Identity & Auth
Credential leaks, key compromise, authentication bypass.
GTG-1002
The First Reported AI-Orchestrated Espionage Campaign Where the Agent Executed 80–90% Autonomously, and Agent Authority Was Never Independently Verified
Claude Code Source-Leak Lures
Weaponizing Trust Signals and GitHub Releases as a Provenance-Spoofed Delivery Channel
The TanStack npm Compromise
Malicious Packages Signed Under a Legitimate OIDC Trusted Publisher, Where a Valid Provenance Signature Did Not Mean a Trustworthy Artifact
The GitHub Internal Repository Breach
A Poisoned VS Code Extension, Live for 18 Minutes, Exploited the Developer Trust Surface
The Verus-Ethereum Bridge Hack ($11.58M)
A Valid Merkle Proof, But No Verification That the Source Amount Matched the Payout
McKinsey Lilli's Writable System Prompts
The Layer Governing the AI's Behavior Had No Integrity or Provenance
The Robert Williams Wrongful Arrest
When an AI Face-Match Drove a Government Enforcement Action Without Independent Verification
The Coinbase KYC Insider Breach
When Regulation-Mandated Storage of Raw PII Becomes the Breach Surface
Starlette CVE-2026-48710 (BadHost)
MCP Server Authentication Bypass via HTTP Host Header Manipulation
Megalodon GitHub Supply Chain
CI/CD Credential-Theft Campaign That Poisoned 5,561 Repositories in 6 Hours
Cursor + Claude Opus 4.6 Wiped PocketOS Production DB in 9 Seconds
The Unverified Destructive Authority of AI Coding Agents
Google API Keys Remain Usable for 23 Minutes After Deletion
Independent Verification Gap in Credential Revocation Attributes
KelpDAO / rsETH Unauthorized Unlock
RPC Manipulation Attack on the DVN Observation Layer
Stake DAO vsdCRV Unauthorized Mint
LayerZero v2 Trust Source Rewriting via Deployer Key