An MCP server you approved last week can mutate its tool descriptions tonight, and most clients won’t tell you. Here’s how the rug pull works, what to log, and what the detection actually looks like before the false positives bury it.
Short-lived OIDC federation from GitHub Actions to cloud IAM roles is the right pattern — and the trust policy condition is exactly where it goes wrong. What the abuse looks like in CloudTrail, why the obvious detection doesn’t fire, and what the first round of tuning has to fix.
Two separate disclosures against Anthropic’s Claude Code GitHub Action show how a single opened issue can walk out with OIDC tokens and an unscrubbed API key. Neither got a CVE, which is its own problem.
A self-propagating npm worm poisoned 32 @redhat-cloud-services packages on June 1, 2026 — and because it published through Red Hat’s own OIDC pipeline, the malicious versions carried legitimate SLSA provenance. Here’s the scope, the mechanism, and the rotation list.
TeamPCP — the supply-chain crew behind the Trivy / Checkmarx / KICS / LiteLLM compromises and the Shai-Hulud worm — surfaced a sale listing on May 19, 2026 claiming roughly 4,000 GitHub private repositories of internal source code. The claim is pending verification, the ESIX score is 7.96, and the group’s track record is exactly the mix of ‘demonstrably capable’ and ‘inclined to repackage’ that makes this kind of listing operationally annoying. Here’s the read.
The uncomfortable part about Mini Shai-Hulud is not the malware itself. Credential stealers are everywhere. Obfuscated JavaScript loaders in npm packages are not exactly new territory either. The problem is that this thing successfully rode through trusted publishing infrastructure and valid provenance paths, which means a lot of the security plumbing people have been congratulating …
A defender-oriented analysis of firmware- and bootloader-resident implants on perimeter network appliances, what they look like in practice, how to detect them, and how to map the response to NIST 800-53.
Model Context Protocol turned every developer’s laptop into a tool-calling agent host. The trust model that came with it is closer to npm circa 2016 than to anything a serious authorizing official would sign.
Trellix has confirmed unauthorized access to part of its source code repository. The disclosure is thin on detail and heavy on implications for every shop running Trellix EDR or XDR.
CNSA 2.0 deadlines are no longer abstract. Here is what crypto inventory, hybrid deployment, and agility actually look like when an assessor walks the floor in 2026.
