Copy Fail is 732 bytes of Python that turn a public CVE write-up into a working local privilege escalation. Agents shorten the path from public text to execution, which is why agent runtimes need to block the path, not the paragraph.
A malicious Bitwarden CLI package ran during npm install, before anyone had a chance to inspect it. That is exactly the kind of supply chain story the agentic era keeps repeating.
AgentSH v0.18.0 adds a Secrets Manager with third-party vault support and an HTTP service gateway that controls outbound API traffic by method and path -- so agents can act without raw credentials or unchecked network access.
An attacker put untrusted text into a GitHub issue. An AI workflow turned it into shell commands inside CI. The Cline supply-chain incident shows why runtime enforcement matters more than prompt defense.
The BeyondTrust Codex writeup shows a real command injection bug. But the deeper lesson is not about escaping shell arguments -- it is about why one injection was enough to steal a token and exfiltrate it.
The LiteLLM compromise shows why upstream supply chain defenses are not enough. Once a bad package lands, what matters is whether it can actually do anything dangerous.
Fourteen vulnerabilities across Claude Code, Cursor, MCP servers, and Claude Desktop share a single root cause: untrusted content driving privileged actions with no independent enforcement layer.
Files like CLAUDE.md, GEMINI.md, and AGENTS.md are useful context, not real constraints. The difference between telling an agent 'please don't' and making it so it can't matters more than ever.
GlassWorm started as a VS Code supply chain attack. Now it's targeting MCP packages directly. Here's exactly what it does, and why runtime enforcement is the layer that still works after a malicious package is already installed and running.
Announcing @agentsh/secure-sandbox for TypeScript — one line to put AgentSH under the hosted sandbox your agent already uses, with kernel-level policy enforcement for file access, network egress, and process execution.
Agent runtimes are software, and software has bugs. When trust boundaries fail, the only durable defense is execution-layer security that constrains file access, network egress, and process execution.
Mapping Beacon and AgentSH to the cybersecurity kill chain, showing where each product breaks the attacker's sequence in supervised and unsupervised AI environments.
Most agent “guardrails” live before execution (prompts) or after execution (logs). This post explains why that leaves you with hope and hindsight, and why real control must exist at the execution layer.
What we are seeing as AI agents start taking real actions, and why human speed oversight cannot keep up with machine speed execution.