28 Million Secrets. 200,000 Vulnerable Servers. The Security Industry Built the Governance Layer. Nobody Built the Design Layer.
December 2025 – June 2026
The Numbers First
Before the narrative, the data. Six months. Six digests. This is what the numbers show:
28,649,024 – new secrets exposed on public GitHub in 2025 alone, a 34% year-over-year increase. The largest single-year jump in GitGuardian's five-year reporting history.
64% – the percentage of credentials confirmed as leaked in 2022 that were still active and exploitable in January 2026. Four years after detection. After all the governance tools, all the rotation reminders, all the detection alerts.
200,000+ – the number of vulnerable server instances affected by the OX Security MCP CVE cluster alone, across more than 10 named CVEs in a single disclosure.
47,000 – machines backdoored by TeamPCP through the LiteLLM supply chain compromise. Time window: approximately 40 minutes on PyPI.
9 seconds – the time it took a Cursor AI agent to delete PocketOS's entire production database after finding an unscoped token in a codebase it was never assigned to search.
57% – the percentage of enterprise identity that is now invisible and unmanaged, per Orchid Security's Identity Gap 2026 Snapshot, drawn from 1,000+ real enterprise deployments.
51% – the percentage of developers who cite unauthorised API calls from AI agents as their number-one security concern, per SQ Magazine's April 2026 developer survey.
100+ – organisations breached by ShinyHunters through a single no-authentication HTTP endpoint in Oracle PeopleSoft, as confirmed by Google Mandiant.
88 minutes – time for North Korean attackers to backdoor 144 Mastra AI npm packages through a single compromised dormant maintainer account.
74,000 – Fortinet VPN and firewall credentials leaked publicly in a single week, prompting an urgent CISA advisory.
These numbers did not arrive at once. They arrived month by month, incident by incident, CVE by CVE. This article is the first time they have been read together.
Month −4 (December 2025 – January 2026): The Month Every Warning Was Published
The crisis did not begin with an incident. It began with a framework.
On December 9, 2025, OWASP published the Top 10 for Agentic Applications, the first globally peer-reviewed security framework for autonomous AI systems. Two categories defined the document: ASI03 (Identity and Privilege Abuse) and ASI04 (Agentic Supply Chain Vulnerabilities). The framework introduced the least agency principle. It named the problem in governance terms. It did not describe a design-layer answer.
In January 2026, the WEF's Global Cybersecurity Outlook reported that between December 2025 and January 2026, a single attacker used Claude and MCP tools to breach six Mexican government agencies. The first confirmed AI-orchestrated cyber-espionage campaign in history.
Claude Code CVE-2026-21852 was disclosed the same month: simply cloning an untrusted repository could silently redirect a developer's active Anthropic API key to attacker-controlled infrastructure, before the trust dialog appeared.
And OpenClaw reached 20,000 GitHub stars in a single day. Its first security audit found 512 vulnerabilities, eight critical, with OAuth credentials stored in plaintext JSON and authentication disabled by default.
Every ingredient was present. None of it was visible as a crisis yet.
Month −3 (January – February 2026): The Month It Got Names
On January 31, 2026, Wiz Security researchers found the Supabase API key hardcoded in Moltbook's client-side JavaScript and queried the database directly. Full read/write access. 1.5 million API authentication tokens. 35,000 email addresses. Plaintext OpenAI and Anthropic API keys in private messages, including the API key of Andrej Karpathy, OpenAI founding member.
Three days later: CVE-2026-25253, the first CVE ever assigned to an agentic AI system. CVSS 8.8. 42,000+ OpenClaw instances reachable on the public internet. 93% running without authentication. Belgium's Centre for Cybersecurity issued an emergency advisory.
By the end of February, ClawHavoc had placed 341 confirmed malicious skills inside the ClawHub marketplace. The supply chain attack on the AI agent ecosystem had already begun.
Month −2 (February – March 2026): The Quiet Month That Measured Everything
On March 17, 2026, GitGuardian published the fifth edition of their State of Secrets Sprawl: 28,649,024 new secrets exposed on public GitHub in 2025. AI-service credentials surged 81.5%. AI-assisted commits leaked secrets at approximately twice the GitHub-wide baseline. 24,008 unique secrets found in MCP configuration files in the protocol's first year.
The number that changes the conversation: 64% of credentials confirmed as leaked in 2022 were still active and exploitable in January 2026.
Detection tools find what was committed. They cannot rotate what was found; rotation requires human action, and that action, demonstrably, does not happen at scale.
BlueRock Security separately found 36.7% of 7,000+ public MCP servers vulnerable to server-side request forgery.
Month −1 (March – April 2026): The Month Before the Crisis
March 24, 2026. Any machine that installed LiteLLM version 1.82.7 or 1.82.8 had all its credentials handed to an attacker: AWS tokens, GCP credentials, SSH keys, Kubernetes configurations, database passwords, API keys from .env files. 47,000 downloads in approximately 40 minutes. The attacker, TeamPCP, had not found a bug. They had compromised the security scanner LiteLLM used in CI/CD and pushed the backdoor directly to the registry. The AI toolchain itself was the attack vector.
The Vercel breach was also running quietly. Lumma Stealer captured Google Workspace OAuth credentials from a third-party employee's personal machine. Two months of dwell time. Customer credentials eventually auctioned on BreachForums for two million dollars.
Month 0 (April – May 2026): The Month the Market Confirmed the Gap
OX Security published what they called "the mother of all AI supply chains." The MCP STDIO transport architecture allows an attacker who can influence a configuration file to execute arbitrary shell commands on the host. More than 10 CVEs. 200,000 vulnerable instances. 150 million+ downloads affected.
Ten days later, PocketOS. A Cursor AI agent scanned the codebase, found an API token provisioned for domain management, and issued a single GraphQL mutation. The production database was gone in nine seconds.
RSAC 2026 followed. Microsoft, Cisco, Google, Okta, Check Point, Palo Alto: every Tier-1 enterprise security vendor confirmed the problem and shipped a governance or detection response.
And 1Password launched Unified Access with this statement: "Later this year, 1Password will expand Unified Access to issue scoped credentials to agent and machine workloads at runtime."
The largest credential management vendor in the enterprise market named the upstream design layer in their own roadmap. They flagged it as a future item.
Month 1 (May – June 2026): The Conference Season Confirms It
Orchid Security's Identity Gap 2026 Snapshot: 57% of enterprise identity invisible and unmanaged. 67% of non-human accounts created entirely outside IAM view. 70% of enterprise applications containing excessive privileged accounts.
Identiverse 2026 ran June 15–18 in Las Vegas. Every major NHI governance vendor presenting. AI strategist Chris Hood attended in person and published: "Identiverse Has 100 Vendors Solving Agent Identity at the Wrong Layer."
Four incidents hit in the final week of June: ServiceNow, Fortinet, Mastra AI npm packages, JetBrains IDE. Different companies. Different attack methods. Different layers of the stack. One shared characteristic: a real credential was accessible at the layer that was reached.
On June 17, the Agentic Resource Discovery specification was published, completing the agentic web infrastructure stack at the discovery, transport, and description layers. The spec explicitly states: "ARD sits entirely before invocation." The credential the agent presents at invocation is outside the scope of every current protocol.
The Pattern Across Six Months
Read any single month in this series and you see an incident. Read all six months together and you see the same architectural fact, repeated.
The credential was real.
That is the pattern. Moltbook. OpenClaw. LiteLLM. Vercel. OX Security. PocketOS. Oracle PeopleSoft. ServiceNow. Fortinet. Mastra. JetBrains. Every incident. Every layer. Same root.
The governance layer response was fast, professional, and well-resourced. Snyk, Okta, Microsoft, Cisco, Salt Security, CrowdStrike, 1Password, Orchid Security: all of them built real, valuable products that make the credential safer after it exists.
None of them changed what the credential is.
The Unanswered Question
Detection tells you what happened. Governance defines what should have happened. Response closes the window after compromise. All three are necessary. None of them ask the prior question: does a real, directly usable credential need to exist at this point in the execution context at all?
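The question can be made concrete. What follows is an added illustration of the design-layer alternative, not code from the article, DevFortress or any vendor named above: a broker keeps the only long-lived secret and hands the agent a short-lived token bound to one subject and one scope set, and the resource checks signature, expiry and scope on every call. The broker, the `<resource>:<action>` scope strings, the HMAC construction and the replayed scenario are all assumptions for the example. The scenario mirrors the PocketOS shape described earlier: an agent tasked with domain management holds only a domain-scoped token, so a destructive database operation is refused rather than executed.

```python
import base64
import hashlib
import hmac
import json
import time

REASON_OK = "ok"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CredentialBroker:
    """Holds the only long-lived secret. Agents never receive it; they receive a
    token naming one subject, one scope set and one expiry (assumed scheme)."""

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key  # never placed in an agent's environment

    def issue(self, subject: str, scopes: list, ttl_seconds: int, now: float = None) -> str:
        now = time.time() if now is None else now
        claims = {"sub": subject, "scope": " ".join(scopes), "exp": int(now + ttl_seconds)}
        body = _b64encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"


class ProtectedResource:
    """The API the agent actually calls. It verifies the token before every
    operation. With HMAC it shares the key with the broker; an asymmetric
    signature would let it hold only a public key."""

    def __init__(self, verification_key: bytes):
        self._verification_key = verification_key

    def authorize(self, token: str, operation: str, now: float = None) -> tuple:
        now = time.time() if now is None else now
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self._verification_key, body.encode(), hashlib.sha256).hexdigest()
        if not body or not hmac.compare_digest(expected, tag):
            return False, "bad signature"          # claims are only decoded after the tag checks out
        claims = json.loads(_b64decode(body))
        if now >= claims["exp"]:
            return False, "expired"
        if operation not in claims["scope"].split():
            return False, f"scope '{claims['scope']}' does not cover '{operation}'"
        return True, REASON_OK


def run_scenario(now: float = 1_700_000_000.0) -> dict:
    """Constructed replay: a domain-management agent holds a domain-scoped token."""
    key = b"constructed-broker-key-for-the-example"
    broker = CredentialBroker(key)
    api = ProtectedResource(key)

    token = broker.issue("domain-agent", ["domains:read", "domains:update"], ttl_seconds=300, now=now)

    # Tampering attempt: rewrite the claims to add a database scope but keep the old tag.
    body, _, tag = token.rpartition(".")
    forged_claims = json.loads(_b64decode(body))
    forged_claims["scope"] += " database:drop"
    forged = _b64encode(json.dumps(forged_claims, sort_keys=True).encode()) + "." + tag

    return {
        "intended_use": api.authorize(token, "domains:update", now=now + 10),
        "out_of_scope": api.authorize(token, "database:drop", now=now + 10),
        "after_expiry": api.authorize(token, "domains:update", now=now + 300),
        "forged_scope": api.authorize(forged, "database:drop", now=now + 10),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in run_scenario().items():
        print(f"{case:14} allowed={allowed!s:5} {reason}")
```

The point of the exercise is what an agent that finds this token in a codebase can do with it: one scope set, for a few minutes, and nothing else. The raw credential the article's incidents turned on never enters the agent's execution context at all.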
The design-layer question is still open. The full six-month analysis, including the complete incident timeline, what the stack looks like across application, API, agent, and transport layers, and how the design layer integrates with governance and detection tooling already in your stack, is published in full at devfortress.net.
Continue Reading
The complete semi-annual review, including the full security stack analysis, the DevFortress integration layer, and the complete prior art timeline, is published at:
devfortress.net/blog/semi-annual-2026
Deep Digest archive (all six issues, free):
- DD1: devfortress.net/blog/deep-digest-1
- DD2: devfortress.net/blog/deep-digest-2
- DD3: devfortress.net/blog/deep-digest-3
- DD4: devfortress.net/blog/deep-digest-4
- DD5: devfortress.net/blog/deep-digest-5
- DD6: devfortress.net/blog/deep-digest-6
Academic preprints:
- SSRN 6813141: papers.ssrn.com/sol3/papers.cfm?abstract_id=6813141
- SSRN 6813640: papers.ssrn.com/sol3/papers.cfm?abstract_id=6813640
- Zenodo: doi.org/10.5281/zenodo.20663396
- Zenodo: doi.org/10.5281/zenodo.20663801
Platform: devfortress.net · SDK: npm install devfortress-sdk
Newsletter: devfortress.substack.com
DevFortress · Patent Pending – KIPI KE/P/2026/005970–005973