Weekly Musings Top 10 AI Security Wrapup: Issue 28 February 27, 2026 - March 5, 2026
When AI Attacks AI: The Agentic Threat Era Arrives in Full
This week handed security leaders something they’ve been theorizing about for two years: autonomous AI agents attacking other autonomous AI agents in live production environments. No thought experiment, no conference demo. A malicious bot using Claude Opus 4.5 compromised five major open-source repositories. An AI-native offensive platform compromised 600 firewalls across 55 countries. Developer tools turned into attack vectors by opening a Git repo.
The practitioner community doing the real work on these problems gathered at [un]prompted in San Francisco. The rest of the week’s news served as a live demonstration of why that conference needed to exist. Attackers aren’t waiting for frameworks to catch up. Your AI tools are the attack surface now. The developers building them are the initial targets. The agents those tools spawn are the next ones.
1. [Un]Prompted Delivers the AI Security Conference the Industry Needed
The first [un]prompted conference ran March 3-4 at The Hibernia in San Francisco (unpromptedcon.org). Gadi Evron of Knostic, who chaired the conference, received nearly 500 talk submissions and built a program spanning offense, defense, DFIR, and governance. No vendor theater. Confirmed speakers included Heather Adkins from Google on advancing code security, Joshua Saxe from Meta on agent evaluation, Paul McMillan from OpenAI on securing software in the agentic era, and Nicholas Carlini from Anthropic on black-hat LLMs finding zero-days in production codebases. Dan Guido closed Day Two, explaining how Trail of Bits rebuilt around AI to reach 200 bugs per engineer per week. Sergej Epp from Sysdig presented primary forensic evidence from an 8-minute AWS escalation and EtherRAT, a blockchain C2 campaign. Gadi even stepped in for Avishai Efrat and Michael Barugy from Zenity (a direct competitor), who could not get out of Israel, to drop PleaseFix.
Why it matters
The field now has a practitioner-grade conference built for people doing actual work, from red teamers to governance leads, not vendor keynotes disguised as research.
The offensive capability context is essential. Carlini showed current models finding zero-days. Guido showed 200 bugs per engineer per week. Defenders need this before building programs.
The governance track didn’t retreat into frameworks. Healthcare and large enterprise practitioners spoke about what actually works in production.
What to do about it
Read the full agenda at unpromptedcon.org. The talk abstracts contain more actionable signal than most vendor white papers.
Follow the researchers presenting there. Those names are shaping the actual threat landscape.
Prioritize the Stripe threat modeling talks and the Snap capability-based authorization session if your team hasn’t treated AI agents as first-class attack surfaces yet.
Rock’s Musings
Rob T. Lee’s line on Stage 2 deserves repeating. Anthropic’s own GTG-1002 report showed adversaries running Claude Code at 80-90% autonomous execution. Your adversary has an AI. If you’re at tab-completion for defense, that’s a strategic failure, not a skills gap.
I’ve been going to security conferences for a long time. Most are marketing events with technical content as decoration. [un]prompted felt different because Gadi built it explicitly for people who know what a YAML file does. That’s a rare thing and worth supporting. Start planning for year two.
2. Hackerbot-Claw Proved Autonomous AI Can Systematically Destroy Your CI/CD Pipeline
Between February 21 and March 1, 2026, a GitHub account called hackerbot-claw ran an autonomous campaign against public repositories (StepSecurity). The account describes itself as an “autonomous security research agent powered by claude-opus-4-5,” maintains a vulnerability pattern index with 9 classes and 47 sub-patterns, and claims to have scanned 47,391 repositories. The bot achieved remote code execution in at least four of seven targeted repositories, including Microsoft, DataDog, CNCF, and Aqua Security’s Trivy scanner. In the Trivy compromise, it stole a Personal Access Token with broad write permissions, deleted all 178 GitHub releases, wiped repository content, and published a malicious VSCode extension to OpenVSX under Trivy’s trusted publisher identity. OpenSSF issued a TLP:CLEAR advisory March 1.
The single defining moment: the bot attempted prompt injection against a Claude-based CI workflow at ambient-code/platform. Claude, running claude-sonnet-4-6, classified it as “a textbook AI agent supply-chain attack via poisoned project-level instructions” and refused. The only target the bot failed to compromise was protected by another AI model recognizing the attack.
Why it matters
CI/CD misconfigurations are now mass-exploitable at machine speed without a single CVE. Five documented exploitation techniques, all using known patterns, all automatable.
Supply-chain compromise at scale doesn’t require sophisticated malware. It requires systematic scanning and pull request automation. The bot scanned 47,000 repos in a week.
AI-versus-AI defense is no longer theoretical. The ambient-code defense worked because someone built proper tool allowlisting with prompt injection detection.
What to do about it
Audit every pull_request_target workflow in your repositories this week. Move PR metadata into environment variables. Scope tokens to minimum permissions.
Verify your AI-based code review toolchain has prompt injection detection and tool allowlisting. Configuration matters as much as the model.
Check the OpenSSF advisory for the specific pattern list hackerbot-claw exploited. These are all preventable and all still present in thousands of active repositories.
Rock’s Musings
The “security research” framing in the account bio is working hard. Deleting 32,000 stars from Trivy and pushing a malicious extension to OpenVSX isn’t research. The creator remains unidentified. The domain name, the “molt” naming, and the OpenClaw ecosystem references point to infrastructure being assembled and tested in the open because the operators know defenders aren’t watching yet. We’re watching the emergence of an offensive AI toolkit in real time.
3. CyberStrikeAI: A Chinese-Linked Offensive Platform Hit 600 Firewalls Across 55 Countries
Team Cymru published research on March 3, naming CyberStrikeAI as the AI-native offensive tool behind the FortiGate campaign disclosed by Amazon Threat Intelligence in February (BleepingComputer, The Hacker News). The campaign ran from January 11 to February 18, 2026, compromising over 600 FortiGate devices across 55 countries. CyberStrikeAI is built in Go, integrates 100-plus security tools, and uses any OpenAI-compatible model, including Claude and DeepSeek, through an MCP orchestration engine. The developer, alias Ed1s0nZ, submitted the tool to Knownsec 404’s Starlink Project in December 2025 and briefly posted a CNNVD vulnerability credential to their GitHub profile before deleting it. CNNVD operates under oversight by China’s Ministry of State Security. Team Cymru detected 21 unique IPs running CyberStrikeAI between January 20 and February 26, primarily on Chinese cloud infrastructure. No zero-days were exploited. The actor succeeded through exposed management interfaces and weak credentials.
Why it matters
AI-native offensive platforms are open-source and in active deployment. The barrier to running a 600-device campaign across 55 countries is now a GitHub clone and a cloud account.
State-adjacent tooling proliferates fast. Zero deployments in November to 21 active servers by late February is an adoption curve worth tracking.
The entry point remains unchanged. Sophisticated AI orchestration amplified the attacker. Exposed management interfaces created the opportunity. Harden the basics first.
What to do about it
Pull the FortiGate management interface exposure from public networks immediately (seriously… why do we have to keep saying this?). Apply all current firmware patches.
Add CyberStrikeAI IOCs from the Team Cymru report to your threat intelligence feeds.
Add AI-native offensive tooling as a threat category in your risk model. The economics of running large-scale exploitation campaigns changed this quarter.
Rock’s Musings
The credential scrub tells you something about the actor’s maturity. Ed1s0nZ posted the CNNVD award, realized the optics problem, and deleted it. Git commit history preserved both moves. This is someone running a 600-device campaign across 55 countries who doesn’t understand basic operational security hygiene. The AI amplified a low-to-medium capability actor significantly. That’s the real threat vector here, not the sophisticated attacker getting more powerful. It’s the mediocre attacker becoming operationally dangerous.
4. Claude Code Let Attackers Own Developer Machines by Opening a Git Repo
Check Point Research disclosed two critical vulnerabilities in Anthropic’s Claude Code around February 25-27, 2026, widely covered through March 4 (Dark Reading, Security Affairs, The Hacker News). CVE-2025-59536 (CVSS 8.7) allows code injection via the Hooks feature and MCP server initialization. CVE-2026-21852 (CVSS 5.3) allows API key exfiltration by manipulating ANTHROPIC_BASE_URL before the trust dialog appears. Both trigger on opening an untrusted repository with no further user interaction. Researchers Oded Vanunu and Aviv Donenfeld at Check Point found that .claude/settings.json, .mcp.json, and CLAUDE.md function as active execution layers. Stolen API keys in Anthropic Workspaces expose all project files shared across that workspace, creating team-wide compromise from one developer’s action. All issues are patched: CVE-2025-59536 fixed in version 1.0.111, CVE-2026-21852 fixed in 2.0.65.
Why it matters
AI coding tools are now supply-chain attack vectors. Cloning a malicious repository used to mean running attacker code. Now it means letting an AI agent run attacker code with your credentials before any warning appears.
Repository configuration files are execution logic. Add .claude/, .mcp.json, and CLAUDE.md to your code review checklist alongside source code.
The Workspaces blast radius multiplies team exposure. One stolen key can expose shared project files and generate unauthorized API costs across an entire engineering organization.
What to do about it
Verify all Claude Code users are on 1.0.111 or later for the hook vulnerability and 2.0.65 or later for the API key issue. Both patches deliver via auto-update.
Rotate Anthropic API keys for any team that cloned untrusted repositories before the patches were applied.
Extend your security review process to cover AI tool configuration files in every repository the tool touches.
Rock’s Musings
“Trust dialog bypass” shouldn’t appear in the threat model of a professional developer tool in 2026. The design assumption that config files are passive was wrong, and it costs a CVSS 8.7. The governance question is broader: how many of your developers are running AI coding tools that didn’t go through your security approval process? Claude Code, Cursor, Copilot. Each one has deep access to local filesystems, shell execution, and credentials. Your endpoint protection almost certainly has no visibility into what they’re doing. This disclosure is the clean example of why that matters.
5. GlicJack: Chrome’s Gemini Panel Let Malicious Extensions Steal Your Camera and Files
Palo Alto Networks Unit 42 published CVE-2026-0628 on March 2, 2026 (SC Media, The Hacker News). CVSS 8.8. Researcher Gal Weizman discovered that a Chrome extension with basic declarativeNetRequest permissions could inject JavaScript into Gemini Live’s side panel and inherit all of its elevated privileges: camera, microphone, local file reads, screenshot capability. The flaw arose because Chrome’s Gemini panel loads gemini.google.com inside a chrome://glic WebView component. Extension isolation rules that protect privileged browser pages didn’t apply to this component. An extension influencing a website is expected behavior. An extension influencing a component baked into the browser is a security flaw. Google patched this January 5, 2026 in Chrome 143.0.7499.192/.193. Unit 42 reported it October 23, 2025.
Why it matters
AI features embedded in the browser create privilege escalation paths that didn’t exist before. The capabilities granted to make the assistant useful become the attacker’s gain.
The declarativeNetRequest API is used by millions of legitimate extensions. Any extension holding that permission could have exploited this.
Enterprise Chrome fleets may lag on patches. Individual users update automatically. Managed deployments need active verification.
What to do about it
Confirm Chrome is at 143.0.7499.192 or later across all enterprise endpoints.
Audit installed extensions with declarativeNetRequest permissions. Remove anything not explicitly approved.
Add AI browser panels to your ongoing threat model. The same architectural pattern exists in Copilot in Edge and other embedded AI assistants.
Rock’s Musings
This vulnerability pattern will repeat. Every vendor shipping an embedded AI assistant is granting that panel elevated access to make it useful, then relying on the browser’s isolation model to prevent exploitation. The Gemini panel inherited browser-level privileges while the security policy hadn’t caught up. That’s not a Google-specific design flaw. It’s the natural consequence of rushing AI features into security models built for a different threat landscape. GlicJack was found and patched responsibly. The next one in a competitor’s AI browser feature might not be.
6. ClawJacked: Any Malicious Website Can Own Your Local AI Agent
Oasis Security disclosed a high-severity flaw on February 28, 2026 allowing any malicious website to connect to a locally installed OpenClaw AI agent via WebSocket and take full control (WIU Cybersecurity Center, Sysdig). The attack required nothing beyond loading a malicious webpage. An attacker’s JavaScript opened a WebSocket to the agent’s localhost port and brute-forced the gateway password with no rate limiting. Once authenticated, full access: interact with the agent, dump configuration, enumerate connected devices, read logs. A companion log poisoning vulnerability allowed indirect prompt injection through data the agent processed. OpenClaw patched ClawJacked in version 2026.2.25 and the log poisoning in 2026.2.13. The same disclosure cycle included seven additional CVEs against OpenClaw: CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, and CVE-2026-26329.
Why it matters
Local AI agents create new cross-context attack surfaces. The browser’s isolation model doesn’t extend to local services. A webpage can reach localhost.
Seven CVEs in one disclosure cycle against the same product signals early-stage software with an immature security posture deployed in enterprise environments.
Log poisoning via indirect prompt injection generalizes to any agent that processes external data. The agent becomes the vehicle for attacker instructions delivered through normal telemetry.
What to do about it
Update OpenClaw to version 2026.2.25 or later. Non-negotiable if your organization deploys it.
Inventory which local AI agents your developers are running and what ports they’re listening on. Most users don’t understand that local agents accept browser connections.
Require rate limiting on local service authentication endpoints in any AI agent development your organization does or procures.
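The two conditions ClawJacked relied on, a gateway any web page could reach and a password that could be guessed without limit, are both handshake-level decisions. The gate below is an added example (not OpenClaw’s code) of what a local agent should decide before accepting a WebSocket client: the allowed UI origin, port, and lockout numbers are constructed assumptions.

```python
"""Handshake gate for a local agent's WebSocket gateway, addressing the two
ClawJacked conditions: any web page could open the socket, and the password
could be guessed without limit. Pure logic, no network code, so it runs as-is."""
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, Optional

# Browsers always send Origin on a WebSocket upgrade and page scripts cannot forge it;
# the agent's own UI origin below is a constructed value for this example.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789"}
MAX_FAILURES = 5        # failed password attempts before a lockout
LOCKOUT_SECONDS = 300.0


class GatewayGate:
    """Decides whether a WebSocket upgrade and its password are accepted."""

    def __init__(self, password: str, now: Callable[[], float] = time.monotonic):
        self._password = password.encode()
        self._now = now  # injectable clock so the lockout can be tested
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def check_origin(self, headers: Dict[str, str]) -> Optional[str]:
        """Return a rejection reason, or None when the upgrade may proceed.
        A missing Origin means a non-browser client; it still has to authenticate."""
        origin = headers.get("origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return f"origin {origin} is not allowed to reach the gateway"
        return None

    def authenticate(self, client: str, password: str) -> str:
        """One password attempt from `client`; returns 'ok', 'bad-password' or 'locked'.
        Every browser-driven attempt arrives from 127.0.0.1, so the lockout caps
        guessing for the whole loopback rather than per attacker; the Origin check
        is the control that keeps web pages out in the first place."""
        now = self._now()
        if now < self._locked_until.get(client, 0.0):
            return "locked"
        if hmac.compare_digest(password.encode(), self._password):
            self._failures.pop(client, None)
            return "ok"
        self._failures[client] += 1
        if self._failures[client] >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._failures.pop(client, None)
            return "locked"
        return "bad-password"

    def handshake(self, headers: Dict[str, str], client: str, password: str) -> str:
        """Full gate: origin first, then the password with the lockout applied."""
        if self.check_origin(headers) is not None:
            return "rejected-origin"
        return self.authenticate(client, password)
```

A page from a foreign origin is refused before its password is even checked, so the brute-force path never opens; a native client without an Origin header still has to get the password right within the attempt budget.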
Rock’s Musings
Seven CVEs in one batch tells you about the security review process that went into building the product, or its absence. OpenClaw is representative of a broader pattern: AI agent frameworks are shipping at startup velocity with security addressed after product-market fit. The problem is that product-market fit now means enterprise deployment, which means these vulnerabilities sit inside corporate networks before anyone notices.
7. North Korea’s Contagious Interview Campaign Is Back With 26 npm Packages
On March 2, 2026, Socket researchers disclosed a new iteration of the Contagious Interview campaign from North Korean threat group Famous Chollima, deploying 26 malicious npm packages targeting cryptocurrency and Web3 developers (The Hacker News). Packages masquerade as developer utilities. Install scripts execute automatically and fetch C2 server addresses from Pastebin content, a dead-drop resolver technique that makes the C2 infrastructure resilient: blocking domains doesn’t neutralize active infections because attackers update the Pastebin content with new addresses. The actual payload pulls from Vercel deployments, making traffic look like legitimate developer tool usage. The cross-platform RAT targets Windows, Linux, and macOS with keylogging, browser credential theft, and cryptocurrency wallet exfiltration.
Why it matters
Publishing 26 plausible-looking packages to npm is a low-barrier operation that bypasses most enterprise code review.
Pastebin dead-drop C2 is a detection evasion technique most organizations haven’t built specific detection logic for.
Crypto and Web3 developers are the named target, but the payload works on any developer machine in any organization.
What to do about it
Implement package manifest review for new installs in developer environments. Untrusted packages entering your toolchain require explicit approval.
Block or alert on Pastebin traffic from developer machines that don’t require it for work. Pastebin as a C2 dead drop is an established pattern.
Brief cryptocurrency and Web3 development teams directly. They are specifically targeted.
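The “alert on Pastebin traffic” control above is only useful if it is tied to the rest of the chain the campaign uses. The detection below is an added example (not Socket’s code or tooling) that runs over constructed proxy log lines: it flags raw Pastebin fetches, rates them higher from developer hosts or non-browser user agents, and only alerts on Vercel traffic when it follows a dead-drop fetch from the same host within a short window. The log format, host naming and URLs are assumptions.

```python
"""Proxy-log detection for the Contagious Interview C2 pattern: a developer host
fetches raw Pastebin content (the dead-drop resolver) and then pulls a second
stage from a Vercel deployment with a non-browser user agent.
Log format, host names and URLs are constructed for this example."""
import re
from datetime import datetime, timedelta
from typing import Any, Dict, Iterable, List

PASTEBIN_RAW = re.compile(r"^https?://(www\.)?pastebin\.com/raw/", re.I)
VERCEL_APP = re.compile(r"^https?://[a-z0-9-]+\.vercel\.app/", re.I)
CORRELATION_WINDOW = timedelta(minutes=5)  # resolver fetch -> stage pull gap to correlate
DEV_HOST_PREFIX = "dev-"                   # constructed naming for developer workstations

# Constructed proxy log: timestamp|source host|URL|user agent (pipe separated).
LOG_LINES = """\
2026-03-02T09:14:02Z|dev-ws-17|https://registry.npmjs.org/lodash|npm/10.2.4 node/v20.11.0 linux x64
2026-03-02T09:14:05Z|dev-ws-17|https://pastebin.com/raw/abcd1234|node
2026-03-02T09:14:09Z|dev-ws-17|https://example-tools-site.vercel.app/api/v1/init|node
2026-03-02T09:20:31Z|mkt-laptop-03|https://pastebin.com/raw/zzzz9999|Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2026-03-02T09:35:00Z|dev-ws-22|https://my-team-docs.vercel.app/|Mozilla/5.0 (Macintosh) Chrome/122.0
"""


def parse(line: str) -> Dict[str, Any]:
    ts, host, url, ua = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "url": url, "ua": ua}


def is_browser(ua: str) -> bool:
    return ua.startswith("Mozilla/")


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run both rules over log lines in time order and return the alerts raised."""
    alerts: List[Dict[str, str]] = []
    last_dead_drop: Dict[str, datetime] = {}  # host -> time of its latest raw Pastebin fetch
    for ev in (parse(l) for l in lines if l.strip()):
        host, url, ua, ts = ev["host"], ev["url"], ev["ua"], ev["ts"]
        if PASTEBIN_RAW.search(url):
            # Rule 1: raw Pastebin fetch. A non-browser UA or a developer host matches
            # the install-script case the campaign uses, so it rates higher.
            last_dead_drop[host] = ts
            suspicious = not is_browser(ua) or host.startswith(DEV_HOST_PREFIX)
            alerts.append({"rule": "pastebin-raw-fetch", "host": host, "url": url,
                           "severity": "high" if suspicious else "medium"})
        elif VERCEL_APP.search(url) and not is_browser(ua):
            # Rule 2: Vercel hosts plenty of legitimate apps, so a non-browser pull
            # only alerts when it follows a dead-drop fetch from the same host.
            seen = last_dead_drop.get(host)
            if seen is not None and ts - seen <= CORRELATION_WINDOW:
                alerts.append({"rule": "dead-drop-then-vercel-stage", "host": host,
                               "url": url, "severity": "critical"})
    return alerts
```
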
Rock’s Musings
Famous Chollima runs this playbook on a near-quarterly cadence and the success rate isn’t declining. Crypto theft funds sanctions-constrained North Korean government operations. This isn’t opportunistic. It’s state-directed revenue generation with a consistent target profile and consistent tooling. Your security awareness training hasn’t stopped it because awareness doesn’t change the attack surface. The attack surface is npm, Pastebin, and Vercel. Those require technical controls, not training slides.
8. The Average Enterprise Has 1,200 Unauthorized AI Applications and 14% Visibility Into Them
A briefing published March 3, 2026, by the AIUC-1 Consortium, developed with input from Stanford’s Trustworthy AI Research Lab and more than 40 security executives from Confluent, Elastic, UiPath, and Deutsche Börse, put concrete numbers to the enterprise AI governance gap (Help Net Security). Average enterprise: 1,200 unofficial AI applications; 86% of organizations report no visibility into AI data flows; shadow AI breaches cost $670,000 more than standard incidents due to delayed detection; one in five organizations report a breach linked to unauthorized AI use.
Stanford’s Sanmi Koyejo contributed research showing fine-tuning attacks bypassed Claude Haiku in 72% of cases and GPT-4o in 57%, confirming that model-level safety controls are insufficient as standalone defenses. Actual defense requires input validation, action-level guardrails, and reasoning chain visibility operating independently of model behavior.
Why it matters
1,200 unofficial AI applications per enterprise means most identity programs have a blind spot. You can’t govern what you can’t see, and you can’t detect a breach in a system you don’t know exists.
The $670,000 additional breach cost from shadow AI is the board's number. Frame AI governance conversations around detection delay, not abstract risk.
Model-level safety is not a security control you present to auditors. It’s a product feature. The bypass rates confirm it degrades under targeted attack.
What to do about it
Use SaaS discovery tools and proxy logs to inventory actual AI application usage, not self-reported usage. The gap between what employees say they use and what they actually use is where the exposure lives.
Define what an AI agent identity means in your IAM framework before your agents define it for you. Include API keys, OAuth grants, and service accounts belonging to AI agents.
Document controls at the input, action, and output layers separately from model behavior. Auditors need evidence that doesn’t depend on the model refusing bad requests.
Rock’s Musings
The $670,000 additional breach cost from shadow AI is entirely attributable to one thing: time to detect. You can’t detect what you’re not monitoring. The 86% visibility gap translates directly into investigation time, which in turn translates into breach cost. The governance conversation isn’t about restricting AI use. It’s about making AI use visible enough that your SOC can respond when something goes wrong. Start there.
9. NIST Wants to Know How to Secure AI Agents. The Comment Window Closes Monday.
NIST’s Center for AI Standards and Innovation published an RFI on January 8, 2026, seeking practitioner input on securing AI agent systems, with comments due March 9, 2026 (Federal Register). This is the first formal federal RFI focused specifically on agentic AI security. The comment deadline falls four days from the publication of this newsletter. The RFI asks respondents to identify the biggest security risks unique to AI agents, what defenses actually work, how to test and constrain these systems, and what standards and policy coordination are needed. A companion initiative from NIST’s National Cybersecurity Center of Excellence on AI agent identity and authorization has a separate April 2 deadline. The Trump administration renamed the AI Safety Institute as CAISI to reflect a shift from existential risk evaluation to practical standards and measurement.
You can read more about my submission in “NIST AI Agent RFI (2025-0035): Human Oversight Is the Wrong Fix”.
Why it matters
The standards that emerge from this process will shape federal procurement requirements, contracting baselines, and eventually insurance and regulatory frameworks. Practitioner input now affects what you’ll be measured against in two to three years.
The practitioners who will respond by default are academics, system integrators, and AI vendors with commercial interests in the outcome. Independent CISO voices are underrepresented in federal standards work.
NIST standards carry weight across the federal supply chain. If you sell to or partner with federal agencies, the guidance coming from this process will affect your requirements.
What to do about it
Submit a comment before March 9 at regulations.gov under docket NIST-2025-0035. Specific examples from your actual environment are more valuable than polished organizational submissions with no concrete data.
Flag the April 2 deadline for the companion paper on AI agent identity and authorization to whoever owns your IAM program.
Engage legal or policy counsel if your organization wants a formal submission. The deadline for that conversation is today.
Rock’s Musings
Most security executives I know haven’t heard of this RFI. That’s a problem. The reason the resulting standards will be shaped by vendors instead of practitioners is that practitioners don’t show up to the process. I’m not asking you to become a standards wonk. I’m asking you to spend 30 minutes writing down what you’re actually seeing in production, the Claude Code RCE, the OpenClaw WebSocket exposure, the shadow AI breach cost, and submit it at regulations.gov. The comment period was designed for exactly that. Use it.
The One Thing You Won’t Hear About But You Need To
OpenSSF’s TLP:CLEAR Advisory Means 47,000 Repos Are Still Exposed Right Now
On March 1, 2026, the Open Source Security Foundation issued a TLP:CLEAR advisory prompted by the hackerbot-claw campaign, documenting the specific misconfiguration classes exploited: unsafe pull_request_target trigger configurations, overprivileged GITHUB_TOKEN scopes, unsanitized inputs in shell execution contexts, and dynamic shell execution patterns (Threat Landscape Blog). TLP:CLEAR means no restrictions on distribution. It was published specifically so every organization running public GitHub Actions workflows could read it and fix their exposure.
The bot’s profile claims 47,391 repositories scanned. That number isn’t independently verified, but StepSecurity’s analysis confirms five of seven analyzed targets were compromised during a nine-day campaign that defenders didn’t detect while it was running. No CVEs. No zero-days. Documented, preventable misconfigurations. New repositories with the same patterns are being created today.
Why it matters
The advisory is available and actionable. The barrier isn’t information access. It’s distribution through the security team to the platform engineers who control the workflows.
The attack surface isn’t shrinking. Hackerbot-claw found 47,000 potentially vulnerable repositories in a week. The automation will get rerun.
Undetected campaigns running for nine days means your current GitHub Actions monitoring isn’t catching this class of attack.
What to do about it
Get the OpenSSF advisory to your DevSecOps and platform engineering teams today. It contains the specific patterns to search for and the specific remediation steps.
Run StepSecurity harden-runner or equivalent tooling against your public repositories. The vulnerability patterns are enumerable. Find them before the next scanner does.
Require security review for new GitHub Actions workflows before merge. The misconfigurations hackerbot-claw exploited are consistently introduced during workflow creation.
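The four misconfiguration classes in the OpenSSF advisory (and the pull_request_target audit item 2 calls for) are enumerable, so they can be searched for before the next scanner does. The scanner below is an added example, not StepSecurity’s or OpenSSF’s tooling: it is regex and line based so it runs without PyYAML, and it ships with two constructed workflows, one carrying every class and one hardened with a base-ref checkout, a scoped token and env: indirection for PR metadata.

```python
"""Triage scanner for the GitHub Actions misconfiguration classes in the OpenSSF advisory."""
import re
from typing import Iterator, List, Tuple

Finding = Tuple[str, int, str]  # (check id, 1-based line or 0 for file level, message)

# Event fields an outside contributor controls; inside ${{ }} in a run: script they
# are expanded before the shell starts, so their content becomes shell syntax.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{[^}]*(github\.head_ref|github\.event\.(pull_request|issue|comment|review)"
    r"\.(title|body|head\.ref|head\.label|head\.repo\.[a-z_.]+|user\.login))[^}]*\}\}")
# pull_request_target runs with the base repo's write token; checking out the PR head
# there executes the contributor's code under that token.
PRT_TRIGGER = re.compile(r"^\s*-?\s*pull_request_target\s*:|^on:.*\bpull_request_target\b", re.M)
HEAD_CHECKOUT = re.compile(
    r"ref:\s*(\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}|refs/pull/)")
DYNAMIC_SHELL = re.compile(r"\beval\b|\|\s*(sudo\s+)?(ba|z)?sh\b")  # eval, curl | sh
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

def run_script_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, text) for every line that belongs to a run: script."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        value = m.group(3).rstrip()
        if value in ("|", ">", "|-", ">-", "|+", ">+"):  # block scalar: the script is
            i += 1                                        # every line indented past the key
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                yield i + 1, lines[i]
                i += 1
        else:  # single-line script
            yield i + 1, value
            i += 1

def scan_workflow(text: str) -> List[Finding]:
    """Return findings for one workflow file, grouped by check, each in file order."""
    findings: List[Finding] = []
    if PRT_TRIGGER.search(text):
        for n, line in enumerate(text.splitlines(), 1):
            if HEAD_CHECKOUT.search(line):
                findings.append(("PRT_HEAD_CHECKOUT", n, "PR head checked out under pull_request_target"))
    perms = re.findall(r"^\s*permissions:\s*(\S*)", text, re.M)
    if not perms:
        findings.append(("TOKEN_SCOPE", 0, "no permissions: block; GITHUB_TOKEN keeps the repo default"))
    elif "write-all" in perms:
        findings.append(("TOKEN_SCOPE", 0, "permissions: write-all grants every scope"))
    for n, script in run_script_lines(text):
        if UNTRUSTED_EXPR.search(script):
            findings.append(("SCRIPT_INJECTION", n, "untrusted event field inside run:; pass it via env:"))
        if DYNAMIC_SHELL.search(script):
            findings.append(("DYNAMIC_SHELL", n, "eval or pipe-to-shell inside run:"))
    return findings

# Constructed sample showing every class in one workflow.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          ./scripts/label.sh "${{ github.head_ref }}"
      - run: curl -sSL https://example.invalid/setup.sh | bash
"""

# Constructed sample: same job with base checkout, scoped token and env: indirection.
HARDENED_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  contents: read
  pull-requests: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "PR title: $PR_TITLE"
          ./scripts/label.sh "$HEAD_REF"
"""
```

Point `scan_workflow` at each file under `.github/workflows/` and treat any finding as a review blocker; the hardened sample returns no findings because PR metadata reaches the shell only through environment variables and the token is scoped explicitly.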
Rock’s Musings
TLP:CLEAR means the government cleared the information for public release with no restrictions. It was published so practitioners could act on it. The fact that it’s “the thing you won’t hear about” is an indictment of how security information moves through the industry. Your platform engineers are shipping features. Nobody is reading OpenSSF advisories in real time unless someone built a process for it.
The hackerbot-claw campaign didn’t require a zero-day. It required patient scanning of publicly available information about CI/CD pipeline configurations. The attacker had that process. The question for your organization is whether you have the equivalent on defense. The OpenSSF advisory is the starting point. If you want additional context on building CI/CD security programs that account for this threat class, the practitioner content at rockcybermusings.com covers it. The attack surface is documented. Close it.
If you found this analysis useful, subscribe at rockcybermusings.com for weekly intelligence on AI security developments.
References
Awesome Agents. (2026, March 2). An AI agent just pwned Trivy’s 32K-star repo via GitHub Actions. https://awesomeagents.ai/news/hackerbot-claw-trivy-github-actions-compromise/
BleepingComputer. (2026, March 2). CyberStrikeAI tool adopted by hackers for AI-powered attacks. https://www.bleepingcomputer.com/news/security/cyberstrikeai-tool-adopted-by-hackers-for-ai-powered-attacks/
Check Point Research. (2026, February 25). Caught in the hook: RCE and API token exfiltration through Claude Code project files. https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
Cybernews. (2026, March 4). AI bot compromises five major GitHub repositories. https://cybernews.com/security/claude-powered-ai-bot-compromises-five-github-repositories/
Cybernews. (2026, March 4). Open some code, Claude Code runs with hacker’s instructions. https://cybernews.com/security/claude-code-critical-vulnerability-enabled-rce/
Dark Reading. (2026, February 28). Flaws in Claude Code put developers’ machines at risk. https://www.darkreading.com/application-security/flaws-claude-code-developer-machines-risk
Federal Register. (2026, January 8). Request for information regarding security considerations for artificial intelligence agents (Docket NIST-2025-0035). https://www.federalregister.gov/documents/2026/01/08/2026-00206/request-for-information-regarding-security-considerations-for-artificial-intelligence-agents
Help Net Security. (2026, March 3). AI went from assistant to autonomous actor and security never caught up. https://www.helpnetsecurity.com/2026/03/03/enterprise-ai-agent-security-2026/
NIST Center for AI Standards and Innovation. (2026, January 12). CAISI issues request for information about securing AI agent systems. https://www.nist.gov/news-events/news/2026/01/caisi-issues-request-information-about-securing-ai-agent-systems
Orca Security. (2026, March 3). HackerBot-Claw: An AI-assisted campaign targeting GitHub Actions pipelines. https://orca.security/resources/blog/hackerbot-claw-github-actions-attack/
Palo Alto Networks Unit 42. (2026, March 2). Taming agentic browsers: Vulnerability in Chrome allowed extensions to hijack new Gemini panel. https://unit42.paloaltonetworks.com/gemini-live-in-chrome-hijacking/
SC Media. (2026, March 2). Google Chrome vulnerability risked hijacking Gemini panel by rogue extension. https://www.scworld.com/news/google-chrome-vulnerability-risked-hijacking-gemini-panel-by-rogue-extension
Security Affairs. (2026, March 2). Untrusted repositories turn Claude Code into an attack vector. https://securityaffairs.com/188508/security/untrusted-repositories-turn-claude-code-into-an-attack-vector.html
StepSecurity. (2026, March 3). Hackerbot-claw: An AI-powered bot actively exploiting GitHub Actions. https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
Sysdig. (2026, March 4). Security briefing: February 2026. https://www.sysdig.com/blog/security-briefing-february-2026
The Hacker News. (2026, March 3). Open-source CyberStrikeAI deployed in AI-driven FortiGate attacks across 55 countries. https://thehackernews.com/2026/03/open-source-cyberstrikeai-deployed-in.html
The Hacker News. (2026, March 3). New Chrome vulnerability let malicious extensions escalate privileges via Gemini panel. https://thehackernews.com/2026/03/new-chrome-vulnerability-let-malicious.html
The Hacker News. (2026, February 28). Claude Code flaws allow remote code execution and API key exfiltration. https://thehackernews.com/2026/02/claude-code-flaws-allow-remote-code.html
The Hacker News. (2026, March 2). North Korean hackers publish 26 npm packages hiding Pastebin C2 for cross-platform RAT. https://thehackernews.com/2026/03/north-korean-hackers-publish-26-npm.html
Threat Landscape Blog. (2026, March 5). Hackerbot-Claw: AI bot exploiting GitHub Actions CI/CD misconfigs for repo takeover. https://threatlandscape.io/blog/hackerbot-claw-ai-bot-github-actions-supply-chain-attack
[un]prompted. (2026). Agenda — [un]prompted, The AI Security Practitioner Conference, March 3-4, 2026. https://unpromptedcon.org/
WIU Cybersecurity Center. (2026). Cybersecurity news. Western Illinois University. https://www.wiu.edu/cybersecuritycenter/cybernews.php
Really nice round up.
`Claude Code Let Attackers Own Developer Machines by Opening a Git Repo`
This was the most interesting one to me. It hit pretty hard. Thanks for the post!