If your AI agents reach GitHub, Gmail, or Slack through a hosted integration platform, the Composio incident is the case study of what happens when the place that holds everyone's credentials becomes the target. On May 21, 2026, Composio disclosed unauthorized access to certain internal systems, brought in external incident-response experts, and kept updating the bulletin through May 27.

Nobody here is celebrating. Composio's disclosure was fast and unusually candid, and the failure mode it documents is not unique to Composio — it is the failure mode of centralized credential custody itself. Here is the plain version.

What actually happened

By Composio's own account, the attacker probed extensively — hammering at exploit combinations generated with LLM assistance — until gaining a foothold in an internal agentic tool used to monitor infrastructure and report connector failures. From there they escalated into the automated remediation systems that fix connector errors, registered malicious tool definitions inside the sandboxed execution environment, and chained steps until they had arbitrary code execution inside the tool-execution sandbox. Composio called the sophistication "consistent with a highly skilled actor, likely augmented by advanced AI systems."

Separately, in a notice on a distinct threat vector, Composio says the attacker compromised auxiliary systems by abusing magic-link sign-in after compromising the Gmail OAuth token of certain employees — a vector abused from Composio's staging system.

One point of genuine disagreement is worth flagging. Material Security's third-party analysis — the one whose headline arrives at a figure of 10,242 exposed doors — presents that Gmail token as the initial skeleton key that opened everything. Composio's own timeline starts at the internal monitoring tool instead, and treats the Gmail/magic-link vector as a separate finding about auxiliary systems. That is Material's reconstruction versus the first-party account, and the honest position is that the exact entry sequence is contested. The blast radius is not.

The numbers

Leaked connections were about 0.3% of Composio's active connections — small as a percentage, not small in absolute terms. The per-connector table: 5,001 GitHub connections, 12 Gmail, a handful of Strava and Jira, and one each across 22 other connectors, the majority of those marked as internal test accounts. Every affected connection was revoked immediately.

Separately, an auxiliary cache service the attacker likely had access to held 5,241 API keys during the breach window. Composio's wording is careful — it says only that those keys stand a higher chance of having been compromised — and it revoked all of them preventatively while saying plainly that it does not yet know the full scope. It also has not characterized what data was actually accessed; the investigation is ongoing and affected customers were contacted directly.

One detail that should make every platform operator wince: one leaked GitHub token was an internal Composio token with access to its own production codebase. Composio responded by obfuscating that codebase, starting with authentication systems, and ate intentional dashboard downtime to do it.

What Composio got right

Credit where it is due, because this part matters for the whole industry:

  1. Fast, public disclosure. The bulletin went up May 21 and was updated in public, timestamped increments through May 27.
  2. Actionable indicators. Composio published 25 attacker IP addresses as indicators of compromise so customers could search their own logs.
  3. Aggressive revocation. Access tokens revoked across roughly 100 toolkits, all API keys created before its late-May-22 cutoff deleted on a mandatory rotation deadline, and the account-lookup API changed to redact access tokens even when secret-masking is off.
  4. Structural hardening. IP allowlisting on API keys and the dashboard, honeypot routes, and a commitment to a zero-trust KMS that lets customers hold their own encryption keys.
  5. Warning the neighbors. Composio proactively notified more than 50 third-party providers so they could flag or revoke exposed credentials on their side.

Also note the limits, because they are instructive: Composio says under 5% of affected connections could not be revoked from its side at all, and it cannot revoke most API-key-scheme connections — only the end user can rotate those with the provider. Even a well-run platform cannot fully clean up a leak of credentials it holds on your behalf.

The real lesson: custody is blast radius

Strip away the forensics and the incident reduces to one architectural fact: thousands of customers' live credentials sat behind a single vendor perimeter, so one intrusion — whatever its exact entry point — put all of them in play at once. That is credential sprawl at platform scale: the sprawl is consolidated, but the blast radius is consolidated with it.

P0 Security's read — analysis, not disclosed fact — is that the root failure was ungoverned standing privilege in internal automation rather than agentic tooling itself. It rhymes with the first-party timeline: the systems that watched the credentials could reach the credentials.

For an individual operator, the question the incident forces is simple: when a vendor you rely on has a bad week, are your keys part of the story? Where your credentials physically live — on your machine or in someone else's cloud — decides that answer before any attacker shows up.

What you should actually do

  1. If you used Composio: rotate every API key that touched the platform (keys created before its late-May-22 cutoff were deleted for you), re-authorize OAuth connections, and rotate any API-key-scheme connection yourself — Composio cannot do that one for you. Search your GitHub audit logs for the May 21 window and the 25 published IPs.
  2. Whether or not you used Composio: inventory where your keys live today. Every third party holding a live credential is part of your attack surface.
  3. Scope per agent. One shared key across agents means one leak compromises everything. A credential broker gives each agent its own revocable identity, so cutting one agent off is a click, not a rotation project.
  4. Prefer custody models where a vendor breach is not your breach. The fewer perimeters your real keys sit behind, the fewer incidents can reach them.

This is the pattern Agent Master Key is built around: your real keys stay in an encrypted local vault (AES-256-GCM) on your own Mac, agents get scoped, revocable keys through a local broker, every call lands in a redacted local audit trail, and a kill switch cuts everything instantly. Built-in connectors today are GitHub and Telegram, with bring-your-own-key templates for the rest — and it is free for a limited time. (Disclosure: Agent Master Key is built by AM Accelerated LLC, the company that publishes The AMA Hub.)

Bottom line

Composio handled its disclosure better than most companies twice its size, and it still could not spare its customers the rotation fire drill — because no custodian can. The lesson is not "avoid Composio"; it is that centralized custody makes someone else's intrusion your emergency. Keep your real keys where a vendor's bad week cannot reach them, give every agent a scoped, revocable credential, and a headline like this one becomes a non-event.

Want someone to audit where your keys actually live — and exactly what to fix? That is the $99 AI Agent Security & Setup Audit.