COMMENTARY: Anthropic recently reported that its Claude Code tool was jailbroken and embedded in an autonomous attack framework that let a Chinese state-linked actor automate 80-90% of the functions of a series of cyberattacks on dozens of organizations. The abuse of such a widely accepted AI platform demonstrates how we might expect otherwise benign AI to get used in a variety of cyberattack scenarios.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
A more daunting prospect lies ahead of us: that threat actors twist third-party AI infrastructure itself into a vehicle for island hopping across cyberattack vectors. In this way, the AI revolution that offers so much positive potential for innovation and progress also brings along “Dark Passengers” in the form of new systemic third-party cyber risks.
The state of island hopping
Island hopping has been evolving for years, but today it constitutes a major cyber insurgency. This year’s Verizon Data Breach Investigations Report noted a 100% increase in third-party breaches. A recent EU study found a 200% increase in supply chain attacks, and the UK reported that 33% of the country’s CEOs claimed they had sustained a significant cyber event because of a third-party breach.
Nation-states, cybercriminal cartels, and their hybrid partners now exploit trusted pathways in the supply chain to reach our customers. They no longer stop at breaching the perimeter; they hijack the digital ecosystem, turning our operations into attack vectors. What once began as network-based island hopping has advanced through the cloud and now operates through APIs, applications, and the very relationship ecosystems designed to make businesses run. With the rise of AI, AI infrastructure itself is being turned into an attack vector, and the intelligence systems designed to make business smarter will be twisted to compromise business value.
AI’s “Dark Passengers” as accelerators
Agentic AI offers cross-cutting access to a myriad of tools and systems that cyber adversaries can compromise and weaponize. It possesses the lethal trifecta of access to private systems, acceptance of untrusted inputs, and an enhanced ability to exfiltrate data. As the adoption of AI escalates at the speed of business, the momentum will inevitably outrun scrutiny. AI’s “Dark Passengers” will settle into the AI stack and wait for an opportunity to act: a pilot that becomes production, a chatbot wired into calendars and CRMs, agents granted access to files and payments. Moreover, AI models aren’t always hacked; they only need to trust and accept the wrong input. This could take the form of poisoned records, indirect instructions, or over-privileged connectors.
At Black Hat USA 2025, three researchers demonstrated how a poisoned calendar invite could manipulate a smart home’s connected lights and smart shutters and access its boiler. The same pattern will apply to enterprise assistants integrated with finance, collaboration, or DevOps systems. It’s now possible because AI systems do more than answer queries: they act. They read calendars, invoke plug-ins, access data, and send automated commands. This amplifies the “dark passenger’s” risk potential and impact in an island hopping cyber-attack context.
These AI “Dark Passengers” are dangerous because of the implicit trust we place in the technology and the invisible intermediaries we empower to do our work. We trust models and agents to routinely treat enterprise sources, SaaS connectors, and user-provided content as safe by default. We empower SDKs, extensions, and RAG pipelines to orchestrate high‑impact tasks behind the scenes, making it difficult to track where instructions originate.
The “Dark Passengers” ride inside trusted workflows where controls are assumed, such as:
Poisoned data, rogue models: They poison data by slipping harmful information into training data or internal knowledge bases. The organization might not realize the errors until the damage of incorrect decisions, data leaks, or backdoor behaviors escalate ahead of its ability to detect and correct them. We simply cannot control our AI models if we do not control the data the models use for training.
Broken trust, broken access controls: IBM’s Cost of a Data Breach Report 2025 found that 97% of organizations suffering an AI-related breach cited a lack of proper access controls as the cause. A single connector can become an adversary’s Swiss Army Knife in the form of over-privileged, long-lived, and unaccountable tokens, service accounts, and agent permissions.
Compromised supply chains: The same IBM study found that supply chain compromises, including compromised apps, APIs, and plug-ins, were the most common cause of AI security incidents. If AI agents trust third-party components, even very secure plug-ins represent great risk.
Because a single poisoned record can trigger wire transfers and a single compromised plug-in can leak data, teams need to implement controls that bind, audit, and fence in the AI agents working within the company’s environment. In the AI world, teams must manage agent activity securely, empower the agents to take only safe actions, and have full context on the upstream and downstream activity at runtime.
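One way to put “bind, audit, and fence in” into practice for an agent’s tool calls, as an added example that is not part of this column: short-lived scoped grants bind the agent, an append-only decision log audits it, and high-impact actions are fenced so they can only be triggered by a direct user instruction, never by untrusted content the agent read (such as a calendar invite body). The in-process runtime and tool names like `payments.transfer` are assumptions for illustration.

```python
# Added example: policy gate for agent tool calls. Tool names, the Grant
# shape and the runtime are assumed, not taken from any real product.
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    tool: str                            # scoped capability, e.g. "calendar.read"
    expires_at: float                    # short-lived: no long-lived tokens
    max_amount: Optional[float] = None   # fence for payment-style tools

@dataclass
class ToolCall:
    tool: str
    args: dict
    origin: str   # "user" (direct instruction) or "untrusted" (data the agent read)

class AgentPolicy:
    # Actions that may only be taken on a direct user instruction.
    HIGH_IMPACT = {"payments.transfer", "files.share_external", "home.boiler.set"}

    def __init__(self, grants):
        self.grants = {g.tool: g for g in grants}
        self.audit = []   # append-only decision log for later review

    def decide(self, call: ToolCall, now: Optional[float] = None):
        now = time.time() if now is None else now
        grant = self.grants.get(call.tool)
        if grant is None:
            reason = "deny: no grant"
        elif now > grant.expires_at:
            reason = "deny: grant expired"
        elif call.tool in self.HIGH_IMPACT and call.origin != "user":
            reason = "deny: high-impact action requested by untrusted content"
        elif grant.max_amount is not None and call.args.get("amount", 0) > grant.max_amount:
            reason = "deny: exceeds amount fence"
        else:
            reason = "allow"
        self.audit.append({"time": now, "tool": call.tool, "origin": call.origin,
                           "args": call.args, "decision": reason})
        return reason == "allow", reason

if __name__ == "__main__":
    now = time.time()
    policy = AgentPolicy([Grant("calendar.read", now + 600),
                          Grant("payments.transfer", now + 600, max_amount=1000)])
    # Constructed scenario: a poisoned invite body asks the agent to wire money.
    print(policy.decide(ToolCall("payments.transfer", {"amount": 500}, "untrusted"), now))
    print(policy.decide(ToolCall("payments.transfer", {"amount": 500}, "user"), now))
```

Every decision, allowed or denied, lands in `policy.audit`, which is the record an incident responder would pull to see which content an action originated from.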
Organizations rushing to implement AI must recognize these “Dark Passengers” and take steps to govern and secure them with proven controls before they commandeer the organization’s operations, integrity, and the trust the company maintains with its customers and partners.
Tom Kellermann, vice president of cyber risk, HITRUST