Security agents now catch threats—and become them

image from Gemini Imagen 4
Agentic security in the blast radius: Trivy CI/CD breach and the emerging agent supply chain template
The security community has been wiring agentic AI into its tooling for months. The payoff is starting to show — and so is what can go wrong when the dependency graph runs the wrong direction.
A supply chain attack has weaponized a popular open-source vulnerability scanner. Google has deployed Gemini models as frontline threat intelligence analysts, sifting millions of dark web events daily. And a Russian state-linked iOS exploit chain is circulating in the wild — the same threat intelligence team that confirmed the campaign is the one now deploying AI agents at scale to catch campaigns like it. Three events, one dependency graph running in different directions.
The Trivy breach is the clearest template for what agents-as-a-feature means in practice, and for what goes wrong when a security agent becomes the attack surface. On March 19, 2026, Aqua Security's CI/CD pipeline was compromised using stolen credentials. A malicious Trivy v0.69.4 release carrying a credential-stealing payload was published to Docker Hub, according to the GitHub Security Advisory, which tracks the issue as CVE-2026-33634 at CVSS 9.4. The malware harvested secrets from process memory and from well-known filesystem locations, including SSH keys, cloud provider credentials, and Kubernetes tokens. Two related GitHub Actions, aquasecurity/trivy-action and aquasecurity/setup-trivy, had their refs force-pushed to credential-stealing versions, so any workflow that referenced those actions by tag or branch picked up the malicious code with no change on the consumer's side. The malicious image versions, 0.69.4 through 0.69.6, were eventually removed from Docker Hub.
The blast radius kept expanding. The same compromised credentials were used to access Aqua Security's internal GitHub organization, aquasec-com (distinct from the public aquasecurity org), exposing proprietary source code including Trivy forks and CI/CD pipeline definitions, as reported by Security Affairs. All 44 repositories in the internal org were renamed and defaced within roughly two minutes on March 22. The threat actor, tracked as TeamPCP by Wiz and other security teams, then used the stolen credentials to distribute a self-propagating npm worm called CanisterWorm, which researchers at Aikido Security and Mend linked directly to the Trivy compromise.
Here is the part that should concern anyone wiring agent tooling into CI/CD: Trivy behaves like an agent in the sense that matters. It runs unattended inside build pipelines, pulls images, and executes scans against target environments, and to do that it is typically granted broad network access and credentials that reach registries, clusters and cloud accounts. Compromising it means owning the trust relationship between a security tool and everything it touches. The attack is agent-on-agent in a meaningful sense: the threat actor used a security agent's own update and distribution mechanism as the delivery vehicle.
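The practical check that follows from the force-pushed actions and the re-published Docker Hub tags is whether your own pipelines reference the scanner by a mutable ref at all. The script below is an added example written for this article, not code from Aqua Security or any of the teams cited; it walks a GitHub Actions workflow line by line and flags every uses: entry that is not pinned to a full 40-hex commit SHA and every container image that is not pinned by an @sha256 digest. The sample workflow is constructed for the example, and the commit SHA and image digest in it are placeholders, not real artifacts. One caveat the example cannot remove: pinning an action by SHA protects you from a force-pushed tag, but if the pinned action itself downloads a tool release at run time (setup-trivy installs a Trivy binary), the tool version is still only as trustworthy as the release it fetches, which is exactly the path the malicious 0.69.x images took.

```python
"""Audit a GitHub Actions workflow for mutable action refs and undigested images.

Added example for this article; not part of Trivy, trivy-action or any Aqua project.
The SAMPLE_WORKFLOW below is constructed, and its SHA and digest are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# `- uses: owner/repo@ref` (quotes and trailing "# comment" tolerated)
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# `image: name:tag` or the string form `container: name:tag`
IMAGE_LINE = re.compile(r"^\s*(?:image|container):\s*['\"]?([^\s'\"#]+)")


@dataclass
class Finding:
    line: int
    kind: str      # "action" or "image"
    ref: str
    reason: str


def check_image(ref: str) -> Optional[str]:
    """A tag such as 0.69.4 or latest can be re-pushed; only a digest is immutable."""
    if IMAGE_DIGEST.search(ref):
        return None
    return "image is not pinned by @sha256 digest (tag can be re-pushed)"


def check_action(ref: str) -> Tuple[str, Optional[str]]:
    """Tags and branches can be force-pushed; only a full commit SHA is immutable."""
    if ref.startswith("./"):
        return "action", None                      # local action, versioned with the repo
    if ref.startswith("docker://"):
        return "image", check_image(ref[len("docker://"):])
    if "@" not in ref:
        return "action", "no ref at all (resolves to the default branch)"
    _, _, version = ref.rpartition("@")
    if COMMIT_SHA.match(version):
        return "action", None
    return "action", f"mutable ref '{version}' (pin to a 40-hex commit SHA)"


def audit_workflow(text: str) -> List[Finding]:
    """Line-oriented scan; the two keys we care about never need a full YAML parse."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            kind, reason = check_action(m.group(1))
        else:
            m = IMAGE_LINE.match(line)
            if not m:
                continue
            kind, reason = "image", check_image(m.group(1))
        if reason:
            findings.append(Finding(n, kind, m.group(1), reason))
    return findings


# Constructed sample workflow (not taken from any real repository).
# The setup-go SHA and the ghcr.io digest are placeholders, not real commits or images.
SAMPLE_WORKFLOW = f"""\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:0.69.4
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: aquasecurity/setup-trivy@v0.2.0
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool@sha256:{'a' * 64}
      - uses: docker://aquasec/trivy:latest
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.kind} {f.ref}: {f.reason}")
```

Run against the constructed workflow it reports five findings: the container image by tag, three actions pinned to a tag or branch (checkout@v4, setup-trivy@v0.2.0, trivy-action@master), and the docker:// image by tag; the SHA-pinned action, the local action and the digest-pinned image pass. Treat the output as a list of places where a force-push or a re-pushed tag upstream would change what your pipeline runs without any commit on your side.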
The same dynamic appears on the defensive side, inverted. Google Threat Intelligence announced this week that its dark web intelligence capability, built on Gemini models and now in public preview following its RSA Conference announcement, is processing what it describes as "millions of daily external events" with what Google claims is 98% accuracy, according to the Google Cloud blog. The system's value proposition is scale: parsing forums, marketplaces, and technical infrastructure at a volume that would overwhelm human analysts, then surfacing only the threats relevant to a given organization's profile. A quote from Michael Kosak, director of threat intelligence at LastPass, underscores the contrast: "In previous roles, I've leveraged several dark web tools and found they averaged over 90% false positives. The new dark web intelligence flips this."
The irony isn't subtle. The same Google Threat Intelligence team whose AI agents are deployed at scale to catch campaigns is also the group that confirmed DarkSword — an iOS exploit chain now in active use by Russian state hackers and commercial surveillance vendors. iVerify's detailed technical disclosure traced the exploit to Ukrainian government websites modified to serve a malicious iframe, targeting iPhones running iOS 18.4 through 18.6.2 via six distinct vulnerabilities. The exploit family — which Google dubs GHOSTBLADE, GHOSTKNIGHT, and GHOSTSABER — has been linked by GTIG to UNC6353, a Russian espionage group previously associated with the Coruna exploit kit. The chain was named DarkSword by GTIG researchers after finding const TAG = "DarkSword-WIFI-DUMP" inside recovered implant code. Apple addressed the vulnerabilities across iOS 26.1, 26.2, and 26.3, with patching complete by iOS 26.3.
What connects these events isn't just the calendar. The agentic infrastructure being wired into security tooling — Trivy's CI/CD-driven updates, Gemini's autonomous event processing, the scanner integrations running inside developer environments — creates a new class of high-value targets. Compromise a security agent and you own the trust perimeter of every environment it touches. Defend with agents and you gain scale that human analysts can't match, but you also inherit the supply chain that agent depends on. The attack surface and the defense surface are the same infrastructure, running in different directions.
The Google Threat Intelligence blog post announcing Gemini's dark web capabilities was published twelve days after the Wiz acquisition closed on March 11, 2026. Google now runs the threat intelligence platform, Wiz, and, via Mandiant, the incident response team that would be called in when something like Trivy or DarkSword detonates. The concentration is notable; the competitive implications are less clear.
The question worth sitting with: if your security posture is now partly a function of what your tooling agents can reach and how they're credentialed, who has audited that dependency graph lately?

