🧯 The Staff Safety Desk

Thursday, July 16, 2026

6 stories

Generated with AI from public sources. Verify before relying on for decisions.

🎧 Listen to this briefing or subscribe as a podcast →

Valid SLSA provenance attestations are providing false comfort in the software supply chain today, as a detailed post-mortem of the AsyncAPI compromise reveals attackers used a project's own trusted release pipeline to ship signed malware. We are also tracking the expanding fallout of a critical 'binary planting' vulnerability, which has broadened beyond the Cursor IDE to expose GitHub Copilot CLI and OpenAI Codex users on Windows.

GitHub Actions & Supply Chain

AsyncAPI npm Packages Compromised via GitHub Actions, Shipped Signed Malware

Building on yesterday's report of the @asyncapi npm compromise, new analysis shows the attackers used the stolen Personal Access Token to inject the Miasma RAT we tracked last month. By hijacking the project's legitimate release pipeline, the malware was distributed with valid SLSA provenance attestations—bypassing typical supply chain safeguards—and executes upon `require()` rather than `npm install`.

This attack demonstrates that valid provenance is not a security guarantee if the build pipeline itself is the attack vector, fundamentally challenging a core assumption of supply chain security.

Verified across 12 sources: Microsoft Security Blog · CSOonline · Suriq · Phoenix Security · Rescana · WindowsNews.AI · Radar Offseq · jenniferwalkerderby.com · dev.to · sectum.ai/research · OffSeq Radar · Hello Recon

AI-Assisted Coding Practice

Critical 'Binary Planting' 0-Day in Cursor, Copilot CLI, and Other AI Tools Unpatched on Windows

The zero-click RCE vulnerability disclosed by Mindgard in Cursor yesterday extends much further than initially reported. This 'binary planting' flaw—triggered by opening a repository with a maliciously crafted `git.exe`—actually affects major AI coding tools across Windows, including GitHub Copilot CLI, Gemini CLI, and OpenAI Codex. Despite a seven-month disclosure period, most vendors, including GitHub and OpenAI, have declined to issue a patch.

This unpatched vulnerability creates a severe, immediate risk for any developer using these tools on Windows, where cloning a repository can lead to workstation compromise.

Verified across 2 sources: ByteIota · CyberNoz

AI Agents Write PostgreSQL Like Python, Causing Performance and Race Condition Bugs

A new analysis details how AI coding agents generate flawed procedural PostgreSQL (PL/pgSQL) code by inappropriately applying Python idioms. Common errors include using costly exceptions for control flow, making raw type casts on user input that lead to server errors, and misplacing validation checks, which creates race conditions. The author proposes a 'four phases' discipline for handler functions to mitigate these patterns.

This highlights a specific pattern of 'AI slop' where syntactically correct code introduces subtle but critical performance and security debt by ignoring the target language's idiomatic practices.

Verified across 1 sources: pgmi

AI Slop & Review Patterns

Godot Engine Restricts AI-Generated Code Contributions, Citing Maintainer Burnout

The open-source game engine Godot is revising its contribution policy to ban 'Vibe Coding' and large, unverified AI-generated pull requests. Project leadership stated that the flood of low-quality AI submissions, often submitted by contributors who don't understand the code they are proposing, has pushed maintainers to their limits and increased the project's maintenance burden.

Godot's policy is a high-profile example of a growing backlash in open source against AI-generated 'slop' that prioritizes contribution volume over quality and maintainer capacity.

Verified across 1 sources: 36氪 (36Kr)

Django & Python Ecosystem

Django Steering Council Backs 'Triptych Project' to Simplify HTML with New Form Methods

The Django Steering Council has formally announced its support for the Triptych Project, an initiative proposing three small additions to the HTML standard. The proposals, led by Carson Gross (creator of HTMX), would add `PUT`, `PATCH`, and `DELETE` methods for forms, native button actions, and partial page replacement capabilities directly into HTML, reducing the need for JavaScript.

If adopted, these HTML standard changes would significantly simplify building dynamic interfaces in server-rendered frameworks like Django, aligning with the 'HTML over the wire' philosophy.

Verified across 1 sources: Django

Web App Security Literacy

78 of 200 Multi-Tenant AI/SaaS Tools Found to Leak Data Across Tenants

A source code review of over 200 multi-tenant AI and SaaS products found that 78 of them suffered from cross-tenant data exposure. The primary cause was an 'un-retrofitted read sibling' vulnerability, where read endpoints lacked the authorization checks that were correctly implemented on corresponding write endpoints, allowing one tenant to view another's data.

This widespread Insecure Direct Object Reference (IDOR) pattern is a critical reminder to apply authorization checks consistently to every data access path, not just write operations.

Verified across 2 sources: dev.to · sectum.ai/research


The Big Picture

Software Provenance Fails When the Build Pipeline is the Attack Vector The AsyncAPI npm compromise, where attackers used a legitimate CI/CD workflow to publish malware with valid SLSA provenance, shows that trust attestations are insufficient if the build system itself is compromised. This shifts the security boundary from package signing to the integrity of the build and release automation.

AI Coding Tools Suffer from Unpatched, Foundational Vulnerabilities A critical 'binary planting' vulnerability allows remote code execution on Windows just by opening a repository with popular AI coding tools like Cursor and GitHub's Copilot CLI. Vendors' refusal to patch highlights a significant security gap and accountability problem in the AI developer toolchain.

AI-Generated Code Introduces Idiomatic Bugs Across Language Boundaries AI coding agents are frequently observed transliterating programming patterns from one language (like Python) into another (like PL/pgSQL) where they are inefficient or dangerous. This creates a new class of 'AI slop' that is syntactically correct but architecturally flawed, causing performance and security issues.

What to Expect

2026-07-19 Macao's 'One Account' and 'Business and Associations Platform' will be down for system maintenance.

— The Staff Safety Desk

🎙 Listen as a podcast

Subscribe in your favorite podcast app to get each new briefing delivered automatically as audio.

Apple Podcasts
Library tab → ••• menu → Follow a Show by URL → paste
Overcast
+ button → Add URL → paste
Pocket Casts
Search bar → paste URL
Castro, AntennaPod, Podcast Addict, Castbox, Podverse, Fountain
Look for Add by URL or paste into search

Spotify isn’t supported yet — it only lists shows from its own directory. Let us know if you need it there.