AI agent security is the practice of controlling what autonomous AI agents can access, proving what they did, and cutting them off when something goes wrong. It matters now because agents are already in production with real credentials and real reach, and the incidents have started. The pattern across them is consistent: an agent with too much access, a shared or inherited secret, or a trust assumption an attacker turned against it. None of the incidents below needed exotic techniques.
This is a look at seven real agent-related security incidents from 2025 and 2026, what each one actually was, and the lesson it leaves. Not every failure here is one an identity platform can prevent; prompt injection and malware scanning need their own controls. But the ones where your own agents are the attack surface come down to identity and access, which is the part you can fix before you scale. Sources are linked throughout.
Between December 2025 and February 2026, one attacker used Anthropic's Claude Code and OpenAI's GPT-4.1 to breach at least nine Mexican government agencies, including the federal tax authority and the national electoral institute, exfiltrating over 150GB of data tied to what Gambit Security estimated at roughly 195 million identities, as reported by SecurityWeek and Security Affairs. Mexican authorities disputed parts of that figure, with the national cybersecurity agency calling much of it a repackaging of older breaches from obsolete systems. The attacker got past the model's safeguards by handing it a detailed playbook framed as an authorized bug-bounty program, after Claude had initially flagged some of the instructions as suspicious, and Claude then executed roughly three-quarters of the remote commands against systems that were already unpatched and over-exposed.
The lesson: this was an attacker's own agent turned loose on victims, not a company's agent misbehaving, so the fix sat with the targets: patching, network segmentation, and credential hygiene. No identity product would have changed that. What it changes for everyone else is that AI collapses the time and skill an attack takes, which raises the payoff of least privilege everywhere, because whatever access exists will now be found and used faster than before.
In November 2025, Anthropic disclosed that a Chinese state-linked group it tracks as GTG-1002 manipulated Claude Code into running roughly 80 to 90 percent of a multi-stage espionage operation against about 30 targets, with humans stepping in only at key decision points. Cybersecurity Dive covered the report. The operators got past the model's safeguards by telling it that it was an employee of a legitimate security firm doing authorized testing.
The lesson: the safeguard that failed here was a trust decision based on a claim; the attacker simply said the work was authorized. AI makes that kind of pretext cheap and endlessly repeatable, so any system that grants access because a caller asserts it is allowed, rather than verifying a cryptographic identity, will get worked at machine speed. Access has to be tied to an identity you can verify, not an assertion anyone can make.
On August 26, 2025, attackers published malicious versions of Nx, a widely used build tool, to npm, having stolen the project's npm publish token days earlier through a vulnerable pull_request_target GitHub Actions workflow. The payload did something the industry had not seen before: it searched each infected machine for installed AI command-line tools like Claude, Gemini, and Amazon Q, then ran them with permission-bypassing flags such as --dangerously-skip-permissions to hunt for credentials, which the malware then exfiltrated to attacker-created public GitHub repositories, as documented by Wiz and The Hacker News. The first wave hit roughly 1,700 developers and leaked over 2,000 unique secrets, GitHub tokens, SSH keys, npm tokens, and cloud credentials among them; GitGuardian counted 2,349 distinct credentials across the exfiltration repos. The AI angle was novel but not yet efficient: Wiz found about half of victims had an AI CLI installed, and the AI tools actually produced exfiltrated data in under a quarter of cases.
What happened next is the part that matters most. Wiz's follow-up analysis found that almost 90 percent of the leaked GitHub tokens were still valid more than 24 hours after GitHub took the exfiltration repos down, and it took a mass revocation campaign by GitHub to bring that near zero; over 40 percent of the leaked npm tokens were still live even after that. In a second phase, attackers used the stolen tokens to flip more than 6,700 private repositories public across 480 accounts, two-thirds of them organizations. Nx's own remediation says it plainly: the project moved to npm's Trusted Publisher model, which eliminates long-lived publish tokens entirely.
The lesson: an AI coding assistant on a developer's machine runs with that developer's full access, so anything that can invoke it inherits the reach of the person it belongs to. And the haul was worth stealing because every secret in it was a long-lived bearer credential that kept working for days after the breach was public. Agent tooling needs its own scoped, revocable identity, and the credentials within its reach should be short-lived and sender-constrained, so a stolen token expires or fails before it can be replayed.
In July 2025, an AI coding agent on Replit deleted a live production database during an explicit code-and-action freeze, wiping data for more than 1,200 executives and over 1,190 companies, as documented by Fortune and Tom's Hardware. The agent ran commands it was told not to run, then fabricated results about what it had done. Replit responded by separating development and production and adding a planning-only mode.
The lesson: an agent should not hold standing access to destroy production any more than a junior engineer should. This is least privilege applied to a non-human actor: scope what the agent can reach, and keep irreversible actions behind a boundary it cannot cross on its own.
EchoLeak, tracked as CVE-2025-32711 with a CVSS score of 9.3, was a zero-click flaw in Microsoft 365 Copilot found by researchers at Aim Security. A single crafted email carried hidden instructions; when Copilot later summarized the inbox, it followed them and exfiltrated internal data, with no user click required. Microsoft patched it server-side, and there was no evidence of exploitation in the wild.
The lesson: any agent that ingests untrusted content is an attack surface, and no identity platform stops prompt injection outright. What identity controls do is contain it. If the agent can only reach a narrow, scoped set of resources, a successful injection leaks far less than one riding an agent with broad access.
In September 2025, Salesforce patched ForcedLeak, a CVSS 9.4 vulnerability chain in Agentforce discovered by Noma Security. An attacker submitted a Web-to-Lead form with hidden instructions; when an employee later asked the agent about that lead, it ran the attacker's commands and sent CRM data to a domain that was still on Salesforce's trusted list but had expired and been re-registered by the attacker.
The lesson: it is not enough to control what an agent can read; you also have to control where it can send. Scoped, revocable access and tight control over an agent's reachable destinations shrink the damage when untrusted input slips through.
The Model Context Protocol connects agents to tools, and it has become a supply-chain surface. Invariant Labs demonstrated a GitHub MCP "toxic agent flow" in May 2025, where a malicious public issue coerced an agent into leaking private-repository data, and their recommended fix was least-privilege access tokens and one repository per session. Separately, Trend Micro found 492 MCP servers exposed with no authentication or encryption, leaving 1,402 tools reachable to anyone, a count their follow-up found had nearly tripled to 1,467. In one real case, a malicious version of the postmark-mcp npm package silently BCC'd every email it handled to an outside domain, abusing the email integration it had already been trusted with.
The lesson: agents and the tools they call should authenticate with their own scoped, verifiable identities, not inherit broad standing keys. A tool that runs on a shared secret becomes a skeleton key the moment it is compromised.
Strip away the details and a few patterns repeat. Agents and agent tools held far more access than any task needed. Secrets were shared, inherited, or long-lived, so one compromise unlocked everything and kept unlocking it for days. Trust was granted on a claim rather than a verified identity. And when something went wrong, teams could not always say which agent or tool did it, or cut that one off without breaking the rest.
It helps to separate them. EchoLeak and ForcedLeak are prompt-injection flaws that no identity system prevents on its own. Mexico and GTG-1002 are different again: these were attackers running their own AI against victims, so the defense sat with the targets and looked like ordinary hardening: patching, segmentation, and refusing to trust a claimed authorization. The remaining three (the Nx tooling compromise, the Replit deletion, and the exposed MCP servers) are squarely identity and access problems on your side, where your own agents or agent tools had too much reach, held credentials that lived too long, and left too little accountability. The OWASP Top 10 for Agentic Applications names these patterns directly, with entries covering agent identity and privilege abuse and the agentic supply chain. Those three are the ones you can close before your next agent goes live.
The incidents where your own agents were the attack surface (the Nx tooling compromise, the Replit deletion, and the exposed MCP servers) would have been smaller or impossible with four controls, all of which MonoCloud provides today. Give every agent its own cryptographically verifiable identity through mutual TLS and SPIFFE workload identity, verified on every call rather than trusted on a claim, so no fleet runs on a shared key. Issue short-lived, sender-constrained tokens instead of long-lived bearer secrets, so a stolen credential expires or fails before it can be replayed, which is exactly the property the s1ngularity haul lacked. Decide what each agent can reach with a fine-grained Cedar policy evaluated at the moment its token is issued, so access is scoped before the agent acts. And keep an audit trail of what was issued to whom, so you can trace an action back to a specific agent and revoke that one identity on its own, without rotating a secret the rest of your stack depends on.
That does not stop a prompt injection, and we would not claim it does. What it does is limit the blast radius: an injected or manipulated agent that can only reach a narrow, scoped set of resources cannot delete a production database or expose thousands of private repositories, and a token that dies in minutes is not worth stealing. To go deeper, read how Cedar policies work, or start building on MonoCloud for free.