Valid SLSA provenance attestations are providing false comfort in the software supply chain today, as a detailed post-mortem of the AsyncAPI compromise reveals attackers used a project's own trusted release pipeline to ship signed malware. We are also tracking the expanding fallout of a critical 'binary planting' vulnerability, which has broadened beyond the Cursor IDE to expose GitHub Copilot CLI and OpenAI Codex users on Windows.
Building on yesterday's report of the @asyncapi npm compromise, new analysis shows the attackers used the stolen Personal Access Token to inject the Miasma RAT we tracked last month. By hijacking the project's legitimate release pipeline, the malware was distributed with valid SLSA provenance attestations—bypassing typical supply chain safeguards—and executes upon `require()` rather than `npm install`.
Why it matters
This attack demonstrates that valid provenance is not a security guarantee if the build pipeline itself is the attack vector, fundamentally challenging a core assumption of supply chain security.
The zero-click RCE vulnerability disclosed by Mindgard in Cursor yesterday extends much further than initially reported. This 'binary planting' flaw—triggered by opening a repository with a maliciously crafted `git.exe`—actually affects major AI coding tools across Windows, including GitHub Copilot CLI, Gemini CLI, and OpenAI Codex. Despite a seven-month disclosure period, most vendors, including GitHub and OpenAI, have declined to issue a patch.
Why it matters
This unpatched vulnerability creates a severe, immediate risk for any developer using these tools on Windows, where cloning a repository can lead to workstation compromise.
A new analysis details how AI coding agents generate flawed procedural PostgreSQL (PL/pgSQL) code by inappropriately applying Python idioms. Common errors include using costly exceptions for control flow, making raw type casts on user input that lead to server errors, and misplacing validation checks, which creates race conditions. The author proposes a 'four phases' discipline for handler functions to mitigate these patterns.
Why it matters
This highlights a specific pattern of 'AI slop' where syntactically correct code introduces subtle but critical performance and security debt by ignoring the target language's idiomatic practices.
The open-source game engine Godot is revising its contribution policy to ban 'Vibe Coding' and large, unverified AI-generated pull requests. Project leadership stated that the flood of low-quality AI submissions, often submitted by contributors who don't understand the code they are proposing, has pushed maintainers to their limits and increased the project's maintenance burden.
Why it matters
Godot's policy is a high-profile example of a growing backlash in open source against AI-generated 'slop' that prioritizes contribution volume over quality and maintainer capacity.
The Django Steering Council has formally announced its support for the Triptych Project, an initiative proposing three small additions to the HTML standard. The proposals, led by Carson Gross (creator of HTMX), would add `PUT`, `PATCH`, and `DELETE` methods for forms, native button actions, and partial page replacement capabilities directly into HTML, reducing the need for JavaScript.
Why it matters
If adopted, these HTML standard changes would significantly simplify building dynamic interfaces in server-rendered frameworks like Django, aligning with the 'HTML over the wire' philosophy.
A source code review of over 200 multi-tenant AI and SaaS products found that 78 of them suffered from cross-tenant data exposure. The primary cause was an 'un-retrofitted read sibling' vulnerability, where read endpoints lacked the authorization checks that were correctly implemented on corresponding write endpoints, allowing one tenant to view another's data.
Why it matters
This widespread Insecure Direct Object Reference (IDOR) pattern is a critical reminder to apply authorization checks consistently to every data access path, not just write operations.
Software Provenance Fails When the Build Pipeline is the Attack Vector The AsyncAPI npm compromise, where attackers used a legitimate CI/CD workflow to publish malware with valid SLSA provenance, shows that trust attestations are insufficient if the build system itself is compromised. This shifts the security boundary from package signing to the integrity of the build and release automation.
AI Coding Tools Suffer from Unpatched, Foundational Vulnerabilities A critical 'binary planting' vulnerability allows remote code execution on Windows just by opening a repository with popular AI coding tools like Cursor and GitHub's Copilot CLI. Vendors' refusal to patch highlights a significant security gap and accountability problem in the AI developer toolchain.
AI-Generated Code Introduces Idiomatic Bugs Across Language Boundaries AI coding agents are frequently observed transliterating programming patterns from one language (like Python) into another (like PL/pgSQL) where they are inefficient or dangerous. This creates a new class of 'AI slop' that is syntactically correct but architecturally flawed, causing performance and security issues.
What to Expect
2026-07-19—Macao's 'One Account' and 'Business and Associations Platform' will be down for system maintenance.
— The Staff Safety Desk
🎙 Listen as a podcast
Subscribe in your favorite podcast app to get each new briefing delivered automatically as audio.
Apple Podcasts
Library tab → ••• menu → Follow a Show by URL → paste