Research: the trust chain, not the perimeter, was the week's attack surface

The week's research converges on one structural shift: the productive attack surface in 2026 is the set of trust relationships connecting developer tools, CI/CD pipelines, SaaS integrations, AI coding agents and the browser — not the network perimeter. Tenable's analysis of the Miasma worm frames it as a "Developer Credential Economy": an infostealer harvests a developer credential (a Red Hat GitHub token sat in infostealer logs ~7 weeks before weaponisation), it is brokered underground, then weaponised through npm and — the novel capability — injected into the SessionStart hooks of AI coding tools so it runs when a developer opens a repo (Socket enumerates at least five affected tools — Claude Code, GitHub Copilot, Gemini CLI, Cursor, VS Code). The entire kill chain carries no CVE, and SLSA provenance attestations passed registry checks — provenance without content scanning is no defence (Socket).

The same trust-boundary theme runs through the week's other primary research: the Klue/Icarus cascade (a 2022 OAuth grant, § 2); Cordyceps, which found 300+ exploitable pull_request_target GitHub Actions misconfigurations leaking main-branch secrets (Novee Security); Unit 42's malicious-skill payloads bypassing the OpenClaw agent sandbox (Unit 42); and Island's "BadBlocker", an 11M-install Chrome ad-blocker one server-side config change away from arbitrary JavaScript on any site, with no extension update or store review (Island). On the identity plane, Netcraft documented Bluekit, a Browser-in-the-Middle phishing-as-a-service platform that authenticates the victim into the attacker's browser session, defeating Device Bound Session Credentials (Netcraft) — a reminder that session-binding controls like DBSC do not stop a browser-in-the-middle relaying the live authenticated session. Cisco Talos's field guide to Windows COM abuse (ITaskService, BITS, WMI, DCOM as EDR-evasion primitives) closes the loop on detection: indirect vtable calls hide activity behind legitimate service call stacks. The defender takeaway is uniform — audit OAuth grants and integration service accounts older than 12 months, restrict AI-agent hook configuration to read-only paths, treat CI/CD token scope as a reviewed principal, and don't assume FIDO2 closes the phishing path.