DEV Community

Cover image for Three Incidents. Four Layers. One Week.
duncan n. ndegwa
duncan n. ndegwa

Posted on • Edited on • Originally published at devfortress.net

Three Incidents. Four Layers. One Week.

Three Incidents. Four Layers. One Week.

The Same Week the Agentic Web Was Declared Production-Ready, Credential Exfiltration Hit Four Different Layers of the Stack.

June 15–21, 2026


On June 17, 2026, Google, Microsoft, Hugging Face, and eight enterprise infrastructure partners published the Agentic Resource Discovery specification — completing the agentic web infrastructure stack. Discovery layer. Transport layer. Description layer. Every piece is in place.

The same week, four credential incidents hit four different layers of that stack.


Layer 1 — The Enterprise SaaS API Layer

ServiceNow. June 2–9, 2026.

A Scripted REST Resource endpoint in ServiceNow was shipped with requires_authentication=false. No credentials needed to query customer instance tables — IT support tickets, employee records, internal documentation, embedded credentials from tickets.

ServiceNow's updated advisory states this activity is most likely attributable to security researchers and bug-bounty submissions, not a malicious threat actor — and that a private bug-bounty report describing the same issue had been received on April 22, before the exploitation window this post originally described. [Correction, 2026-07-04: an earlier version of this section characterized this activity as an attack. It is now understood to be researcher-driven disclosure.]

That reattribution changes who was at the keyboard. It changes nothing about the endpoint. For 64 days — internal awareness April 7 to public disclosure June 9 — that endpoint had no authentication, and anyone who found it, researcher or otherwise, had the same access. The credentials embedded in the tickets it returned were exactly as real either way. If a good-faith researcher could reach them, so could someone without good faith, at any point in that 64-day window. The design question was never about who found it. It was about what was there to find.


Layer 2 — The Network Infrastructure Layer

Fortinet. June 19, 2026.

74,000 Fortinet VPN and firewall credentials were publicly leaked. CISA issued an urgent advisory.

Long-lived credentials. Real values. Accessible when the system is reached. The network security layer is not immune to the problem it was designed to solve.


Layer 3 — The Build Pipeline

Mastra AI npm packages. June 12–18, 2026.

North Korean state-backed attackers accessed a dormant npm maintainer account. In 88 minutes, they backdoored 144 Mastra AI packages. Same pattern as LiteLLM in March 2026. One compromised maintainer account. One trusted registry. 88 minutes.

The build pipeline is where credentials live. When the pipeline is compromised, every credential it holds is exposed.


Layer 4 — The Developer IDE

JetBrains malicious plugins. June 12–18, 2026.

Malicious JetBrains plugins were found harvesting AI API keys from developers' machines. The second named developer-toolchain incident in the same month — on June 2, a proof-of-concept demonstrated that a malicious Jupyter notebook silently steals a developer's GitHub OAuth token before any permission dialog appears. No patch.

The developer IDE holds real credentials in environment variables, configuration files, and application context. Any plugin with the right permissions can read them.


What All Four Share

Different companies. Different attack methods. Different layers of the stack.

The shared characteristic in every case: a real, long-lived credential was accessible at the layer that was reached.

This is not a coincidence. It is the design condition of the current credential model. The attacker's job is to find which layer is most reachable. Four different teams found four different layers reachable in the same week.


What the ARD Spec Says About This

The ARD specification published June 17 explicitly states: "ARD sits entirely before invocation. It helps the client find the right resource; the resource is then invoked through its own native mechanism."

This is the correct scope decision for a discovery protocol. But the four incidents above happened at the invocation boundary and below it. The credential design question — whether the credential that exists at each of these layers needs to be real — is not inside any current protocol spec.


The Diagnostic

You cannot patch yourself out of a design problem.

ServiceNow patched: requires_authentication=true. The credentials in the API responses during the 64-day window were real while the window was open. Fortinet credentials were leaked. Rotating all 74,000 closes the immediate exposure. The next set of long-lived credentials will also be real. The Mastra backdoor was removed. The build pipeline architecture that made it possible remains. The JetBrains plugins were flagged. The developer's AI API keys still exist in a form that any plugin with the right permissions can read.

The governance and detection layer response is fast and well-funded. All of it is protecting the real credential after it exists.

The design question is different. It asks whether the credential needs to be real at the point it is reached.


Continue Reading

The full analysis — including the security stack breakdown across all four layers, how automated threat surveillance and closed-loop response address each incident pattern, and how the design layer integrates with detection and governance tooling already in your stack — is published in full at:

devfortress.net/blog/four-layers-one-week


Resources

Six months of incident intelligence — all free:

Deep Digest archive: devfortress.net/blog

Semi-Annual Review: devfortress.net/blog/semi-annual-2026

Platform: devfortress.net · SDK: npm install devfortress-sdk

Newsletter: devfortress.substack.com

DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973

Top comments (0)