{"id":365,"date":"2026-07-12T08:56:00","date_gmt":"2026-07-11T23:56:00","guid":{"rendered":"https:\/\/www.theagenticprotocol.com\/?p=365"},"modified":"2026-07-15T08:39:51","modified_gmt":"2026-07-14T23:39:51","slug":"coding-agent-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/","title":{"rendered":"Coding Agent Supply Chain Attack: Critical July 2026 Warning"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The coding agent supply chain attack just moved from theoretical category to documented production incident \u2014 and this time the target isn&#8217;t the code your agents write, but the tools your team uses to build agents in the first place.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Adversa AI&#8217;s July 2026 security digest, published this week, documents three related findings that together define a new attack surface category. Microsoft Threat Intelligence confirmed that the un-sandboxed Read tool in the Claude Code GitHub Action could arbitrarily read <code>\/proc\/self\/environ<\/code> \u2014 the Linux process environment file that contains every environment variable the process can see, including <code>ANTHROPIC_API_KEY<\/code>. A single public GitHub issue containing hidden prompt injection instructions was sufficient to trigger the exfiltration. Separately, security researchers chained an authorization bypass, indirect prompt injection, and environment-variable exfiltration within the same GitHub Action workflow. Separately again, a universal shell injection design flaw called GuardFall was found to affect more than half a million open-source coding agent deployments \u2014 and the existing skill scanners meant to detect it were bypassed trivially, in some cases by prepending 100,000 newlines to push the payload past the scanner&#8217;s truncation limit.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/www.theagenticprotocol.com\/wp-content\/uploads\/2026\/07\/c8d50748-ddb6-475e-8ec5-3032a25a5aa7-1024x576.jpg\" alt=\"coding agent supply chain attack Claude Code GitHub Action 2026\" class=\"wp-image-366\" srcset=\"https:\/\/www.theagenticprotocol.com\/wp-content\/uploads\/2026\/07\/c8d50748-ddb6-475e-8ec5-3032a25a5aa7-1024x576.jpg 1024w, https:\/\/www.theagenticprotocol.com\/wp-content\/uploads\/2026\/07\/c8d50748-ddb6-475e-8ec5-3032a25a5aa7-300x169.jpg 300w, https:\/\/www.theagenticprotocol.com\/wp-content\/uploads\/2026\/07\/c8d50748-ddb6-475e-8ec5-3032a25a5aa7-768x432.jpg 768w, https:\/\/www.theagenticprotocol.com\/wp-content\/uploads\/2026\/07\/c8d50748-ddb6-475e-8ec5-3032a25a5aa7.jpg 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This post breaks down what the coding agent supply chain attack surface actually looks like now, why the existing mitigation approaches are structurally inadequate, and the hardening checklist that closes the gaps these findings exposed.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#How_the_Coding_Agent_Supply_Chain_Attack_Pattern_Works\" >How the Coding Agent Supply Chain Attack Pattern Works<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Why_Model-Level_Filters_Failed_Against_the_Coding_Agent_Supply_Chain_Attack\" >Why Model-Level Filters Failed Against the Coding Agent Supply Chain Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Hardening_Your_CICD_Pipeline_Against_Coding_Agent_Supply_Chain_Attack\" >Hardening Your CI\/CD Pipeline Against Coding Agent Supply Chain Attack<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Layer_1_%E2%80%94_Credential_Isolation_at_the_CICD_Level\" >Layer 1 \u2014 Credential Isolation at the CI\/CD Level<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Layer_2_%E2%80%94_Filesystem_and_Network_Sandboxing\" >Layer 2 \u2014 Filesystem and Network Sandboxing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Layer_3_%E2%80%94_Untrusted_Content_Isolation\" >Layer 3 \u2014 Untrusted Content Isolation<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#The_Immediate_Hardening_Checklist\" >The Immediate Hardening Checklist<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#The_Builders_Takeaway\" >The Builder&#8217;s Takeaway<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/#Continue_in_This_Series\" >Continue in This Series<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_the_Coding_Agent_Supply_Chain_Attack_Pattern_Works\"><\/span>How the Coding Agent Supply Chain Attack Pattern Works<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Previous posts in this security series covered attacks that move through agent pipelines \u2014 a malicious web page reaching an MCP server (<a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/mcp-remote-code-execution\/\">MCP Remote Code Execution<\/a>), a convincing conversation reaching an account-action tool (<a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/ai-agent-social-engineering\/\">AI Agent Social Engineering<\/a>), an autonomous ransomware executing through a compromised orchestration framework (<a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/autonomous-ai-ransomware\/\">JADEPUFFER<\/a>). All of those attacks targeted the agent&#8217;s runtime behavior.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The coding agent supply chain attack targets earlier in the chain \u2014 the CI\/CD infrastructure where agents run as part of automated workflows. A GitHub Action that invokes Claude Code to review pull requests, fix issues, or run tests operates in an environment where the agent has file system access, environment variable access, and network access simultaneously. That&#8217;s the <a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/lethal-trifecta-ai-agents\/\">Lethal Trifecta<\/a> in its most dangerous form: the agent holds private data access (repository code, environment variables), processes untrusted content (public GitHub issues and PR descriptions), and has external communication capability (GitHub API writes, outbound network). An attacker who can influence a public GitHub issue can write an instruction that the agent&#8217;s Read tool picks up as a file, interprets as an instruction, and acts on \u2014 including exfiltrating the API key stored in the environment variable the action was given access to.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_Model-Level_Filters_Failed_Against_the_Coding_Agent_Supply_Chain_Attack\"><\/span>Why Model-Level Filters Failed Against the Coding Agent Supply Chain Attack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Adversa AI report&#8217;s framing of the fundamental problem is precise: attempting to secure coding agents through model-level filters, command denylists, and isolated skill scanning is a failed strategy. Three specific failure modes document this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scanner truncation bypass (GuardFall).<\/strong> Skill scanners \u2014 including Cisco&#8217;s ClawHub and the three major skills.sh scanners \u2014 use file-based analysis that truncates inputs above a size threshold. Prepending 100,000 newlines pushes any payload past the truncation limit, causing the scanner to inspect only the harmless preamble and mark the file safe. This bypass required no model knowledge and no zero-day exploit. It required understanding that the scanner had a buffer limit.<\/li>\n\n\n\n<li><strong>SCR-Bench compositional attacks.<\/strong> Individually-benign coding agent skills \u2014 read a file, summarize a document, write an output \u2014 compose into harmful behavior chains that no individual skill analysis would flag. A skill that reads <code>\/proc\/self\/environ<\/code> passes every reasonable security review. A skill that writes to an outbound URL also passes. Combined in a single agent session, they exfiltrate the environment in two steps that each look legitimate in isolation. This is the same compositional vulnerability the <a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/black-hat-2026-ai-agents\/\">Trust Handoff<\/a> post described as a pipeline-stage failure \u2014 now manifesting in the skill composition layer.<\/li>\n\n\n\n<li><strong>Consent fatigue bypass.<\/strong> Microsoft&#8217;s AI Red Team v2.0 taxonomy update, which formally added seven new agentic failure modes including supply-chain compromise, identifies consent-fatigue bypass as the most actively exploited vulnerability. Users who approve agent permissions repeatedly become habituated to doing so and approve without reading \u2014 a behavioral exploit that no technical scanner addresses.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hardening_Your_CICD_Pipeline_Against_Coding_Agent_Supply_Chain_Attack\"><\/span>Hardening Your CI\/CD Pipeline Against Coding Agent Supply Chain Attack<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The correct mitigation stack follows from the NSA&#8217;s official MCP hardening guidelines published this month and the structural conclusions from Adversa AI&#8217;s findings. Three layers are required simultaneously \u2014 none alone is sufficient:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Layer_1_%E2%80%94_Credential_Isolation_at_the_CICD_Level\"><\/span>Layer 1 \u2014 Credential Isolation at the CI\/CD Level<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>ANTHROPIC_API_KEY<\/code> exfiltration worked because the key was present in the process environment where the agent ran. The fix from the <a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/autonomous-ai-ransomware\/\">JADEPUFFER credential isolation<\/a> post applies directly to CI\/CD: the agent should receive only the credentials required for its specific task in that run, scoped to the minimum permissions that task requires.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># .github\/workflows\/agent-pr-review.yml\n# WRONG: passing all secrets into the agent's environment\n# This gives the agent access to every secret the workflow has access to,\n# including secrets it doesn't need for PR review\n\n# - name: Run Claude Code review\n#   env:\n#     ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n#     STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}      # \u2190 not needed\n#     DATABASE_URL: ${{ secrets.DATABASE_URL }}            # \u2190 not needed\n#     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n\n# CORRECT: scope secrets to the exact task\n# The PR review agent needs only the Anthropic key and a read-only GitHub token.\n# It has no legitimate reason to see payment or database credentials.\n\nname: Agent PR Review (Hardened)\non:\n  pull_request:\n    types: &#91;opened, synchronize]\n\njobs:\n  agent-review:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read          # read-only: no writes to repo\n      pull-requests: write    # write comments only, not push code\n    steps:\n      - uses: actions\/checkout@v4\n\n      - name: Run scoped Claude Code review\n        env:\n          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n          # No other secrets. GITHUB_TOKEN is auto-scoped by permissions above.\n        run: |\n          claude --review-only --no-file-write --no-network-outbound \\\n                 \"Review this PR for security issues only. Do not modify files.\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Layer_2_%E2%80%94_Filesystem_and_Network_Sandboxing\"><\/span>Layer 2 \u2014 Filesystem and Network Sandboxing<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># The \/proc\/self\/environ read that leaked the API key\n# required unsandboxed filesystem access. Block it explicitly.\n\n# For GitHub Actions running on Ubuntu:\n# 1. Use a restricted container image that removes \/proc access\n# 2. Or run Claude Code with explicit filesystem restrictions\n\n# claude --allow-paths \".\/src,.\/tests\" prevents the agent from\n# reading \/proc, \/etc, or any path outside the allowed list.\n# This is the single most effective mitigation for the specific\n# \/proc\/self\/environ exfiltration vector.\n\n- name: Run sandboxed agent\n  env:\n    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n  run: |\n    claude \\\n      --allow-paths \".\/src,.\/tests,.\/docs\" \\\n      --disallow-read \"\/proc,\/etc,\/sys,\/home\" \\\n      --no-network-outbound \\\n      \"Review the changed files in this PR for security vulnerabilities.\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Layer_3_%E2%80%94_Untrusted_Content_Isolation\"><\/span>Layer 3 \u2014 Untrusted Content Isolation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The prompt injection that triggered the exfiltration arrived through a public GitHub issue \u2014 untrusted content that the agent&#8217;s Read tool processed as if it were a trusted instruction. This is the <a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/lethal-trifecta-ai-agents\/\">Lethal Trifecta<\/a> trust level problem at the CI\/CD layer: the agent holds API credentials, processes public user-submitted text, and has write access to comment on PRs. Separating untrusted content processing from credential-holding sessions is the structural fix.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from trust_levels import TrustLevel, PipelinePayload, execute_action_stage\n\n# PR description and issue body are UNTRUSTED_EXTERNAL \u2014\n# they come from any public GitHub user, including attackers.\n# This prevents untrusted content from authorizing credentialed actions.\n\npr_description = PipelinePayload(\n    content=github_event&#91;\"pull_request\"]&#91;\"body\"],    # public user input\n    trust_level=TrustLevel.UNTRUSTED_EXTERNAL,\n    source_stage=\"github_event_payload\"\n)\n\n# The review action requires INTERNAL_AGENT_OUTPUT trust minimum \u2014\n# only content produced by the agent's own analysis satisfies this.\n# Raw PR descriptions do not, regardless of what instructions they contain.\ntry:\n    review_comment = execute_action_stage(\n        pr_description,\n        min_required=TrustLevel.INTERNAL_AGENT_OUTPUT\n    )\nexcept Exception as e:\n    # Block: the PR description tried to be treated as an instruction.\n    # Log and continue with human review only.\n    print(f\"&#91;BLOCKED] Untrusted content attempted action authorization: {e}\")<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_Immediate_Hardening_Checklist\"><\/span>The Immediate Hardening Checklist<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit every GitHub Action that invokes an AI coding agent.<\/strong> List every secret the action can access. Remove any secret not required for that specific task.<\/li>\n\n\n\n<li><strong>Add <code>--allow-paths<\/code> and <code>--disallow-read<\/code> flags<\/strong> to Claude Code CLI calls in CI\/CD to prevent <code>\/proc<\/code> and other sensitive paths from being readable.<\/li>\n\n\n\n<li><strong>Set <code>permissions: contents: read<\/code><\/strong> in GitHub Actions workflows where the agent doesn&#8217;t need to push code. Read-only token access limits what a compromised session can do.<\/li>\n\n\n\n<li><strong>Never let PR descriptions, issue bodies, or public user content<\/strong> reach an agent session that holds API credentials without a trust level gate between them.<\/li>\n\n\n\n<li><strong>Treat GuardFall-style scanners as a supplementary layer, not a primary defense.<\/strong> The bypass requires no sophistication. OS-level enforcement and runtime sandboxing are the primary layers.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For the full July 2026 security findings, see <a href=\"https:\/\/adversa.ai\/blog\/top-ai-coding-agent-security-resources-july-2026\/\" target=\"_blank\" rel=\"noopener\">Adversa AI&#8217;s July 2026 coding agent security digest<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_Builders_Takeaway\"><\/span>The Builder&#8217;s Takeaway<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The coding agent supply chain attack surface is the logical endpoint of everything this security series has been building toward. JADEPUFFER showed that agents can execute attacks autonomously. GuardFall and the Claude Code GitHub Action incidents show that the tools used to build and run agents are themselves targets. The attack surface has expanded from &#8220;what your agent does&#8221; to &#8220;how your agent is built and deployed.&#8221; The three-layer mitigation stack \u2014 credential isolation, filesystem sandboxing, and untrusted content isolation \u2014 addresses all three of the specific attack vectors documented this month. None of them requires a new framework or a new model. They require applying the architectural discipline that&#8217;s been the consistent theme of this series to the CI\/CD layer that most builders haven&#8217;t treated as a security surface yet.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><em>This post is part of The Agentic Protocol&#8217;s Work series \u2014 the connective infrastructure layer beneath every autonomous pipeline. See also: <a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/lethal-trifecta-ai-agents\/\">Lethal Trifecta<\/a>.<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Continue_in_This_Series\"><\/span>Continue in This Series<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/langflow-cve-cisa\/\">Langflow CVE CISA Warning<\/a> \u2014 the first AI agent builder on CISA&#8217;s must-patch list<\/li>\n<li><a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/autonomous-ai-ransomware\/\">Autonomous AI Ransomware<\/a> \u2014 JADEPUFFER: the full attack chain that starts with a supply-chain compromise<\/li>\n<li><a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/black-hat-2026-ai-agents\/\">Black Hat 2026 AI Agents<\/a> \u2014 GuardFall and why skill-scanning alone can&#8217;t stop this attack class<\/li>\n<li><a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/mcp-remote-code-execution\/\">MCP Remote Code Execution<\/a> \u2014 the AutoJack variant targeting browsing-capable agent tools<\/li>\n<li><a href=\"https:\/\/www.theagenticprotocol.com\/index.php\/ai-agent-gateway\/\">AI Agent Gateway<\/a> \u2014 enforcing credential scoping at the infrastructure layer<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The coding agent supply chain attack just moved from theoretical category to documented production incident \u2014 and this time the target isn&#8217;t the code your agents write, but the tools your team uses to build agents in the first place. Adversa AI&#8217;s July 2026 security digest, published this week, documents three related findings that together &#8230; <a title=\"Coding Agent Supply Chain Attack: Critical July 2026 Warning\" class=\"read-more\" href=\"https:\/\/www.theagenticprotocol.com\/index.php\/coding-agent-supply-chain-attack\/\" aria-label=\"Read more about Coding Agent Supply Chain Attack: Critical July 2026 Warning\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":366,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[449,447,448,445,446],"class_list":["post-365","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-work-agentic-ai","tag-anthropic_api_key-leak","tag-ci-cd-agent-security","tag-claude-code-github-action-security","tag-coding-agent-supply-chain-attack","tag-guardfall-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/posts\/365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/comments?post=365"}],"version-history":[{"count":2,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/posts\/365\/revisions"}],"predecessor-version":[{"id":403,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/posts\/365\/revisions\/403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/media\/366"}],"wp:attachment":[{"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/media?parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/categories?post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.theagenticprotocol.com\/index.php\/wp-json\/wp\/v2\/tags?post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}