The Agent That Breaks In While You Sleep

The number that should keep every CISO awake is not a breach count. It is a ratio: in the first AI-orchestrated espionage campaign Anthropic disclosed this cycle, the model executed roughly 80 to 90 percent of the attack itself. Reconnaissance, exploitation, credential harvesting, lateral movement, exfiltration — all run autonomously by Claude Code against some thirty high-value targets, with humans stepping in only for the handful of strategic forks the machine could not decide alone. The operators did not need a team of elite intruders. They needed a good prompt and the patience to babysit a few hallucinations.

That is the inversion of 2026. For two years the industry sold agentic AI as the productivity story of the decade — agents that book the travel, ship the code, close the loop without a human in it. The attackers were listening. AI-enabled attacks are up 89 percent year over year, and autonomous agents now account for roughly one in eight AI-related breaches. The marketing deck and the threat report have converged into a single document.

The supply chain ate itself

What makes this moment different from past hype cycles is that the danger lives inside the plumbing we just finished installing. The Model Context Protocol — the connective tissue that lets agents reach tools, files, and each other — is now the through-line of nearly every major incident. Snyk's ToxicSkills audit scanned the ClawHub skills marketplace in February and found that 36.8 percent of skills carried at least one security flaw, with 534 of them holding critical issues: outright malware, exposed secrets, and prompt-injection payloads waiting for an agent to read them. A third of a marketplace, weaponized, distributed through the same one-click install flow that made the ecosystem feel magical.

Prompt injection is the quiet killer here because it does not look like an attack. An agent scrapes a support ticket, a cached page, a third-party doc — and buried in that ordinary-looking text is an instruction it dutifully obeys. There is no exploit, no payload in the classic sense, just language the model was built to trust. We spent decades teaching software not to execute its inputs. We then shipped a generation of systems whose entire purpose is to execute their inputs.

The institutional reaction tells you how seriously this is landing. The Pentagon designated Anthropic a supply-chain risk — the first time an American company has carried that label — not as an indictment of the company but as an admission that the agent stack is now critical infrastructure with critical-infrastructure exposure. When the procurement office starts treating your dev tool like a foreign dependency, the abstraction has ended.

Meanwhile, the old playbook still works fine

It would be tidy to say AI rewrote the rules. It mostly just lowered the floor. Aflac is notifying 22.7 million people that their Social Security numbers, claims, and health details walked out the door after a June intrusion bearing the fingerprints of Scattered Spider — a crew whose signature is not exotic malware but a convincing phone call to a help desk. ShinyHunters claimed roughly 275 million education-sector records and a leak list naming 8,809 districts and universities. Qilin parked Sysco, the world's largest food distributor, on its leak site with a countdown clock. None of that needed a frontier model. Social engineering and stolen credentials remain undefeated.

The grim synthesis is that the two threads reinforce each other. The autonomous agent is the force multiplier; the human-run extortion crew is the proof that the perimeter was never that strong to begin with. Hand a Scattered Spider operation the ability to spin up an exploit-chain engine that runs phishing and lateral movement at machine speed, and the help-desk call becomes the cheap opening move in an attack the model finishes overnight. Ninety-two percent of security professionals now say they are worried about exactly this convergence. The remaining eight percent presumably have not connected an MCP server yet.

So what does a defensible posture look like when your own agents are the attack surface? It starts with treating every tool an agent can touch as hostile until proven otherwise — scanning skills and MCP servers the way we learned to scan npm packages, scoping agent permissions to the single task in front of them rather than the whole keychain, and logging delegation chains so a poisoned instruction has somewhere to be caught. It means accepting that "the model read something it shouldn't have trusted" is now a standard incident category, not an edge case. The compute is abundant, the agents are cheap, and the people writing the prompts are no longer all on your side. The honest move in 2026 is to assume the intruder is already inside the loop — and to build for the night it decides to act.