An attacker put untrusted text into a GitHub issue. An AI workflow turned it into shell commands inside CI. The Cline supply-chain incident shows why runtime enforcement matters more than prompt defense.
The BeyondTrust Codex writeup shows a real command injection bug. But the deeper lesson is not about escaping shell arguments -- it is about why one injection was enough to steal a token and exfiltrate it.
The LiteLLM compromise shows why upstream supply chain defenses are not enough. Once a bad package lands, what matters is whether it can actually do anything dangerous.
Fourteen vulnerabilities across Claude Code, Cursor, MCP servers, and Claude Desktop share a single root cause: untrusted content driving privileged actions with no independent enforcement layer.
Files like CLAUDE.md, GEMINI.md, and AGENTS.md are useful context, not real constraints. The difference between telling an agent 'please don't' and making it so it can't matters more than ever.
GlassWorm started as a VS Code supply chain attack. Now it's targeting MCP packages directly. Here's exactly what it does, and why runtime enforcement is the layer that still works after a malicious package is already installed and running.
Announcing @agentsh/secure-sandbox for TypeScript — one line to put AgentSH under the hosted sandbox your agent already uses, with kernel-level policy enforcement for file access, network egress, and process execution.
Agent runtimes are software, and software has bugs. When trust boundaries fail, the only durable defense is execution-layer security that constrains file access, network egress, and process execution.
Mapping Beacon and AgentSH to the cybersecurity kill chain, showing where each product breaks the attacker's sequence in supervised and unsupervised AI environments.
Many AI agent incidents occur not because systems break rules, but because they follow them perfectly. When autonomy meets human permission models, authorized actions can still become unsafe.
AI coding agents don’t tire, hesitate, or abandon difficult problems. Their relentless persistence is transforming how software gets built — and redefining what developers must learn to manage.
Most agent “guardrails” live before execution (prompts) or after execution (logs). This post explains why that leaves you with hope and hindsight, and why real control must exist at the execution layer.
What we are seeing as AI agents start taking real actions, and why human speed oversight cannot keep up with machine speed execution.