Three Incidents. Four Layers. One Week.

The Same Week the Agentic Web Was Declared Production-Ready, Credential Exfiltration Hit Four Different Layers of the Stack.

June 15–21, 2026

On June 17, 2026, Google, Microsoft, Hugging Face, and eight enterprise infrastructure partners published the Agentic Resource Discovery specification — completing the agentic web infrastructure stack. Discovery layer. Transport layer. Description layer. Every piece is in place.

The same week, four credential incidents hit four different layers of that stack.

Layer 1 — The Enterprise SaaS API Layer

ServiceNow. June 2–9, 2026.

A Scripted REST Resource endpoint was shipped with requires_authentication=false. Attackers queried customer instance tables freely — IT support tickets, employee records, internal documentation, embedded credentials.

ServiceNow logged the vulnerability internally on April 7. Exploitation happened June 2–3. Silent patch June 5. Public disclosure June 9.

64-day gap. During those 64 days, the endpoint was live. The credential was real. The credentials inside the API responses were real.

Layer 2 — The Network Infrastructure Layer

Fortinet. June 19, 2026.

74,000 Fortinet VPN and firewall credentials were publicly leaked. CISA issued an urgent advisory.

Long-lived credentials. Real values. Accessible when the system is reached. The network security layer is not immune to the problem it was designed to solve.

Layer 3 — The Build Pipeline

Mastra AI npm packages. June 12–18, 2026.

North Korean state-backed attackers accessed a dormant npm maintainer account. In 88 minutes, they backdoored 144 Mastra AI packages. Same pattern as LiteLLM in March 2026. One compromised maintainer account. One trusted registry. 88 minutes.

The build pipeline is where credentials live. When the pipeline is compromised, every credential it holds is exposed.

Layer 4 — The Developer IDE

JetBrains malicious plugins. June 12–18, 2026.

Malicious JetBrains plugins were found harvesting AI API keys from developers' machines. The second named developer-toolchain incident in the same month — on June 2, a proof-of-concept demonstrated that a malicious Jupyter notebook silently steals a developer's GitHub OAuth token before any permission dialog appears. No patch.

The developer IDE holds real credentials in environment variables, configuration files, and application context. Any plugin with the right permissions can read them.

What All Four Share

Different companies. Different attack methods. Different layers of the stack.

The shared characteristic in every case: a real, long-lived credential was accessible at the layer that was reached.

This is not a coincidence. It is the design condition of the current credential model. The attacker's job is to find which layer is most reachable. Four different teams found four different layers reachable in the same week.

What the ARD Spec Says About This

The ARD specification published June 17 explicitly states: "ARD sits entirely before invocation. It helps the client find the right resource; the resource is then invoked through its own native mechanism."

This is the correct scope decision for a discovery protocol. But the four incidents above happened at the invocation boundary and below it. The credential design question — whether the credential that exists at each of these layers needs to be real — is not inside any current protocol spec.

The Diagnostic

You cannot patch yourself out of a design problem.

ServiceNow patched: requires_authentication=true. The credentials in the API responses during the 64-day window were real while the window was open. Fortinet credentials were leaked. Rotating all 74,000 closes the immediate exposure. The next set of long-lived credentials will also be real. The Mastra backdoor was removed. The build pipeline architecture that made it possible remains. The JetBrains plugins were flagged. The developer's AI API keys still exist in a form that any plugin with the right permissions can read.

The governance and detection layer response is fast and well-funded. All of it is protecting the real credential after it exists.

The design question is different. It asks whether the credential needs to be real at the point it is reached.

Continue Reading

The full analysis — including the security stack breakdown across all four layers, how automated threat surveillance and closed-loop response address each incident pattern, and how the design layer integrates with detection and governance tooling already in your stack — is published in full at:

devfortress.net/blog/four-layers-one-week

Resources

Six months of incident intelligence — all free:

Deep Digest archive: devfortress.net/blog

Semi-Annual Review: devfortress.net/blog/semi-annual-2026

Platform: devfortress.net · SDK: npm install devfortress-sdk

Newsletter: devfortress.substack.com

DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973