"… developers who used AI agents to work with them should assume their systems are compromised… Compromised dev creds led to a legitimate GitHub OIDC token bein
A security vulnerability has been discovered where AI agents, when used by developers, can lead to compromised systems. Attackers exploited compromised developer credentials to obtain a legitimate GitHub OIDC token. This allowed them to publish a malicious build with valid SLSA provenance, which was then recognized by conventional scanners as a trusted update, enabling the attackers to act as authenticated publishers. AI
IMPACT Compromised AI agents could be exploited to distribute malware, necessitating enhanced security protocols for developers and users of AI-assisted tools.