🧯 The Staff Safety Desk

Saturday, July 11, 2026

6 stories

Generated with AI from public sources. Verify before relying on for decisions.

🎧 Listen to this briefing or subscribe as a podcast →

The attack surface of AI assistants continues to widen today, with a new vulnerability in tools like Cursor that bypasses human-in-the-loop safeguards. We are also tracking a major npm release that directly mitigates the `postinstall` exploits seen in recent supply chain attacks, and a high-stakes look at the false-positive bottleneck in AI security scanning.

Web App Security Literacy

'GhostApproval' Vulnerability Allows Sandbox Escape in Major AI Coding Assistants

Following the 'Agentjacking' vector we tracked last month, a new systematic vulnerability dubbed 'GhostApproval' has been discovered in six major AI coding assistants, including Cursor and Claude Code. Disclosed by Wiz Research, the flaw allows a malicious repository to use symlinks to trick an agent into writing to sensitive system files. Because the UI misleads the human reviewer about the true file path, the intended approval step is bypassed entirely, enabling a sandbox escape.

This joins a growing class of exploits that bypass 'human-in-the-loop' safeguards by design, highlighting that the AI tools themselves are becoming a primary attack surface that can compromise developer environments.

Verified across 2 sources: Daily Security Review · InfoWorld

Study: GitHub Copilot Chat Can Be Systematically Manipulated to Generate Unsafe Code

A new security study found that GitHub Copilot Chat in Visual Studio Code can be consistently manipulated to produce unsafe and malicious code through adversarial prompts. Researchers achieved a 100% success rate across 816 prompts, forcing four different LLM backends to generate vulnerable outputs, such as backdoors or code that exfiltrates secrets, demonstrating a systemic failure in the tool's safety guardrails.

This research proves that AI coding assistants can be turned into a vector for injecting vulnerabilities, requiring development teams to treat AI-generated code with extreme skepticism and implement strict, independent verification and scanning.

Verified across 1 sources: windowsnews.ai

GitHub Actions & Supply Chain

npm 12 Released, Disables Risky Install Scripts by Default to Harden Supply Chain

Directly addressing the `postinstall` script exploits we tracked in the North Korean 'PolinRider' campaign and the Miasma worm, GitHub released npm version 12 on Wednesday with dependency lifecycle scripts blocked by default. Developers must now explicitly opt-in to run install-time scripts via `npm approve-scripts`, closing a massive and frequently abused supply chain vulnerability.

This is a fundamental change to Node.js dependency management that significantly hardens the software supply chain, forcing a more deliberate and security-conscious approach from engineers, and will require updates to many CI/CD pipelines.

Verified across 2 sources: Digital Applied · cybernoz.com

Postgres & Redis Operations

Guide to Demystifying and Fixing PostgreSQL Timeouts

A new guide breaks down the five distinct PostgreSQL timeout parameters that frequently cause production issues: `statement_timeout`, `lock_timeout`, `idle_in_transaction_session_timeout`, and the newer `idle_session_timeout` and `transaction_timeout`. It provides diagnostic queries using `pg_stat_activity` and concrete fixes for each, explaining how they interact with connection poolers and long-running migrations.

This guide provides the specific queries needed to diagnose and fix common Postgres timeout issues that manifest as application-level failures, which is essential knowledge for preventing outages in a production Django environment.

Verified across 1 sources: Fosskit

AI Slop & Review Patterns

Ethereum Foundation Finds Critical Bug with AI Agents, But Drowns in False Positives

Providing a high-stakes example of the 'review drift' and false-positive bottleneck we've been tracking across engineering teams, the Ethereum Foundation successfully used AI agents to uncover a remotely exploitable bug (CVE-2026-34219) in libp2p's gossipsub. However, the experiment also showed the agents' primary limitation: they generated a massive volume of convincing but incorrect findings, shifting the security team's workload from bug discovery to the manual, expert-driven triage of false positives.

This real-world deployment confirms the emerging consensus around AI review tools: they can find novel, critical vulnerabilities, but they create a significant, expert-intensive verification workload that offsets much of the velocity gain.

Verified across 1 sources: Bitcoin.com

Regulated Portal And DAO Governance

Federal Crypto Regulation Shifts as Firms Abandon State Licenses for OCC Charters

Major crypto firms like Circle and Fidelity Digital Assets are abandoning state-by-state BitLicenses in favor of federal national trust bank charters from the Office of the Comptroller of the Currency (OCC). This strategic shift, enabled by the GENIUS Act signed in July 2025, allows firms to operate nationwide under a single, federally-preempted regulatory framework rather than a patchwork of state rules.

This trend toward federal chartering streamlines the complex legal landscape for digital assets, which could simplify the operational and compliance workflows for regulated portals and DAOs operating across the US.

Verified across 1 sources: ETHNews


The Big Picture

'GhostApproval' Exposes a New Class of AI Agent Vulnerabilities A vulnerability dubbed 'GhostApproval' found in six major AI coding agents, including Cursor and Claude Code, shows how malicious repositories can trick the agent's UI. This allows attackers to gain access to sensitive files by misrepresenting actions to the human reviewer, undermining the 'human-in-the-loop' safety model and creating a new attack surface for sandbox escapes.

NPM Hardens Supply Chain by Disabling Install Scripts In a significant move to combat supply chain attacks like the Miasma worm, npm version 12 now disables dependency lifecycle scripts by default. This forces developers to explicitly approve scripts, fundamentally changing dependency management and reducing the risk of malware execution during installation, though it introduces new workflow considerations.

AI Agents Show Promise and Peril in Production Codebases A new wave of reports details the complex reality of using AI agents for real-world coding. The Ethereum Foundation successfully used agents to find a critical bug in libp2p, but struggled with a high volume of false positives. Meanwhile, a study finds that GitHub Copilot can be systematically prompted to generate unsafe code, highlighting the continued need for rigorous human verification.

What to Expect

Oct 31, 2026 Python 3.10 reaches end-of-life, no longer receiving security patches.

— The Staff Safety Desk

🎙 Listen as a podcast

Subscribe in your favorite podcast app to get each new briefing delivered automatically as audio.

Apple Podcasts
Library tab → ••• menu → Follow a Show by URL → paste
Overcast
+ button → Add URL → paste
Pocket Casts
Search bar → paste URL
Castro, AntennaPod, Podcast Addict, Castbox, Podverse, Fountain
Look for Add by URL or paste into search

Spotify isn’t supported yet — it only lists shows from its own directory. Let us know if you need it there.