This week's articles
AI Agent Supply-Chain Malware in Instruction Files
Mitiga Labs scanned 50,000+ AI instruction files across 7,000+ repos, finding prompt-exfiltration malware, ANTHROPIC_BASE_URL MITM overrides, YOLO-mode permission bypasses, and 1,230+ hardcoded API keys. They released Skillgate, a free scanner, to detect these techniques.
|
|
Tools
ponytail
Makes your AI agent think like the laziest senior dev in the room. The best code is the code you never wrote.
package-proxy
Inline proxy for software package registries to provide observability and policy controls to installs. You can also check out the companion blog post.
bagel
A CLI that inventories security-relevant metadata on developer workstations.
|
|
From the cloud providers
#AWS
Governing AI Assets at Scale with MCP Gateway and Registry
Open source MCP Gateway and Registry (Apache 2.0) provides enterprise governance for AI assets (MCP servers, agents, skills) via centralized discovery, fine-grained RBAC, supply-chain security scanning, hybrid semantic/keyword search, OpenTelemetry observability, federation with external registries, and deployable on EKS/ECS/EC2.
#AWS
Introducing AWS Continuum: Security at machine speed
AWS Continuum is a new agentic security product in gated preview that addresses code vulnerability lifecycles at machine speed. It uses multiple frontier models to perform discovery, prioritization, validation, and automated remediation, with graduated trust from human-in-the-loop to enforce mode.
|
|
Thanks for reading!
|
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐ If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco
|
|
|