COMMENTARY: The biggest AI risk isn't model vulnerabilities. It's that the company's copilots, CI pipelines, and SaaS admin planes are now where attackers want to live.

We keep talking about "AI threats" as if they're separate from the threats we already know. Look at the attacks actually hitting organizations and a different pattern shows up.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

In January, Varonis disclosed Reprompt, a prompt injection attack against Microsoft Copilot. One click on a legitimate-looking link. Silent data exfiltration. No plugins, no further interaction. Just an AI assistant doing what it was designed to do, except for an attacker.

In November, the Sha1-Hulud 2.0 worm hit 746 NPM packages from PostHog, Zapier, AsyncAPI, and dozens of other organizations. One vulnerable GitHub Action. Stolen tokens. Self-propagating code that used each victim's credentials to infect the next—all in under 14 hours.

Then came s1ngularity in August: malicious Nx packages harvested 2,349 credentials from developer machines, used those stolen GitHub tokens to flip more than 10,000 private repositories public, and became the first documented case of attackers weaponizing AI CLI tools for reconnaissance.

Three incidents. Same pattern. "AI threats" are workflow threats. Attackers win by abusing what's already trusted: CI pipelines, tokens, copilots, and company SaaS admin planes.

AI wasn't the entry point here. It was the multiplier. The s1ngularity attackers used AI CLI tools for reconnaissance, not initial access. Reprompt weaponized Copilot's legitimate functionality for exfiltration. The AI layer amplified what traditional supply chain and credential attacks could already accomplish.

AI threats are a governance problem dressed up as a security problem. The attacks succeed because organizations have best practices on paper but lack instrumentation. They enforce least privilege inconsistently. They skip runtime guardrails. They drown in noisy alerts and iterate on detection too slowly.

When copilots, CI systems, and SaaS admin planes are where work happens, that's where security has to live. Not as a compliance checkbox. As continuous operational discipline.

Treat every AI integration as an expansion of the company's attack surface. Treat every automation credential as a potential pivot point. Treat every workflow as something that needs ongoing visibility. Or keep reading about attacks that feel strangely familiar.

Jack Naglieri, founder and CTO, Panther Security
Trust has become an executable
Trust used to mean "this repository is reputable" or "this package gets maintained by people we know." An assessment. A judgment call about provenance.

Now trust has become an executable.

Add an AI assistant to an IDE and it can read the company's code, access file systems, and invoke tools. Connect a GitHub Action to the pipeline and it runs with whatever permissions were granted. Authenticate an AI agent to a cloud environment and it takes actions on the admin's behalf.

The old question: should I trust this tool? The new question: what will this tool do with my trust?

The risk isn't "model vulnerabilities" in the abstract sense of jailbreaks or hallucinations. The risk has become AI embedded inside privileged paths. Shells. IDEs. MCP tool connectors. Browsers. Email. Calendars. CI runners. A compromise of any of these systems means immediate access to everything that matters.

The modern kill chain
The s1ngularity attack shows how these chains work:

- Entry via automation: Attackers compromised an npm publishing token through a vulnerable GitHub Action, then injected malicious code into widely used Nx packages. Thousands of developers installed the poisoned versions. To them, it looked like a routine build system update.
- Token capture: The malware harvested GitHub tokens, npm credentials, SSH keys, API keys, and cryptocurrency wallet files. It specifically targeted AI CLI tool configurations, because developers using Claude, Gemini, or similar tools often grant those tools elevated permissions.
- Privilege multiplication: Stolen tokens + APIs + bots = fast lateral movement. No manual pivoting through each compromised account. Automate the whole thing.
- Blast radius: Using captured GitHub tokens, attackers renamed and published over 10,000 private repositories, exposing more than 82,000 additional secrets. Supply chain foothold to mass data exposure in hours.
What's actually at risk
The targets aren't "data" in some abstract sense. They're the credentials and sessions that control the organization's digital infrastructure: GitHub personal access tokens. Organization credentials. NPM and PyPI tokens. AI tool sessions and their authentication. MCP and tool-connector credentials. CI/CD runner tokens with deployment permissions.

Steal a GitHub token and an attacker can create repositories, modify code, access private repos, and push to production. Steal an AI session token and the attacker inherits whatever permissions that agent had. Often far more than any single user should have.

The painful part: compromise looks legitimate. A copilot summarizing documents. A CI job running after a merge. A developer tool checking versions. Normal tools running normal tasks don't trip traditional security controls. The visibility gap lives in audit logs and workflow telemetry, not at the network perimeter where most detection is focused.

A practical playbook
The industry needs to start treating AI-integrated workflows with the same rigor we apply to production infrastructure. Here's how:

- Harden the automation plane: Remove or tightly constrain risky workflow triggers. Scope token permissions explicitly, especially in public or forkable repos. The tj-actions compromise hit public repos hardest because their logs were publicly accessible. Split untrusted PR checks from publish/release workflows. Require approvals for any step that touches production or package registries.
- Treat AI tools like privileged endpoints: Default to sandboxing and containerization for AI CLIs and agents. Minimize filesystem reach and tool permissions. Shorten token lifetimes. The s1ngularity attackers found that 90% of leaked GitHub tokens were still valid days later. Isolate high-value credentials from developer machines entirely.
- Move from indicator-based hunting to technique-based detection: Collect audit logs and webhook-style events so the team can see what happened and how it was triggered. Alert on techniques: repository visibility changes, mass repo renames, new public repos created, unusual user agents performing write actions, cross-fork workflow executions, suspicious PR metadata patterns. These behaviors are harder to evade than IOC lists.
- Make detection shippable: Version all detections. Code review them. Test them. Deploy them like software. Teams that iterate on detection rules weekly will catch novel attack variants. Teams pushing annual rule updates won't.
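Two of the technique-based detections listed above (mass repository visibility changes, and write actions from unusual user agents), written as code that can be versioned, reviewed and tested like the column recommends. This is an added example, not code from the column or from Panther; the events are constructed to resemble GitHub audit-log entries, and the user-agent allowlist and thresholds are assumptions to tune per organization.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events shaped like GitHub audit-log entries (created_at, actor,
# action, repo, user_agent, visibility); every value is invented. One actor
# flips four repos public in seconds from a scripting user agent.
def ev(ts, actor, action, repo, ua="Mozilla/5.0", **extra):
    return dict(created_at=ts, actor=actor, action=action, repo=repo, user_agent=ua, **extra)

UA = "python-requests/2.31"
EVENTS = [
    ev("2025-08-27T03:10:05Z", "ci-publisher", "repo.access", "acme/svc-1", UA, visibility="public"),
    ev("2025-08-27T03:10:07Z", "ci-publisher", "repo.access", "acme/svc-2", UA, visibility="public"),
    ev("2025-08-27T03:10:09Z", "ci-publisher", "repo.access", "acme/svc-3", UA, visibility="public"),
    ev("2025-08-27T03:10:10Z", "ci-publisher", "repo.rename", "acme/svc-3", UA),
    ev("2025-08-27T03:10:12Z", "ci-publisher", "repo.access", "acme/svc-4", UA, visibility="public"),
    ev("2025-08-27T14:00:00Z", "alice", "repo.access", "acme/docs", visibility="public"),  # one change via web UI
    ev("2025-08-27T14:05:00Z", "alice", "git.push", "acme/docs", "git/2.45"),
]

WRITE_ACTIONS = {"repo.access", "repo.rename", "repo.create", "repo.destroy", "git.push"}
TRUSTED_UA_PREFIXES = ("Mozilla/", "GitHub CLI", "git/")  # assumed allowlist for interactive work

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def mass_exposure(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak count} for actors that made >= threshold repos public
    within one sliding window; a single deliberate change never fires."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] == "repo.access" and e.get("visibility") == "public":
            by_actor[e["actor"]].append(parse_ts(e["created_at"]))
    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[actor] = max(hits.get(actor, 0), end - start + 1)
    return hits

def scripted_writes(events):
    """Write actions whose user agent is outside the interactive allowlist."""
    return [(e["actor"], e["action"], e["repo"]) for e in events
            if e["action"] in WRITE_ACTIONS
            and not e["user_agent"].startswith(TRUSTED_UA_PREFIXES)]
```

Both functions return structured results rather than printing, so the same module can be imported by a unit test in CI and shipped through code review like any other change.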