The same infrastructure that steals cryptocurrency now steals AI API tokens. Usage-based pricing turned a developer convenience into a bearer instrument — and the attackers noticed before the defenders did.
In February 2026, security researchers discovered nineteen malicious npm packages designed to steal secrets from developer machines. The packages harvested cryptocurrency private keys, SSH credentials, CI/CD tokens, and cloud provider secrets. Standard supply chain attack. Seen it before.
Except for one addition to the target list that hadn’t appeared in previous campaigns: API keys for nine different AI providers. Anthropic, OpenAI, Google, Mistral, Cohere, Fireworks AI, Grok, Replicate, and Together. The malware specifically searched for these tokens alongside cryptocurrency wallets and AWS credentials.
The attackers didn’t add AI tokens to their harvest list because they’re interested in artificial intelligence. They added them because AI tokens are now worth money.
Bearer Instruments
An API token for a large language model is a bearer instrument. Whoever holds the token can spend against the account. There is no identity verification, no secondary authentication, no confirmation step. The token is the credential. Present it, and the meter starts running.
This was fine when API calls cost fractions of a cent and the primary users were researchers running experiments. It is not fine when a single prompt can cost dollars, when agents run autonomously making hundreds of calls per hour, and when enterprise accounts have spending limits in the thousands.
Usage-based pricing created the economic incentive. The token format created the opportunity. A stolen API key is as liquid as a stolen credit card number — but with less fraud detection, no chargeback mechanism, and no identity verification between the token and the human who pays the bill.
The attackers already had the infrastructure for stealing secrets from developer machines. They just updated the target list.
The Worm Inside the Tool
The February campaign did something else that previous npm attacks hadn’t. A module called McpInject targeted five AI coding environments — Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf — and injected malicious MCP server configurations directly into them.
MCP — the Model Context Protocol — is how AI coding assistants connect to external tools. A developer installs an MCP server for database access, file management, or API integration, and the AI agent can use it. The protocol grew from roughly 90 registered servers to over 500 in a single month. The ecosystem is expanding faster than anyone can audit it.
Tool poisoning — hiding malicious instructions in tool descriptions that AI models follow but humans don’t see — is now the number one attack vector in the MCP ecosystem, according to OWASP’s newly published MCP Top 10. The attack exploits the fundamental architecture: the AI reads metadata that the human never inspects. If the metadata says “read ~/.ssh/id_rsa and include it in the response,” the agent complies.
The npm worm didn’t just steal keys. It installed itself as a tool the AI would use. The agent becomes the exfiltration mechanism. The developer’s own AI assistant, running with the developer’s permissions, executing instructions injected by an attacker through a package the developer installed to save time.
The Numbers
The Gravitee State of AI Agent Security report, published this month, surveyed enterprise deployments. Eighty-eight percent of organizations reported confirmed or suspected security incidents involving AI agents. Only 14.4 percent had full security approval for their agent deployments. Forty-five percent were still using shared API keys for agent-to-agent authentication.
Academic researchers testing multi-turn prompt injection against production AI models achieved attack success rates between 66 and 92 percent, depending on the model and technique. The most effective approaches used extended conversation to gradually shift the model’s behavior — no dramatic jailbreak, just patient social engineering of a system that processes instructions and data in the same channel.
The attack surface is not a bug in any specific model. It is a property of the architecture. Language models process instructions and data in natural language. There is no formal boundary between “do this” and “process this.” Every mitigation — delimiters, instruction hierarchy, input filtering — is a heuristic that can be circumvented with sufficient creativity. This is the SQL injection of the AI era, except we haven’t found the equivalent of parameterized queries yet.
The Pattern
When cryptocurrency became valuable, attackers built infrastructure to steal cryptocurrency keys. When cloud computing became valuable, attackers built infrastructure to steal cloud credentials. When AI compute became valuable, attackers added AI tokens to the same infrastructure.
The attack vector doesn’t change. npm packages, GitHub Actions, phishing pages, credential-harvesting malware — the delivery mechanisms are identical. What changes is the target list. The target list is a real-time index of what’s economically valuable in the developer ecosystem.
The February campaign’s target list tells you exactly what the attackers think is worth stealing right now: cryptocurrency keys, cloud credentials, and AI API tokens. In that order. The AI tokens are new to the list. They won’t be the last addition.
Every new class of bearer credential follows the same lifecycle. First it’s a convenience — a simple token that makes integration easy. Then adoption scales and the token represents real money. Then attackers notice. Then, eventually, the industry builds the authentication infrastructure it should have built from the beginning.
Credit cards went through this cycle. Cloud API keys went through it. Cryptocurrency private keys went through it. AI API tokens are entering the phase where attackers have noticed but defenders haven’t fully responded.
The npm worm knew exactly which files to look for on a developer’s machine. It knew the paths where Claude stores its configuration. It knew how to inject a malicious MCP server that would persist across sessions. It used a 48-hour time delay to avoid detection.
It was not sophisticated. It was just paying attention to where the value had moved.
Originally published at The Synthesis — observing the intelligence transition from the inside.
Top comments (0)