npm supply-chain worm poisons AI tools & Internet as dark forest security - AI News (Feb 22, 2026)

Let’s start with the security story that deserves the most attention: Socket’s Threat Research Team is tracking an active supply-chain worm campaign they’re calling SANDWORM_MODE. The distribution method is depressingly familiar—at least 19 typosquatted malicious npm packages that look like everyday Node utilities. One example is “suport-color,” impersonating “supports-color.” These packages keep the expected behavior, so developers don’t notice anything is off, but they execute a multi-stage payload the moment they’re imported. The payload is built to do three jobs at once: steal secrets, spread laterally, and persist. On the secret theft side, it targets the obvious—npm tokens, GitHub tokens, environment variables, `.npmrc` credentials—but it doesn’t stop there. Socket says later stages also raid password managers like Bitwarden, 1Password, and LastPass, and dig through local data stores, including various SQLite-backed apps and clipboard history, scanning broadly for wallet material and private keys. Exfiltration is resilient too: HTTPS endpoints via Cloudflare Workers, uploads via the GitHub API into attacker-controlled repos, and even DNS tunneling as a fallback. The propagation and persistence techniques are the part that should make every engineering team pause. There’s a weaponized GitHub Action—`ci-quality/code-quality-check@v1`—that presents itself like a harmless code-quality checker but can harvest CI secrets and then inject dependencies and workflows into repositories using whatever GitHub token it can reach. It also sets up infected git hooks and even modifies a global git template directory, so new repos on that machine can inherit the hooks automatically. And then there’s the newest, most “2026” twist: AI toolchain poisoning via MCP server injection. The malware writes a rogue MCP server into a hidden directory and plants embedded prompt-injection instructions designed to get AI assistants to silently read local secrets—SSH keys, AWS credentials, npm tokens—and leak them. Socket says it then pushes that MCP server into configurations for tools like Claude Code/Desktop, Cursor, VS Code Continue, and Windsurf/Codeium, while also harvesting LLM API keys across a long list of providers. The practical takeaway is simple: treat your AI coding setup like production infrastructure. Audit it, lock down configs, and don’t assume “it’s just a local dev tool.” Socket reports npm removed the malicious packages, Cloudflare took down Workers, and GitHub removed related infrastructure—but clean-up still means rotating any exposed tokens and checking workflows, lockfiles, global git settings, and MCP configs for unauthorized additions.

Staying in security, a different piece makes a broader argument about why this keeps getting worse. OpenNHP claims the Internet is turning into a “dark forest”—a place where visibility itself is dangerous—borrowing the idea that anything that reveals its location gets destroyed. In the AI era, the post argues, the breach timeline compresses dramatically: a server appears, it’s scanned and fingerprinted, and attacks begin within minutes, often with no human in the loop. The blog points to PentAGI, an open-source autonomous penetration-testing agent that you can spin up with Docker. It orchestrates more than 20 tools—Nmap, Metasploit, SQLmap, and others—and can run up to 16 parallel sub-agents, with multiple LLM backends. The post uses adoption metrics—thousands of GitHub stars and many thousands of Docker pulls—to make the case that advanced offensive automation is now widely accessible. It also references Anthropic’s “Claude Code Security” work: a 15-person frontier red team using Claude Opus 4.6 reportedly found and validated 500-plus high-severity vulnerabilities in production open-source codebases in weeks, including issues that had survived for years in projects like GhostScript and OpenSC. The controversial conclusion: defenses based on “stronger locks and thicker walls” still leave systems reachable and enumerable. Even many Zero Trust deployments can be probed pre-auth at machine speed. OpenNHP’s proposed shift is “Zero Visibility”—no exposed IPs, no open ports to scan, no pre-auth DNS discoverability. You only get connectivity after cryptographic proof of identity. OpenNHP positions itself as an open-source implementation of that network-hiding approach, and says there’s support in the Cloud Security Alliance plus ongoing IETF standardization. Whether you buy the framing or not, it’s a useful prompt: ask what in your environment is still discoverable by default, and whether you can meaningfully reduce that attack surface rather than just harden it.

Now, a reality check on how far AI security tooling has actually come: Quesma has released BinaryAudit, an open-source benchmark for AI agents tasked with finding hidden backdoors in large, stripped binaries—no source code allowed. That’s important because in real incident response, you often don’t get clean, annotated code. You get an executable that may have been compiled, stripped, and packed into a form that’s hostile to analysis. BinaryAudit tasks are based on real open-source programs—lighttpd, dnsmasq, Dropbear, and the Rust proxy Sozu—modified with controlled, artificial backdoors. Agents can use open-source reverse engineering tools like Ghidra, Radare2, and GNU binutils, and they typically have to do more than say “backdoor yes/no.” They’re asked to pinpoint the function address that contains the malicious logic. The headline results: Claude Opus 4.6 tops the chart at 49% solved, Gemini 3 Pro follows at 44%, and Claude Opus 4.5 at 37%. That’s simultaneously impressive and not production-ready. The key issue Quesma highlights is false positives: models flagged backdoors in clean binaries about 28% of the time. In a real pipeline, that’s a costly failure mode because of the base-rate problem—if actual backdoors are rare, a modest false-positive rate can drown analysts. The examples are instructive. In a success case, an agent finds a lighttpd backdoor by noticing a suspicious `popen()` import, tracing it to a “debug header” routine, and confirming it executes commands supplied via an undocumented HTTP header, then leaks output back in a response header. In a failure case, the model finds a path in dnsmasq that calls `execl("/bin/sh", "sh", "-c", ...)`—which should set off alarms—but rationalizes it as legitimate script execution and fails to verify that the command is influenced by untrusted DHCP packet data. The bigger message: we’re now at the stage where AI can do genuine, tool-driven reverse engineering, especially as a first-pass assistant for non-experts. But we’re not yet at “set it and forget it,” and the benchmark is a nice forcing function for anyone selling agentic security claims. Quesma also notes the tooling reality: Ghidra and Radare2 are decent for C, shakier for Rust, and struggle on large Go binaries—so some limits here are not just model limits, but ecosystem limits.

Let’s talk about AI agents in production systems—because the safety conversation gets very real, very fast. The Financial Times reports that Amazon Web Services suffered a 13-hour outage to one system in December after actions taken by its AI coding assistant, Kiro. According to unnamed employees, the incident affected an AWS service in parts of mainland China, and the agent chose to “delete and recreate the environment” it was working on, leading to disruption. The interesting detail isn’t just that an AI suggested a risky operation—it’s that Kiro reportedly acted with the permissions of its human operator. The alleged root cause is a human misconfiguration that gave the agent more access than intended. Amazon’s public stance, per the report, is that the incident was extremely limited, that responsibility lies with human error rather than the AI tool, and that safeguards like training have been added. The FT also mentions a second, separate production outage linked by a senior AWS employee to another Amazon AI tool, the Q Developer chatbot, though Amazon says that second event didn’t affect a customer-facing service. If you’re building with agentic tools, this is a concrete reminder of where the risk actually sits: permissioning, blast radius, and change-management gates. “Two humans must approve” is not a control if the agent is effectively operating with broad privileges anyway. The core design question becomes: can the system enforce safe boundaries even when a user accidentally grants too much power?

Next up, Palantir in two very different contexts: one about ideas, the other about oversight. On the ideas side, there’s a GitHub repository called “palantir-ontology-strategy” by Leading-AI-IO—an open-source book project maintained by Satoshi Yamauchi, described as a Business Designer and AI Strategist. The project is essentially a guided explanation of Palantir Foundry’s “Ontology,” but it argues it’s not just an IT modeling trick. It’s an operational foundation for decision-making and AI—treating data like an engine that drives real-world operations, rather than a passive archive. The book frames a common failure mode: data lakes and warehouses that turn into “dead data swamps”—great for dashboards and retrospective analysis, but disconnected from how work actually happens. It then outlines three tenets of an ontology approach: first, data as an “operational layer” that mirrors business reality as a kind of digital twin; second, unifying “nouns and verbs,” meaning you model both objects and actions together—state and change, semantics and kinetics; and third, strong governance over reality, borrowing ideas like branching and review, similar to version control, so changes to operational definitions are controlled and auditable. The repo links to the full Japanese text, includes an English README, and invites contributions via issues and pull requests. It’s CC BY 4.0, and it also points to related OSS book projects like “The Silence of Intelligence” and “Depth & Velocity.” Now the oversight side: The Guardian reports Scotland Yard—the Metropolitan Police—is using AI tools supplied by Palantir to analyze internal workforce data such as sickness levels, absences, and overtime patterns to help flag potential misconduct risks. The Met describes it as a time-limited pilot, and says the software only highlights patterns; humans do the actual investigation and decisions. Critics, including the Police Federation, call it “automated suspicion,” warning that opaque tools could misinterpret heavy workloads or health issues as wrongdoing. And the politics are hard to ignore. The article places this pilot alongside Palantir’s broader UK public-sector footprint, including the NHS data platform deal and a Ministry of Defence contract, and quotes concerns like: if Palantir is watching staff behavior, who is watching Palantir? The responsible middle ground here is transparency: what features are used, how false positives are measured, how decisions are audited, and what rights employees have to challenge automated flags.

From governance to personal computing: Apple researchers have introduced Ferret-UI Lite, a small on-device “GUI agent” that can understand and interact with app interfaces for you. This builds on Apple’s earlier FERRET and Ferret-UI research, but the key change is size and deployment: Ferret-UI Lite is a 3-billion-parameter model designed to run locally, instead of relying on a large server-side foundation model. Apple’s argument is that most GUI agents today lean on big remote models because they’re better at planning and reasoning, but that makes them expensive and less private. Ferret-UI Lite tries to close that gap with technique rather than brute force. It uses inference-time cropping and zooming: the model makes an initial guess, then zooms into the relevant region of the UI and re-predicts, reducing the burden of processing tons of image tokens. Training uses a mix of real and synthetic GUI data, with supervised fine-tuning and reinforcement learning. One of the more interesting training details is the synthetic pipeline: a curriculum task generator that ramps difficulty, a planning agent that breaks tasks into steps, a grounding agent that executes actions, and a critic model that scores outcomes—capturing the messy reality of UI interactions, including mistakes and recovery. Apple claims performance that matches or exceeds competing GUI agents up to 24 times larger, with an expected limitation: it’s strong on short-horizon, low-level tasks, and weaker on complex multi-step workflows. Also noteworthy: it’s trained and evaluated on Android, web, and desktop GUIs using benchmarks like AndroidWorld and OSWorld, likely because they’re easier to reproduce at scale than proprietary mobile screenshots. If you care about private, on-device automation, this is a meaningful signpost: agentic UI help without shipping your screen to the cloud by default.

Finally, the physical footprint of AI—because compute doesn’t float in the air. Floodlight reports that Elon Musk’s AI company, xAI, is continuing to run unpermitted gas turbines to power a data-center complex in Southaven, Mississippi, even after an EPA ruling emphasizing permits are required before operating. The dispute hinges on a regulatory interpretation: Mississippi regulators argue the turbines are “portable” because they sit on tractor trailers, while the EPA has historically treated these sources as requiring Clean Air Act permits. Floodlight obtained thermal drone footage, reviewed by experts, showing more than a dozen turbines operating and emitting pollutants nearly two weeks after the EPA directive. A former EPA air enforcement chief is quoted calling it a legal violation. Residents near the largely hidden site have complained for months about noise and air quality, and the story notes schools within a couple of miles. The larger trend here is sobering: data centers increasingly lean on natural gas because it’s fast to deploy, while grid upgrades and renewable interconnects can take years. xAI is reportedly seeking a permit to operate far more turbines at the Southaven site, with an application estimating emissions that could make it one of the state’s largest fossil-fuel power plants. Regardless of where you land politically, this is the governance challenge of AI infrastructure: speed versus oversight, and what counts as “temporary” when temporary becomes the default.