#security
15 items tagged #security.
15 items tagged #security.
A Glasswing-style scan can land hundreds of high-severity findings against your repo in a single run. Anthropic's 90.6% true-positive rate is high — but on a 10,000-finding batch, the 9.4% false-positive remainder is still 940 fires to put out.
Project Glasswing's first month surfaced more than ten thousand high- or critical-severity vulnerabilities. The framing was that AI just closed the security gap. The data, read carefully, is that AI just opened a different one.
Anthropic published the first results from Project Glasswing on May 22. Around fifty partners running Claude Mythos Preview found more than ten thousand high- or critical-severity vulnerabilities in the first month, including 2,000 at Cloudflare and 271 fixed in Firefox 150.
Antigravity 2.0 and Anthropic's Routines let agents run unattended on a schedule or a webhook. With no human at the trigger, scope, a review gate, a cost cap, and a kill switch are the only controls that still work.
GitGuardian found 24,008 secrets in MCP config files on public GitHub. This is the audit pass: find committed config, detect inline keys, convert to environment variables, rotate what leaked, and stop it recurring.
A concrete checklist for the May 2026 failure modes: pin skills and MCP servers, SBOM the agent's dependencies, require auth on MCP, and review config files as code.
Researchers disclosed a cluster of vulnerabilities in AI coding agents in May 2026: prompt-injection-to-RCE in CrewAI, an unauthenticated Azure SRE Agent endpoint, a poisoned AGENTS.md chain against Codex, and over a thousand malicious skills.
Three threat axes in AI coding tools—log exfiltration, tool-call leaks, and supply-chain poisoning—and the mitigations that actually reduce risk.