#099 - When your AI dev tools become the attack vector

PRESENTED BY

Cyber AI Chronicle

By Simon Ganiere · 22 ^nd February 2026

Welcome back!

Something changed this week. Not gradually - abruptly. For three years, the dominant narrative around AI and security was that attackers would use AI to write better phishing emails and defenders would use AI to write better detection rules. A productivity arms race. Manageable. Familiar.

That frame is now obsolete.

This week produced three incidents that individually would have been notable. Together, they mark a threshold: AI systems are no longer just tools that attackers use - they are infrastructure that attackers target and, in at least one confirmed case, actively deploy as a payload. A prompt injection vulnerability in a Claude-powered CI/CD workflow was weaponised to compromise 4,000 developer machines. A new Android malware family called PromptSpy became the first confirmed malware to call a generative AI model - Google's Gemini - at runtime to adapt its own behaviour. And the Google Threat Intelligence Group released a tracker documenting state-sponsored actors from China, North Korea, and Iran systematically embedding AI into every stage of the kill chain.

The question for CISOs this week is not "are attackers using AI?" That question was settled. The question is: "which parts of our AI stack are now attack surface?" Most organisations cannot answer that. They should start trying.

🔗 AI Supply Chain & Model Attacks: ↑↑↑ Major escalation

Significance: The CI/CD pipeline is now a prompt injection attack surface. If your AI-powered development workflows have excessive permissions, they are a viable path to production credential theft.

🤖 AI-Enabled Social Engineering & Malware: ↑↑ Significant increase

Significance: AI is no longer just in the pre-attack preparation phase. PromptSpy proves the integration is moving into execution. Defenders focused only on AI-generated phishing are watching the wrong stage of the kill chain.

🏴‍☠️ Nation-State AI Operations: ↑↑ Significant increase

Significance: The industrialisation of AI misuse is now documented with attribution. This is not theoretical. APT31 is not experimenting - they are operationalising.

🔗 Enterprise AI Risk: ↑ Moderate increase

Significance: The governance gap in enterprise AI deployment is widening faster than security teams can close it. Most organisations deploying AI agents have not evaluated them for security, and the attack surface taxonomy doesn't exist in most security programmes yet.

SPONSORED BY

AI should work for you, not the other way around. Norton Neo is the world's first safe AI-native browser with context-aware AI, built-in privacy, and configurable memory. Zero-prompt productivity that actually works.

Try Norton Neo Now

On February 16, Bruce Schneier published a framework that deserves serious attention: a seven-stage kill chain specifically for attacks against LLM systems and AI agents. The stages mirror traditional APT methodology - initial access, privilege escalation (jailbreaking), reconnaissance, persistence, command-and-control, lateral movement, and actions on objectives. What makes the framework significant is not its novelty as an academic exercise - it's that every stage is demonstrated with real-world examples that happened in 2025 or early 2026.

The persistence stage is the one that should concern security architects most. Promptware can embed in LLM long-term memory or RAG databases, surviving context resets and creating a durable foothold that existing security tooling simply doesn't look for. There is no SIEM alert for "malicious instruction persisted in vector store." The command-and-control stage is equally troubling: dynamic, evolving attack instructions delivered through what looks like normal LLM inference traffic.

The practical implication is architectural. The same week Schneier published this, researchers at Check Point demonstrated proof-of-concept C2 channels running through Grok and Microsoft Copilot, using the AI platforms' web browsing capabilities to relay commands and stolen data through trusted services. No API keys required. Bypasses traditional network security controls because the traffic originates from legitimate AI platforms.

For CISOs deploying AI in 2026: your threat model needs a "promptware" section. If it doesn't have one, you have not finished your threat model.

The ESET researchers who discovered PromptSpy were careful with their language: "first known Android malware to use generative AI at runtime." That qualifier - "first known" - is the part worth pausing on. Not because it implies there are others (though there probably are). Because it marks the moment this capability transitions from theoretical to documented.

The mechanics are worth understanding. PromptSpy sends XML dumps of the device's screen state to Google's Gemini API and receives JSON instructions for specific UI gestures - tap coordinates, swipe directions - that achieve app persistence across different Android device manufacturers. The device-specific variation problem that would traditionally require a library of hard-coded UI scripts is outsourced to Gemini in real-time. The malware loops with the AI until it confirms successful persistence. This is not AI-assisted development. This is AI-as-operational-component.

The targeting is currently limited to Argentina, with evidence of Chinese development origin. The campaign shows characteristics of active deployment beyond proof-of-concept - dedicated domains, fake banking sites, full spyware capabilities including VNC remote access and credential theft. Google's own threat intelligence group, in a separate report published the same week, documented state-sponsored actors - including North Korean and Iranian groups - using Gemini across all stages of attack operations, including a malware family called HONESTCUE that uses the Gemini API to generate second-stage exploit code.

The pattern is clear: attackers are not waiting for AI models to become autonomous agents. They are integrating available AI APIs into existing attack infrastructure right now, as a capability upgrade. The economics are compelling. A Gemini API call that replaces 500 lines of device-specific UI scripts costs fractions of a cent and is near-impossible to attribute. For mobile threat teams and any CISO with a BYOD policy: update your threat model to include AI-integrated malware. This category now has confirmed specimens.

The most technically significant event of the week received less coverage than it deserved. On February 17, 2026, an unknown threat actor compromised the Cline CLI npm package - a popular open-source AI coding assistant - and silently installed OpenClaw, an autonomous AI agent, on approximately 4,000 developer machines during an 8-hour exposure window before the maintainers revoked the compromised publishing token.

The attack chain is a masterclass in how AI-powered development infrastructure creates new attack surface. The threat actor exploited a prompt injection vulnerability - dubbed "Clinejection" by researcher Adnan Khan - in Cline's Claude-powered GitHub issue triage workflow. That workflow had excessive permissions. The injected prompt caused the AI agent to execute arbitrary code within the CI/CD pipeline, which the attacker used to poison the GitHub Actions cache and steal the production npm publishing token from the nightly release workflow. Total time from "issue opened" to "4,000 machines compromised": hours.

The payload itself - OpenClaw - was not traditional malware. It is an AI agent platform. Which raises a question that the security industry has not had to ask before: what does it mean when the payload is an autonomous AI agent rather than a RAT or an infostealer? OpenClaw has its own separate security issues: Adversa AI's SecureClaw audit identified CVE-2026-25157 (one-click RCE), CVE-2026-25253 (Docker sandbox bypass), and active exploitation through its own plugin marketplace supply chain compromise (ClawHavoc). Organisations that had Cline installed now also have OpenClaw installed - with all its vulnerabilities - on developer machines, potentially with access to source code, credentials, and internal systems.

The operational implication is immediate: if you allow AI coding assistants in your development environment, they are now part of your supply chain threat model. Their CI/CD integrations, their permissions, their automated workflows - all of it. The Cline incident is not a fringe case. It is the first confirmed exploit of the new category "AI developer tool supply chain attack." It will not be the last.

🤖 AI-Enabled Attacks

🏴‍☠️ Nation-State AI Activity

💀 AI in Ransomware / Cybercrime

🔗 AI System Vulnerabilities

🔬 Research & Detection

The concept of "AI security" is splitting into two distinct disciplines this week.

The first discipline - using AI in security operations, AI-powered threat detection, AI-assisted incident response - is familiar territory. There's a market for it, vendors to evaluate, frameworks to follow. Security teams understand where it fits.

The second discipline is the one this week's data points toward: securing AI systems as infrastructure. Not using AI as a security tool, but treating AI tooling - coding assistants, AI agents, LLM integrations, MCP connectors - as the infrastructure they actually are, with the same attack surface analysis, access control reviews, and vulnerability management that you apply to any other critical system. Most organisations are not doing this. Not because they don't know it's important - because the frameworks don't exist yet, the vendors are only beginning to build audit tooling, and the people who understand how to threat-model a CI/CD pipeline's AI integration are rare.

Rosling's negativity instinct¹ is useful here. Is this genuinely new, or is detection improving? The Cline incident is genuinely new. Prompt injection exploiting an AI-powered CI/CD workflow to steal production credentials is not a theoretical attack class that researchers found - it was discovered because 4,000 machines were compromised. PromptSpy is genuinely new. Not because AI-integrated malware was unimaginable, but because nobody had confirmed a specimen before this week.

One thing to do on Monday: pull up your inventory of AI tools deployed in your development environment. Cline, Cursor, GitHub Copilot, any AI-powered code review or issue triage tool. Ask one question for each: what permissions does the AI workflow have? If the answer is anything approaching "write access to production credentials or publishing pipelines," you have a Clinejection-class exposure right now. The patch is not a software update. The patch is access control.

Reference: AI Influence Level from Daniel Miessler

Till next time!

Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.