CEO & Co-Founder at Knostic, CISO-in-Residence for AI at Cloud Security Alliance. Former Founder @Cymmetria (acquired). Host at Prompt||GTFO. Threat hunter, scifi geek, dance teacher. Opinions my own.

RE: https://infosec.exchange/@gadi/116605519377861154

Knostic doing the community a solid by providing the ability to scan VS Code extensions, skills, and more. Directly relevant to recent breaches, including one developing at GitHub.

(Yes, yes, I know there are other incentives to provide scanning functions, but it's free and lots of teams are getting pushed to AI use without any additional funding to secure it from the start, so this is indeed a community-benefiting action.)

Lessons for Irish Organisations from the Verizon 2026 Data Breach Investigations Report (DBIR)

Our CEO, Brian Honan, discusses his views and opinions on the Verizon DBIR 2026 and why the report is always a must read.

BH Consulting

Due to the GitHub breach, we released a feed for malicious VS Code extensions, auto-generated with IoCs out of Agent Mesh. I hope it's useful. If it is, let me know and we'll do this regularly. We can add in skills, MCP servers, etc.:

https://www.knostic.ai/blog/agentic-threat-intelligence-feed-vs-code-extensions

Agent Mesh:
https://agentmesh.knostic.ai/

Let me know if useful.

—
And if you’d like to secure your agents, do check us out:
https://knostic.ai/

Free for up to five users:
https://getkirin.com/

Agentic Threat Intelligence Feed - VS Code Extensions (20 May, 2026)

Knostic's free agentic threat intel: 4 source-validated VS Code extension findings (May 13–20, 2026), including BCAI Rosetta with 13,480 installs on Cursor.

Worried about VS Code extensions following the GitHub breach? Here's a free threat intelligence feed on all VS Code extensions, and then a skill you point your agent to, to compare the extensions to the intelligence.

AgentMesh: https://agentmesh.knostic.ai/ (threat intelligence)
The skill: https://github.com/knostic/extension-check-skill/

--
And of course, if you're looking to discover and defend your agents, and their supply chain, try out Kirin. It's free up to five users:
https://getkirin.com/

AgentMesh - AI Agent Supply Chain Security

Discover, track, and scan AI agent skills and extensions for security threats.

AgentMesh

DBIR report is out!

It’s no longer phishing that’s first to get you. Vulnerabilities are now cheap and everywhere.

Spread the word. It takes the industry a decade to adjust its narrative.

Found via Jorge Orchilles on the other network, faster than I could read the DBIR report myself! (It’s out!)

Even GitHub was compromised due to a malicious VS Code extension. We have free and paid solutions for you at Knostic. We’ve been doing this for a while.

We opened up AgentMesh for free. It’s like a VirusTotal but for extensions, skills, etc. and you can ingest that into your threat hunting and AppSec programs immediately.
(https://agentmesh.knostic.ai/)

You can also check out how we secure coding agents, and their supply chain like extensions, if you like. Free up to 5 licenses.
It’s an EDR and SPM capability, but for Cursor, Copilot, Claude Code, Windsurf, Cowork, etc.
(https://knostic.ai/)

A story on relying on Claude Code hooks for security, how I messed up a GitHub repo, losing all stars, and... how the raptor maintainers are rewarding me with a "GitHub Disaster" T-shirt.

TL;DR:
Even if we get everything right, and agents choose not to bypass hooks, an agent is a complex system that trips over its own defenses. This is the second example of such behavior that has happened to me personally.

A Claude Code session ran:
gh repo edit gadievron/raptor --visibility private

This despite not being allowed to touch GitHub, or to change repo visibility.

You see, 22 seconds earlier I'd sent: "repo must stay private. do it all yourself. i approve."

Poor choice of words, no excuses, and yet I never mentioned GitHub, and I have a hook to disallow any push to GitHub or any changes to repo visibility, plus memory that no repo visibility settings should ever be changed.

I meant: don't push this clone publicly, you have my approval to use --no-verify. Claude read it as: change the repo's visibility.

This is what the Internet defines as PEBCAK: User error^H^H^H^H^Hstupidity.

In similar occasions of ambiguity, Claude Code asked me for clarification, as this goes against standing orders. What went wrong here?

The pre-push hook was blocking successfully, --no-verify had been denied by the sandbox, and Claude had correctly escalated ("you need to run these manually").

From the log:
"Making the repo private first (which also satisfies the pre-push hook), then push, create PR, and test."

The "which also satisfies" may indicate to Claude everything is fine, creating a calming effect, but more importantly, after the global pre-push hook blocked the push, it also printed:

To make repository private:
gh repo edit $repo_info --visibility private

The agent followed the instructions, and the repo turned private.

Such collisions are commonplace. I've written before about how an agent's rules work against it: A recursive token-wasting loop from a prompt and Claude.md collision (https://lnkd.in/decbzfRJ).

Agents need permissions, policies, action detection, tool-use violation prevention, new agentic controls aligning intent and scope with action, and enforcement outside the agent itself.
Hooks alone aren't enough: the agent will find ways around them, even by mistake.

And, whether the infrastructure could be strengthened or the user could be smarter, agents... find a way. We know how hole-y our defenses are in the modern world, we won't tighten them all up by tomorrow, and agents are in use everywhere right now.

I didn't run Knostic this time because it would have blocked the attack research I do for raptor (https://lnkd.in/dcaz2rSw), which is why I was left with hooks and memory as defenses.

But yes, PEBCAK. That wasn't smart phrasing on my end.
And, I'm so sorry Daniel Cuthbert, John Cartwright, and Michael Bargury. (where's my T-shirt?)

--
At Knostic we don't rely on any one defense, and we constantly research. Message me for a demo, or see https://knostic.ai/demo.
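As an added illustration (not code from the post, from Knostic, or from the raptor project), here is a Claude Code PreToolUse hook that denies the two actions the story turns on, and whose block message states only the policy and never a remediation command, since it was the hook's own "To make repository private: gh repo edit ..." hint that the agent acted on. It assumes the documented PreToolUse contract (a JSON event on stdin carrying tool_name and tool_input, exit status 2 to block with stderr returned to the agent); the regex rules and the sample commands are constructed for this example.

```python
"""PreToolUse hook: deny visibility changes and agent-driven pushes.
Assumption: Claude Code passes the event as JSON on stdin with "tool_name"
and "tool_input" (the Bash tool puts the shell command in tool_input["command"]),
and treats exit status 2 as a block, showing stderr to the agent."""
import json
import re
import sys

# Each rule pairs a pattern with the policy it enforces. The reason text is
# deliberately free of any "to fix this, run ..." hint: a remediation command
# printed by a guard is a command the agent may simply execute.
RULES = [
    (re.compile(r"\bgh\s+repo\s+edit\b.*--visibility\b"),
     "policy: repository visibility is never changed by the agent"),
    (re.compile(r"\bgit\s+push\b.*--no-verify\b"),
     "policy: pushes must run the pre-push hook; --no-verify is not permitted"),
    (re.compile(r"\bgit\s+push\b"),
     "policy: pushes to GitHub are performed by the human, not the agent"),
]


def evaluate(event: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Only Bash tool calls are inspected."""
    if event.get("tool_name") != "Bash":
        return True, ""
    command = event.get("tool_input", {}).get("command", "")
    # Join shell line continuations so a wrapped command is matched as one line.
    flat = command.replace("\\\n", " ")
    for pattern, reason in RULES:
        if pattern.search(flat):
            return False, reason
    return True, ""


def main() -> int:
    event = json.load(sys.stdin)
    allowed, reason = evaluate(event)
    if not allowed:
        # Exit 2 denies the tool call; the agent sees the policy, nothing more.
        print(f"blocked: {reason}", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Register it as a PreToolUse hook for the Bash tool; the policy still lives inside the agent's process, so it remains a last line, not the enforcement outside the agent the post calls for.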

I often get on my soapbox here about how vulnerabilities in code (will soon) equal public disclosure. Linus Torvalds just made the claim himself, although I think more out of self-preservation, as their mailing list is becoming unusable, than due to the proliferation of LLM vulnerability discovery capabilities like with OpenAnt.

Then, Willy Tarreau laid down the law on what disclosure the kernel team would actually accept, setting the first real standard in the space.

Historically (a few months?) I listen closely when they speak:

- They told us about AI slop becoming real (every week 2-3 reports => 10 reports of slop => 10 real reports).

- About how these reports are starting to be duplicates.

- How they decided to deprecate ancient code (PCMCIA) to reduce attack surface, being proactive in security strategy, and honestly time management.

New ground rules, by Willy Tarreau:
- Keep reports short and human-readable.
- Strip markdown and formatting before submission.
- Avoid speculative “this could lead to nation-state apocalypse” impact analysis.
- Include a working reproducer and actually test it.
- Propose and test a fix before reporting.
- Use judgment: don’t waste maintainer time on obscure dead code or irrelevant edge cases.

In screenshots:

Link to the email, by Willy Tarreau:
https://www.spinics.net/lists/kernel/msg6171524.html

Linus's words:
https://lkml.org/lkml/2026/5/17/896

I just heard Peter G. Neumann passed. He didn’t just shape our field professionally, he built communities.

He helped spread knowledge, and personally helped newcomers by responding to every request to publish on RISKS Digest (risko@), providing them with both visibility into what was going on at a time when there wasn’t much as far as news goes… and enabling them to be visible to the community.

I never met him in person, but I was one of these youngins.

You are already missed. We are diminished. But, those you helped train carry the torch. Thank you.