the same as in 2020 and 2015, only louder: the volume-of-vulnerabilities problem is not being solved by adding more analysts. The math does not work. The only sustainable response is to change what "unpatched" means — to ensure that an unpatched vulnerability in a publicly-facing service cannot be used to reach the data and systems that actually matter. That is a zero-trust architecture problem, not a patch velocity problem.

Most Advanced AI Security Zero Trust · Defence in Depth

RuntimeAI does not solve the vulnerability volume problem. It changes what happens when a vulnerability is exploited — which is the only lever that scales:

• Discovery — exploitability context per CVE: RuntimeAI's Cloud Security module enriches every CVE in the environment with exploitability context — is the vulnerable service reachable from outside? What does it have access to? An unpatched CVE in an isolated internal service with no production data access is different risk from the same CVE in an internet-facing service with database credentials.
• Behavioural enforcement — assume-breach containment: KYA-issued credentials for every workload mean that exploiting a vulnerability gets an attacker into a contained execution environment, not the full enterprise. The blast radius of the exploit is bounded to the scope of the compromised workload's KYA credential — not "whatever the compromised service can reach."
• Flow / egress control — lateral movement prevention: Flow Enforcer's per-workload egress policy means that an attacker who exploits a public-facing vulnerability cannot pivot to internal services without presenting a valid KYA identity for each step. The DBIR credential-theft finding becomes less relevant when stolen credentials are scoped, time-bounded, and continuously monitored.
• Immutable audit trail — exploitation evidence in real time: The Audit Black Box records anomalous access patterns the moment exploitation occurs — before an attacker can cover their tracks. DBIR's finding that median dwell time remains high is directly addressed by detection that does not depend on the attacker making a mistake.

The vulnerability glut is real and it is not going away. RuntimeAI makes the glut operationally manageable by changing what exploitation actually yields.