Today's briefing tracks the widening gap between the code AI agents can write and what's actually secure. The theme is trust boundaries: from AI agents executing malicious code injected into error reports, to a persistent pattern of AI-generated APIs that skip critical ownership checks.
Following yesterday's coverage of New Relic's 'State of AI Coding' report, the scope of the industry's 'agent debt' is becoming clearer: while 94% of tech leaders praise AI-generated code during review, 82% of organizations report subsequent production failures.
Why it matters
This data confirms that the primary challenge of AI coding is the gap between plausible-looking code and production-ready reliability, shifting the bottleneck from writing code to reviewing and testing it.
Security researchers disclosed 'Agentjacking', an attack in which AI coding assistants such as Cursor and Claude Code are tricked into executing arbitrary code. It is a form of indirect prompt injection: the attacker plants instructions in fake Sentry error reports, the agent ingests the report as trusted context and acts on the embedded commands, and those commands run with the developer's full privileges, where they can exfiltrate AWS keys or GitHub tokens.
Why it matters
This attack exploits the agent's implicit trust in external data sources. The payload arrives through an integration the developer deliberately wired up, so controls that inspect inbound traffic or installed code never see it, and it opens a new vulnerability surface in AI-assisted development workflows: any tool output the agent reads is a potential instruction channel.
A developer has highlighted a recurring, critical flaw in APIs generated by AI tools like Cursor: CWE-639 (Authorization Bypass Through User-Controlled Key, better known as an Insecure Direct Object Reference, IDOR). The generated code usually does require authentication, but it consistently fails to check that the authenticated user owns the resource being requested, so any logged-in user can read or modify any other user's records simply by guessing an ID.
Why it matters
This is a textbook example of 'AI slop' producing a severe vulnerability. It reinforces the need for manual, security-aware review that specifically checks the access-control logic of every AI-generated database query (does the WHERE clause bind the owner from the session, not from the request?), backed by tests that fetch another user's record and expect a refusal.
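The ownership-check gap described above, as an added example that is not code from the page or from any AI-generated API. Two request handlers run over an in-memory store; the code is deliberately framework-agnostic, with `req.user` assumed to be set by an upstream authentication middleware (not shown), `req.params.id` as the route parameter, and handlers returning `{ status, body }` objects. The user and document data are constructed for the example.

```javascript
// Added example, not code from the page or from any AI-generated API: the
// missing-ownership-check pattern as two handlers over an in-memory store.
// Assumptions: `req.user` is set by an upstream auth middleware (not shown),
// `req.params.id` is the route parameter, handlers return { status, body }.

// Constructed sample data: two users, each owning one document.
const documents = [
  { id: 1, ownerId: 'alice', body: 'alice private notes' },
  { id: 2, ownerId: 'bob', body: 'bob salary sheet' },
];

// Vulnerable pattern (CWE-639): authentication is enforced, but the lookup
// ignores who owns the row.
// Equivalent SQL:  SELECT * FROM documents WHERE id = $1
function getDocumentInsecure(req, db = documents) {
  if (!req.user) return { status: 401 };
  const id = Number(req.params.id);
  const doc = db.find((d) => d.id === id);
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Hardened pattern: the owner is part of the query predicate and comes from
// the authenticated identity, never from anything the client sent.
// Equivalent SQL:  SELECT * FROM documents WHERE id = $1 AND owner_id = $2
// A row the caller does not own answers 404 rather than 403, so the endpoint
// does not confirm which ids exist.
function getDocumentSecure(req, db = documents) {
  if (!req.user) return { status: 401 };
  const id = Number(req.params.id);
  if (!Number.isInteger(id)) return { status: 400 };
  const doc = db.find((d) => d.id === id && d.ownerId === req.user.id);
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// The same rule applies to writes: scope the update by owner and treat
// "no matching row" as not found instead of silently succeeding.
// Equivalent SQL:  UPDATE documents SET body = $1 WHERE id = $2 AND owner_id = $3
function updateDocumentSecure(req, db = documents) {
  if (!req.user) return { status: 401 };
  const id = Number(req.params.id);
  const doc = db.find((d) => d.id === id && d.ownerId === req.user.id);
  if (!doc) return { status: 404 };
  doc.body = String(req.body.body);
  return { status: 200, body: doc };
}

// The regression check a reviewer should demand for every AI-generated
// handler: a logged-in user guessing another user's id must be refused.
function crossUserAccessIsBlocked(handler) {
  const asBob = { user: { id: 'bob' }, params: { id: '1' }, body: { body: 'x' } };
  return handler(asBob).status === 404;
}

console.log('insecure handler blocks cross-user read:', crossUserAccessIsBlocked(getDocumentInsecure)); // false
console.log('secure handler blocks cross-user read:  ', crossUserAccessIsBlocked(getDocumentSecure));   // true
console.log('secure handler blocks cross-user write: ', crossUserAccessIsBlocked(updateDocumentSecure)); // true
```

The only difference between the two read handlers is one extra predicate, which is exactly why it slips past review: both versions look complete, and only a test that impersonates a second user exposes the gap.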
npm v12, scheduled for July 2026, will introduce three breaking security changes by default: install scripts will no longer run automatically (`allowScripts`), and dependencies pulled from git repositories (`--allow-git`) or remote tarballs (`--allow-remote`) will be blocked unless explicitly allowed. This shift from implicit trust to explicit opt-in is designed to blunt supply-chain attacks that abuse exactly these features.
Why it matters
This is a necessary hardening of the JavaScript ecosystem, but it requires you to audit your projects and CI/CD pipelines now: find every dependency that relies on an install script or resolves to a git or remote-tarball source, and approve it explicitly where it is genuinely needed. Otherwise your builds will fail next month.
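One way to do that audit, as an added example that is not npm's own code: classify every dependency spec in a package.json the way npm resolves it (registry, git, remote tarball, other) and read the lockfile's `hasInstallScript` markers, which npm writes in lockfileVersion 2 and 3 for packages that declare install-time scripts. Both input files below are constructed for the example, and the package names and the commit hash in them are placeholders. The script reports which of the three new defaults a project would need to opt back into; map those to the opt-in names the item above lists after checking npm's own release notes.

```javascript
// Added example, not npm's own code: a pre-flight audit for the npm v12
// default-deny behaviour. Inputs are constructed; names are illustrative.

const samplePackageJson = {
  dependencies: {
    express: '^4.19.0',
    'left-pad': 'https://example.invalid/left-pad-1.3.0.tgz',
    'my-fork': 'git+https://github.com/example/my-fork.git#v1.2.0',
    'shorthand-dep': 'example/shorthand-dep',
    '@scope/pkg': '^2.0.0',
    'local-thing': 'file:../local-thing',
  },
  devDependencies: {
    esbuild: '^0.21.0',
    'gh-dep': 'github:example/gh-dep#main',
  },
};

const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app' },
    'node_modules/express': { version: '4.19.2' },
    'node_modules/esbuild': { version: '0.21.0', hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://example.invalid/left-pad-1.3.0.tgz' },
    'node_modules/my-fork': { version: '1.2.0', resolved: 'git+https://github.com/example/my-fork.git#0123456789abcdef0123456789abcdef01234567', hasInstallScript: true },
    // transitive git dependency: never appears in package.json, only here
    'node_modules/my-fork/node_modules/inner-git': { version: '0.1.0', resolved: 'git+ssh://git@github.com/example/inner-git.git#0123456789abcdef0123456789abcdef01234567' },
  },
};

const GIT_PREFIXES = ['git+', 'git://', 'github:', 'gitlab:', 'bitbucket:', 'gist:'];

// Classify one dependency spec: 'registry' | 'git' | 'remote' | 'other'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (GIT_PREFIXES.some((p) => s.startsWith(p))) return 'git';
  if (/^https?:\/\//i.test(s)) {
    // URLs on the git hosts npm recognizes are git dependencies; any other URL is a remote tarball
    return /^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org)\//i.test(s) ? 'git' : 'remote';
  }
  if (/^(file|link|workspace|npm):/.test(s)) return 'other';
  // bare "owner/repo[#ref]" is npm's GitHub shorthand; version ranges never contain a slash
  if (/^[^@/\s:]+\/[^/\s#]+(#.*)?$/.test(s)) return 'git';
  return 'registry';
}

// Package name from a lockfile path such as node_modules/a/node_modules/@s/b.
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns { git: [{name, where, spec}], remote: [...], installScripts: [name] }.
function auditDependencies(pkg, lock) {
  const findings = { git: [], remote: [], installScripts: [] };
  const seenGit = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'git' && !seenGit.has(name)) {
        seenGit.add(name);
        findings.git.push({ name, where: field, spec });
      } else if (kind === 'remote') {
        findings.remote.push({ name, where: field, spec });
      }
    }
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = nameFromLockPath(path);
    // transitive git deps only show up in the lockfile's resolved URL
    if (typeof entry.resolved === 'string' && entry.resolved.startsWith('git+') && !seenGit.has(name)) {
      seenGit.add(name);
      findings.git.push({ name, where: 'lockfile', spec: entry.resolved });
    }
    if (entry.hasInstallScript) findings.installScripts.push(name);
  }
  return findings;
}

// Which of the three new defaults this project would have to opt back into.
function requiredOptIns(findings) {
  const out = [];
  if (findings.git.length) out.push('git');
  if (findings.remote.length) out.push('remote');
  if (findings.installScripts.length) out.push('install-scripts');
  return out;
}

const report = auditDependencies(samplePackageJson, samplePackageLock);
console.log(JSON.stringify(report, null, 2));
console.log('opt-ins needed:', requiredOptIns(report)); // [ 'git', 'remote', 'install-scripts' ]
```

The lockfile pass matters as much as the package.json pass: a transitive dependency fetched from git, or a deep dependency with a postinstall hook, is invisible in package.json but will still stop a default-deny install, so run this against the lockfile that CI actually consumes.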
The popular open-source vulnerability scanner Trivy was compromised: an attacker force-pushed 75 malicious version tags to its GitHub Actions repositories, so any workflow referencing one of those tags pulled the attacker's code on its next run. The payload was an infostealer designed to lift SSH keys, cloud credentials and other developer secrets directly from the CI/CD pipelines of anyone running the action.
Why it matters
This incident is a stark reminder that even security tools can be weaponized in a supply-chain attack. A version tag is a mutable pointer, and re-pointing tags is exactly what happened here; a full commit SHA cannot be moved, so pin actions to specific commit SHAs, and keep CI/CD secrets out of any build step that does not need them.
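A check for the tag-pinning problem, as an added example that is not Trivy's or GitHub's code: scan a workflow file for `uses:` references and flag every one that resolves through a mutable ref (a version tag, a branch, or a Docker image tag) instead of a full 40-hex commit SHA or an image digest. The workflow text is constructed for the example; the `example-org` actions and the SHA in it are placeholders, not real repositories or commits.

```javascript
// Added example, not Trivy's or GitHub's code: flag GitHub Actions `uses:`
// references that an attacker could re-point. Workflow text is constructed;
// example-org actions and the SHA are placeholders.

const sampleWorkflow = `
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v3.1.0, placeholder SHA
      - name: vulnerability scan
        uses: example-org/vuln-scan-action@0.2.0
      - uses: example-org/vuln-scan-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
`;

// Matches "uses:" whether or not it starts a list item, tolerating quotes,
// and stops before any trailing comment.
const USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/;
const FULL_SHA = /^[0-9a-f]{40}$/i;

// kind: 'pinned' | 'mutable' | 'unversioned' | 'local'
function classifyRef(ref) {
  if (ref.startsWith('./') || ref.startsWith('../')) {
    return { kind: 'local', target: ref, version: null };
  }
  if (ref.startsWith('docker://')) {
    // image tags are mutable too; only a digest is immutable
    const kind = ref.includes('@sha256:') ? 'pinned' : 'mutable';
    return { kind, target: ref, version: null };
  }
  const at = ref.lastIndexOf('@');
  if (at === -1) return { kind: 'unversioned', target: ref, version: null };
  const version = ref.slice(at + 1);
  return { kind: FULL_SHA.test(version) ? 'pinned' : 'mutable', target: ref.slice(0, at), version };
}

// One finding per uses: line whose ref an attacker could re-point.
function auditWorkflow(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const ref = classifyRef(m[1]);
    if (ref.kind === 'mutable' || ref.kind === 'unversioned') {
      findings.push({ line: i + 1, ...ref });
    }
  });
  return findings;
}

for (const f of auditWorkflow(sampleWorkflow)) {
  const shown = f.version ? `${f.target}@${f.version}` : f.target;
  console.log(`line ${f.line}: ${shown} is ${f.kind}; pin to a full commit SHA or digest`);
}
```

Pinning moves the risk rather than removing it: a SHA pin only helps if the commit behind it was reviewed before it was adopted, so pair the check with a bot that proposes SHA bumps and a reviewer who reads the upstream diff before merging them.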
The PostgreSQL Global Development Group has released the first beta of PostgreSQL 19, making new features available for public testing ahead of the final release later this year. In parallel, a formal end-of-life date has been set for PostgreSQL 14, which—as we noted during last month's emergency patch cycle—will stop receiving security and bug fixes on November 12, 2026.
Why it matters
The EOL announcement for version 14 is a hard deadline: any team still on that version needs to start planning its upgrade to a supported release now in order to keep receiving security fixes.
Agent Trust Boundaries Are the New Attack Surface
A major theme is the exploitation of AI coding agents' trust boundaries. 'Agentjacking' via poisoned Sentry bug reports and IDOR flaws in AI-generated APIs that skip ownership checks show that agents are a new attack vector: they execute malicious instructions because they implicitly trust their inputs.
AI-Generated Code: Praised in Review, Failing in Production
Multiple reports this week confirm a recurring pattern: AI-generated code is praised during code review but drives a spike in production failures and 'agent debt'. The disconnect shows that plausibility is not correctness, shifting the engineering bottleneck from writing code to exhaustively reviewing and testing it.
Supply Chain Security Hardens by Default
The upcoming npm changes that disable automatic script execution and the compromise of the Trivy scanner signal a clear trend: supply-chain security is moving from an opt-in concern to a default-deny posture. Package managers and tooling now force developers to explicitly approve risky actions, which changes CI/CD workflows fundamentally.
What to Expect
2026-06-18—'Hades' PyPI attack targeting Bun runtime expected to be detailed.
2026-07-01—npm v12 releases, breaking builds that rely on automatic install scripts or unapproved git/remote dependencies.
2026-07-01—EU MiCA grace period ends, requiring all EU crypto asset service providers to be licensed or cease operations.
2026-07-01—Visa's new network tokenization rules for card-on-file transactions take effect, likely increasing decline rates for non-compliant merchants.
2026-07-31—GitHub Actions begins enforcing minimum versions for self-hosted runners on Data Residency plans.
— The Staff Safety Desk