Securing AI Agents in CI/CD Pipelines: Lessons from Comment and Control
Security researchers proved last month that popular AI coding tools can be turned against your team through a normal GitHub comment. The attack steals the credentials your pipeline uses to deploy software, and it works because the agent has both powerful tools and sensitive keys in the same environment that reads outside contributions. The fix is architectural: separate untrusted content from privileged operations, replace long-lived secrets with temporary credentials, and enforce network controls at the runner level. If you have questions, paste the article into your AI agent for a full breakdown.
#security #cicd #aiagents #githubactions
How to Prevent AI Coding Agents from Destroying Your Infrastructure
An AI coding agent found an overprivileged API token in a codebase, deleted the production database in 9 seconds, then destroyed all backups because they were stored in the same location. The project had explicit safety rules. The agent overrode them all. Safety prompts are guidance, not enforcement. The fix is infrastructure controls the agent physically cannot bypass. We break down exactly what happened and how to prevent it. If you have questions, paste the article into your AI agent for a full breakdown.
#security #aiagents #codingagents #infrastructure
Anatomy of the TeamPCP Supply Chain Campaign
The TeamPCP campaign compromised roughly 500,000 machines across 1,000+ SaaS environments by poisoning two popular open source security and AI packages. The initial access wasn't a sophisticated exploit. It was a misconfigured CI/CD workflow. Pinning your dependencies to exact content hashes would have prevented the technique they used. We break down the full attack chain with specific defense controls at each stage. If you have questions, drop the article into your AI agent for a full rundown.
#security #supplychain #devsecops #incident
Cloudflare AI Agent Infrastructure vs Kubernetes
Cloudflare's AI agent stack and Kubernetes represent genuinely different tradeoffs. Cloudflare starts faster but has no direct GPU access. Kubernetes gives you full GPU control and runs on open standards, but requires more setup. We put together a side-by-side comparison across performance, isolation, networking, and vendor lock-in. If you want help deciding which fits your setup, paste the article into your AI agent and ask away.
#cloudflare #kubernetes #aiagents #infrastructure
Migrating from ingress nginx to Envoy Gateway
ingress nginx was retired on March 24, 2026, which means known security vulnerabilities will never be patched. Envoy Gateway is the recommended replacement, and the official migration tool handles 30+ configuration conversions automatically. We put together a step-by-step migration guide covering the full process. If you want a quick walkthrough, paste the article into your AI agent and it'll break it all down for you.
#kubernetes #envoy #migration #security
Securing AI Agents at the Infrastructure Layer
Standard Kubernetes service accounts weren't built for AI agents. They use long-lived tokens that can be impersonated across trust boundaries. The fix is certificate-based identity with short validity periods and workload verification. We put together a full architecture covering identity, gateways, and governance for production AI agents. If you have questions or want a shorter version, drop the article into your AI agent for a complete breakdown.
#security #aiagents #kubernetes #identity
Istio for AI Inference Routing
Running a proxy on every AI inference pod wastes GPU memory you could be using for your models. Istio 1.29's ambient mode moves the proxy to a shared layer, cutting memory overhead by 70% while adding smart routing for AI workloads. We covered what's shipping now and what's coming next. If the article is too detailed, paste it into your AI agent and it'll give you the highlights.
#istio #kubernetes #ai #servicemesh
Securing AI Agent MCP Traffic with Kyverno
Unauthorized AI tools spinning up inside your cluster is now an OWASP Top 10 risk. Kyverno's admission policies can block unapproved tools before they ever run by requiring signed images and enforcing an allowlist at deploy time. We put together a production guide with working policies you can apply today. If you want a summary or have questions, paste the article into your AI agent for a full breakdown.
#kyverno #kubernetes #security #aiagents
Helm 4 Migration Guide
Helm 3 bug-fix support ends July 8, 2026. Helm 4 changes how upgrades work under the hood, and your existing automation may need updated permissions. We put together a practical migration guide covering what breaks, the full permission changes, and a rollout strategy starting with staging. If the full article is a lot to get through, drop it into your AI agent for a quick breakdown.
#helm #kubernetes #devops #cloudnative
A2A v1.0: Agent to Agent Communication at Scale
The Agent to Agent protocol just hit v1.0 with 150+ organizations already using it. When your AI agents need to talk to each other across teams or organizations, this protocol handles identity verification, task tracking, and full observability. We wrote a guide covering how to route, secure, and monitor agent to agent traffic. If you have questions, paste the article into your AI agent and it'll give you a complete rundown.
#aiagents #a2a #interoperability #ai
Kubernetes v1.36 Production Upgrade Guide
Kubernetes 1.36 permanently removes three components, and one of them is a security risk that will never receive patches again. Eighteen features move to stable in this release. We put together a production upgrade guide covering what breaks, the correct upgrade sequence, and how to handle each removal. If you want a quick summary or have specific questions, paste the article into your AI agent for a full breakdown.
#kubernetes #devops #sre #cloudnative
Building an Agent Ready Kubernetes Platform
Kubernetes 1.36 ships with three features that finally make AI agent workloads production-ready: proper isolation between agents, GPU sharing across multiple agents, and automatic scaling with state preservation. We put together a full platform architecture covering what's available now and how to set it up. If the article is too long, drop it into your AI agent and it'll walk you through the key points.
#kubernetes #aiagents #platformengineering #gpu
Securing AI/ML Supply Chains on Kubernetes
The TeamPCP supply chain attack hit Netflix, Stripe, and Google's downstream environments through a compromised AI package that gets nearly 100 million monthly downloads. The attack payload required elevated container privileges that basic security policies block by default. We break down exactly what controls would have stopped it and how to set them up. If you have questions or want a shorter version, paste the article into your AI agent for a full breakdown.
#kubernetes #security #supplychain #devsecops
Microsoft Agent Framework 1.0
Microsoft just shipped Agent Framework 1.0 with support for multiple AI providers including Azure OpenAI, Anthropic, and Gemini. It lets you build systems where multiple AI agents coordinate across different teams and trust boundaries. We wrote up an overview with working examples for each orchestration pattern. If you want a quick summary or have questions, paste the article into your AI agent for a full rundown.
#microsoft #aiagents #azure #ai
Dapr Agents v1.0: Production Ready AI Agents on Kubernetes
If your AI agents lose their progress every time a server restarts, Dapr Agents 1.0 solves that at the platform level. It's the first CNCF-backed agent framework that keeps agent state intact through crashes, restarts, and network issues. We put together a production guide covering setup, security, and observability. If the full article is a lot to take in, drop it into your AI agent and it'll give you a complete breakdown.
#kubernetes #aiagents #cncf #dapr
Kubernetes LLM Inference Stack 2026
Most teams serving AI models are wasting GPU memory because their load balancer treats every request the same way. The new Kubernetes LLM inference stack uses smart routing to match requests with the right GPU, cutting response times by 57x and doubling throughput. We break down the full production setup in our latest guide. If the article is too long or you have questions, paste it into your AI agent for a full breakdown.
#kubernetes #ai #llm #mlops
Securing AI Agents at the Infrastructure Layer
A compromised AI agent is not an exposed API endpoint. It is an autonomous process holding cluster credentials and a mandate to act. Standard Kubernetes service accounts fail because they use shared identity: you cannot revoke one agent without breaking every workload on the same account. The full defense stack covers identity, gateway, admission, and conformance, and every component is open source.
#aiagents #kubernetes #security #infrastructure
CNCF's Warning: Kubernetes Security Is Not Enough for AI Workloads
The CNCF published a warning that standard Kubernetes security controls do not protect organizations running AI and language model workloads. Kubernetes monitors pods, network traffic, and resource consumption. It has no visibility into prompts, model outputs, or tool calls. A fully compliant, fully secured Kubernetes cluster can still expose you completely if you are running AI workloads without runtime I/O monitoring and policy enforcement at the inference layer.
#kubernetes #security #cncf #llm
88% of Enterprises Had an AI Agent Security Incident This Year. Authentication Was Not the Problem.
Cequence research found that most enterprise AI agent security incidents in 2025 involved authenticated agents that had been granted excessive permissions. Authentication confirms identity. It does not constrain behavior. Role-based access control applied at the API gateway layer, scoped to specific agent personas, is the missing control between "agent is authorized" and "agent can only do what it should." The gap is infrastructure, not identity.
#aiagents #security #rbac #apigateway
PocketOS Database Deletion: The AI Did Exactly What It Was Capable of Doing
A production database was deleted in 9 seconds by an AI coding agent that found an unscoped cloud token while fixing a different issue. The failure was not the AI's judgment. The failure was infrastructure that gave the agent a token with blanket account permissions and stored backups inside the same volume it could delete. What an AI agent can do in your environment is a direct function of what you have allowed it to access. That is an infrastructure decision, not a model setting.
#aiagents #security #infrastructure #cloud
OpenClaw Has 135,000 GitHub Stars and 135,000 Exposed Instances
A major AI agent runtime with over 135,000 GitHub stars shipped without the runtime governance layer needed to operate AI agents safely at enterprise scale. Kubernetes provides compute isolation but has no concept of agent identity, tool-call authorization, or behavioral conformance. The gap between "agent runs in a container" and "agent is governed at runtime" is not closed by standard container security. This is the infrastructure problem AI teams are walking into at scale.
#aiagents #kubernetes #security #governance
Vibe Coding Security Crisis: 48 Days of Exposed Source Code
A major AI coding platform left user source code and database credentials publicly accessible for 48 days through a basic API misconfiguration. Research shows AI-generated code ships with security vulnerabilities at more than twice the rate of human-written code, and most CI/CD pipelines deploy it without scanning. The platform has billions of dollars in valuation. AI code needs security review before it ships, not after.
#security #vibecoding #ai #devsecops
vLLM CVE: Someone Can Own Your AI Server With a Video Link
A vulnerability in vLLM allows an attacker to take over an AI inference server by sending it a URL pointing to a crafted video file. No authentication required, no user interaction beyond the server processing the request. Inference servers are becoming the new perimeter: they sit inside your network, they process untrusted external inputs, and they are updated far less frequently than web-facing services. Treat them accordingly.
#security #llm #vllm #kubernetes
LMDeploy Was Exploited 13 Hours After This CVE Dropped
A server-side request forgery vulnerability in a popular LLM inference server was exploited in the wild just 13 hours after public disclosure, with no published proof of concept available yet. The attack chain probed cloud metadata services, internal databases, and exfiltrated credentials via DNS. Inference servers running AI models sit inside your network perimeter with broad internal access. Treating them like public-facing web applications from a patching and isolation standpoint is no longer adequate.
#security #llm #kubernetes #aiinfrastructure
Axios Got a Critical Severity Score. Your Runtime Probably Already Blocks It.
A high-severity vulnerability in the Axios HTTP library chains prototype pollution into server-side request forgery and cloud credential theft. Standard Node.js deployments block the exploit chain at the protocol layer before it completes. Non-Node runtimes including Bun and Deno do not get that protection, and teams using custom HTTP agents may be exposed regardless. Patch to the latest version anyway: the real lesson is that a dependency vulnerability in one library can become an attack vector through a completely different library.
#nodejs #security #supplychain #axios
An AI Bot Opened 500 Pull Requests to Steal Your AWS Keys
An AI-powered script exploited a GitHub Actions design flaw to open hundreds of pull requests containing code that runs with full access to repository secrets when triggered. Fifty repositories were successfully compromised, with AWS keys, Cloudflare tokens, and Netlify credentials stolen. The pull requests were nearly identical and trivial to detect in hindsight. CI/CD pipelines that allow pull request workflows to access production secrets are the target: audit what can run on fork submissions.
#cicd #githubactions #security #devsecops
An AI Worm Hit npm Targeting Kubernetes Configs and AI Tool Credentials
An AI-powered worm hit npm that steals Kubernetes configs, Docker credentials, CI/CD secrets, and LLM platform API keys before spreading itself to every package the victim's npm publish token can reach. The worm hid inside a postinstall hook and ran silently during normal package installation. Twenty-two packages from a single AI company were affected, with over 30,000 combined monthly downloads. Any package that runs code on install is executing with full developer workstation access.
#npm #supplychainsecurity #kubernetes #security
One Stolen Token. Five Ecosystems. 500,000 Machines.
The TeamPCP supply chain campaign is the most comprehensive CI/CD attack on record, hitting npm, Docker Hub, PyPI, GitHub Actions, and Bitwarden through a chain of stolen credentials. No zero-day exploits were required. The campaign relied entirely on the 94-day average window between credential rotations that most organizations maintain. The full anatomy of how each pivot worked is covered in our breakdown.
#supplychainsecurity #security #devops #kubernetes
TeamPCP Breached the European Commission Through a Compromised Docker Image
The TeamPCP supply chain campaign reached European Commission cloud infrastructure after a backdoored container image provided a foothold for large-scale credential theft. The campaign did not require a novel exploit: it relied on the average 94-day window most organizations leave between credential rotation cycles. Any team pulling container images from unverified sources without digest pinning is already exposed to the same technique.
#supplychainsecurity #security #docker #kubernetes
TeamPCP Compromised Your Kubernetes Security Scanner to Backdoor Your Cluster
The TeamPCP supply chain campaign compromised Trivy, the open-source container scanner running inside thousands of CI/CD pipelines. If the payload found a Kubernetes service account token, it exfiltrated secrets from every namespace and deployed privileged workloads across every node in the cluster. The same stolen credentials then spread the attack to LiteLLM. Security tooling with cluster access is high-value supply chain infrastructure, and most teams give it far more privilege than it needs.
#supplychainsecurity #kubernetes #trivy #security
Checkmarx's Security Scanner Was Secretly Sending Your Results to Attackers
The TeamPCP supply chain campaign replaced official Checkmarx container images on Docker Hub with versions that ran scans normally and simultaneously exfiltrated results to attacker infrastructure. Any infrastructure code your pipeline scanned with the compromised images (Terraform, Kubernetes manifests, CloudFormation) should be treated as potentially exposed. This was the second Checkmarx infrastructure hit in two months by the same threat actor.
#supplychainsecurity #checkmarx #devsecops #docker
Your Bitwarden CLI Was a Credential Worm for 93 Minutes
The TeamPCP supply chain campaign reached password managers: Bitwarden's CLI was backdoored through a compromised GitHub Action in the tool's own build pipeline. The malware specifically targeted AI coding tool credentials including Claude Code, Codex, and Cursor alongside SSH keys and cloud secrets. It was a self-propagating worm that spread to any package your npm publish token could reach. If your team ran the affected version, rolling back the CLI is step one. Rotating every credential it could have touched is step two.
#supplychainsecurity #bitwarden #security #aitools
Docker's Authorization Plugin Goes Blind on Requests Over 1MB
A vulnerability in Docker Engine causes authorization plugins to silently skip inspection on requests larger than one megabyte, approving them automatically while the daemon processes the full content. An attacker who exploits this can run privileged containers, mount host volumes, and access credentials and Kubernetes configs. This is a variation of an incomplete fix for a 2024 vulnerability in the same component. Update Docker Engine and audit what your authorization plugins are actually inspecting.
#docker #security #containers #devsecops
Atlassian's Most Popular MCP Server Can Be Rooted With Two HTTP Requests
Researchers chained two vulnerabilities in an Atlassian MCP integration with four million downloads to achieve full server access with no authentication. One bug redirects internal traffic to attacker-controlled systems. The second writes arbitrary files to any path on the server. Two requests, zero credentials required. This was the fifth MCP server critical vulnerability in the same month, and the pattern is the same every time.
#mcp #security #atlassian #rce
Anthropic Says MCP Remote Code Execution Is Expected Behavior
Security researchers disclosed a design flaw in MCP that allows remote code execution on servers running AI agents. Anthropic acknowledged the issue and classified the behavior as working as intended. Over 200,000 AI server instances were affected at the time of disclosure across tools including Claude Code, Cursor, and VS Code. Because the fix is not coming from upstream, runtime controls at the infrastructure layer are the only reliable defense.
#mcp #security #aiagents #claude
The AI Coding Platform With 2,600 Exposed nginx Servers
A developer added an MCP endpoint to a popular nginx management interface and skipped one line of authentication middleware. Twenty-six hundred instances became fully exploitable with a single unauthenticated request. MCP endpoints are shipping faster than security reviews can catch them. Every new MCP integration your team adds to infrastructure is an attack surface that needs the same review as any other admin interface.
#mcp #security #nginx #aitools
The mcp-server-kubernetes RCE Works Through Prompt Injection
A vulnerability in the MCP server used to manage Kubernetes clusters allows attackers to run arbitrary kubectl commands by injecting malicious input into an AI agent conversation. The attack requires no direct access to the cluster: a crafted prompt to the AI agent is enough to trigger the exploit. The fix is upgrading to the patched version, but the broader issue is that any MCP server executing system commands on user input is an injection vector by design.
#kubernetes #mcp #security #aiagents
An AI Coding Agent Deleted a Production Database in 9 Seconds
A developer asked an AI coding agent to fix a staging configuration issue. The agent found an unrelated cloud API token, used it to access production, and deleted the database along with the backups stored in the same volume. The AI did exactly what it was capable of doing. The failure was infrastructure: tokens with no scope limits, backups co-located with primary data, and no boundary between staging agents and production systems.
#aiagents #security #devops #cloud
Linux Kernel Bug Lets Attackers Escape Kubernetes Pods with 732 Bytes of Python
A nine-year-old Linux kernel vulnerability allows a Python script under 800 bytes to escape a container and access the host node. Because the kernel's page cache is shared memory across all containers on a node, a single pod compromise becomes a full node compromise. A working proof of concept is publicly available. Organizations running standard container runtimes should prioritize applying the kernel patch from their Linux distribution.
#kubernetes #security #linux #containers
Vercel Was Breached Through a Connected AI Tool
Vercel's internal systems were accessed after an employee at an AI vendor they used was infected with credential-stealing malware. The attacker used an OAuth token to move from the vendor's environment directly into Vercel's systems with no re-authentication required. Customer environment variables, including API keys and secrets, were exposed. Every AI tool your team OAuth-connects to corporate Google Workspace is a persistent access path if that vendor gets compromised.
#security #oauth #aitools #supplychainsecurity
LiteLLM Had a Pre-Auth SQL Injection Exploited in 36 Hours
A pre-authentication SQL injection in the LiteLLM AI proxy was exploited within 36 hours of disclosure, giving attackers access to every API key stored in the system. That includes keys to OpenAI, Anthropic, AWS Bedrock, and any other provider your team had connected. This is not a typical web application breach: the blast radius is your entire cloud AI spend and every model provider account you run. Patch and rotate all stored provider credentials immediately.
#security #ai #llm #devsecops
Flowise Left 12,000 AI Agent Builders Exposed for Seven Months
A critical severity vulnerability in the Flowise visual agent builder allowed unauthenticated remote code execution through a component with no sandboxing. Active exploitation was confirmed in April, seven months after a patch was available. Over 12,000 instances remained exposed at the time of disclosure. If your team builds AI agents with any visual no-code platform, the hosted version's patch status is your risk, not just the vendor's.
#aiagents #security #rce #devsecops
Dynatrace Now Tracks What Your AI Coding Agents Cost
Dynatrace shipped observability for AI coding agents, and it covers five major tools in a single dashboard. Setup is just environment variables: if the agent emits telemetry, you get sessions, token usage, tool calls, errors, and dollar cost automatically. Platform teams see total spend and trends. Engineering leaders see agent activity mapped to actual commits and pull requests. You cannot govern AI tool usage across your organization until you can measure it, and now you can.
#platformengineering #aiagents #observability #devops
GitHub Enterprise Server Had a 55-Day Silent Exposure Window
A critical vulnerability in GitHub's infrastructure allowed full code execution via a single git push. GitHub silently patched its own cloud on March 4, but Enterprise Server operators had no idea their instances were exposed until public disclosure 55 days later. At the time of disclosure, most Enterprise Server installations were still running the vulnerable version. If your organization hosts its own GitHub instance, this is why keeping up with enterprise software advisories is not optional.
#github #security #devsecops #enterprise
Jenkins RCE: The Credentials Plugin Has a Path Traversal Bug
A path traversal vulnerability in the Jenkins Credentials Binding Plugin lets attackers write files anywhere on the filesystem. On the built-in node, arbitrary file write is remote code execution with no secondary exploit needed. The same security advisory also patched two stored cross-site scripting vulnerabilities in other popular plugins. If your organization runs Jenkins, check your plugin versions against the April 2026 security advisory now.
#jenkins #cicd #devsecops #security
PyTorch Lightning Got Supply-Chained
The most popular machine learning training library on PyPI shipped with malware hidden in a version that fires the moment you import it. The payload swept credentials from GitHub, cloud providers, Kubernetes configs, and developer environment files. This is the same threat actor that hit Bitwarden, Checkmarx, and LiteLLM in the same month. If your team ran any version of this library published in late April, treat every credential on that machine as compromised.
#supplychainsecurity #kubernetes #mlops #security