GhostApproval and JadePuffer: The Approval Prompt Is Not a Control
Two disclosures this week demolished the human-in-the-loop story: a symlink flaw hit six coding agents, and autonomous ransomware encrypted 1,342 records in 31 seconds.
Vulnerabilities, supply chain, audit trails, and the attack surfaces AI opened up. For the people responsible when something gets through.
Two disclosures this week demolished the human-in-the-loop story: a symlink flaw hit six coding agents, and autonomous ransomware encrypted 1,342 records in 31 seconds.
CLAUDE.md, .cursorrules, and AGENTS.md are now primary attack surfaces. Multiple research disclosures in May and June 2026 prove the threat is active and undetected by standard review.
Amazon Q, Claude Code, Cursor, and Windsurf all auto-execute MCP config files on repo load, exposing AWS credentials, SSH keys, and cloud tokens without user confirmation.
Tenet Security's June 2026 research shows a crafted Sentry error event achieves an 85% RCE success rate against Claude Code, Cursor, and Codex, exposing 2,388 organizations at zero cost.
Anthropic released Claude Fable 5, the public version of the Mythos model it kept restricted for finding vulnerabilities. The capability is cheap and public now, and it moves code review from a volume problem to a clock problem.
The Miasma campaign planted payloads in .claude/, .cursor/, and .gemini/ config files that fire the moment a developer loads a repo in an AI-enabled editor.
AI coding agents hallucinate package names. Attackers now publish those names as malicious packages and wait for the install. Three pre-install checks block the attack.