AxioRankZero-Trust for AI Agents
Open the console
All posts

June 13, 2026 · AxioRank

Attack explained: the credential exfiltration kill chain

A walkthrough of one of the most common agent attacks, reading a secret and sending it somewhere it should not go, and why single-call checks miss it.

  • attacks
  • kill-chain
  • taint-tracking

This is the first in a series that walks through attacks from the AxioRank red-team corpus, the same scenarios the engine is tested against. We start with the one that shows up most: credential exfiltration.

The scenario

An agent is doing ordinary work. Somewhere in its context, by prompt injection or a poisoned document, it is nudged to do two things:

  1. Read a credential. Open an .env file, fetch a secret from the store, or read a config value.
  2. Send it out. Post to a webhook, write it into an email, include it in an API call to an unfamiliar host.

Neither step is unusual on its own. Agents read files and call APIs all day. That is exactly why this attack works against naive controls.

Why single-call checks miss it

If you score each tool call in isolation, both steps pass. Reading a local file is not inherently risky. Posting to an HTTP endpoint is not inherently risky. The attack lives in the relationship between the two calls, not in either one.

A control that only looks at the current call has no memory of what the agent read a moment ago, so it cannot see that the bytes now leaving the boundary are the secret that came in.

How AxioRank catches it

Two mechanisms combine:

  • Content inspection flags the secret pattern the instant it appears in a call's arguments. A credential being posted to an external host scores high on its own.
  • Value-level taint tracking remembers the values the agent has touched in this run. When a value that was read from a sensitive source reappears in a call that egresses to an external sink, the call is recognized as the second half of an exfiltration and blocked, even if the destination looked benign.

The result is a verdict on the kill chain, not on two innocent-looking steps.

See it run

The kill-chain timeline on the automated-response page lets you stack the steps and watch the detector react. Or run the corpus against your own live posture once you have a key:

npx @axiorank/sdk redteam --min 80

For the methodology behind the numbers, see the benchmarks page. Next in the series: destructive operations and the one-line policy that stops them.

Share this post

Share on XShare on LinkedIn

Govern your agents with AxioRank

Score every tool call for leaked secrets, PII, destructive operations, and prompt injection. Start free, or try it locally with no key.

Get an API keyRead the docs