AI Coding Tools are Becoming a New Persistence Layer
AI Sec News Weekly #7 — 240 sources scanned
We’ve been busy threat-modeling dependencies and pipelines, while the developer environment quietly becomes the new control plane. New worms don’t just poison packages—they settle into the tools developers open all day, turning editors and AI assistants into a persistence layer. The inner loop is no longer just where code gets written; it’s where trust gets re-established on every open, every prompt, every run.
When that loop is compromised, cleanup isn’t a reset—it’s a replay. You can rotate tokens and patch pipelines, but if the environment itself re-triggers execution, the breach keeps breathing. This week’s twist is a reminder to rethink where execution really begins, and whether “local” still means safe. If your tools can act, who’s actually in control? Keep reading.
This Week's Stories
Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages
On April 29, 2026, attackers published malicious versions of four npm packages in the SAP development ecosystem: mbt, @cap-js/db-service, @cap-js/sqlite, and @cap-js/postgres. Each compromised release ships a preinstall hook that downloads the Bun JavaScript runtime from GitHub Releases and uses it to execute an ~11.6 MB obfuscated credential stealer.
Why it matters: This attack shows how AI coding tools are becoming a new persistence layer—malware can now survive simply by being embedded in the developer environment, not just the codebase.
Snyk Blog by Stephen Thoemmes
PyTorch Lightning 2.6.2–2.6.3 on PyPI Trojanized for Credential Theft
Attackers pushed trojanized PyTorch Lightning 2.6.2 and 2.6.3 to PyPI on April 30. A hidden _runtime component drops Bun, then runs an 11 MB router_runtime.js that steals credentials; it validates stolen GitHub tokens against api.github.com/user and upserts a worm to as many as 50 branches per repo, with commits authored to impersonate "Anthropic's Claude Code." It also poisons locally installed npm packages with postinstall hooks for cross-ecosystem spread. PyPI quarantined the builds; maintainers suspect a GitHub account takeover.
Why it matters: Import‑time execution in a top ML package plus npm‑side propagation turns a Python import into a cross‑ecosystem pivot through your dev toolchain.
18 'AI' Extensions Running RATs and MitM
Researchers found 18 'AI helper' browser extensions that are actually RATs, infostealers, and MitM proxies. They surveil email drafts, intercept ChatGPT prompts, and exfiltrate passwords via API interception, passive DOM snooping, traffic proxying, and HTTPS response decryption. Several samples used AI‑generated code. Google removed or warned on all 18 after disclosure.
Why it matters: The browser’s “helpful AI” veneer now masks full‑session interception that reaches into prompts, drafts, and cookies—the exact places your model and SaaS secrets live.
Palo Alto Unit 42 by Shresta Bellary Seetharam, Nabeel Mohamed, Billy Melicher, Oleksii Starov, Qinge Xie, Fang Liu
Tool Spotlight
New repos and releases worth trying.
perplext’s LLMrecon targets OWASP LLM Top 10 with automated attacks
New on GitHub (2026-05-03), LLMrecon bills itself as an enterprise LLM security testing framework implementing the OWASP LLM Top 10. It automates prompt-injection and jailbreak campaigns and hunts for agent/tool misuse to surface exploitable behaviors. With 14 stars, it’s early, but the harness looks usable for red teams and platform engineers to pound on chatbots and agents before they ship.
Why it matters: Automating prompt-style attacks turns LLM testing from vibe checks into repeatable, comparable coverage.
XSafeClaw 1.0.7 adds Nanobot support to live agent defense
XSafeClaw 1.0.7 (PyPI) is a Python agent-security platform with real-time monitoring, guarded chat, and tool-call inspection. The Apr 29 release fully connects to Nanobot alongside OpenClaw and Hermes, unifying mixed runtimes in its “Agent Valley” view. Concrete fit: teams running these stacks who want trajectory-level guards while an agent browses, executes code, or touches assets.
Why it matters: Agent behavior finally has a live dashboard and brakes, not just postmortem logs.
Cisco’s Model Provenance Kit fingerprints model lineage with weight signals
Cisco open-sourced a Python toolkit and CLI that fingerprints models via metadata, tokenizer similarity, and weight-level signals like embedding geometry, normalization layers, energy profiles, and direct weight comparisons. It ships compare and scan modes, the latter matching against a Cisco-curated fingerprint database. Use case: verify a fine-tuned or third-party model is the lineage you expect.
Why it matters: Lineage you can test beats provenance-by-promise and makes model supply-chain risk less hand-wavy.
SecurityWeek by Eduard Kovacs
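To make the fingerprinting idea concrete, here is an added, deliberately simplified illustration of three of the signals the kit is described as using: tokenizer similarity, embedding geometry, and direct weight comparison. It is not Cisco's code and uses no fingerprint database; the "models" are constructed dicts with a vocabulary and a small embedding matrix, the fine-tune is simulated as a small Gaussian nudge to every weight, and the verdict thresholds are assumptions chosen for the example.

```python
"""Toy model-lineage fingerprint: tokenizer overlap, embedding geometry, weight diff.

Added example; not Cisco's Model Provenance Kit. Models are constructed dicts:
{"vocab": set of token strings, "embed": list of embedding rows}.
"""
import math
import random
from typing import Dict, List, Set

Model = Dict[str, object]
SPECIAL_TOKENS = {"<s>", "</s>"}  # shared by unrelated tokenizers, so overlap is never exactly zero


def make_model(seed: int, vocab_prefix: str, n_tokens: int = 32, dim: int = 16) -> Model:
    """Constructed stand-in for a base model."""
    rng = random.Random(seed)
    vocab = {f"{vocab_prefix}{i}" for i in range(n_tokens)} | SPECIAL_TOKENS
    embed = [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n_tokens)]
    return {"vocab": vocab, "embed": embed}


def finetune(model: Model, seed: int, noise: float = 0.01, added_tokens: List[str] = ()) -> Model:
    """Simulate a fine-tune: nudge every weight slightly and optionally add tokens (new rows)."""
    rng = random.Random(seed)
    embed = [[w + rng.gauss(0.0, noise) for w in row] for row in model["embed"]]
    for _ in added_tokens:
        embed.append([rng.uniform(-1.0, 1.0) for _ in range(len(embed[0]))])
    return {"vocab": set(model["vocab"]) | set(added_tokens), "embed": embed}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Tokenizer similarity: shared vocabulary over combined vocabulary."""
    return len(a & b) / len(a | b)


def _cosine(u: List[float], v: List[float]) -> float:
    dot = sum(x * y for x, y in zip(u, v))
    nu = math.sqrt(sum(x * x for x in u))
    nv = math.sqrt(sum(y * y for y in v))
    return dot / (nu * nv) if nu and nv else 0.0


def geometry_signature(embed: List[List[float]]) -> List[float]:
    """Embedding geometry: the token-to-token cosine structure (upper triangle only).

    Scale-invariant, and a small fine-tuning nudge barely moves it, so it survives
    the edits that would defeat a plain hash of the weights.
    """
    n = len(embed)
    return [_cosine(embed[i], embed[j]) for i in range(n) for j in range(i + 1, n)]


def weight_mean_abs_diff(a: List[List[float]], b: List[List[float]]) -> float:
    """Direct weight comparison over the rows both models have."""
    rows = min(len(a), len(b))
    diffs = [abs(x - y) for i in range(rows) for x, y in zip(a[i], b[i])]
    return sum(diffs) / len(diffs)


def fingerprint_similarity(m1: Model, m2: Model) -> Dict[str, object]:
    """Combine the three signals into a lineage verdict (thresholds are assumptions)."""
    rows = min(len(m1["embed"]), len(m2["embed"]))
    vocab_j = jaccard(m1["vocab"], m2["vocab"])
    geom = _cosine(geometry_signature(m1["embed"][:rows]), geometry_signature(m2["embed"][:rows]))
    mad = weight_mean_abs_diff(m1["embed"], m2["embed"])
    if vocab_j > 0.8 and geom > 0.9:
        verdict = "same lineage"
    elif geom > 0.9:
        verdict = "shared weights, different tokenizer"
    elif vocab_j > 0.8:
        verdict = "shared tokenizer, unrelated weights"
    else:
        verdict = "unrelated"
    return {"vocab_jaccard": vocab_j, "geometry_cosine": geom, "weight_mad": mad, "verdict": verdict}


# Constructed models: a base, a fine-tune of it with one added token, and an unrelated model.
BASE = make_model(seed=1, vocab_prefix="tok")
FINETUNED = finetune(BASE, seed=2, added_tokens=["<tool_call>"])
UNRELATED = make_model(seed=3, vocab_prefix="w")

if __name__ == "__main__":
    print("base vs finetune :", fingerprint_similarity(BASE, FINETUNED))
    print("base vs unrelated:", fingerprint_similarity(BASE, UNRELATED))
```

The point of the geometry signal is that a fine-tune that keeps the parent's tokenizer and only nudges weights still scores near 1, while two independently trained models score near 0 even when their special tokens overlap; the direct weight difference then separates "same lineage" from "bit-identical copy".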
Community Chatter
What practitioners are debating.
Schneier casts Anthropic’s Mythos as real, incremental—not a rupture
Schneier reacts to Anthropic’s Claude Mythos Preview, which was touted as autonomously finding and weaponizing vulnerabilities and then kept to a limited partner release. He notes the announcement’s thin details fueled split reactions—skeptics guess GPU scarcity; others see safety restraint—while he calls Mythos a real but incremental step. His essay leans on “shifting baseline syndrome” and a taxonomy: some bugs can be auto‑found, verified, and patched; IoT and industrial gear likely can’t. Complex distributed platforms, he adds, make code‑found issues hard to verify in practice.
Why it matters: The center of gravity shifts from whether AI can hack to which classes of systems get scalable fixes versus permanent exposure—and that reprioritizes what’s actually worth hardening.
Schneier on Security by Bruce Schneier
Quick Hits
- Google Patches CVSS 10 Gemini CLI and Action RCE (The Hacker News) — Google patched a CVSS 10 RCE in @google/gemini-cli and its GitHub Action that let untrusted CI workspaces load .gemini configs and run code on the host.
- TeamPCP Poisons SAP npm Packages in Ongoing Campaign (The Register Security) — TeamPCP trojanized SAP npm packages with preinstall malware to steal GitHub/cloud creds and spread via victim repos; intercom-client and PyPI lightning were also hit.
- Firefox 150 Fixes 271 Bugs Found by Mythos (Schneier on Security) — Firefox 150 shipped fixes for 271 vulnerabilities found by Anthropic’s Claude Mythos during a targeted bug‑hunting push.
- Google Revamps Bug Bounties: Android Up, Chrome Down (SecurityWeek) — Google overhauled its bug bounties, boosting top Android/Pixel/Titan M payouts (up to $1.5M) and trimming Chrome memory‑safety rewards with new multipliers and stricter repro expectations.
- Langflow LambdaFilterComponent Eval Bug Enables Code Execution (CVEFeed.io Latest) — CVE‑2026‑7700: Langflow’s LambdaFilterComponent allows code execution by evaling user‑supplied filters.
- Bluekit Phishing Service Launches with Built-in AI Assistant (BleepingComputer) — New Bluekit phishing‑as‑a‑service adds an AI assistant, 40 templates, domain setup, live session control, and Telegram exfiltration.