Vigilant Research

AI Agents as Force Multipliers — The Next Evolution of Supply Chain Attacks

Date March 24, 2026
Classification Client Advisory
Threat Level HIGH
50,012 Repos Scanned
20,265 Repos Vulnerable
192,776 Vulnerabilities
590M+ Downstream Forks

GitHub CI/CD
Chris Nyhuis
CEO, Vigilant
10 min read
Part of a 9-part research series on CI/CD pipeline security. See all articles below.

The tj-actions incident was the dress rehearsal. An AI-orchestrated version would be the main event - faster, stealthier, and hitting orders of magnitude more targets simultaneously.

The Setup

In our anatomy of a CI/CD chain attack, we walked through the five steps from reconnaissance to exfiltration. That chain - as it exists today - is manual. A human attacker identifies targets, compromises an account, writes a payload, and monitors the exfiltration. The tj-actions/changed-files incident in March 2025 followed this playbook. It was discovered and contained within days because human-paced attacks leave human-sized gaps.

AI agents change the calculus. Every step of the chain attack can be automated, parallelized, and adapted in real time. The skill barrier drops from “APT group with months of planning” to “motivated individual with API access.” The speed shifts from days to hours. The scale shifts from one action to hundreds simultaneously.

This isn’t speculation. Our scan - the reconnaissance phase of exactly this kind of attack - ran autonomously across 50,012 repos and identified 20,265 vulnerable targets with 192,776 findings in days with minimal human effort. We built it to find vulnerabilities. An adversary would build it to exploit them.

How AI Amplifies Each Step

Step 1: Reconnaissance - From Days to Hours

Traditional recon requires an attacker to manually scan repositories, map dependencies, and prioritize targets. An AI agent does this at API speed. It scans millions of repos in hours, builds dependency graphs automatically, and ranks targets by blast radius - how many downstream consumers each action has, how many forks each repo has, how sensitive the CI environment appears to be.

Our Runner Guard scan proves this is already feasible with today’s tooling. 50K repos scanned, 20,265 vulnerable targets mapped, compound vulnerability patterns identified - all automated. An attacker with similar tooling would have the same output but a different objective.

Step 2: Compromise - Personalized at Scale

AI-generated phishing campaigns can be personalized from a maintainer’s public footprint - their GitHub activity, conference talks, blog posts, LinkedIn profile. The targeting isn’t generic “Dear User” - it’s contextual, referencing the maintainer’s recent commits, their open issues, the specific projects they work on.

For high-value single-maintainer targets - action-gh-release (1,405 repos), rust-toolchain (989 repos), setup-php (1,147 repos) - the AI agent can research the maintainer’s public presence and craft targeted approaches that feel like legitimate community interaction. A well-crafted issue about a specific edge case in the maintainer’s action, linking to a page that harvests credentials. The social engineering is the same; the personalization scales with AI.

Step 3: Payload - Polymorphic Code Generation

Here’s where AI creates a qualitatively new threat. An AI agent can generate payload code that matches the target action’s existing code style - variable naming conventions, comment patterns, error handling approach, formatting. The malicious commit looks like it belongs in the codebase. Human review, if it happens, is less likely to flag code that “looks normal.”

The payload can be polymorphic - different for each target action, adapting to the codebase it’s injecting into. Traditional payloads are detectable because they’re static patterns. AI-generated payloads are detectable only by behavior analysis, which most CI/CD environments don’t perform.

Step 4: Propagation - Real-Time Monitoring

An AI agent can monitor CI runs across the compromised action’s consumers in real time. It can confirm which repos have triggered, verify exfiltration success, and adapt if a payload is detected or blocked. If one approach fails for a specific consumer, the agent can regenerate and push an updated payload within minutes.

From our data: docker/login-action@v3 alone would hit 1,848 repos. An AI agent monitoring those 1,848 CI runs could triage exfiltrated credentials by value - prioritizing cloud production credentials over development tokens, registry push tokens over read-only access - and begin lateral movement on the highest-value targets within the same time window.

Step 5: Lateral Movement - Autonomous Pivoting

Stolen credentials become the input to the next agent loop. Cloud credentials → enumerate infrastructure → identify sensitive data → exfiltrate. Registry tokens → push backdoored packages → impact downstream consumers. GITHUB_TOKEN → push code to the downstream repo → establish persistent access.

An AI agent can perform this lateral movement autonomously, pivoting from one compromised environment to the next without human direction. Each credential opens a new branch of the attack tree. The agent explores all branches simultaneously.

Step 6: Covering Tracks

A human attacker might forget to restore the original action code after the exfiltration window closes. An AI agent won’t. It can move the tag back to the legitimate commit, clean up artifacts, and close the window - leaving minimal forensic evidence that the attack ever occurred.

The Data Backs It Up

Our scan contains the evidence that this threat model is real and the attack surface is already in place:

The reconnaissance phase works. 20,265 vulnerable repos identified with 192,776 findings from public data, automated, in days. The tooling to map the entire GitHub Actions supply chain already exists.

The targets are concentrated. Single-maintainer chokepoints and organizational concentration mean an attacker doesn’t need to compromise hundreds of accounts. A handful of high-value targets - action-gh-release, rust-toolchain, Docker - cover thousands of downstream repos.

The compound vulnerabilities are pre-staged. 3,172 repos have the complete attack chain already assembled: unpinned action + write permissions. 611 have the triple compound. These aren’t targets that need exploitation - they’re targets that need one compromised dependency to cascade into full compromise.

AI is already in CI/CD. anthropics/claude-code-action is used unpinned in 175 repos, nearly doubling during our scan from 77 to 175 repos. Hundreds of claude-*.yml, copilot-*.yml, and ai-*.yml workflows exist across top repos. AI in CI is mainstream - and growing faster than security awareness.

The AI-in-CI Paradox

The most ironic dimension of this threat isn’t AI attacking CI/CD - it’s AI defending CI/CD while simultaneously creating new attack surfaces.

Repos are deploying AI agents - Claude, Copilot, and others - to review pull requests automatically. These agents load configuration files from the repository checkout: CLAUDE.md, .cursorrules, copilot-instructions.md. When the workflow trigger is pull_request_target, the checkout includes untrusted fork code.

The attack chain:

  1. Attacker submits a PR to a repo using AI-powered PR review
  2. The PR includes a malicious AI config file (CLAUDE.md with adversarial instructions)
  3. The AI agent loads the config during automated review on pull_request_target
  4. The AI follows the attacker’s instructions - approving the PR, exfiltrating secrets, or modifying the review output
  5. The AI agent designed to improve security becomes the attack vector

RGS-010 - our detection rule for this class of attack - found 5 findings across 4 repos, including a leading Python AI framework (4 findings) and a major browser organization. Runner Guard is currently the only scanner detecting AI config injection in CI/CD.

The AI tools being deployed to defend pipelines are themselves creating novel attack surfaces that traditional scanners don’t detect. The paradox: the more AI we deploy in CI/CD for security, the more AI-specific attack surface we create.

claude-code-action: Case Study in AI Supply Chain Growth

anthropics/claude-code-action provides the clearest growth trajectory data in our scan:

Scan Progress     @v1 Repos   Total Repos
40% complete      77          77
53.8% complete    140         99
100% complete     140         175

The breakdown at 100%:

  • @v1 - 140 repos (standard release channel)
  • @beta - 35 repos (early adopters on unstable channel)
  • @eap - 3 repos (early access preview)
  • @main - 1 repo (branch-pinned - worst case)

Adoption nearly doubled during our scan period. A major database company forked claude-code-action and runs their own copy at @v1. The action itself isn’t the vulnerability - it does what it’s designed to do. The vulnerability is 175 repos trusting mutable tags for code that executes on every pull request with CI secrets access.

This is the pattern playing out in real time: a new AI tool gains traction, developers adopt it quickly, nobody SHA-pins it. The supply chain problem repeats faster than the ecosystem can learn from each iteration.

AI Tools as OIDC Targets

Several of the most popular AI tooling repositories have RGS-009 OIDC misconfigurations - cloud credential theft vectors sitting inside the AI ecosystem:

  • A popular AI chat interface (85K-90K stars) - unsafe checkout with cloud credential access
  • A popular multi-agent AI framework (60K-65K stars) - OIDC misconfig
  • A popular AI desktop client (40K-45K stars) - 10 different rule categories, broadest profile

These repos are building the tools that will power autonomous AI agents. Their own build pipelines are exploitable. An attacker who compromises the CI of an AI tool gains influence over every user of that tool - and the AI tool’s own behavior in downstream environments.

The AI Ecosystem’s Blind Spot

There’s a pattern across the AI repos in our dataset that’s worth naming explicitly: teams building AI tools focus intensely on model safety - alignment, guardrails, content filtering, prompt injection defenses - while paying almost no attention to the CI/CD pipeline that builds and deploys the tool itself.

The numbers tell the story. A popular LLM web interface (120K-130K stars) has 172 findings across 4 rule categories. A popular LLM inference engine (90K-100K stars) has 181 findings across 4 rules. A popular local LLM runtime (150K+ stars) has 36 findings across 3 rules. These are the repos building the AI infrastructure the industry depends on, and their CI/CD pipelines have taint-to-execution chains where untrusted input flows to code execution.

The AI safety community has spent enormous effort on making models safe to use. Almost none of that effort has been directed at making the build systems that produce those models safe from supply chain compromise. A backdoored CI/CD pipeline in an AI framework doesn’t care about model alignment - it has access to everything the build system touches.

This blind spot is particularly dangerous because AI repos tend to have complex CI/CD configurations - model training workflows, GPU-accelerated builds, multi-platform distribution, automated benchmarking - all of which create more action dependencies, more permission grants, and more attack surface.

The HackerClaw Precedent

Vigilant open-sourced Runner Guard’s CI/CD scanning capabilities from the ThreatCert platform specifically because of the HackerClaw campaign - an attack operation that demonstrated AI agents being used to exploit CI/CD pipelines at scale. The attack combined automated reconnaissance with LLM-generated social engineering to compromise action maintainers, using techniques nearly identical to the amplified chain attack we describe above.

HackerClaw proved that AI-orchestrated supply chain attacks aren’t a theoretical future risk - they’re a present reality. The campaign used AI for exactly the steps we outlined: automated target identification, personalized compromise attempts, and adaptive payload generation. The main difference between HackerClaw and the fully-autonomous scenario we describe is scale - HackerClaw still had humans directing the AI agents. The fully-autonomous version is an engineering problem, not a research one.

This is why Vigilant released Runner Guard as a free, open-source tool. The attack tooling is already being built. The defense tooling needs to be equally accessible.

What This Means for Defense

The AI force multiplier changes the defensive calculus in two ways:

Speed of response matters more. A human-paced attack gives defenders days to detect and respond. An AI-paced attack compresses that window to hours. The tj-actions incident was detected relatively quickly because the attack was crude - credentials were exfiltrated to a public gist. An AI-orchestrated version would use encrypted channels, rate-limited exfiltration, and adaptive payloads that change when detection seems likely.

Point-in-time scanning isn’t enough. If an attack can execute and clean up within hours, a weekly or monthly scan will miss it entirely. Continuous monitoring - scanning every hour, correlating CI/CD changes with other threat signals - is the defensive answer to AI-paced attacks. ThreatCert’s Temporal Shift Analysis detects when pipeline configurations change rapidly, flagging the velocity of change as a risk signal separate from the change itself.
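As an added illustration of the velocity signal described above (example code written for this edit, not ThreatCert's or Runner Guard's implementation), the script below counts pipeline-configuration changes per actor inside a sliding window and flags bursts that exceed a plausible human rate, treating a re-pointed release tag as a change in its own right. The events, actor names, file paths, window size and threshold are all constructed assumptions.

```python
"""Velocity-based change detection for CI/CD configuration files.

Added example (not Vigilant's ThreatCert code). It models the idea behind
"Temporal Shift Analysis": the rate at which workflow files and AI-agent
config files change is itself a risk signal, independent of what changed.
All events below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeEvent:
    timestamp: datetime       # when the commit or tag update landed
    actor: str                # account that made the change
    path: str                 # file touched, or tag name when ref_moved is True
    ref_moved: bool = False   # True when a release tag was re-pointed


def is_pipeline_config(path: str) -> bool:
    """Workflow files and AI-agent config files count as pipeline config."""
    ai_configs = {"CLAUDE.md", ".cursorrules", "copilot-instructions.md"}
    return path.startswith(".github/workflows/") or path.rsplit("/", 1)[-1] in ai_configs


def velocity_alerts(events, window=timedelta(hours=1), max_changes=3):
    """Return (actor, window_start, count) for each actor whose pipeline-config
    changes exceed max_changes inside a sliding window of the given length.

    Tag re-points always count: moving a tag back to the legitimate commit is
    the clean-up step described in Step 6, so it should raise the velocity
    score rather than hide the burst.
    """
    bursts = {}  # actor -> (window_start, count) of the largest burst seen
    recent = {}  # actor -> deque of timestamps inside the current window
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not (is_pipeline_config(ev.path) or ev.ref_moved):
            continue
        q = recent.setdefault(ev.actor, deque())
        q.append(ev.timestamp)
        while ev.timestamp - q[0] > window:  # drop events that aged out
            q.popleft()
        if len(q) > max_changes:
            _, count = bursts.get(ev.actor, (None, 0))
            if len(q) > count:
                bursts[ev.actor] = (q[0], len(q))
    return sorted((actor, start, count) for actor, (start, count) in bursts.items())


# Constructed sample history: routine edits over days, then one 20-minute burst.
T0 = datetime(2026, 3, 20, 9, 0)
SAMPLE_EVENTS = [
    ChangeEvent(T0, "alice", ".github/workflows/ci.yml"),
    ChangeEvent(T0 + timedelta(days=1), "alice", "README.md"),          # not config, ignored
    ChangeEvent(T0 + timedelta(days=2), "bob", ".github/workflows/release.yml"),
    ChangeEvent(T0 + timedelta(days=3), "ci-maint", ".github/workflows/ci.yml"),
    ChangeEvent(T0 + timedelta(days=3, minutes=4), "ci-maint", ".github/workflows/release.yml"),
    ChangeEvent(T0 + timedelta(days=3, minutes=9), "ci-maint", "CLAUDE.md"),
    ChangeEvent(T0 + timedelta(days=3, minutes=15), "ci-maint", "src/main.py"),  # ignored
    ChangeEvent(T0 + timedelta(days=3, minutes=20), "ci-maint", "v3", ref_moved=True),
]

if __name__ == "__main__":
    for actor, start, count in velocity_alerts(SAMPLE_EVENTS):
        print(f"velocity alert: {actor} made {count} pipeline-config changes from {start}")
```

The threshold of three changes per hour is a placeholder; in practice it should be calibrated against each repository's own history so that a release engineer's normal cadence does not alert while a scripted burst does.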

The chain attack described in our anatomy piece is the current threat. AI force multiplication is the near-future evolution. The defenses that work against both are the same: SHA-pin your actions (eliminating the entry point), scope your permissions (limiting the blast radius), and monitor continuously (detecting the attack in progress). The difference is urgency - the window for getting these basics right is closing faster than most teams realize.

What You Can Do About It

  1. SHA-pin every action now. Not next quarter. Not after the next sprint. The AI force multiplier compresses timelines. The supply chain that was “probably fine” when attacks were human-paced becomes critically exposed when attacks are AI-paced.

  2. Audit AI tool deployments in CI/CD. If your repos use claude-code-action, copilot-review, or any AI-powered PR review tool, verify they’re SHA-pinned and running on pull_request (sandboxed) not pull_request_target (secrets access). If they must run on pull_request_target, add explicit authorization checks.

  3. Treat AI config files as untrusted input. CLAUDE.md, .cursorrules, copilot-instructions.md - any file that configures an AI agent’s behavior should be treated with the same caution as executable code when checked out from untrusted sources (forks).

  4. Monitor for velocity changes. An AI-orchestrated attack moves faster than human attacks. Temporal Shift Analysis - tracking how quickly pipeline configurations change - catches the rapid modifications that characterize automated attacks. Changes that happen faster than your team could plausibly make them are a signal.

  5. Assume the attack surface will grow. The number of AI tools in CI/CD is increasing month over month. Each new tool is another potential configuration injection target, another unpinned action reference, another supply chain dependency. Build the scanning habit now, before the attack surface outpaces your visibility.

  6. Explore the data. Our interactive dashboard lets you filter the full 50K-repo dataset by rule category - including RGS-010 (AI config injection) and the repos where AI tools create novel attack surfaces. See which AI actions are most widely adopted and how fast the adoption curve is moving.
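Steps 1 through 3 above can be checked mechanically. The script below is an added example, not Runner Guard's code, and its rule names are chosen here rather than mapped to RGS-* rules. It audits one workflow file for unpinned actions, write-scoped permissions, and pull_request_target combined with a checkout of the PR head, and additionally flags the AI config injection case when an AI review action runs under those conditions. It uses plain regular expressions instead of a YAML parser, so it is conservative by design; both sample workflows and the placeholder SHAs are constructed.

```python
"""Minimal GitHub Actions workflow audit for the SHA-pinning, permission-scope,
and pull_request_target checks. Added example, not Runner Guard's code.
Rule names below are illustrative and do not correspond to RGS-* rules.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PRT_TRIGGER = re.compile(r"^\s*-?\s*pull_request_target\b|^on:.*\bpull_request_target\b", re.M)
HEAD_CHECKOUT = re.compile(r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)", re.M)
WRITE_SCOPE = re.compile(
    r"^\s*permissions:\s*write-all\s*$|^\s*(contents|packages|id-token|pull-requests):\s*write\s*$", re.M)
AI_REVIEW_ACTIONS = ("claude-code-action", "copilot")  # AI PR-review tools named in the advisory


def audit_workflow(text: str):
    """Return a list of (rule, detail) findings for one workflow file's text."""
    findings = []
    actions = []
    # Rule 1: every third-party action must be pinned to a full 40-hex commit SHA.
    for line in text.splitlines():
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # local actions live in the repo being audited
        action, _, ref = m.group(1).partition("@")
        actions.append(action)
        if not SHA40.match(ref):
            findings.append(("unpinned-action", f"{action}@{ref or '<no ref>'}"))
    # Rule 2: a write scope on GITHUB_TOKEN widens the blast radius of any compromise.
    if WRITE_SCOPE.search(text):
        findings.append(("write-permissions", "workflow grants a write scope to its token"))
    # Rule 3: pull_request_target plus a checkout of the PR head runs fork code with secrets.
    if PRT_TRIGGER.search(text) and HEAD_CHECKOUT.search(text):
        findings.append(("prt-fork-checkout",
                         "pull_request_target checks out the PR head while secrets are available"))
        # Rule 4: an AI reviewer in that position reads CLAUDE.md / .cursorrules /
        # copilot-instructions.md from the untrusted fork checkout.
        if any(tag in a for a in actions for tag in AI_REVIEW_ACTIONS):
            findings.append(("ai-config-injection",
                             "AI review action loads agent config files from fork code"))
    return findings


# Constructed sample: the weak configuration described in "The AI-in-CI Paradox".
VULNERABLE_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: anthropics/claude-code-action@v1
"""

# Constructed hardened counterpart: pull_request trigger, read-only token, SHA pins,
# no checkout of the PR head. The SHAs are placeholders, not real commits.
PLACEHOLDER_SHA = "0" * 40
HARDENED_WORKFLOW = f"""\
name: ai-review
on:
  pull_request:
permissions:
  contents: read
  pull-requests: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # placeholder SHA, pin to the real commit
      - uses: anthropics/claude-code-action@{PLACEHOLDER_SHA}  # placeholder SHA
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "clean")
```

The hardened workflow follows the advisory's guidance literally: it moves the reviewer to the sandboxed pull_request trigger and drops the head-ref checkout. A team that must keep pull_request_target for an AI reviewer would additionally need the explicit authorization check mentioned in step 2, which this regex-level audit does not model.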



Scan your repos today. Runner Guard is Vigilant’s free, open-source CI/CD security scanner - the same tool that powered this research. Install it in under a minute:

brew install Vigilant-LLC/tap/runner-guard
runner-guard scan github.com/owner/repo

14 security rules. Zero configuration. One command.


The detection capabilities described above are active across Vigilant client environments today. If your organization wants to assess its current exposure to this attack chain — or understand how our managed services align to your specific environment — contact your Vigilant account team or reach us at vigilantdefense.com.

This event reinforces what Vigilant has long asserted:

Nation-state adversaries are not probing our networks — they are preparing battlefields.

Stay alert, stay aggressive, stay Vigilant,

Chris Nyhuis

CEO, Vigilant


Background

CEO of Vigilant, a global cybersecurity firm he has led for 16 years. 30+ years of experience across offensive security, SCADA/IoT, and critical infrastructure defense. Holds multiple patents including Forensically Validated Detection Systems and Secure Protocol Translation. Former instructor at a US intelligence school. Certified human trafficking investigator and OSINT practitioner. Vigilant dedicates 25% of profits to combating human trafficking, child exploitation, and supporting orphan care worldwide.

Disclaimer: Any indicators of compromise (IOCs), YARA signatures, or MITRE mappings provided in this document are for informational and defensive purposes only. They are derived from open-source intelligence and Vigilant's internal threat modeling. Due diligence should be exercised when integrating them into production environments. Effectiveness may vary depending on network posture, tooling, and adversary behavior.
