Top AI Coding Agent security resources — July 2026

Coding Agent Security Digest Sergey todayJuly 9, 2026

Background
share close

July 2026 exposed a harsh reality for developer productivity tools: AI coding agents are actively expanding our attack surface faster than we can patch them. This month was dominated by catastrophic supply chain flaws, notably the poisoning of the Claude Code GitHub Action and the revelation of GuardFall, a universal shell injection design flaw affecting over half a million open-source deployments. Agents became fully autonomous teammates executing commands in CI/CD pipelines, and legacy security paradigms like string-based denylists and static skill scanning are proving completely obsolete against dynamic, compositional attacks.

Statistics

Total resources: 19
Category breakdown:

Category Count
Attack technique 6
Coding agent vulnerability 4
Coding agent defense 3
Coding agent security resource 2
Threat modelling 1
CISO resources 1
Training materials 1
Coding agent security 101 1

Coding Agent security resources:

Attack technique

The sorry state of skill distribution

Researchers trivially bypassed ClawHub, Cisco’s skill scanner, and all three skills.sh scanners in under an hour. The simplest bypass involved prepending 100,000 newlines, which caused the VirusTotal and GPT-5.5 guards to truncate the file before the payload and falsely mark it safe.

Clone this repo and I own your machine

Mozilla’s 0DIN research shows how a perfectly clean GitHub repo can hijack Claude Code by throwing a fake setup error. The agent is prompted to run an init script that fetches a reverse-shell payload from a DNS TXT record, rendering the attack invisible to standard scanners.

Agentjacking: A fake bug report hijacks your AI coding agent

A proof-of-concept attack managed to plant malicious instructions in Sentry error events via a public DSN. Consequently, MCP-connected agents like Claude Code, Cursor, and Codex executed the attacker code at 85% success across thousands of exposed organizations.

One goal, many commands: Characterizing denylist fragility in AI agents

An empirical study of command-denylist bypasses in terminal coding agents focuses specifically on Claude Code’s built-in denylist. A custom ShellSieve pipeline analyzing 1,709 real-world denylists proves how fundamentally shell semantics defeat static string-based security guards.

PhantomSkill: Malicious code injection in agent skill ecosystems

The VulMask attack framework successfully hides malicious behavior in a coding-agent skill’s auxiliary resources by disguising it as vulnerability-shaped code. This technique effortlessly evades skill scanners and automated reviewers across major coding agents.

Computer-use and TOCTOU: What you click is not what you get!

Johann Rehberger demonstrates a severe time-of-check/time-of-use (TOCTOU) attack against computer-use and coding agents. By altering the UI between the agent’s visual check and its physical action, the agent is tricked to click or approve something unintended.

Coding agent vulnerability

GuardFall: a universal shell injection vulnerability in open-source AI agents

Adversa AI demonstrated that decades-old shell-quoting bypasses easily defeat pattern-based command guards in 10 out of 11 popular open-source coding agents. This is a severe structural design flaw lacking a formal CVE, leaving thousands of deployments critically exposed.

Poisoning Claude Code: One GitHub issue to break the supply chain

Security researchers successfully chained an authorization bypass, indirect prompt injection, and environment-variable exfiltration within the Claude Code GitHub Action. This meant a single public GitHub issue could compromise any repo utilizing the workflow.

Securing CI/CD in an agentic world: Claude Code GitHub Action case

Microsoft Threat Intelligence revealed that the un-sandboxed Read tool in the Claude Code GitHub Action could arbitrarily read /proc/self/environ. This critical flaw leaked the ANTHROPIC_API_KEY via prompt injection hidden within untrusted GitHub content.

Benign in isolation, harmful in composition: Security risks in agent skill ecosystems

SCR-Bench systematically measures how individually-benign coding-agent skills can compose into highly harmful behaviors when chained together. The research exposes a vast compositional attack surface that traditional per-skill scanning architectures completely miss.

Coding agent defense

Lingering authority: Revocable resource-and-effect capabilities for coding agents

PORTICO introduces a reference monitor that issues coding agents epoch-bound, fully revocable capability handles. This framework effectively closes the dangerous lingering authority gap where an agent’s tool access outlives the specific subgoal that originally required it.

Detecting malicious agent skills in the wild using attention

‘Locate-and-Judge’ proposes a novel two-stage attention-based detector designed specifically for malicious skills loaded by agents like Claude Code and Gemini CLI. It provides a robust defense mechanism against the escalating skill supply-chain threat emerging from third-party marketplaces.

ActPlane: Programmable OS-level policy enforcement for agent harnesses

This solution leverages an eBPF and information-flow-control DSL to enforce CLAUDE.md and AGENTS.md-style security policies directly at the OS kernel level. Evaluated across coding and safety benchmarks, it rigorously hardens coding-agent harnesses to prevent unauthorized execution.

Coding agent security resource

MalSkillBench: A runtime-verified benchmark of malicious agent skills

This comprehensive benchmark comprises 3,944 runtime-verified malicious skills specifically targeting coding-agent ecosystems like Claude Code. It allows security teams to conduct a systematic evaluation of skill scanners against authentic, real-world malicious behaviors.

10 security & QA skills for AI coding agents

A highly curated resource detailing ten in-loop security skills and MCP servers that coding agents can proactively invoke mid-session. It features rigorous hands-on testing alongside honest capability assessments for both Claude Code and Cursor.

Threat modelling

Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us

Microsoft AI Red Team’s v2.0 taxonomy update formally adds seven new agentic failure modes, including supply-chain compromise and excessive agency. Backed by 12 months of operational data, it highlights that consent-fatigue bypass remains the most actively exploited vulnerability.

CISO resources

State of Agentic AI security and governance 2.01

The OWASP GenAI Security Project’s latest update catalogs real-world incidents, CVEs, and vendor advisories strictly mapped to the Top 10 for Agentic Applications. It provides security leaders with a much-needed governance maturity matrix and detailed regulatory landscape overview.

Training materials

Claude Code sandboxing: A complete guide for enterprise teams

An exhaustive enterprise guide detailing how to properly run Claude Code in a restricted sandbox, encompassing deep filesystem and network isolation strategies. It covers essential corporate configurations integrating Zscaler, Intune/Jamf, and AWS Bedrock.

Coding agent security 101

AI coding agents in 2026: A practical roadmap from autocomplete to cloud teammates

This practical roadmap frames 2026 as the definitive agent-engineering phase, explicitly outlining why a system’s blast radius inherently grows alongside its autonomous capabilities. It relies heavily on Anthropic’s sandboxing methods and OWASP’s MCP Top 10 to establish guidelines for secure cloud teammates.

Kill the denylist, enforce the sandbox

The incidents this month confirm that attempting to secure coding agents through model-level filters, command denylists, and isolated code/skill scanning is a failed strategy. Attackers are easily traversing trust boundaries using DNS TXT records, UI manipulation, and compositional logic that bypasses these guards entirely. Security engineering teams must complement existing filters with hard OS-level enforcement, runtime security aware of agentic execution chain, ephemeral capabilities that revoke automatically, and comprehensive network sandboxing for all agent harnesses in the CI/CD pipeline.

Written by: Sergey

Rate it
Previous post