惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
Project Zero
Project Zero
K
Kaspersky official blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
Y
Y Combinator Blog
Recorded Future
Recorded Future
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
Microsoft Security Blog
Microsoft Security Blog
H
Help Net Security
S
Schneier on Security
P
Palo Alto Networks Blog
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
SecWiki News
SecWiki News
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Hacker News
The Hacker News
C
Check Point Blog
L
LangChain Blog
腾讯CDC
小众软件
小众软件
T
Tenable Blog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
L
LINUX DO - 最新话题
A
About on SuperTechFans
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
雷峰网
雷峰网
美团技术团队
D
DataBreaches.Net
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
F
Full Disclosure
博客园_首页

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Beyond SLSA: How to Stop Zero-Click CI/CD Worms with a 9-Step Plan
Mohammad-Ali A'RÂBI · 2026-06-18 · via DEV Community

The security perimeter of modern software development has officially collapsed. Historically, protecting your supply chain meant scanning static containers and blocking typosquatted packages. But between late 2025 and mid-2026, a terrifying paradigm shift occurred: adversaries abandoned passive repository poisoning to deploy autonomous, self-replicating worms directly into developer IDEs and CI/CD pipelines.

When developers are no longer just building software but are themselves the perimeter, tools like SLSA Level 3 and container vulnerability scanning are necessary prerequisites—but they remain blind to pre-build, pre-compilation threats. If a worm steals your credentials or compromises your pipeline cache before a container image is ever built, your final Software Bill of Materials (SBOM) will look perfectly fine while carrying authentic, cryptographically verified malicious payloads.

To bridge this structural gap, we introduce the IX Hexbreaker Aegis Framework—a 9-step active defense architecture designed to sanitize the local developer environment, lock down agentic AI, and stop autonomous worms dead in their tracks. For a formal mapping of these structural vulnerabilities across ecosystems, refer to the research article SoK: Weaponizing the Developer Context: A Taxonomy of Autonomous CI/CD Worms and Remediation Architectures (available on doi.org/10.5281/zenodo.20694817).


Chronology of Chaos: The 6 Modern Worm Campaigns

To understand why traditional perimeter security failed, we must look at the rapid evolutionary velocity of the six defining autonomous campaigns in the Shai-Hulud and Miasma lineages:

Six Worms

1. Shai-Hulud Wave 1 (September 2025)

The sandworm made it debut as the first self-propagating npm supply chain worm on record. Attackers gained initial maintainer access via phishing and credential stuffing. Once inside, the worm stole GitHub Personal Access Tokens (PATs) and cloud provider API keys from local developer environments, uploaded them to a public "dead-drop" repository, and autonomously used the stolen tokens to publish infected updates to every package that developer maintained.

2. Shai-Hulud 2.0 (November 2025)

The second wave scaled massively, compromising around 350 user accounts and spawning over 25,000 malicious repositories. Mechanically, this campaign shifted its execution trigger from postinstall to preinstall to maximize stealth. It also pioneered runtime evasion by dynamically downloading a standalone Bun binary to run its core obfuscated payload, completely dodging traditional security tooling looking only for Node.js child processes.

This was still the time that we could disable lifecycles scripts in package managers and install npm packages with --ignore-scripts to block the attack. As they say, it was the most wonderful time of the year—spoiler alert: it would not last.

3. Mini Shai-Hulud (April–May 2026)

Gord and Rothütle putting a Mini Shai Hulud in a sandbox

Orchestrated by the threat group TeamPCP, this variant targeted the enterprise-grade SAP Cloud Application Programming (CAP) ecosystem. It introduced environmental gating (self-terminating if the system language was Russian) and achieved long-term IDE persistence by planting unauthorized startup hooks inside localized AI settings.

This was a turning point in the attack surface: the worm was no longer just targeting package manager lifecycles, but was instead weaponizing the very context in which code is written. That included the AI agents that developers rely on to write code in the first place. This was also a memorable time for me personally, as the worm was first observed on April 29, 2026—my 35th birthday. I guess the universe wanted to give me a "gift" that year (in its German sense)!

4. The TanStack Cache Poisoning Incident (May 11, 2026)

Assignee of CVE-2026-45321, this campaign proved that sophisticated worms no longer counterfeit trust signals; they commandeer pipelines to earn them. By chaining a pull_request_target misconfiguration with a GitHub Actions cache contamination vector, the worm poisoned a shared dependency store. When a highly privileged release workflow ran, it restored the poisoned cache, allowing the worm to scrape OIDC tokens straight out of the runner's worker process memory to sign and publish 84 malicious packages carrying authentic SLSA Level 3 provenance.

This was another major moment, as with this attack, SLSA Level 3 was officially rendered insufficient as a standalone defense. The attack also proved that even if your final SBOM looks clean, it can still be the product of a compromised build environment.

5. Miasma Wave 1: Red Hat npm Packages (June 1, 2026)

A direct descendant of Shai-Hulud, this worm compromised 32 official packages in the @redhat-cloud-services namespace. Attackers bypassed standard code review by committing malicious code via orphan commits. It featured per-infection payload encryption to blind hash-based detection and included a destructive dead-man's switch: if defenders revoked or touched the honeypot token, a background script immediately wiped the developer's home directory.

This means, the worm would take your entire development environment hostage, threatening to delete the "French language package" from your machine: sudo rm -fr ~.

6. Miasma Wave 2: The Phantom Gyp Exploit (June 3, 2026)

Two days later, Wave 2 compromised 57 packages in under two hours. This campaign introduced the "Phantom Gyp" technique, which completely neutralized the industry's standard defense of using the --ignore-scripts flag. Instead of relying on package.json scripts, it weaponized native binding.gyp command substitution, forcing the package manager to execute an arbitrary shell payload during the initial configuration phase before any C++ compiler was even called.

Phantom Gyp: The Opera Worm


The 4 Overlooked Execution Surfaces

As mapped in the SoK paper, these six campaigns achieved rapid, zero-click propagation by targeting four distinct surfaces that fall entirely outside the scope of static scanners:

  • Zero-Click IDE Execution: Hidden workspace configurations (like .vscode/tasks.json) trigger malicious payloads the absolute millisecond an infected repository folder is opened in code editors like VS Code.
  • AI Context Window Poisoning: In advanced waves like the TrapDoor campaign, attackers plant instructions containing invisible zero-width Unicode characters inside files like .cursorrules or .claude/settings.json. These characters are completely invisible to human reviewers but command local AI agents to execute unauthorized scripts.
  • Pipeline Memory Scraping: Highly privileged Linux CI runners are targeted post-installation. Worms scan the /proc directory to scrape ambient OpenID Connect (OIDC) tokens and secret tokens straight out of active process memory, completely bypassing standard build-log secret masking.
  • Native Build Hijacking (Phantom Gyp): Attackers bypass the standard --ignore-scripts defense by appending a tiny, static binding.gyp file to the published package tarball to hijack native node-gyp execution.

When Your Tools Turn Against You


The IX Hexbreaker Aegis Framework: A 9-Step Active Defense Plan

If you have an army of Shai Huluds and Miasmas marching toward your development environment, you need a cool name for your defense strategy: The IX Hexbreaker Aegis. The 9 is Roman, they're breaking the hex, and an aegis is a shield of protection. Nice, right?

The IX Hexbreaker Aegis architecture layers an active, pre-build defense boundary on top of traditional container hardening practices.

                          [ UNTRUSTED REPOSITORY ]
                                     │
           ┌─────────────────────────┴─────────────────────────┐
           ▼                                                   ▼
 ┌───────────────────┐                               ┌───────────────────┐
 │ Local Development │                               │   CI/CD Pipeline  │
 └─────────┬─────────┘                               └─────────┬─────────┘
           │                                                   │
           ├─► 1. AI Agent Sandboxing (Docker Sandboxes)       ├─► 4. OIDC Scope Minimization
           ├─► 2. Pre-Execution Workspace Parsing              ├─► 5. Immutable CI/CD Caching
           ├─► 3. Ephemeral, Air-Gapped Dev Environments       ├─► 7. Heuristic Build-Time eBPF
           ├─► 6. Hardware-Backed Commit Binding               ├─► 8. Egress Traffic Filtering
           └─► 9. Zero-Trust AI Prompts                        └─────────────────────────────────┘

1. AI Agent Sandboxing via Docker Sandboxes

Running localized AI coding assistants directly on a host machine exposes local credential stores to prompt injection. This step mandates wrapping AI agents inside isolated microVMs via Docker Sandboxes. Each session runs under its own kernel, filesystem, and network stack. Because API keys are never injected into the microVM's environment—and are instead handled by a host-side proxy at the network layer—a compromised AI agent cannot find any raw host credentials to steal.

2. Pre-Execution Workspace Parsing

Manual code reviews fail against steganographic payloads. Organizations must implement automated semantic scanning of all hidden AI configuration files (.cursorrules, .claude/settings.json, etc.) prior to context-loading. Utilizing LLM-based semantic judging helps identify hidden zero-width Unicode instructions and malicious execution trajectories before your primary development AI processes them.

3. Ephemeral, Air-Gapped Development Environments

Replace static, long-lived local development environments with remote, containerized alternatives like Dev Containers or GitHub Codespaces. These environments must enforce strict egress network filtering. By air-gapping the container and explicitly allowlisting only verified registries, a background worm's killchain is severed because it can neither download secondary runtimes nor reach out to an external command-and-control server.

4. Strict OIDC Scope Minimization

The TanStack cache poisoning incident proved that overly broad OIDC permissions allow background malware to hijack trusted publisher workflows. Ensure JSON Web Tokens (JWTs) are generated with the absolute minimum Time-to-Live (TTL) required for a specific job step, and bind them to restricted, precise audiences. Never expose token-writing privileges to general, multi-purpose pipeline jobs.

5. Immutable CI/CD Caching

Internal caching mechanisms often bypass repository workflow boundaries. Under this rule, caches generated by unvetted fork-context pull requests must be completely isolated from high-privilege release workflows. Cryptographic hash verification must be enforced on package manager caches to guarantee that a poisoned pull request cannot inject malicious binaries into a shared repository store.

6. Hardware-Backed Commit Binding

Worms rapidly spread sideways through development environments by stealing local SSH keys or Personal Access Tokens (PATs) to commit code autonomously. This step mandates that all commits and Git tags be cryptographically signed using FIDO2 hardware security keys (e.g., a YubiKey using an sk-ed25519 key format). Because the key requires a physical capacitive touch to sign, an automated background process is structurally blocked from making commits.

7. Heuristic Build-Time Anomaly Detection

Static image analysis cannot catch multi-stage, uniquely encrypted droppers executing in real time. Implement kernel-level observability using eBPF to trace process execution trees inside your build systems. The heuristic engine should immediately flag and quarantine anomalous subprocesses, such as an unprompted node-gyp rebuild on a package containing no legitimate native code.

8. Egress Traffic Filtering in CI Pipelines

CI/CD runners should never operate with unrestricted outbound network access. Enforce a default-deny network egress policy at the runner level during the test and build phases. Limiting outbound communication exclusively to vetted registries blocks a scraping worm from exfiltrating plaintext process memory dumps to external dead-drops.

9. Zero-Trust AI Prompts

Apply Role-Based Access Control (RBAC) directly to the execution profiles of AI coding agents. Rather than giving an LLM tool unfettered terminal access, drop permissions that allow an agent to run arbitrary shell scripts, read .env files, or modify system configurations without direct, human-in-the-loop Multi-Factor Authentication (MFA) approval.


The Hexbreakers fighting giant worms

Actionable Execution Blueprint

If you are defending an enterprise engineering organization, you can implement the IX Hexbreaker Aegis framework in three logical phases to minimize friction:

Phase 1: Immediate Lockdown (Days 1–5)

  • OIDC and Caching: Add permissions: {id-token: none} globally to every GitHub Actions workflow, granting write access only to specific publish steps. Separate cache keys immediately so fork PRs cannot contaminate your release scopes.

  • Dependency Cooldown: Configure Dependabot or Renovate to require a minimum package release age of 5 days before allowing an auto-merge, forcing malicious bursts to be caught by public threat intel beforehand.

  • AI Controls: Set project-level AI settings to deny shell execution without explicit confirmation.

Phase 2: Pipeline Hardening (Weeks 2–4)

  • Network Filters: Deploy default-deny egress firewalls (such as StepSecurity Harden-Runner) on your CI workflows to break potential C2 phone-home logic.

  • Pinning: Audit configuration repositories to substitute mutable action version tags with immutable, cryptographically secure commit SHAs.

Phase 3: Total Isolation (Month 2+)

  • Toolchain Sandboxing: Migrate development workspaces to containerized Dev Containers. Mandate the sbx CLI tool for all local engineer interaction with AI coding assistants to enforce hardware-isolated microVM containment.

  • Hardware Enforcement: Issue FIDO2 security tokens to all core package maintainers, configuring Git to refuse unauthenticated, unsigned commits locally and upstream.

Treating supply chain integrity as a static checkbox will guarantee that you fall victim to the next evolution of automated threats. Moving your active defenses entirely to the left—and protecting the very context in which code is written—is the only way to build software safely in an era of autonomous worms.