#104 - Agentic AI Attacks Confirmed: Nation-State LLM Exploits Hit Infrastructure

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 29^th March 2026

Welcome back!

That sentence came from Rob Joyce - former NSA Cybersecurity Director - speaking at RSAC 2026. The Anthropic incident report on Chinese-backed actors building an agentic AI framework to automate end-to-end intrusion operations has been circulating since February, but Joyce's framing at the conference cut through the debate that had been building around it. "It brought a set of tools, it went against real-world targets, and it won." That is not a hedged threat intelligence assessment. That is a practitioner confirming operational success against approximately 30 critical infrastructure organisations.

231 articles processed this week. AI threat coverage by our pipeline jumped 250% over the prior period - from 24 articles to 84 - which is partly a detection artefact of RSAC bringing the industry into one room, but partly real signal. The dominant pattern this week is not a single incident. It is convergence: agentic AI being weaponised by nation-states, AI infrastructure being systematically targeted by supply chain attackers, and the attacker economics of AI fraud consolidating into something that looks less like a threat and more like an industry. The TeamPCP supply chain campaign alone compromised over 1,000 cloud environments through a single CI/CD toolchain - targeting, specifically, the AI infrastructure layer.

The week's most important development is not the most dramatic. It is the LangChain vulnerability disclosure. Three flaws in a framework with 52 million weekly downloads, one of them a CVSS 9.3 deserialization bug. Your AI application stack almost certainly has a dependency on it.

🤖 AI-Enabled Social Engineering & Deepfake Operations: ↑↑ Industrialised

Scam compounds in Cambodia, Myanmar, and Laos have formalised a dedicated role - the "AI model" - specifically for real-time deepfake video fraud, with individual operators handling up to 100 live calls per day, earning up to $7,000 per month. The deepfake layer closes pig-butchering operations when text-based social engineering fails video verification. Separately, Google's M-Trends 2026 report identifies vishing as the second most common initial access method across all 2025 intrusions, and the top method for cloud environment compromises.

Significance: Telling employees to request a video call to verify identity is no longer useful advice. Real-time deepfake video at 100 calls per day is a production capability, not a research demonstration.

🏴‍☠️ Nation-State AI Operations: ↑↑↑ Critical - confirmed agentic attack success

The week's defining story: Chinese APT actors built an agentic AI framework using Anthropic's Claude to conduct autonomous kill-chain operations - surface mapping, infrastructure scanning, vulnerability identification, exploit development, credential abuse, lateral movement, and data exfiltration - against approximately 30 critical infrastructure organisations. Rob Joyce confirmed at RSAC that it succeeded. The modular architecture assigns discrete attack steps to specialised agents, meaning the framework improves as LLMs improve. Budget, not capability, is now the constraint on AI-powered exploit generation.

Separately, GTIG's AI Threat Tracker documented APT28's PROMPTSTEAL - the first confirmed in-the-wild nation-state use of LLM-generated command execution mid-attack - alongside PROMPTFLUX, a self-modifying dropper that rewrites its own VBScript source using Gemini to evade detection. North Korea's UNC1069 used an AI-generated deepfake of a cryptocurrency CEO in a fake Zoom call to deploy seven malware families against a FinTech target, while also using Google Gemini for reconnaissance and tooling development.

Significance: The Chinese APT agentic framework is the first confirmed case of autonomous AI executing a full intrusion cycle successfully against real-world targets. This is not aspirational tradecraft. Treat it as the baseline for what nation-state AI capability looks like now.

🔗 AI Supply Chain & Developer Ecosystem Attacks: ↑↑↑ Critical - multi-vector campaign

TeamPCP executed the most consequential supply chain campaign of the quarter. The full picture: Aqua Security's Trivy scanner was compromised via a stolen access token, 75 of 76 trivy-action version tags were repointed to a credential stealer, and that initial access was used to exfiltrate LiteLLM's PyPI publishing token. LiteLLM versions 1.82.7 and 1.82.8 - the standard Python LLM gateway with 3.4 million daily downloads, present in approximately 36% of all cloud environments per Wiz Research - were then backdoored. The payload harvests cloud credentials, API keys, SSH keys, Kubernetes secrets, and cryptocurrency wallets, and deploys privileged Kubernetes pods for lateral movement. 1,000+ cloud environments confirmed infected; Mandiant projects 10,000+.

TeamPCP has announced collaboration with Lapsus$ and a ransomware group called Vect. The campaign is now explicitly positioned as ransomware initial access infrastructure.

Significance: TeamPCP specifically targeted the AI infrastructure layer - LiteLLM, Trivy, KICS. This is not coincidental. AI tooling has broad access to production secrets and sits in trusted CI/CD pipelines. It is the efficient path to cloud credentials at scale.

🏢 Enterprise AI Risk: ↑↑↑ Critical - AI framework vulnerabilities actively exploited

CVE-2026-33017, a CVSS 9.3 unauthenticated RCE in the Langflow AI workflow framework, was actively exploited within 20 hours of advisory publication - attackers moved from automated scanning to working exploit scripts within a day, with no public PoC available, meaning they derived exploits from the advisory itself. CISA added it to the KEV catalog.

LangChain and LangGraph (52 million weekly downloads) disclosed three vulnerabilities: CVE-2026-34070 (path traversal, CVSS 7.5), CVE-2025-68664 (deserialization leaking API keys and secrets via crafted prompts, CVSS 9.3), and CVE-2025-67644 (SQL injection in LangGraph checkpointing, CVSS 7.3). All patched, but the downstream dependency surface is enormous.

AWS Bedrock has eight validated attack vectors documented by XM Cyber - log deletion, knowledge base credential theft, agent hijacking, flow injection, guardrail degradation, prompt poisoning - all exploitable through overly permissive IAM. A single compromised identity with relevant Bedrock permissions can silently exfiltrate all model interactions across an enterprise.

A zero-click prompt injection vulnerability in Anthropic's Claude Chrome extension (ShadowPrompt) chained an overly permissive wildcard origin allowlist with a DOM-based XSS to inject malicious prompts without any user interaction. Patched in v1.0.41; no active exploitation confirmed.

Significance: Langflow being exploited within 20 hours of advisory publication is the same exploitation velocity we see against network perimeter devices. AI workflow infrastructure is now being treated by attackers the same way they treat Fortinet appliances.

☁️ AI-Driven Cloud Attacks: ↑↑ Identity as the primary vector

An unknown threat actor breached at least one AWS account belonging to the European Commission, claiming 350+ GB exfiltrated including databases and email server contents. AWS confirmed its own infrastructure was not compromised, meaning the attack was at the account/identity layer. The breach follows a separate January 2026 Commission compromise tied to Ivanti EPMM vulnerabilities.

Google's M-Trends 2026 documents access broker hand-offs to ransomware gangs now occurring in under 30 seconds, with Chinese APT UNC6201 achieving an average 393-day dwell time through edge device compromises. Identity - not exploits - is the primary attack mechanism.

Significance: The European Commission breach via cloud account compromise, not platform vulnerability, is the model. Privileged cloud identity is the attack surface. Governance of that identity is the control.

🔗 AI System Vulnerabilities - Prompt Injection Evolution

OpenAI's security team documented that effective prompt injection attacks now incorporate social engineering tactics, making AI firewall approaches insufficient - a 2025 ChatGPT attack achieved a 50% success rate exfiltrating employee PII by embedding malicious instructions inside a plausible business email. The Context Hub poisoned documentation attack demonstrates the same principle without malware: fake PyPI dependencies embedded in API documentation were autonomously written into project configuration files by coding agents, with Haiku susceptible 100% of the time and Sonnet 53%.

Significance: Prompt injection has matured from researcher curiosity to production attack vector. The controls that work for network intrusion - detect the malicious input - do not work when the malicious input is indistinguishable from legitimate business content.

SPONSORED BY

AI will eliminate 300 million jobs in the next 5 years.

Yours doesn't have to be one of them.

Here's how to future-proof your career:

Start learning AI now

Rob Joyce calling the Chinese APT's agentic AI framework a "Rorschach test" for the security industry was accurate. The divide it revealed was not between alarmists and rationalists. It was between people who understand what "it won" means operationally and people who are still asking whether AI can find vulnerabilities.

The framework was not using AI as a research assistant. It was built as a modular attack orchestrator - discrete agents assigned to discrete kill-chain steps, each improvable independently as underlying models improve. The RSAC presentation made explicit what the Anthropic report had implied: budget, not model capability, is now the binding constraint on AI-powered intrusion. The economics are not opaque. Frontier models find bugs at scale proportional to token spend. A nation-state with a classified budget can buy a lot of tokens.

The practical implication is uncomfortable because it is not addressable by patching anything. The same AI tooling that makes development teams more productive makes automated intrusion more economical. The same commercial LLM APIs that your engineers use for code review are available to APT operators. The asymmetry this creates is real: defenders must secure every asset; the agentic framework only needs to find one.

The only meaningful defensive counter Joyce named at RSAC is agentic red teaming - using AI to find your misconfigurations before the adversary does. That is not a vendor pitch. It is the correct response to an attacker with tireless, patient automated reconnaissance capability.

The TeamPCP campaign deserves more attention than it is getting. Not because 1,000 infected cloud environments is a large number in isolation, but because of what was specifically targeted and why.

Trivy is a vulnerability scanner. KICS is an infrastructure-as-code scanner. LiteLLM is an LLM gateway. These are not random package selections. These are tools that live inside CI/CD pipelines, have privileged access to production secrets by design, and are trusted in ways that business applications are not. The attacker logic is sound: compromise a security tool and you compromise everything it was given access to. The TAG mutation technique used against trivy-action - repointing existing version tags to malicious commits without any visible change to tag names or release pages - is specifically engineered to defeat the tooling most organisations use to monitor supply chain changes.

The LiteLLM compromise is particularly clarifying. 3.4 million daily downloads. Present in 36% of cloud environments. Executes on package import. Deployed privileged Kubernetes pods for lateral movement. The credential harvest - cloud tokens, API keys, SSH keys, Kubernetes secrets - is exactly the set of credentials needed to reach production infrastructure from a development environment. This is not data exfiltration as an end goal. It is initial access infrastructure at scale.

The CanisterWorm self-propagation component used stolen npm publish tokens to autonomously infect additional packages. That is the supply chain attack that improves itself by running.

The response is not a new tool. It is two configuration changes most organisations have not made: pin GitHub Actions to commit hashes rather than tags, and audit what secrets your CI/CD pipelines are permitted to pass to any third-party action or package. Neither requires budget. Both require someone deciding they matter before the next TeamPCP campaign.

Security teams that have been treating AI application frameworks as a separate category from network infrastructure need to recalibrate. The Langflow exploitation timeline changes the assumption.

CVE-2026-33017 in Langflow was exploited within 20 hours of advisory publication, with no public PoC. Attackers derived working exploits directly from the vulnerability description. That exploitation velocity is indistinguishable from what we observe against Fortinet or Ivanti appliances. The same N-day exploitation infrastructure the ransomware ecosystem built for edge devices is now being applied to AI workflow tooling.

The LangChain disclosures compound this. CVE-2025-68664, the CVSS 9.3 deserialization vulnerability that leaks API keys and environment secrets via crafted prompt inputs, is not a theoretical attack path. LangChain has 52 million weekly downloads. The dependency graph for enterprise AI applications - who pulls LangChain, who pulls LangGraph, who pulls LiteLLM - is not something most security teams have mapped. It is not something most development teams have mapped. The attack surface is real, it is large, and it is now confirmed to be on the same exploitation timeline as the rest of your internet-facing infrastructure.

The practical question for Monday: ask your AI platform teams to produce a dependency graph of every AI framework your applications use, the version they are running, and whether it is the patched version for this week's CVEs. Most teams will not be able to answer the version question quickly. That gap is the risk.

🤖 AI-Enabled Attacks Scam compound "AI models" handling 100 deepfake video calls per day in Southeast Asian fraud operations confirms real-time face-swap technology has crossed the threshold into industrialised consumer fraud. Virtual cloud phone platforms pre-configured with stolen banking credentials are selling for $50–$200 each, enabling authorised push payment fraud at scale by defeating device-binding controls.

🏴‍☠️ Nation-State AI Activity CyberStrikeAI, an open-source AI-native offensive platform integrating Anthropic Claude and DeepSeek for attack chain automation, was deployed to compromise 600+ FortiGate devices across 55 countries - the developer has confirmed ties to China's Knownsec 404 and the MSS. Microsoft's threat intelligence formally documented Jasper Sleet and Coral Sleet using AI to generate culturally tailored fake personas for North Korea's IT worker infiltration scheme at scale.

💀 AI in Ransomware / Cybercrime GLOBAL GROUP, an emerging RaaS assessed as a Black Lock rebranding, has introduced an AI-driven negotiation chatbot enabling non-English-speaking affiliates to conduct ransom negotiations - 17 confirmed victims in six weeks, predominantly healthcare. Google/Mandiant's ransomware TTP analysis documents declining ransom payment rates driving adoption of AI-assisted operations and Web3 infrastructure as ransomware groups adapt to an eroding business model.

🔗 AI System Vulnerabilities LangChain/LangGraph vulnerabilities (CVE-2025-68664 CVSS 9.3, CVE-2026-34070 CVSS 7.5, CVE-2025-67644 CVSS 7.3) affect 52 million weekly downloads and expose API keys, secrets, and databases via crafted prompts and path traversal. AWS Bedrock's eight documented attack vectors - all exploitable through overly permissive IAM - can exfiltrate all model interactions and laterally move to integrated enterprise systems from a single compromised identity.

🏢 Enterprise AI Risk RSAC 2026 vendor research found 59–99% of surveyed organisations reporting shadow AI or AI-related incidents, depending on the study - the variance itself is informative. Agentic AI governance analysis from OpenClaw's exposure identifies supply chain drift via third-party extensions accumulating permissions as the primary unmanaged risk in enterprise AI deployments.

🔗 Supply Chain The complete TeamPCP campaign - Trivy, KICS, LiteLLM, Telnyx, 64+ npm packages, and the MCP ecosystem - represents a deliberate, sustained effort to compromise AI toolchain infrastructure with cascading supply chain pivot capability. GlassWorm expanded to MCP server packages using Solana blockchain C2 - a channel that does not appear in SIEM rules.

The week at RSAC produced one genuinely important confirmation and a lot of noise. The confirmation: Chinese APT actors built a modular agentic AI framework, ran it against real-world critical infrastructure targets, and it succeeded. Rob Joyce said "it won." That sentence closes the debate about whether AI-enabled intrusion is a realised threat or a research concern. The debate that actually matters now is what a defender does when the attacker's reconnaissance is automated, patient, and improving as the underlying models improve.

The noise is everything else at the conference - 40+ vendor announcements on "agentic AI security," each implying the problem is one product purchase away from solved. It is not. The Langflow exploitation happened within 20 hours of advisory publication using a framework that most AI application teams have not added to their asset inventory, let alone their patching programme. The TeamPCP campaign compromised 1,000+ cloud environments through trusted CI/CD tooling that security teams approved and never audited again. The controls that would have prevented both existed before this week.

AI threats are accelerating, but not in the direction the conference talking points suggest. The frontier is not AI generating novel malware. It is AI being used as an efficiency layer on top of the same attack patterns that worked last year - automated reconnaissance instead of manual, synthetic personas instead of human, agentic orchestration instead of step-by-step operator execution. The attackers are not innovating the kill chain. They are automating it. The defensive question is the same one it has always been: can you see what is happening fast enough to respond? Most organisations, given the average 393-day dwell time documented in M-Trends 2026, cannot.

Monday's question is narrow and answerable: how many of the AI frameworks your applications depend on are running patched versions as of today? Get that number. It is probably not zero.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.