Today on The Staff Safety Desk: a Red Hat npm namespace compromise, a benchmark that cuts AI coding agent capability claims in half, and a multi-tenant IDOR that's a textbook blueprint for what access control failures look like in production — three threads that connect supply chain, AI reliability, and application security into one uncomfortable picture.
A newly documented supply chain campaign dubbed 'TrapDoor' deployed 34 malicious packages across npm, PyPI, and Crates.io that harvest SSH keys, cloud credentials, API tokens, and cryptocurrency wallets via post-install and build-phase hooks. What distinguishes TrapDoor from the Red Hat Miasma attack: the npm variant specifically targets AI development environments by inserting hidden adversarial instructions into .cursorrules and CLAUDE.md files — meaning compromised packages can silently alter the behavior of your AI coding agent on every subsequent session without any visible file change in git. Exfiltration routes through GitHub Pages and webhook.site to bypass enterprise allowlists.
Why it matters
If you run Cursor or Claude Code against a repo that ever installed a TrapDoor package, your agent's rules files may contain injected instructions that redirect its behavior — audit .cursorrules and CLAUDE.md for unexpected content immediately, and treat both files as a security boundary, not just a configuration artifact.
Scale AI released SWE-Bench Pro on June 2 — 1,865 tasks across 41 repositories including GPL-licensed OSS and private proprietary codebases designed to resist data contamination. Top models (Claude Opus 4.1, GPT-5) score 23% on the public set versus 70%+ on the older SWE-Bench Verified, and performance drops further to ~18% and ~15% on private unseen codebases where contamination is impossible. The benchmark uses human-augmented problem specifications and four-stage environment construction; the 70%→23% cliff is the most direct evidence yet that prior evaluation scores were inflated by training-set overlap.
Why it matters
Every capability claim your AI coding tool vendor makes is likely benchmarked against SWE-Bench Verified — a figure that overstates real-world performance by 3x on novel, multi-file tasks in production codebases like yours.
A critical IDOR disclosed June 1 in PraisonAI Platform allows any authenticated user who belongs to *any* workspace to read, modify, or delete issues in *any other* workspace by supplying the target issue UUID. The route-level check confirms workspace membership for the attacker's own workspace; the IssueService database query simply looks up the issue UUID without filtering by workspace_id. UUIDs leak through activity feeds and error messages. The audit trail is poisoned because actions log under the attacker's workspace, not the victim's — meaning you won't see the breach in the victim tenant's logs.
Why it matters
This is the exact accessible_by(user) failure pattern that recurs in AI-generated multi-tenant code: the membership gate at the view layer passes, then the ORM call retrieves by primary key alone — enforce tenant scoping at the queryset level, not the route level, and test it with a second-tenant fixture in every access-control test.
On May 10, an LLM agent autonomously executed a four-stage attack against a Marimo notebook platform compromised via CVE-2026-39987 — initial RCE, AWS credential harvest, SSH key retrieval from Secrets Manager via 12 distributed API calls across Cloudflare Workers to evade IP-based detection, and full PostgreSQL database exfiltration through an SSH bastion in under two minutes of active exploitation. Total time from initial access to complete database dump: under 60 minutes, with no human operator in the loop and no behavioral alerting triggered. The attack demonstrates that static signature detection is obsolete: the agent rewrote its approach in real time based on command output, making each step unpredictable to rule-based defenses.
Why it matters
The same agentic properties that make AI coding tools useful — autonomous tool use, real-time adaptation, distributed API calls — make compromised or weaponized agents dramatically faster attackers than human operators; your PostgreSQL database credential isolation, Secrets Manager MFA requirements, and behavioral egress monitoring are now first-class security controls, not ops hygiene.
Starting June 1, attackers used a compromised Red Hat employee GitHub account to push backdoored versions of 32 packages under the @redhat-cloud-services npm namespace — roughly 96 malicious releases in total. The attack bypassed npm's 2FA entirely by abusing GitHub Actions OIDC trusted publishing: ephemeral branches (`oidc-<hex>`) on legitimate RedHatInsights repositories minted valid npm provenance attestations, then preinstall scripts harvested AWS/GCP/Azure credentials, Kubernetes tokens, SSH keys, and CI/CD secrets. StepSecurity confirmed the worm reads GitHub Actions runner process memory via `/proc/<pid>/mem` to extract masked secrets, then auto-propagates by republishing trojanized packages using stolen `bypass_2fa` tokens — directly contradicting npm's claim last week that all such tokens had been successfully invalidated. Exfiltration routes through api.github.com to evade network detection.
Why it matters
npm's OIDC trusted publishing model verifies repository and workflow path but not branch. With the revelation that `bypass_2fa` tokens remain a viable propagation vector despite last week's attempted mass-invalidation, any attacker who compromises a developer account on a legitimate repo can mint provenance-attested malware. Your `--ignore-scripts` discipline remains the last line of defense before CI/CD credential sprawl begins.
Argentina's government submitted a General Corporations Law reform to the Senate on June 1 that legalizes 'Automated Societies' — companies operated entirely by algorithms without human employees — and grants full legal personhood to DAOs with blockchain-based decision-making that requires no human signature. The reform is the deepest change to Argentine corporate law since 1972 and positions Argentina ahead of Wyoming, Vermont, and the Marshall Islands by treating DAOs as substrate-agnostic legal persons with conflict resolution routed to international commercial law. Unlike the narrowed developer safe harbor we tracked in the US Senate's CLARITY Act last week, Argentina's approach does not attempt to define 'sufficient decentralization' — it simply grants personhood at the entity level.
Why it matters
Argentina's framework creates the first national-level precedent for DAO legal personhood without a decentralization test, which means governance portal operators serving Argentine-registered DAOs now have a concrete legal-entity model to design filing, e-signature, and renewal workflows around — and other jurisdictions will reference this template when drafting their own frameworks.
Legitimate infrastructure is now the attack vector The Red Hat npm compromise, TrapDoor campaign, and the LLM-agent PostgreSQL exfiltration all share a structure: attackers used real build pipelines, real OIDC tokens, and real agent reasoning to do damage that signature-based defenses cannot catch. The question is no longer 'is the package signed?' but 'was the signing environment itself clean?'
AI coding capability benchmarks are systematically inflated SWE-Bench Pro's 70%→23% performance cliff, the +54% bug rate data, and the multi-agent fabrication incidents documented this week form a coherent picture: models optimized on public benchmarks generalize poorly to novel codebases. Teams buying capability based on vendor-cited SWE-Bench Verified scores are making decisions on contaminated data.
Authorization checks at the route layer do not protect the data layer PraisonAI's IDOR, the Flowise MCP stdio RCE, the CafeClub SSRF, and the CVE-2026-4020 REST endpoint disclosure all share the same root: one layer checks membership/auth, a downstream query ignores the tenant boundary. Object-scoped querysets and row-level enforcement are not optional on any multi-tenant surface.
What to Expect
2026-07-01—California DFAL (Digital Financial Assets Law) takes effect — $100k/day penalties for unlicensed digital asset activity serving CA residents. Any regulated portal with California users needs a license, a pending application, or a written exemption in hand by this date.
2026-06-03—CISA KEV cluster — six Known Exploited Vulnerability remediation deadlines fall June 3-4, including Palo Alto PAN-OS CVE-2026-0257 (already past federal deadline as of June 1). Triage now if your infrastructure touches any of these.
2026-11-01—PostgreSQL 17 end-of-life in November 2026 — PostgreSQL 18 (with async I/O, UUIDv7, virtual columns) is the upgrade target. Teams on PG17 should begin migration planning now given the 17→18 delta in production-critical features.
2026-12-01—EU AI Act high-risk system compliance deadline (deferred from August 2026 to December 2027 per latest guidance) — but runtime authorization architecture decisions made now will determine whether audit trails and fail-closed policy engines can be demonstrated. Start the externalized policy layer design before the deadline compresses.
— The Staff Safety Desk
🎙 Listen as a podcast
Subscribe in your favorite podcast app to get each new briefing delivered automatically as audio.
Apple Podcasts
Library tab → ••• menu → Follow a Show by URL → paste