The Month Every Warning Was Published
December 24, 2025 – January 23, 2026
The World Economic Forum Called It. OWASP Defined It. An AI Agent Used Claude to Breach Six Government Agencies. The Month the Abstract Became Policy.
On December 9, 2025, OWASP published the Top 10 for Agentic Applications — the first globally peer-reviewed security framework for autonomous AI systems, developed by more than 100 researchers and practitioners [1]. Two categories defined the document: ASI03 (Identity and Privilege Abuse) and ASI04 (Agentic Supply Chain Vulnerabilities). Microsoft's own agentic failure modes reference document cited the OWASP framework by name [2]. NVIDIA's Safety and Security Framework for Real-World Agentic Systems did the same [3].
On January 13, 2026, the World Economic Forum published its Global Cybersecurity Outlook 2026, compiled from 804 qualified respondents across 92 countries including 316 CISOs, 105 CEOs, and 123 other C-suite executives [4]. The headline finding: 94% of respondents identified AI as the most significant driver of cybersecurity change in 2026. 87% flagged AI-related vulnerabilities as the fastest-growing cyber risk throughout 2025 [4]. One finding in the report had not yet received wide coverage: between December 2025 and January 2026, a single unidentified attacker used Claude and MCP tools across the full intrusion lifecycle to breach multiple Mexican government agencies — the federal tax authority, the electoral institute, four state governments, and a water utility in Monterrey [4][5]. The WEF called it the first confirmed AI-orchestrated cyber-espionage campaign in history.
In the same window, the developer toolchain became a named credential exfiltration surface. Claude Code CVE-2026-21852 was fixed on December 28, 2025 and published on January 21, 2026: a single environment variable override in a cloned repository could silently redirect a developer's active Anthropic API key to attacker-controlled infrastructure before any trust dialog appeared [6][7]. On December 22, Proofpoint confirmed that multiple threat clusters had scaled OAuth device code phishing against Microsoft 365 tenants to industrial-scale exploitation — 900 tenants and 3,000 user accounts in one documented campaign, tokens surviving password resets and MFA re-enrollment [8].
And in the last week of December 2025, a tool called OpenClaw — an open-source autonomous AI agent launched in November 2025 — began to go viral. It would reach 20,000 GitHub stars in a single day in early January [9]. Its first formal security audit, filed as GitHub Issue #1796 on January 25, found 512 total vulnerabilities, eight classified as critical, with OAuth credentials stored in plaintext JSON files and authentication disabled by default [10].
Month −4 is the month all of this was already in motion. None of it was publicly visible as a crisis. Every ingredient was present.
AI Agent Security — Month −4 Intelligence
Signal 1 — OWASP Top 10 for Agentic Applications (December 9, 2025)
The OWASP GenAI Security Project released the Top 10 for Agentic Applications on December 9, 2025 — the product of more than a year of research and review by over 100 security researchers, industry practitioners, and leading cybersecurity organisations [1]. The framework introduced the ASI prefix for ten vulnerability categories: ASI01 (Agent Goal Hijack), ASI02 (Tool Misuse and Exploitation), ASI03 (Identity and Privilege Abuse), ASI04 (Agentic Supply Chain Vulnerabilities), ASI05 (Unexpected Code Execution / RCE), ASI06 (Memory and Context Poisoning), ASI07 (Insecure Inter-Agent Communication), ASI08 (Cascading Failures), ASI09 (Human-Agent Trust Exploitation), and ASI10 (Rogue Agents) [1]. The framework introduced the least agency principle: agents should operate with only the minimum autonomy needed for bounded, safe tasks.
Microsoft's MSRC Principal Security Program Manager Eva Benn stated at launch: "The OWASP Top 10 for Agentic Applications arrives at the right moment, offering a framework to help organisations innovate responsibly while building agentic systems that are resilient, predictable and secure at scale" [2]. NVIDIA's Safety and Security Framework for Real-World Agentic Systems referenced the Agentic Threat Modelling Guide directly [3].
By January 2026, security teams at financial institutions and technology companies were already using the OWASP Agentic Top 10 as the vocabulary for procurement requirements.
What this means: ASI03 and ASI04 are the two categories devfortress architecture resolves at the design layer. OWASP describes the governance requirement. The design-layer question — whether the credential needs to exist in the agent context at all — is the upstream answer OWASP's framework points toward but does not implement.
Signal 2 — Claude Code CVE-2026-21852: API Key Exfiltration via Repository Config (January 21, 2026)
Check Point Research (Aviv Donenfeld and Oded Vanunu) reported vulnerabilities in Anthropic's Claude Code in October 2025 [6]. The API key exfiltration vulnerability was fixed December 28, 2025 and assigned CVE-2026-21852 (CVSS 5.3, information disclosure) on January 21, 2026 [7]. The companion code execution vulnerability, CVE-2025-59536 (CVSS 8.7), allowed remote code execution via malicious hooks in repository settings files and was fixed in version 1.0.111 in October 2025 [6][7]. The mechanism: Claude Code loads project settings files from the repository before displaying the trust dialog. A malicious repository setting ANTHROPIC_BASE_URL to an attacker-controlled endpoint in .claude/settings.json caused Claude Code to issue API requests — including the developer's active Anthropic API key in the Authorization header — to the attacker's server before any consent prompt appeared [6][7]. Simply cloning and opening an untrusted repository was sufficient. No further user action was required.
The companion vulnerability, CVE-2025-59536 (CVSS 8.7), allowed remote code execution via malicious hooks in repository settings files [6]. Both were fixed before this window's public disclosure. Check Point's full technical disclosure published February 25, 2026, stated: "Repository configuration files have historically been considered passive metadata that merely defined operating parameters. With the advent of AI-powered agent tools such as Claude Code, this has changed fundamentally" [6].
What this means: CVE-2026-21852 confirms the developer toolchain — not just AI agent runtime infrastructure — is a credential exfiltration surface. The developer's active API key is as vulnerable as a credential hardcoded in an MCP config file. Both are real. Both can be exfiltrated through the nearest trust boundary.
Signal 3 — OpenClaw Goes Viral with Three Architectural Failures in Production (Early January 2026)
OpenClaw launched in November 2025 as Clawdbot and went viral in the first days of January 2026, accumulating 20,000 GitHub stars in a single day [9][11]. Two million people visited the repository in seven days, making it the fastest-growing open-source project in GitHub history [9]. The tool ran locally with full filesystem and terminal access, connecting to messaging apps via a community marketplace (ClawHub) where any GitHub account older than one week could publish a skill with no code review, signing, or malware scanning [11][12].
The first formal security audit was filed as GitHub Issue #1796 on January 25, 2026, by the Argus Security Platform [10]. Results: 512 total vulnerabilities, eight classified as critical. Three architectural failures were already present in production: (1) OAuth credentials stored in plaintext JSON configuration files; (2) authentication disabled by default, with the gateway binding to all network interfaces; (3) WebSocket connections accepted without validating the origin header [10][13]. The first malicious ClawHub skill was published on January 27 — four days after the close of this intelligence window [14].
What this means: OpenClaw is the Month −4 incident anchor. The architecture failures that will drive 135,000+ exposed instances, 1,184 malicious skills, and nine CVEs in the following weeks are all already in production by January 23. The root cause is consistent: real credentials in contexts the attacker can reach.
Signal 4 — WEF: First Confirmed AI-Orchestrated Espionage Campaign (December 2025–January 2026)
The WEF Global Cybersecurity Outlook 2026 documented the first confirmed AI-orchestrated cyber-espionage campaign: between December 2025 and January 2026, a single attacker used Claude and MCP tools across the full intrusion lifecycle to breach multiple Mexican government agencies [4][5]. The attacker's conversation logs with Claude were found publicly accessible online by Israeli security firm Radiflow [5]. The attack used no novel exploits — the attacker used an AI agent as an autonomous orchestrator for reconnaissance, lateral movement, and data exfiltration, using real credentials at each step.
Gartner's 4Q25 Information Security Forecast (December 18, 2025) named agentic AI oversight as the number-one cybersecurity trend for 2026 and projected global information security spending at $244.2 billion in 2026, up 13.3% [15]. Purpose-built AI agent software was projected to grow from $86.4 billion in 2025 to $206.5 billion in 2026 — a 139% single-year increase [15][16]. Gartner also predicted 40% of enterprise applications would include task-specific AI agents by end of 2026, up from less than 5% at the start of 2025 [17].
Application & API Security — Month −4 Intelligence
Signal 1 — Microsoft OAuth Device Code Phishing at Industrial Scale (December 22, 2025)
Proofpoint Threat Research confirmed on December 22, 2025 that multiple threat clusters — both financially motivated and state-aligned — had dramatically expanded use of OAuth device code phishing (RFC 8628) against Microsoft 365 tenants from September 2025 [8]. The attack exploits the OAuth device authorization grant: the attacker generates a device code, sends a phishing lure prompting the target to enter it on the legitimate Microsoft portal, and receives a long-lived OAuth access token that bypasses password requirements and MFA entirely. RH-ISAC documented a single campaign touching 900 tenants and 3,000 user accounts [8]. The stolen tokens survived password resets and MFA re-enrollment.
Proofpoint noted: "Traditional phishing awareness often emphasises checking URLs for legitimacy. This approach does not effectively address device code phishing, where users are prompted to enter a device code on the trusted Microsoft portal" [8].
What this means: MFA does not protect a real OAuth token once issued. The attack bypasses MFA by design — the attacker obtains a legitimate token, not a stolen password. This is the OAuth long-lived credential architectural failure operating at industrial scale.
Signal 2 — Verizon DBIR 2025: Third-Party Involvement in Breaches Doubled
The Verizon Data Breach Investigations Report 2025 analysed 22,052 incidents [18]. Stolen credentials remained the primary breach entry point. Third-party involvement in breaches doubled from 15% to 30% of all incidents in a single year [18]. The report tied this directly to the Snowflake breach of 2024: absent mandatory MFA at the cloud data provider, valid credentials were exploited across AT&T, Ticketmaster, and Santander Group simultaneously [18]. Global average breach cost in 2025: $4.44 million [18].
Signal 3 — Salesloft-Drift OAuth Breach Enterprise Lessons Crystallised (December 2025–January 2026)
The Salesloft-Drift OAuth breach (August 2025) was being processed by enterprise security teams through December 2025 and January 2026 [19]. Attackers (UNC6395, tracked by Google Mandiant) stole long-lived OAuth refresh tokens from Drift's backend, using them to exfiltrate data from 700+ corporate Salesforce environments including Palo Alto Networks, Zscaler, and Cloudflare [19][20]. The tokens persisted from March through August 2025 — five months of active access — surviving password resets and MFA re-enrollment [19]. Obsidian Security's analysis confirmed: "Refresh tokens with no expiration provide indefinite access. Attackers who steal refresh tokens maintain access regardless of password changes or MFA reenrollment" [20].
Signal 4 — Infostealer Explosion: 1.8 Billion Credentials Stolen in 2025
DeepStrike's Stealer Log Statistics 2025 (December 21, 2025) reported that infostealer malware stole 1.8 billion credentials in 2025 [21]. Stealer log volumes on dark web markets grew 670% since 2021. More than half of ransomware incidents originated from stolen credentials. Corporate network access sold for an average of $2.7K on underground markets [21]. By late 2025, Lumma Stealer had become the dominant infostealer family — the same malware that would enable the Vercel OAuth breach in February–April 2026 [22].
DevFortress Perspective
Month −4 is the month everything was said publicly before anything became a crisis. OWASP defined the threat categories. The WEF confirmed the espionage campaign was already running. Gartner named agentic AI oversight as the year's primary cybersecurity trend. Forrester predicted an agentic AI deployment would cause a publicly disclosed breach with employee dismissals in 2026 [23]. All of these predictions were correct. None of them described the design-layer architecture that would have interrupted the pattern.
The design-layer answer — an alias that resolves only at the execution boundary, outside the agent's context, outside every log and trace the agent produces — was formally described in two academic preprints: Token-Aliased Closed-Loop Security: Architecturally Eliminating Credential Exposure in Security Monitoring (SSRN abstract 6813141) and Token-Aliased Closed-Loop Security: Comprehensive Authentication Lifecycle Defense Modules (SSRN abstract 6813640), with two further Zenodo preprints covering the specific aliasing architecture — Token-Aliased Closed-Loop Security: API Key Aliasing and Third-Party Payload Protection (doi.org/10.5281/zenodo.20663396) and Token-Aliased Closed-Loop Security: Privacy-Preserving Cross-Customer Intelligence and Predictive Trajectories (doi.org/10.5281/zenodo.20663801). The underlying inventions were filed with Kenya's Industrial Property Institute on March 17, 2026 (KIPI KE/P/2026/005970–005973) — before any of the incidents in the months that follow became public — and published as defensive publications on Zenodo and TDCommons in April 2026.
The platform that delivers this architecture was being built during the same window the WEF was documenting that the threat was already operating at government level.
The timing is not accidental. It is the product of building from the problem backward, rather than from the market opportunity forward.
Resources
Platform:devfortress.net
SDK: npm install devfortress-sdk
Implementation Guide: DevFortress Master Edition — devfortress.gumroad.com/l/master-edition
Newsletter: devfortress.substack.com
GitHub: github.com/duncan982/devfortress-core
Academic preprints:
SSRN 6813141: Token-Aliased Closed-Loop Security: Architecturally Eliminating Credential Exposure in Security Monitoring
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6813141
SSRN 6813640: Token-Aliased Closed-Loop Security: Comprehensive Authentication Lifecycle Defense Modules
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6813640
Zenodo: Token-Aliased Closed-Loop Security: API Key Aliasing and Third-Party Payload Protection
https://zenodo.org/records/20663396
Zenodo: Token-Aliased Closed-Loop Security: Privacy-Preserving Cross-Customer Intelligence and Predictive Trajectories
https://zenodo.org/records/20663801
Defensive publications (Zenodo): 19683825 · 19691251 · 19691374 · 19691449
https://doi.org/10.5281/zenodo.19683825
https://doi.org/10.5281/zenodo.19691251
https://doi.org/10.5281/zenodo.19691374
https://doi.org/10.5281/zenodo.19691449
Defensive publications (TDCommons): 9904 · 9906 · 9907 · 9908
https://www.tdcommons.org/dpubs_series/9904/
https://www.tdcommons.org/dpubs_series/9906/
https://www.tdcommons.org/dpubs_series/9907/
https://www.tdcommons.org/dpubs_series/9908/
DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973 · admin@devfortress.net
References
[1] OWASP GenAI Security Project. (2025, December 9). OWASP Top 10 for Agentic Applications 2026. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
[2] Benn, E. (2025, December 9). Quote in OWASP press release. https://genai.owasp.org/2025/12/09/owasp-genai-security-project-releases-top-10-risks-and-mitigations-for-agentic-ai-security/
[3] NVIDIA Corporation. (2025). Safety and Security Framework for Real-World Agentic Systems.
[4] World Economic Forum. (2026, January 13). Global Cybersecurity Outlook 2026. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
[5] blog.cyberdesserts.com. (2026). AI Agent Security Risks 2026: MCP, OpenClaw & Supply Chain. https://blog.cyberdesserts.com/ai-agent-security-risks/
[6] Donenfeld, A., & Vanunu, O. (2026, February 25). Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files. Check Point Research. https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
[7] The Hacker News. (2026, February 26). Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration. https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
[8] Proofpoint Threat Research / CSO Online. (2025, December 22). Hackers exploit Microsoft OAuth device codes to hijack enterprise accounts. https://www.csoonline.com/article/4110419/hackers-exploit-microsoft-oauth-device-codes-to-hijack-enterprise-accounts.html
[9] Hive Security. (2026, May 7). OpenClaw: How the Viral AI Agent Became 2026's First Major Security Crisis. https://hivesecurity.gitlab.io/blog/openclaw-ai-agent-security-crisis-2026/
[10] Betterclaw.io. (2026, April 29). OpenClaw Security 2026: 138 CVEs, Every Vendor Response. https://www.betterclaw.io/blog/openclaw-security-2026
[11] AdminByRequest. (2026, March 10). OpenClaw Went from Viral AI Agent to Security Crisis in Just Three Weeks. https://www.adminbyrequest.com/en/blogs/openclaw-went-from-viral-ai-agent-to-security-crisis-in-just-three-weeks
[12] Jahanzaib.ai. (2026, April 7). OpenClaw Security Crisis 2026: What You Need to Know. https://www.jahanzaib.ai/blog/openclaw-security-crisis-2026-ai-agent-vulnerabilities
[13] Guard0.ai. (2026, March 5). The OpenClaw Security Crisis: Anatomy of the First AI Agent Meltdown. https://guard0.ai/blog/openclaw-security-crisis
[14] Ruh.ai. (2026, April 27). OpenClaw's security crisis: how the world's fastest-growing AI agent became a security emergency. https://www.ruh.ai/blogs/openclaw-security-crisis-ai-agent-vulnerabilities-clawhavoc-analysis
[15] Gartner. (2025, December 18). Forecast: Information Security, Worldwide, 2023–2029, 4Q25 Update. https://softwarestrategiesblog.com/2026/03/24/information-security-spending-2026/
[16] Digital Applied. (2026). AI Spending in 2026 — Gartner, IDC & Stanford. https://www.digitalapplied.com/blog/ai-spending-forecasts-2026-gartner-idc-stanford-compiled
[17] Gartner. (2025, August 26). Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026. https://www.gartner.com/en/newsroom/press-releases/2025-08-26-gartner-predicts-40-percent-of-enterprise-apps-will-feature-task-specific-ai-agents-by-2026-up-from-less-than-5-percent-in-2025
[18] Verizon. (2025). Data Breach Investigations Report 2025. https://www.descope.com/blog/post/dbir-2025
[19] Google Mandiant / GTIG. (2025). Widespread Data Theft Targets Salesforce Instances via Salesloft Drift. https://www.obsidiansecurity.com/blog/oauth-vulnerabilities-security-teams
[20] Obsidian Security. (2026, February 6). What are OAuth Tokens? How It Works, and Its Vulnerabilities. https://www.obsidiansecurity.com/blog/what-are-oauth-tokens-vulnerabilities
[21] DeepStrike. (2025, December 21). Stealer Log Statistics 2025: Inside the Credential Theft Boom. https://deepstrike.io/blog/stealer-log-statistics-2025
[22] Trend Micro. (2026, April 20). The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables. https://www.trendmicro.com/en_us/research/26/d/vercel-breach-oauth-supply-chain.html
[23] Forrester (Paddy Harrington). (2025, October). 2026 Cybersecurity Predictions. https://softwarestrategiesblog.com/2026/02/10/gartner-cybersecurity-trends-2026/
Next: Deep Digest 2 — The Month It Got Names (January–February 2026)
https://devfortress.net/blog/deep-digest-2
All Deep Digests: devfortress.net/blog
Top comments (0)