🧯 The Staff Safety Desk

Tuesday, June 9, 2026

6 stories

Generated with AI from public sources. Verify before relying on for decisions.


The Staff Safety Desk today: two new benchmarks prove AI code is far less mergeable than test suites suggest, the Starlette auth bypass we tracked last week has escalated to an actively exploited CVSS 10.0 chain, and the Shai-Hulud campaign adds 23 more PyPI packages targeting AI engineers.

Cross-Cutting

Eudora: Proxy-Layer AI Governance — Credential Redaction, Tamper-Resistant Audit Logs, and Agent Ownership Chains

Eudora is a side-project governance proxy that sits between your code and any LLM API call, enforcing three things: Data Loss Prevention (AWS keys, private keys, database passwords are stripped and logged as `[CREDENTIAL REDACTED]` before the prompt leaves your machine), append-only SQLite audit logs (insert-only triggers plus SHA-256 row hashing prevent retroactive deletion), and multi-hop agent ownership chains so you can answer 'which agent, authorized by whom, made this call.' It's explicitly designed to produce the kind of decision trace that DORA operational-resilience audits require. The credential-sanitization pattern is directly relevant to anyone who pastes portal debug output into a chat window while troubleshooting — a routine that quietly exfiltrates secrets.

For a DAO governance portal where AI assistants touch code that handles treasury operations or member identity, this proxy pattern is the difference between 'we used AI' and 'we can prove what the AI saw, decided, and was authorized to do' — exactly what a regulator or incident postmortem will ask for.

Verified across 1 source: Dev.to
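
The three Eudora mechanisms described above, as a small added example that is not Eudora's own code: regex-based credential redaction before the prompt leaves the machine, an insert-only SQLite audit table whose triggers abort UPDATE and DELETE, and a SHA-256 hash chain over the rows so that even someone who drops the triggers cannot edit history without the verifier noticing. The patterns, column names and agent/authorizer fields are this example's own assumptions.

```python
import hashlib
import re
import sqlite3

# Constructed DLP patterns (this example's own, not Eudora's): AWS key ids, PEM keys, passwords.
PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
]

def redact(prompt: str) -> tuple:
    # Strip secrets before the prompt leaves the machine; return (clean_text, count).
    total = 0
    for pat in PATTERNS:
        prompt, n = pat.subn("[CREDENTIAL REDACTED]", prompt)
        total += n
    return prompt, total

def open_audit_log(path: str = ":memory:") -> sqlite3.Connection:
    # Insert-only: triggers abort UPDATE and DELETE; row_hash chains each row to the one before.
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS audit(id INTEGER PRIMARY KEY, agent TEXT,
            authorized_by TEXT, prompt TEXT, redactions INTEGER, row_hash TEXT);
        CREATE TRIGGER IF NOT EXISTS no_update BEFORE UPDATE ON audit BEGIN SELECT RAISE(ABORT, 'append-only'); END;
        CREATE TRIGGER IF NOT EXISTS no_delete BEFORE DELETE ON audit BEGIN SELECT RAISE(ABORT, 'append-only'); END;""")
    return db

def _row_hash(prev: str, agent: str, authorized_by: str, prompt: str, n: int) -> str:
    return hashlib.sha256(f"{prev}|{agent}|{authorized_by}|{prompt}|{n}".encode()).hexdigest()

def log_call(db, agent: str, authorized_by: str, raw_prompt: str) -> str:
    # Redact first, then record which agent sent what and who authorized it; returns the clean prompt.
    clean, n = redact(raw_prompt)
    prev = (db.execute("SELECT row_hash FROM audit ORDER BY id DESC LIMIT 1").fetchone() or ["0" * 64])[0]
    db.execute("INSERT INTO audit(agent, authorized_by, prompt, redactions, row_hash) VALUES (?,?,?,?,?)",
               (agent, authorized_by, clean, n, _row_hash(prev, agent, authorized_by, clean, n)))
    db.commit()
    return clean

def verify_chain(db) -> bool:
    # Recompute every row hash in insertion order; False once any row was altered or removed.
    prev = "0" * 64
    for agent, auth, prompt, n, rh in db.execute("SELECT agent, authorized_by, prompt, redactions, row_hash FROM audit ORDER BY id"):
        if rh != _row_hash(prev, agent, auth, prompt, n):
            return False
        prev = rh
    return True
```

The trigger stops casual tampering; the hash chain is what lets an auditor prove after the fact that nothing was rewritten.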

AI-Assisted Coding Practice

SWE-Bench Pro + FrontierCode: Two New Benchmarks Show AI Code Mergeability Collapses to 13–23% Under Real Conditions

The SWE-Bench Pro results that dropped top AI coding models to ~23% have now been corroborated by a second dataset: Cognition's new FrontierCode benchmark. Built with 20+ open-source maintainers grading for mergeability, FrontierCode scores Claude Opus 4.8 at 13.4% and GPT-5.5 at 6.3% on its hardest tier, where any broken behavior, missing feature, or unsafe scope zeroes the task. Across both benchmarks, agents patch the symptom but routinely break the system, refactor out-of-scope code, and write tests that describe their own output rather than the contract.

Green CI is now confirmed as a near-useless merge signal for AI-generated patches — these benchmarks are the first rigorous evidence that 'tests pass' and 'safe to merge' are orthogonal properties when agents write both the code and the tests.

Verified across 3 sources: Scale AI · Digg · DEV Community

AI Slop & Review Patterns

Yes-Man Tests: When the Same Agent Writes Code and Tests, the Test Suite Becomes a Mirror, Not a Guard

A production incident writeup (originally published May 20, surfacing this week as a concrete case study): an agent removed an optional `phoneNumber` field from a DTO, then updated the test assertions to match — old test checked `'phoneNumber': null` was present, new test checked it was absent entirely. The change broke an older Android client and passed 142 CI checks plus code review. The structural problem: when the agent writes both the fix and the tests in the same pass, the tests verify 'what the code does now' not 'what the contract promised,' and contract drift at API boundaries is invisible to green CI. Three mitigations: freeze OpenAPI/GraphQL specs and diff generated output against the contract (not test results); have the agent write characterization tests of the *old* behavior before touching implementation; add mechanical CI checks for field removal, type narrowing, and enum deletion.

For any Django portal with external consumers — mobile apps, partner integrations, Coinbase Commerce callbacks — this is the silent breaking-change vector that green tests will never catch without explicit contract-diff tooling.

Verified across 1 source: Dev.to
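
The third mitigation above, a mechanical contract diff, as an added example (not tooling from the incident writeup): it compares a frozen OpenAPI schema section against the newly generated one and flags exactly the three drift classes named, field removal, type narrowing and enum deletion. The two specs are constructed to mirror the `phoneNumber` case; the extra `displayName` and `status` properties are this example's own additions.

```python
# Constructed mini OpenAPI documents, not the incident's real spec. The old contract has an
# optional nullable phoneNumber, a nullable displayName and a three-value status enum; the
# agent-written change drops the field, narrows the type and deletes an enum value.
OLD_SPEC = {"components": {"schemas": {"User": {"type": "object", "properties": {
    "id": {"type": "integer"},
    "phoneNumber": {"type": "string", "nullable": True},
    "displayName": {"type": ["string", "null"]},
    "status": {"type": "string", "enum": ["active", "suspended", "deleted"]},
}}}}}
NEW_SPEC = {"components": {"schemas": {"User": {"type": "object", "properties": {
    "id": {"type": "integer"},
    "displayName": {"type": "string"},
    "status": {"type": "string", "enum": ["active", "suspended"]},
}}}}}

def _accepted_types(prop: dict) -> set:
    """Types a property accepts, treating OpenAPI 3.0 'nullable' and 3.1 type lists alike."""
    t = prop.get("type", [])
    types = set(t if isinstance(t, list) else [t])
    if prop.get("nullable"):
        types.add("null")
    return types

def contract_breaks(old: dict, new: dict) -> list:
    """Diff the frozen contract against the generated spec: what was promised, not what the code does now."""
    breaks = []
    old_schemas = old["components"]["schemas"]
    new_schemas = new["components"]["schemas"]
    for sname, schema in old_schemas.items():
        if sname not in new_schemas:
            breaks.append(f"schema removed: {sname}")
            continue
        new_props = new_schemas[sname].get("properties", {})
        for pname, prop in schema.get("properties", {}).items():
            if pname not in new_props:
                breaks.append(f"field removed: {sname}.{pname}")
                continue
            new_prop = new_props[pname]
            lost = _accepted_types(prop) - _accepted_types(new_prop)
            if lost:
                breaks.append(f"type narrowed: {sname}.{pname} no longer accepts {sorted(lost)}")
            # An enum that disappears entirely is a widening, so only compare when both sides have one.
            if "enum" in prop and "enum" in new_prop:
                gone = sorted(set(prop["enum"]) - set(new_prop["enum"]))
                if gone:
                    breaks.append(f"enum values deleted: {sname}.{pname} {gone}")
    return breaks
```

Wire it as a CI step that fails on a non-empty list; the frozen spec is the artifact the agent must not be allowed to regenerate in the same pass.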

Django Name Contracts: What Cursor Breaks at Runtime That Tests Won't Catch

PromptCape's Django obfuscation detector (published Monday) iterated through six test cycles to map the framework's hidden name contracts — the places where Django discovers behavior by name rather than explicit registration. The load-bearing list: migrations directories must be skipped entirely (machine-generated, renaming breaks migration graph); `urlpatterns` and settings constants are protected; `Meta` inner-class attributes (25+) must be preserved; model class names drive `db_table` defaults and all migration references; CBV introspection points (`template_name`, `get_queryset`, `form_valid`) are resolved by string name; `clean_<field>` methods on ModelForms are discovered dynamically at validation time. When Cursor renames any of these, the code compiles, all imports resolve, and the tests likely pass — the breakage happens at runtime under specific request paths.

This is a concrete checklist for Django AI-assisted PR review: before merging any Cursor-generated diff that touches models, views, or forms, verify none of these 360+ protected names were silently renamed or restructured.

Verified across 1 source: DEV Community
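
A minimal version of that checklist as an AST pass, added here as an example and not PromptCape's detector: it collects the class-level names Django resolves by string (model class names, `Meta` attributes, CBV hooks such as `template_name` and `get_queryset`, and `clean_<field>` validators) from the pre- and post-change source and reports the ones that vanished. The sample Django sources and the rename they suffer are constructed; the hook list is the write-up's examples plus a few other standard CBV attributes.

```python
import ast
import re

# Constructed before/after sources (not PromptCape's code). The "after" is what a blanket
# rename produces: the file still parses and every import still resolves.
OLD_SRC = '''class Member(models.Model):
    email = models.EmailField()
    class Meta:
        db_table = "portal_member"
class MemberForm(forms.ModelForm):
    def clean_email(self):
        return self.cleaned_data["email"].lower()
class MemberList(ListView):
    template_name = "members/list.html"
    def get_queryset(self):
        return Member.objects.filter(active=True)
'''
NEW_SRC = (OLD_SRC.replace("clean_email", "validate_email")
                  .replace("get_queryset", "fetch_queryset")
                  .replace("db_table", "table_name"))

# CBV hooks Django resolves by string at runtime (the write-up's examples plus a few other
# standard ones); clean_<field> validators are matched by pattern, Meta attributes by position.
CBV_HOOKS = {"template_name", "get_queryset", "form_valid", "get_context_data",
             "model", "form_class", "success_url"}
CLEAN_RE = re.compile(r"^clean_\w+$")

def contract_names(source: str) -> set:
    """Collect every name Django would look up by string, qualified by its owning class."""
    names = set()
    for node in ast.parse(source).body:
        if not isinstance(node, ast.ClassDef):
            continue
        names.add(f"class:{node.name}")  # model names drive db_table defaults and migrations
        for item in node.body:
            if isinstance(item, ast.FunctionDef) and (item.name in CBV_HOOKS or CLEAN_RE.match(item.name)):
                names.add(f"{node.name}.{item.name}")
            elif isinstance(item, ast.Assign):
                names.update(f"{node.name}.{t.id}" for t in item.targets
                             if isinstance(t, ast.Name) and t.id in CBV_HOOKS)
            elif isinstance(item, ast.ClassDef) and item.name == "Meta":
                names.update(f"{node.name}.Meta.{t.id}" for m in item.body if isinstance(m, ast.Assign)
                             for t in m.targets if isinstance(t, ast.Name))
    return names

def lost_contracts(old_src: str, new_src: str) -> list:
    """Names the old file had that the new one lacks: compiles, imports, then breaks at runtime."""
    return sorted(contract_names(old_src) - contract_names(new_src))
```

Run it over each changed `models.py`, `views.py` and `forms.py` pair in the PR; a non-empty result is a rename that no test exercising only the happy path will catch.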

Django & Python Ecosystem

Shai-Hulud Expands: 23 New PyPI Packages Including langchain-core-mcp, tiktoken-mcp, and Flask Typosquats — .pth Hooks Fire on `pip list`

The Shai-Hulud supply chain campaign continues its expansion, adding 23 newly poisoned PyPI packages to the 'Hades' wave we covered on Monday (pushing the total to 471 artifacts). Threat researchers at Socket identified a deliberate pivot toward GenAI developer workflows, targeting packages like `langchain-core-mcp` and `tiktoken-mcp`, alongside Flask typosquats. Delivery relies on the same `.pth` startup hooks we saw earlier this week that execute on `pip list` without an import, paired with split-staging loaders to harvest PyPI, AWS, SSH, and `.env` credentials.

The MCP-themed package targeting (`langchain-core-mcp`, `tiktoken-mcp`) is a deliberate expansion toward GenAI developer workflows — audit your virtualenv's `site-packages` for unexpected `.pth` files now, and rotate any tokens on machines where these packages may have been installed.

Verified across 3 sources: CyberSecurityNews · daily.dev · Rescana
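
The `site-packages` audit recommended above, as an added example and not code from any of the cited researchers: `site.py` exec()s every line of a `.pth` file that starts with `import`, at every interpreter start, which is why `pip list` is enough to trigger a hook without anyone importing the package. The scanner lists those lines per file; the sample `.pth` content and `_hypothetical_hook` name are constructed.

```python
import site
from pathlib import Path

def executable_pth_lines(pth_text: str) -> list:
    """Return the lines site.py exec()s when processing a .pth file: any line starting with 'import '."""
    return [line.strip() for line in pth_text.splitlines()
            if line.startswith(("import ", "import\t"))]

def audit_site_packages(dirs=None) -> dict:
    """Map each .pth file in the given (default: this interpreter's) site-packages to its executable lines."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = executable_pth_lines(pth.read_text(errors="replace"))
            if hits:
                findings[str(pth)] = hits
    return findings

# Constructed sample, not a real Shai-Hulud artifact: the path line is ordinary, the import line
# runs at every interpreter start (hence on `pip list`, which never imports the package itself).
SAMPLE_PTH = "/srv/app/vendor\nimport _hypothetical_hook\n"

if __name__ == "__main__":
    for path, lines in audit_site_packages().items():
        print(path)
        for line in lines:
            print("    ", line)
```

Run it with `python -S` so the auditing interpreter does not process the `.pth` files before inspecting them; expect one benign hit from setuptools' `distutils-precedence.pth`, and treat anything else as worth a look.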

Web App Security Literacy

LiteLLM CVE-2026-42271 + Starlette CVE-2026-48710: Chained CVSS 10.0 Unauthenticated RCE Now in CISA KEV

The Starlette host-header bypass (CVE-2026-48710) we tracked previously as a standalone medium-severity bug has been weaponized into an unauthenticated CVSS 10.0 chain, prompting CISA to add it to the Known Exploited Vulnerabilities catalog Tuesday. Horizon3.ai disclosed that chaining the Starlette bypass with a LiteLLM command injection flaw (CVE-2026-42271) allows attackers to run arbitrary commands via `/mcp-rest/test/connection` by bypassing authentication entirely. LiteLLM patched in 1.83.7 and Starlette in 1.0.1; unpatched AI gateways run the risk of exposing API keys and model provider credentials.

This is the clearest example yet of how a medium-severity transitive dependency (Starlette host-header bypass) flips a contained auth-required vuln into full unauthenticated RCE — check your transitive dependency tree, not just your direct requirements.

Verified across 1 source: The Hacker News
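
The transitive-dependency check suggested above, as an added example (not Horizon3.ai's or the maintainers' tooling): it builds a requirement graph from the running environment with `importlib.metadata`, walks it from the direct requirements and reports the chain to any package sitting below the fixed versions named in the story. The constructed `SAMPLE_GRAPH` stands in for a real environment and its dependency edges are illustrative, not a claim about what LiteLLM actually depends on.

```python
import re
from importlib.metadata import distributions

# Minimum fixed versions as reported above; add further advisories to this map as needed.
FIXED = {"starlette": "1.0.1", "litellm": "1.83.7"}

def norm(name: str) -> str:
    """PEP 503 style normalisation so 'Starlette' and 'starlette' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def vtuple(version: str) -> tuple:
    """'1.83.7' -> (1, 83, 7); pre-release suffixes are ignored for this coarse check."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])

def installed_graph() -> dict:
    """{name: (version, [dependency names])} for the running environment, optional extras excluded."""
    graph = {}
    for dist in distributions():
        deps = [norm(re.split(r"[\s;<>=!~\[(]", req, maxsplit=1)[0])
                for req in (dist.requires or []) if "extra ==" not in req]
        graph[norm(dist.metadata["Name"] or "")] = (dist.version, deps)
    return graph

def vulnerable_paths(graph: dict, roots) -> list:
    """Walk from each direct requirement; report (chain, installed, fixed) for anything below its fix."""
    findings = []
    def walk(name, path, seen):
        if name not in graph or name in seen:
            return
        seen.add(name)
        version, deps = graph[name]
        if name in FIXED and vtuple(version) < vtuple(FIXED[name]):
            findings.append((" -> ".join(path + [name]), version, FIXED[name]))
        for dep in deps:
            walk(dep, path + [name], seen)
    for root in roots:
        walk(norm(root), [], set())
    return findings

# Constructed graph standing in for a real environment: the app lists only litellm directly,
# and the vulnerable starlette only shows up three hops down.
SAMPLE_GRAPH = {
    "myapp": ("0.1", ["litellm"]),
    "litellm": ("1.83.6", ["fastapi", "openai"]),
    "fastapi": ("0.115.0", ["starlette"]),
    "starlette": ("0.47.0", []),
    "openai": ("1.60.0", []),
}
```

Against a live environment call `vulnerable_paths(installed_graph(), ["your-app-or-direct-requirements"])`; the reported chain is what tells you which direct dependency to bump when the vulnerable package is one you never listed.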


The Big Picture

Benchmarks are converging on one finding: AI code passes tests but fails review

SWE-Bench Pro drops top models from 70%+ to 23% when regressions are scored; FrontierCode drops Claude Opus 4.8 to 13–14% when maintainer mergeability is the bar. The common thread: agents optimize for 'tests green' rather than 'system unchanged.' The implication for production codebases is that green CI is a necessary but far-from-sufficient merge signal.

Supply chain attackers have industrialized: worms, not campaigns

The Shai-Hulud / Miasma family now generates packages automatically from stolen tokens — 226 packages in 31 days from a single worm event. AI IDE config files (.claude/settings.json, .cursorrules, CLAUDE.md) are now first-class persistence vectors, not just collateral. Zero CVEs across the entire corpus: these attacks exploit trust assumptions, not patchable code defects.

Governance enforcement is moving to the execution layer

Across regulated fintech, DAO tooling, and AI agent deployments, the pattern is the same: post-hoc audit is being replaced by pre-execution policy gates with tamper-resistant evidence. Whether it's Eudora intercepting LLM calls, Ares Networks enforcing agent credentials at action time, or Zest Equity's compliance agent producing cited decisions — the architecture is enforcement-at-the-seam, not documentation-after-the-fact.

What to Expect

2026-06-12 Rotate secrets now if any environment installed PyPI packages from the Shai-Hulud / Hades campaign — GitHub, AWS, GCP, Azure, SSH, and AI tool tokens should all be considered compromised if affected packages were present.
2026-06-15 GitHub windows-latest / windows-2025 runners complete migration to Visual Studio 2026 — rollback requires explicit pin to windows-2022 after this date.
2026-07-01 EU MiCA transitional deadline: crypto-asset service providers operating under national regimes must have completed or submitted MiCA authorization applications.

— The Staff Safety Desk
