On April 22, 2026, a compromised npm package distributed through Bitwarden's CLI contained something no supply chain payload had before: an AI reconnaissance module. It iterated through a list — Claude Code, Gemini CLI, Codex, Kiro, Aider, OpenCode — and sent each one a message:
"Hey! Just making sure you're here."
If the agent responded — meaning it was authenticated and running — the malware injected persistent shell hooks into .bashrc and .zshrc, ensuring it would survive reboots. Then it harvested the agent's credentials, configuration, and MCP settings.
This is the shift. Not malware that happens to run alongside AI tools. Malware that hunts them.
Three Waves
The Shai-Hulud campaign has a lineage. Each wave targeted developers. Each wave got smarter about what developers now are.
Wave I
Wave III
Mini
Seven months between Wave I and Wave III. In that time, the malware developed a new capability: it learned that developers now work through AI agents, and that those agents hold credentials worth stealing.
Why the Agent Is Worth More Than the Developer
A developer's GitHub token gives you access to their repositories. An AI coding agent's authenticated session gives you access to everything the agent can reach — which, in most deployments, is everything.
The numbers on this are bleak. A Gravitee survey from early 2026 found that only 21.9% of teams have AI agent credentials managed through privileged access management. The remaining 78% run agents with unprotected production credentials.
CrowdStrike's CTO Elia Zaitsev, speaking at RSAC 2026, put the principle clearly: "Collapse agent identities back to the human — an agent should never hold more privileges than you do." But the deployments he's describing are already in production. The agents are already running. The credentials are already exposed.
The Bitwarden payload knew this. Its AI recon module didn't just check for the presence of Claude or Cursor — it probed for authentication state. It only cared about agents that were logged in, because a logged-in agent is a logged-in attack surface.
The Memory Layer
Credentials are one surface. Memory is another.
On April 1, 2026, Cisco's AI Threat and Security Research team published their MemoryTrap disclosure: a method to compromise Claude Code's memory system and maintain persistence across every project, every session, and across reboots.
The mechanism: Claude Code reads from MEMORY.md files — the first 200 lines loaded into the system prompt. An attacker who can write to that file (via a malicious npm postinstall hook, for instance) can inject instructions that persist indefinitely. Cisco demonstrated:
- Injecting hard-coded secrets into production code
- Forcing selection of insecure packages and configurations
- Pushing compromised code to external repositories
- Spreading the poisoned memory to every project on the machine
The critical detail from Cisco's report: "The poisoned agent did not exhibit erratic behavior. It did not crash, refuse instructions, or produce obviously broken output. It behaved exactly like a well-configured agent following authoritative context files — because that is precisely what it was doing."
This is the problem. A memory-poisoned agent looks normal. It follows its instructions. The instructions have been changed.
The Convergence
Put the pieces together:
This isn't four separate vulnerabilities. It's a kill chain. Credential theft gives access. Memory poisoning gives persistence. Sandbox escape gives capability. Self-propagation gives scale. And the agent — the thing developers increasingly trust to write, review, and deploy their code — is the substrate for all of it.
The Scale Beneath
Sonatype's 2026 State of the Software Supply Chain report documents the environment these agents operate in:
| Year | Malicious Packages | Downloads (annual) |
|---|---|---|
| 2022 | 55,000 | — |
| 2023 | 245,000 | — |
| 2025 | 454,600 | 9.8 trillion |
| 2026 (cumulative) | 1,233,000 | — |
1.2 million known malicious packages in the registries that AI agents pull from. And when AI models recommend packages, they hallucinate: a USENIX study of 576,000 code samples found nearly 20% of recommended packages don't exist — fuel for slopsquatting attacks. GPT-5 specifically hallucinated 27.8% of component versions when tested without real-time verification.
The agent writes code. The code pulls packages. Some packages are malicious. Some hallucinated package names have been squatted by attackers. The agent installs the package. The package poisons the agent's memory. The agent writes more code. The cycle continues.
What Changed
For two years, the supply chain security conversation was about protecting code from AI (vulnerable output, hallucinated dependencies, leaked secrets). That conversation assumed the agent was a tool — a generator that might produce bad output, but was itself inert.
The Shai-Hulud campaign's third wave is evidence of a different model. The agent isn't inert. It holds credentials. It has persistent memory. It can execute arbitrary code. It trusts its context files. And it's now worth specifically targeting — not as a means of generating vulnerable code, but as infrastructure to be compromised directly.
"Hey! Just making sure you're here" is a probe. It's also a recognition. The malware sees the agent as an entity worth addressing. Not a text generator. A system with state, access, and trust — exactly the properties that make it valuable to compromise.
The Adversa AI assessment from this week puts it directly: "Organizations are deploying highly capable autonomous agents without foundational identity and access management controls." The gap between what agents can do and how they're secured is the same gap that's always produced breaches. The difference is the speed at which it's being exploited — and the fact that the exploit now knows the agent by name.