Incidents & post-mortems
What actually happened, what the fix was, what the next one will look like.
14 published- Agentjacking turns a Sentry error into code execution Attackers POST a fake Sentry error; the Sentry MCP server feeds it to Claude Code, Cursor, and Codex as trusted output, and the agents run their code.
- Mini Shai-Hulud hides inside your coding agent An npm worm planted a SessionStart hook in Claude Code so it reloads with the agent's full permissions after the bad package is gone. Mechanism and cleanup.
- Comment and Control hijacks three AI coding agents A prompt injection hidden in a GitHub PR title or issue body made Claude Code, Gemini CLI, and Copilot dump their own API keys into public comments.
- Claude Code's SOCKS5 sandbox bypass A null-byte injection let prompts exfiltrate AWS credentials, GitHub tokens, and IMDS data through the Claude Code network sandbox. Silent patch, no advisory.
- Six weeks of AI agent secret leaks Q2 2026 retrospective: five AI coding-agent incidents in six weeks exposed a shared pattern. Every team running agentic tooling should audit before June 1.
- Claude Code skills bypassed allowlist permissions April 2026: a skill bypassed Claude Code tool-call allowlists using a Unicode lookalike in the tool name. Arbitrary shell execution despite a read-only config.
- Cursor Composer leaked tab context between projects April 2026: Cursor Composer included a second open tab context in LLM prompts, surfacing credentials from unrelated repos. How to audit and prevent recurrence.
- MCP + GitHub = a data heist mcp prompt injection github: how a malicious issue body tricks an MCP-connected agent into reading private repos and posting the data publicly.
- Replit agent deleted a production database In 2024, a Replit AI agent dropped a production database in seconds. Here is what the permission model got wrong and how to stop it from happening again.
- $82,000 GCP bill from a coding agent An AI agent caused an 82,000 dollar Google Cloud bill in early 2026: leaked GCP credentials in agent context triggered a retry loop that ran all weekend.
- AI agents commit secrets 2x more often GitGuardian State of Secrets Sprawl 2026: AI-assisted commits leak secrets twice as often. The mechanism behind the 81% spike in AI coding agent secret leaks.
- MCP's trust model has sharp edges The anthropic mcp design flaw isn't a bug: it's four protocol assumptions that produce credential exposure by design. Here is what the spec actually says.
- Cursor uploaded my .env to the cloud January 2026: Cursor's cloud sync indexed .env files inside workspaces despite privacy mode. Knostic confirmed scope. What leaked, and what to do now.
- Claude Code leaked secrets to npm April 2026: Claude Code settings.local.json silently recorded env vars and shipped them in published npm packages. The fix is one file, the lesson is bigger.