惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
IT之家
IT之家
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
I
InfoQ
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
博客园 - Franky
C
Check Point Blog
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog
Recent Announcements
Recent Announcements
云风的 BLOG
云风的 BLOG
美团技术团队
The Cloudflare Blog
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
V
V2EX
aimingoo的专栏
aimingoo的专栏
GbyAI
GbyAI
G
Google Developers Blog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
罗磊的独立博客
量子位
MongoDB | Blog
MongoDB | Blog
Last Week in AI
Last Week in AI
Stack Overflow Blog
Stack Overflow Blog
小众软件
小众软件
D
Docker
人人都是产品经理
人人都是产品经理

The New Stack | DevOps, Open Source, and Cloud Native News

Agentic development hinges on verification. For cloud-native software, that is a runtime problem. AI agents need infrastructure: Why Europe’s regional cloud strategy matters Transform your AI coding agent into a deterministic Java Spring expert WeAreDevelopers is coming to the US to give unsung developers a bigger voice Cleaner AI training data, fewer bugs: Sonar’s SonarSweep explained Observability overload is drowning engineers Google’s DiffusionGemma is 4x faster than its other Gemma models Fable 5: Guardrails and burn rate are annoying users, who say it’s still better than Opus 4.8 The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops. AWS can now mathematically prove your VMs are isolated Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised Databricks wants to kill the “email me a file” problem for AI agent skills Ramp bets forward deployed engineers can do what off-the-shelf finance AI can’t Git real: AI agents aren’t just for solo developers anymore Anthropic launches Claude Mythos/Fable 5, but you better try it soon Spring is 23 years old. AI just made it a security emergency. This AI agent startup ditched Anthropic for DeepSeek — and says it’s saving millions When your data model is the bottleneck: lessons from Medium’s feature store How long before we stop reading the code? The tokenmaxxing party is over, and Revenium is mopping up How AI is solving the memory crunch it created Microsoft’s pitch to enterprises: Ditch Azure Repos for GitHub, despite its rocky reliability record Claude Code’s biggest upgrade yet ran 5 agents at once — here’s what happened Why Anthropic just doubled Claude Cowork limits at no charge For years, Apache Cassandra handed this work to your team — 6.0 takes it back “A dangerous combination”: The 2 factors that can “corrupt” AI agent workflows With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability Microsoft unlocks Visual Studio for developers left behind by its own AI AI teams now deploy 1,000 times a month. Your pipeline wasn’t built for that. Microsoft just made the agent runtime free — and kept everything around it “Whoever builds the most joyous product wins”: The agent war begins Netlify CTO Dana Lawson: Writing code is no longer the job From Jupyter Notebook to production: How to ship AI systems that actually work OpenClaw used Gavriel Cohen’s code and exposed the AI Agent accountability problem Replit shows how vibe coding is getting its own financial stack — and a path to profit Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle? Cursor cuts prices and adds enterprise spend controls amid “tokenomics” reckoning Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop Snowflake thinks it knows what’s really slowing developers down Autonomous agents have met their biggest challenge yet: The database. Why agentic AI makes the ops platform the most important layer in the enterprise How to dramatically improve enterprise security alert tuning to battle cyberattacks Why the need for humans won’t disappear in the age of autonomous databases How to secure Kubernetes in the age of AI workloads Asana says its new AI “chief of staff” turns your Slack chaos into trackable work Nvidia’s best model is now live Mate Security’s Asaf Wiener made every backend engineer a model router. He’s right to. The AI cost crisis finally has a watchdog — just not the companies causing it How to get operational data off the factory floor without creating an IT breach Why CPUs still matter in the age of AI agents Rayfin: Microsoft’s answer to the gap between vibe coding and enterprise production Microsoft bets the enterprise AI race will be won on data context, not model power “A successful attack could be catastrophic”: Anthropic gives more groups access to Claude Mythos How GitHub plans to win developers back Microsoft really, really, really wants developers to love Windows again With Intelligent Terminal, Microsoft is reinventing the Windows terminal Microsoft debuts “Scout” at Build, a new personal agent for work OpenAI’s Codex adds new tools — Sites, Annotations, more plugins — for knowledge workers GitHub Copilot’s usage-based billing is live: Here’s what you need to know OpenAI, Anthropic, Google, Amazon, and xAI all fail on type of attack, study finds JetBrains open-sources Mellum2 to go where Claude Code can’t Claude Code vs. Cursor vs. Codex vs. Antigravity — six months in This coding agent doesn’t want your feedback — it ships without it “Blowing things up”: The one move vendors got wrong on AI agents At Sapphire, SAP makes the case that enterprise AI is a context problem Gavriel Cohen found his own code inside OpenClaw, so he walked away AI retrieval at scale is becoming a systems problem, not a tooling problem The DIY platform trap that’s burning out engineering teams I tested Cursor’s new Jira integration and it’s 5 stars, no notes. Here’s why. Why GPT-5.4, Claude, and Gemini can’t agree on basic, real-world facts Replit’s vibe coding platform just got a Visa-backed identity layer for AI agents — and it changes how agents spend money Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent. Why Linux creator Linus Torvalds gets angry hearing “99% of code is AI” Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem “The AI did it” won’t save you when EU regulators come knocking The fix for soaring AI cloud bills exists — so why won’t we trust it? AI is shipping code faster than security was built to handle Why AWS scrapped OpenSearch’s architecture to chase agent workloads Claude Opus 4.8 is here: effort controls, dynamic workflows, cheaper fast mode, better honesty, less deception Percona celebrates 20th birthday with new foundation — and a goat cake Why OpenAI and Anthropic are hiring forward deployed engineer teams Claw-style AI agents are coming to the enterprise. The governance infrastructure is still catching up. The agentic identity crisis: Why your security isn’t ready for the AI revolution Debugging the undebuggable: building observability into probabilistic AI systems Snowflake commits $6B to AWS as it pushes deeper into AI Why MotherDuck refuses to fork DuckDB Researcher “gave Claude Code ‘ADHD’… and it thinks 2x better now.” Outside experts want more proof. “Tokenmaxxing is real, expensive & it’s spreading”: AI budgets are exploding With Google’s debut, the most important AI agent feature is now the most boring one Why AI agents need a Context Lake Google ranks the best AI for building Android apps, and the winner isn’t Gemini Google pushes Pro, Ultra, and free users from open-source Gemini CLI to closed-source Antigravity CLI The reason enterprise outages almost never start where ops teams think Taming the agentic influx: a blueprint for AI business observability How the AC/DC framework helps teams govern AI coding agents GitLab 19.0 trades its string section for a full DevSecOps orchestra Who’s monitoring the agents? How Jaeger hit 8.6× compression on 10 million spans with ClickHouse What ClickHouse learned from a year of coding with AI agents OpenClaw passed 300,000 GitHub stars. Then Google launched Spark.
“There is no accountability”: AI coding agents are installing packages no one owns
Darryl K. Taft · 2026-05-28 · via The New Stack | DevOps, Open Source, and Cloud Native News

“There is no accountability.”

It’s how Willem Delbare, co-founder, CTO, and CEO of Aikido Security, describes to The New Stack situations in which an AI agent installs a package and nobody has decided who should be responsible for it.

It exposes enterprises to all manner of attacks as people across the org — marketing, sales, product — use AI.

At most companies right now, no one has made the decision, and no one owns the risk. There’s a gap that has opened up, allowing attacks to slip through, Delbare says.

That is the gap Delbare says his Aikido Security is trying to close. As AI coding agents like Claude Code, GitHub Copilot, and Cursor increasingly pull packages, add dependencies, and install tools autonomously, security teams are flying blind.

Last month, Aikido introduced Aikido Endpoint, which inspects packages, plugins, and IDE and browser extensions before every installation and automatically blocks malware before it’s downloaded.

Endpoint enables enterprises to securely and at scale embrace AI-native software development workflows by providing security teams with real-time monitoring and policy enforcement, while giving developers the flexibility to safely use packages, MCPs, extensions, AI models, and AI agents to meet the demands of modern development.

In March, the company also debuted Aikido Infinite, a continuous AI penetration testing platform designed to make software self-securing. It aims to address the limitations of traditional, manual penetration testing by providing continuous security validation throughout the software development lifecycle.

Akido isn’t alone in this market. Socket, which just closed a $60 million Series C at a $1 billion valuation, focuses on real-time detection and blocking of malicious open source packages — claiming it identified a malicious dependency in the widely used Axios JavaScript package within six minutes and helped organizations block it before it reached production. Endor Labs, meanwhile, launched AURI in March 2026, a Skills plugin, an MCP server, and a CLI designed to detect actual vulnerabilities in real time within coding assistants like Cursor and Claude Code.

Chainguard takes a different angle entirely, providing hardened minimal container images and curated package repositories — securing the infrastructure layer before a line of code is written. Earlier this year, Snyk‘s security researchers completed what they called the first comprehensive audit of the AI agent skills ecosystem, scanning nearly 4,000 skills and finding that more than a third contained at least one security flaw — underscoring how quickly the attack surface is expanding across the entire market. Also, Arcjet provides runtime enforcement inside agentic workflows, prompt injection, and PII blocking. And Mobb Security goes after AI agent skill supply chain vulnerabilities.

Delbare spoke with The New Stack about where Aikido fits in that landscape — and why he thinks the accountability gap is the problem the industry has yet to solve.

The following interview has been edited for clarity and brevity.

Who owns the security policy for what an AI coding agent is allowed to install — is that a developer decision, a security team decision, or is it undefined at most companies right now?

At most companies right now, it’s undefined, and that’s a real risk. When a human developer installs a package, there’s at least implicit accountability. When an agent acts autonomously, there is no accountability unless someone has deliberately assumed ownership.

Our view is that security teams need to set the guardrails (the policies, thresholds, and approved ecosystems), and developers should be able to move freely within them. The agent operates inside that envelope. That’s not a new model; it’s just applying the same shared responsibility model that works for human developers.

Most enterprises have no visibility into agent-initiated installs. Is Aikido seeing this in customer environments — agents quietly pulling in packages that nobody reviewed?

Just today, we had a discussion with a customer who wants to make sure even non-developer devices are covered. Less technical teams in product, sales, and marketing are using AI agents to accomplish work without realizing that packages and agent skills are being installed in their local environments. Security teams have essentially no control or visibility into the risk or a way to identify affected machines after an incident. 

AI coding agents pull packages and add dependencies autonomously — how does Endpoint distinguish between a human-initiated install and an agent-initiated one, and does that distinction change how it responds?

It doesn’t make a distinction. The risk of installing malware is independent of a human or agent-initiated action.

Which AI coding agents (Copilot, Cursor, Claude Code, Devin, etc.) does Endpoint currently monitor, and how does coverage work as new ones ship?

Endpoint monitors AI tools and models across Gemini, OpenAI, GitHub
Copilot, xAI, MCP
Servers, Claude Code, and skills.sh. The agent just needs to be updated when new ones ship.

AI agent skills marketplaces are listed as a coverage area — which ones specifically, and how mature is that coverage?

Currently, we cover skills.sh and the VS Code Marketplace.

Your press release mentions the “$8 ChatGPT subscription,” lowering the barrier to writing supply chain malware. What does AI-generated supply chain malware actually look like differently from human-written — is it harder to detect, more polymorphic, higher volume?

AI is fueling much more sophisticated attacks. In twelve months, we went from single-package compromises to self-replicating worms to full CI/CD pipeline hijacks chaining across registries. The principal changes are a reduced barrier to entry and attack velocity. Where a talented hacker might spend significant time probing for vulnerabilities, this work can now be dispatched to AI agents.

Does Aikido Intel, which cites a 100,000 malicious packages/day figure, use AI detection to keep up with AI-generated malware? What’s the methodology?

Yes, Aikido Intel uses AI and our in-house research team to discover vulnerabilities in the open source supply chain.

Intel works by reviewing all publicly available changelogs and release notes to determine whether security fixes have been made but not disclosed. We use two LLM models to achieve this. One LLM is used to filter the data and remove all unnecessary context. Then, the second LLM focuses on vulnerability analysis. A human security engineer then reviews the LLMs’ discoveries, validates the findings, and releases an Intel when a vulnerability is confirmed.

This methodology has been extremely effective at identifying vulnerabilities while requiring much less computational power than scanning all codebases, systems, or live environments directly for potential security issues with LLMs.

Endpoint enforces a 48-hour install block. That’s a blunt instrument — lots of legitimate packages ship fast. How many false positives does that generate in practice, and how does the request-and-approval workflow handle developer friction?In practice, how often does a developer need the version that shipped this morning rather than the one from last week? Almost never. The install block targets a window in which the vast majority of malicious packages are caught, and legitimate development is almost never blocked.

Endpoint falls back to an allowed package version. In this case, a version older than the 48-hour install block. But the install block is a configurable setting. Teams can match the install block to their risk tolerance per ecosystem. For example, as many attacks have targeted npm, 48 hours might make sense, whereas for Maven Central, with its GPG signing requirements, you may not need an install block.

Packages or entire groups of packages can be whitelisted, which bypasses the install block, and, for installs that need to move faster, developers can request one-off approvals.

YOUTUBE.COM/THENEWSTACK

Tech moves fast, don't miss an episode. Subscribe to our YouTube channel to stream all our podcasts, interviews, demos, and more.

Created with Sketch.