{"id":5492,"date":"2026-07-12T19:32:39","date_gmt":"2026-07-13T00:32:39","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5492"},"modified":"2026-07-12T19:32:39","modified_gmt":"2026-07-13T00:32:39","slug":"devsecops-weekly-july-12-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5492","title":{"rendered":"DevSecOps Weekly &mdash; July 12, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<div class=\"container\">\n<div class=\"banner\">\n<p class=\"kicker\">Security Radar &middot; Issue 7<\/p>\n<h1 style=\"color:#ffffff !important;\">DevSecOps Weekly<\/h1>\n<p class=\"date\" style=\"color:#e0f2fe !important;\">July 12, 2026 &middot; Weekly Edition<\/p>\n<p class=\"tagline\" style=\"color:#f0f9ff !important;\">Six npm and PyPI packages compromised this week &mdash; and four separate attacks built specifically to fool the AI agents reviewing your code, not the developers running it.<\/p>\n<\/p><\/div>\n<div class=\"content\">\n<h2 class=\"section\">At a glance<\/h2>\n<p class=\"lead\">Package registries took another beating this week, but the shape of the damage varied. OX Security found paperclip2 and two companion npm packages hiding a reverse shell inside a bare package.json postinstall script &mdash; no JavaScript files at all, a deliberate dodge around scanners tuned to flag executable code rather than config-file trickery. Socket flagged a 17-package wave of fake Paysafe, Skrill, and Neteller SDKs across npm and PyPI within minutes of publication, built to harvest CI\/CD secrets and API keys from payment-integration developers. Attackers compromised Injective Labs&rsquo; own GitHub repository and pushed a malicious SDK release through the project&rsquo;s trusted-publisher OIDC pipeline under a real maintainer&rsquo;s identity, and a day later the official jscrambler npm CLI shipped a Rust infostealer across five consecutive versions via what looks like a compromised maintainer account rather than a source-code breach.<\/p>\n<p class=\"lead\">More striking is a second, distinct cluster: four independent research teams disclosed attacks this week engineered to trick the AI coding agent itself rather than the human at the keyboard. HalluSquatting (Tel Aviv University, Technion, Intuit) weaponizes the fact that Cursor, Copilot, Gemini CLI, and similar tools reliably hallucinate the same fake package and repo names &mdash; register those names first and the assistant fetches your malware for you. Wiz&rsquo;s GhostApproval abuses an unchecked symlink to make six leading coding assistants, including Claude Code, write an attacker&rsquo;s SSH key straight into a developer&rsquo;s login file while asking for &ldquo;approval&rdquo; on a lie. The AI Now Institute&rsquo;s Friendly Fire hides a prompt injection in a repo README so that asking Claude Code or OpenAI Codex to review the code for security problems is exactly what triggers the malicious payload. And Noma Security&rsquo;s GitLost showed a public GitHub Issue could talk GitHub&rsquo;s own Agentic Workflows feature into leaking private repository contents. Four different lenses, one shared finding: the tools built to write, review, and gatekeep code are becoming the attack surface.<\/p>\n<p class=\"lead\">On the hardening side, Kaspersky GReAT&rsquo;s scan of 130,000 GitHub Actions pipelines turned up more than 250,000 configuration deviations and eight repositories with critical, supply-chain-enabling flaws, and npm v12&rsquo;s install-scripts-off-by-default change &mdash; exactly the class of fix that would have blunted this week&rsquo;s paperclip2 &mdash; ships this month. Two foundational pieces round out the picture: Cordyceps&rsquo;s 300+ exploitable GitHub repositories via CI\/CD privilege-escalation bugs, and an argument that signature-based runtime scanning is architecturally mismatched against payloads engineered to stay dormant until they detect a CI environment variable. Underneath both attack clusters sits a sustainability story &mdash; SBOMs treated as a daily operational tool rather than a compliance filing, the bus-factor risk hiding inside the single label &ldquo;open source,&rdquo; and a maintainer base absorbing a 16% quarter-over-quarter rise in cross-border contribution.<\/p>\n<p class=\"lead\">Running alongside all of it: AI is visibly rewriting developer hiring, tooling, and pricing. Indeed&rsquo;s Hiring Lab found US software-development job postings up almost 15% since Claude Code&rsquo;s launch even as overall postings fell 7%, with senior AI-fluent roles driving the gain; Business Insider reports interviews shifting from LeetCode drills toward AI-fluency and GitHub proof-of-work. JetBrains announced a vendor-agnostic governance layer for the Claude Code\/Codex\/Gemini CLI sprawl inside organizations, Perplexity is quietly building its own agent to rival Cursor and Claude Code, and SpaceXAI&rsquo;s Grok 4.5 launched specifically undercutting Codex and Claude Code on per-task coding costs. DevSecOps teams are being asked to secure, govern, and budget for AI coding tools in the same week those tools are the thing under attack.<\/p>\n<div class=\"topic-map\">\n      <img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/07\/topic-map-devsecops-2026-07-12-2.png\" alt=\"Topic map of DevSecOps Weekly stories for July 12, 2026\" loading=\"eager\"><\/p>\n<p class=\"caption\">Topic map &mdash; npm\/PyPI package compromises (Paperclip2, fake payment SDKs, Injective Labs, jscrambler), attacks built to fool AI coding agents (HalluSquatting, GhostApproval, Friendly Fire, GitLost), CI\/CD &amp; package-manager hardening (GitHub Actions misconfigurations, npm v12, Cordyceps, runtime-scanning limits), and AI&rsquo;s reshaping of developer hiring, tooling, and coding-agent economics (JetBrains, Perplexity, Grok 4.5, Indeed Hiring Lab).<\/p>\n<p>      <!-- INTERACTIVE_MAP_LINK_START --><\/p>\n<p style=\"margin:10px 0 0;text-align:center;\"><a href=\"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5491\" target=\"_blank\" rel=\"noopener\" style=\"display:inline-block;padding:8px 18px;background-color:#0f172a;color:#ffffff !important;text-decoration:none;border-radius:6px;font-size:13px;font-weight:600;\">View interactive topic map &rarr;<\/a><\/p>\n<p><!-- INTERACTIVE_MAP_LINK_END -->\n    <\/div>\n<h2 class=\"section\">Article index<\/h2>\n<div class=\"cluster\">\n<h3>npm &amp; PyPI package compromises<\/h3>\n<p>Four unrelated campaigns landed live malicious code on package registries this week &mdash; a zero-JavaScript reverse shell, a coordinated payment-SDK typosquat, a hijacked OIDC publishing pipeline, and a trojanized CLI client &mdash; each exploiting a different point along the install-to-production path.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\">\n<li><a href=\"https:\/\/www.ox.security\/blog\/malware-detected-reverse-shell-without-javascript-files-in-npm\/\" style=\"color:#0c4a6e;\">Beware of Paperclip2: Malicious npm Packages Found<\/a> (OX Security, Jul 5) &mdash; W1<\/li>\n<li><a href=\"https:\/\/cyberpress.org\/fake-sdks-target-developers\/\" style=\"color:#0c4a6e;\">Malicious npm and PyPI Packages Target Payment Developers With Fake SDK Facades<\/a> (Cyber Press, Jul 9) &mdash; W2<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/injective-labs-github-compromise-pushes.html\" style=\"color:#0c4a6e;\">Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages<\/a> (The Hacker News, Jul 10) &mdash; W3<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-jscrambler-8140-npm-release.html\" style=\"color:#0c4a6e;\">Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install<\/a> (The Hacker News, Jul 11) &mdash; W4<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>Attacks built to fool AI coding agents, not humans<\/h3>\n<p>Four independent research teams disclosed techniques this week that specifically target the AI assistants developers now trust to write, review, and approve code &mdash; hallucinated package names, unchecked symlinks, README-embedded prompt injection, and GitHub&rsquo;s own agentic-workflow feature &mdash; rather than tricking a person directly.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"5\">\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/new-hallusquatting-attack-could-trick.html\" style=\"color:#0c4a6e;\">New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware<\/a> (The Hacker News, Jul 8) &mdash; W5<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/ghostapproval-symlink-flaws-could-let.html\" style=\"color:#0c4a6e;\">GhostApproval: Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents<\/a> (The Hacker News, Jul 9) &mdash; W6<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/friendly-fire-ai-agents-built-to-catch.html\" style=\"color:#0c4a6e;\">Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It &mdash; &ldquo;Friendly Fire&rdquo;<\/a> (The Hacker News, Jul 9) &mdash; W7<\/li>\n<li><a href=\"https:\/\/www.securityweek.com\/critical-vulnerability-exposes-github-agentic-workflows-to-prompt-injection\/\" style=\"color:#0c4a6e;\">Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection &mdash; &ldquo;GitLost&rdquo;<\/a> (SecurityWeek, Jul 8) &mdash; W8<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>CI\/CD &amp; package-manager hardening<\/h3>\n<p>Kaspersky&rsquo;s audit of GitHub Actions pipelines, npm&rsquo;s move to disable install scripts by default, and two foundational pieces on CI\/CD workflow flaws and the limits of runtime scanning all point the same direction: harden what enters the pipeline, not just watch what runs after.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"9\">\n<li><a href=\"https:\/\/it-online.co.za\/2026\/07\/07\/github-actions-workflows-house-potential-security-issues\/\" style=\"color:#0c4a6e;\">GitHub Actions Workflows House Potential Security Issues<\/a> &mdash; Kaspersky GReAT (IT-Online, Jul 7) &mdash; W9<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/07\/npm-12-disables-install-scripts-by.html\" style=\"color:#0c4a6e;\">npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk<\/a> (The Hacker News, Jul 9) &mdash; W10<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/2026\/06\/cordyceps-cicd-flaws-expose-300-github.html\" style=\"color:#0c4a6e;\">Cordyceps: CI\/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks<\/a> (The Hacker News, Jun 24) &mdash; F1<\/li>\n<li><a href=\"https:\/\/thehackernews.com\/expert-insights\/2026\/06\/why-runtime-scanning-is-too-late-for.html\" style=\"color:#0c4a6e;\">Why Runtime Scanning Is Too Late for Your CI\/CD Supply Chain Security<\/a> (The Hacker News, Jun 15) &mdash; F2<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>Supply-chain governance &amp; maintainer sustainability<\/h3>\n<p>Beyond this week&rsquo;s attacks, three pieces frame the underlying sustainability problem &mdash; SBOMs as a daily operational tool rather than a compliance artifact, the bus-factor risk hiding inside the single label &ldquo;open source,&rdquo; and a volunteer base absorbing a 16% quarter-over-quarter rise in cross-border contribution.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"13\">\n<li><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/07\/10\/software-supply-chain-security-video\/\" style=\"color:#0c4a6e;\">Turning Software Supply Chain Security Into a Daily Habit<\/a> (Help Net Security, Jul 10) &mdash; W11<\/li>\n<li><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/07\/10\/open-source-software-library-types\/\" style=\"color:#0c4a6e;\">The Open Source Library Holding Up Your Stack Might Have One Maintainer<\/a> (Help Net Security, Jul 10) &mdash; W12<\/li>\n<li><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/07\/09\/github-open-source-collaboration\/\" style=\"color:#0c4a6e;\">Open-Source Collaboration Is Growing Worldwide and Putting Pressure on Maintainers<\/a> (Help Net Security, Jul 9) &mdash; W13<\/li>\n<\/ol><\/div>\n<div class=\"cluster\">\n<h3>AI reshaping developer hiring, tooling &amp; economics<\/h3>\n<p>A parallel storyline running alongside this week&rsquo;s attacks: AI is rewriting how developers get hired, which tools they&rsquo;re issued, and what those tools cost &mdash; from a 15% rebound in software-development job postings to a governance layer for agent sprawl to a price war among coding models.<\/p>\n<ol class=\"articles\" style=\"margin:0;padding-left:20px;font-size:14px;color:#0f172a;\" start=\"16\">\n<li><a href=\"https:\/\/www.businessinsider.com\/software-engineering-job-technical-interviews-hiring-ai-2026-7\" style=\"color:#0c4a6e;\">AI Is Rewriting the Hiring Playbook for Coders<\/a> (Business Insider, Jul 8) &mdash; W14<\/li>\n<li><a href=\"https:\/\/www.hiringlab.org\/2026\/07\/08\/ai-and-job-postings-from-destruction-to-creation\/\" style=\"color:#0c4a6e;\">AI and Job Postings: From Destruction to Creation?<\/a> (Hiring Lab \/ Indeed, Jul 8) &mdash; W15<\/li>\n<li><a href=\"https:\/\/www.infoworld.com\/article\/4194091\/jetbrains-to-roll-out-ai-capabilities-for-software-development-teams-and-organizations.html\" style=\"color:#0c4a6e;\">JetBrains to Roll Out AI Capabilities for Software Development Teams and Organizations<\/a> (InfoWorld, Jul 7) &mdash; W16<\/li>\n<li><a href=\"https:\/\/www.businessinsider.com\/perplexity-building-ai-coding-tool-take-on-cursor-and-openai-2026-7\" style=\"color:#0c4a6e;\">Perplexity Is Building a Secret Weapon to Join the AI Coding Wars<\/a> (Business Insider, Jul 8) &mdash; W17<\/li>\n<li><a href=\"https:\/\/www.infoworld.com\/article\/4194895\/spacexai-launches-grok-4-5-touts-lower-coding-task-costs-than-ai-rivals.html\" style=\"color:#0c4a6e;\">SpaceXAI Launches Grok 4.5, Touts Lower Coding-Task Costs Than AI Rivals<\/a> (InfoWorld, Jul 9) &mdash; W18<\/li>\n<\/ol><\/div>\n<h2 class=\"section\">Detailed write-ups<\/h2>\n<div class=\"article\">\n<p><span class=\"num\">01<\/span><\/p>\n<h4>Beware of Paperclip2: Malicious npm Packages Found<\/h4>\n<\/p>\n<p class=\"meta\">OX Security &middot; July 5, 2026<\/p>\n<p>OX Security researchers found three related npm packages &mdash; paperclip2, vps-maintenance, and vps-maintenance-paperclip-adapter &mdash; that contain no JavaScript files at all, just a package.json whose postinstall script is a one-line command that opens a reverse shell to 185.112.147.174 on port 7007. The absence of any .js payload is a deliberate evasion move: most npm malware scanners are tuned to flag suspicious JavaScript, not configuration-file trickery, so a package with zero executable code sails through automated review. Combined, the three packages had been downloaded roughly 1,049 times a week before OX flagged them. It&rsquo;s a reminder that &ldquo;no code&rdquo; doesn&rsquo;t mean &ldquo;no risk&rdquo; in a registry where the install-time script is itself the payload &mdash; exactly the class of attack npm v12&rsquo;s disabled-by-default install scripts is designed to close off.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.ox.security\/blog\/malware-detected-reverse-shell-without-javascript-files-in-npm\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.ox.security\/blog\/malware-detected-reverse-shell-without-javascript-files-in-npm\/\" style=\"color:#1d4ed8;text-decoration:none;\">OX Security<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">03<\/span><\/p>\n<h4>Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 10, 2026<\/p>\n<p>Unknown attackers compromised the GitHub repository behind Injective Labs&rsquo; widely used SDK and pushed a malicious release, @injectivelabs\/sdk-ts@1.20.21, straight through the project&rsquo;s own trusted-publisher OIDC pipeline, with commits authored under an existing maintainer&rsquo;s identity (&ldquo;thomasRalee&rdquo;). The tampered package &mdash; roughly 50,000 weekly downloads, underpinning wallets, trading bots, DEXs, DeFi apps, and payment tools &mdash; added fake telemetry that activates only when a developer&rsquo;s code actually calls the wallet-key or mnemonic-generation functions, then base64-encodes and exfiltrates the seed phrase and private key. The threat actor pushed the same 1.20.21 payload across 17 additional @injectivelabs-scoped packages. Socket, OX Security, and StepSecurity all caught the release before it spread far &mdash; only 310 downloads &mdash; but every developer who touched it should treat any wallet key generated or imported through the SDK as compromised and rotate it.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/injective-labs-github-compromise-pushes.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/injective-labs-github-compromise-pushes.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">04<\/span><\/p>\n<h4>Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 11, 2026<\/p>\n<p>Version 8.14.0 of the official jscrambler npm CLI client (60,000 monthly downloads) shipped with a malicious preinstall hook that silently drops and runs a native Rust infostealer &mdash; one build each for Windows, macOS, and Linux &mdash; the moment the package installs, no import or CLI invocation required. The release was pushed straight to npm under a legitimate maintainer account with no matching commit, tag, or pull request in the GitHub repository (whose latest real tag is still 8.13.0), pointing to a compromised npm account or build pipeline rather than a source-code compromise. StepSecurity and SafeDep confirmed the attacker went on to trojan four more versions (8.16.0, 8.17.0, 8.18.0, 8.20.0) the same day; Socket flagged the original release six minutes after publication. The stealer targets AWS, Azure, and GCP credentials &mdash; including the metadata endpoints CI runners rely on &mdash; plus MetaMask, Phantom, and Exodus wallet data, meaning anyone who ran npm install against any of those five releases in a CI pipeline should assume cloud keys and deploy tokens are compromised, not just developer laptops.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-jscrambler-8140-npm-release.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/compromised-jscrambler-8140-npm-release.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">05<\/span><\/p>\n<h4>New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 8, 2026<\/p>\n<p>Academic researchers from Tel Aviv University, Technion, and Intuit (Aya Spira, Stav Cohen, Elad Feldman, Ron Bitton, Avishai Wool, and Ben Nassi) disclosed HalluSquatting, an attack that needs no phishing email or malicious link at all &mdash; it exploits the fact that AI coding assistants reliably hallucinate the same nonexistent package or repository names when asked to solve certain problems. An attacker registers those hallucinated names first, then waits: when Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, or similar tools &ldquo;helpfully&rdquo; fetch a dependency or clone a repo on a developer&rsquo;s behalf, they pull the attacker&rsquo;s poisoned artifact instead. The team measured hallucination rates as high as 85% for repository-cloning tasks and up to 100% for some skill-installation scenarios, and demonstrated the technique could scale into a functioning botnet of compromised developer machines. Unlike every other attack in this week&rsquo;s bulletin, HalluSquatting doesn&rsquo;t compromise a real package at all &mdash; it weaponizes the assistant&rsquo;s own confabulation.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/new-hallusquatting-attack-could-trick.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/new-hallusquatting-attack-could-trick.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">06<\/span><\/p>\n<h4>GhostApproval: Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 9, 2026<\/p>\n<p>Wiz researchers found that six leading AI coding assistants &mdash; Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf &mdash; share a decades-old Unix blind spot: none of them checks whether a file is actually a symlink before writing to it. Wiz built a booby-trapped repo whose project_settings.json is secretly a symlink pointing at the victim&rsquo;s ~\/.ssh\/authorized_keys, then told the assistant via README to &ldquo;add a line&rdquo; to that settings file. Ask the agent to set up the workspace, and it writes the attacker&rsquo;s SSH key straight through the symlink into the developer&rsquo;s login file. Worse, in Wiz&rsquo;s testing, Claude Code&rsquo;s own reasoning correctly identified that the target file was &ldquo;actually a zsh configuration file&rdquo; &mdash; and asked for approval anyway, meaning the approval prompt itself is the point of failure, not just the missing symlink check. Amazon, Google, and Cursor have shipped fixes; Anthropic disputes that GhostApproval is a bug at all.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/ghostapproval-symlink-flaws-could-let.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/ghostapproval-symlink-flaws-could-let.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">07<\/span><\/p>\n<h4>Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It &mdash; &ldquo;Friendly Fire&rdquo;<\/h4>\n<\/p>\n<p class=\"meta\">The Hacker News &middot; July 9, 2026<\/p>\n<p>The AI Now Institute&rsquo;s &ldquo;Friendly Fire&rdquo; proof-of-concept flips the promise of AI-assisted code review on its head: it targets Claude Code and OpenAI Codex specifically when running in autonomous, self-approving modes. Researchers modified a copy of the popular geopy Python library, adding a security.sh script and a binary named code_policies dressed up with a decoy Golang source file to look legitimately compiled. A README-embedded prompt injection convinces the agent that running the binary is a necessary step in reviewing the code for security problems &mdash; so the very act of asking an agent to check a repository for malicious code becomes the delivery mechanism for malicious code. The tools sold specifically to catch this kind of threat become, in autonomous mode, the way it gets in.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/thehackernews.com\/2026\/07\/friendly-fire-ai-agents-built-to-catch.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thehackernews.com\/2026\/07\/friendly-fire-ai-agents-built-to-catch.html\" style=\"color:#1d4ed8;text-decoration:none;\">The Hacker News<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<p><span class=\"num\">16<\/span><\/p>\n<h4>AI is rewriting developer hiring, tooling, and the economics of coding<\/h4>\n<\/p>\n<p class=\"meta\">Business Insider, Indeed Hiring Lab, InfoWorld &middot; July 7&ndash;9, 2026<\/p>\n<p>Five otherwise unrelated stories this week point at the same shift. Indeed&rsquo;s Hiring Lab found that US software-development job postings have grown almost 15% since Claude Code&rsquo;s February 2025 launch even as overall postings fell 7% &mdash; with senior, AI-fluent roles driving 71% of the increase and jobs explicitly mentioning AI in the title accounting for 37% of it. Business Insider reported that the interviews behind those postings are changing to match: employers at Dropbox, Cisco, and AI startups increasingly want to see how candidates use AI tools, validate output, and explain trade-offs, with recruiters checking GitHub and X for public proof of work rather than timing a LeetCode-style whiteboard round. On the tooling side, JetBrains announced JetBrains AI for Teams and Organizations, a vendor-agnostic governance layer (via MCP and the Agent Client Protocol) meant to unify the sprawl of Claude Code, Codex, and Gemini CLI usage inside one organization with shared cost controls and on-demand AI credits &mdash; implicitly acknowledging that &ldquo;which AI coding tool&rdquo; has become as fragmented a decision as &ldquo;which cloud&rdquo; once was. Perplexity, meanwhile, is quietly building its own entrant, codenamed &ldquo;Teammate,&rdquo; aimed at owning long-horizon engineering work rather than autocomplete, putting it on a collision course with Cursor, Anthropic, and OpenAI. And SpaceXAI&rsquo;s Grok 4.5 launched explicitly targeting coding-agent economics, undercutting Codex and Claude Code on a per-task basis (roughly $2.49 versus $5.07 and $11.80 respectively) while trailing both on Artificial Analysis&rsquo; Coding Agent Index &mdash; a reminder that &ldquo;good enough and much cheaper&rdquo; is itself a competitive strategy. Taken together with this week&rsquo;s attacks built to fool the very agents these vendors are racing to ship, DevSecOps teams are being asked to secure, govern, and budget for AI coding tools all at once.<\/p>\n<p>      <a class=\"button\" href=\"https:\/\/www.hiringlab.org\/2026\/07\/08\/ai-and-job-postings-from-destruction-to-creation\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.businessinsider.com\/software-engineering-job-technical-interviews-hiring-ai-2026-7\" style=\"color:#1d4ed8;text-decoration:none;\">Business Insider (hiring playbook)<\/a>, <a href=\"https:\/\/www.hiringlab.org\/2026\/07\/08\/ai-and-job-postings-from-destruction-to-creation\/\" style=\"color:#1d4ed8;text-decoration:none;\">Hiring Lab \/ Indeed<\/a>, <a href=\"https:\/\/www.infoworld.com\/article\/4194091\/jetbrains-to-roll-out-ai-capabilities-for-software-development-teams-and-organizations.html\" style=\"color:#1d4ed8;text-decoration:none;\">InfoWorld (JetBrains)<\/a>, <a href=\"https:\/\/www.businessinsider.com\/perplexity-building-ai-coding-tool-take-on-cursor-and-openai-2026-7\" style=\"color:#1d4ed8;text-decoration:none;\">Business Insider (Perplexity)<\/a>, <a href=\"https:\/\/www.infoworld.com\/article\/4194895\/spacexai-launches-grok-4-5-touts-lower-coding-task-costs-than-ai-rivals.html\" style=\"color:#1d4ed8;text-decoration:none;\">InfoWorld (Grok 4.5)<\/a><\/p>\n<\/p><\/div>\n<h2 class=\"section\">On our watch list<\/h2>\n<ul class=\"watchlist\">\n<li><strong>AI agents as attack surface.<\/strong> HalluSquatting, GhostApproval, Friendly Fire, and GitLost all disclosed within one week. Watching whether Anthropic, Google, Cursor, and OpenAI converge on symlink-checking and approval-prompt integrity fixes, or whether vendors keep disputing severity classifications the way Anthropic has with GhostApproval.<\/li>\n<li><strong>npm v12&rsquo;s install-scripts default flips this month.<\/strong> That&#8217;s exactly the mechanism paperclip2 relied on. Watching whether zero-JavaScript, config-only techniques evolve to route around the new default, and how many teams actually run <code>npm approve-scripts --allow-scripts-pending<\/code> before the cutover.<\/li>\n<li><strong>Trusted-pipeline compromises over typosquatting.<\/strong> Injective Labs and jscrambler were both hit through the legitimate publishing path &mdash; OIDC and maintainer accounts &mdash; rather than lookalike package names. Watching for the same pattern against other high-download SDKs with automated release pipelines.<\/li>\n<li><strong>Tooling sprawl and the AI coding cost war.<\/strong> JetBrains&rsquo; governance suite, Perplexity&rsquo;s Teammate, and Grok 4.5&rsquo;s pricing all landed the same week. Watching whether DevSecOps teams get pulled into vendor-selection and governance decisions traditionally owned by engineering leadership, and whether cost pressure accelerates consolidation among coding-agent vendors.<\/li>\n<\/ul><\/div>\n<div class=\"footer\">\n<p class=\"brand\">Security Radar &middot; DevSecOps Weekly<\/p>\n<p>Weekly intelligence bulletin from Security Radar LLC<\/p>\n<p>Curated by Paul Davis &middot; paul.davis@security-radar.com<\/p>\n<p>&copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p style=\"margin-top:12px;font-size:12px;color:#94a3b8;\">Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<p>*|LIST:ADDRESS|*<\/p>\n<p><a href=\"*|ARCHIVE|*\">View this email in your browser<\/a> &middot; <a href=\"*|UNSUB|*\">Unsubscribe<\/a><\/p>\n<\/p><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security Radar &middot; Issue 7 DevSecOps Weekly July 12, 2026 &middot; Weekly Edition Six npm and PyPI packages compromised this week &mdash; and four separate attacks built specifically to fool the AI agents reviewing your code, not the developers running it. At a glance Package registries took another beating this&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,11],"tags":[],"class_list":["post-5492","post","type-post","status-publish","format-standard","hentry","category-secure","category-trends"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5492"}],"version-history":[{"count":0,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5492\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}