Topic
All blog posts, tools, and guides about Security from Developers Digest.
36 resources - 31 posts, 3 tools, 2 guides

Security researchers discovered a prompt injection vulnerability in GitHub's Agentic Workflows that allows attackers to extract private repository contents through public issues.

Flipper Devices announces their firmware hit 1.0 stability and outlines a new community contribution model - while HN debates whether 'done' software is actually a good thing.

A developer reverse-engineered Claude Code and found hidden markers that classify users by timezone, domain, and API keywords - using unicode apostrophe swaps and date format changes.

Semgrep's security research team benchmarked LLMs on IDOR vulnerability detection. The open-weight GLM 5.2 beat Claude Code by 7 points at roughly one-sixth the cost.

OpenAI's June 2026 API changelog looks like scattered platform plumbing. Read together, moderation scores, workload identity, Admin APIs, prompt-cache retention, container billing, and Secure MCP Tunnel are the pieces teams need to run agents with real controls.

Bumblebee is Perplexity's open source scanner for detecting compromised packages, extensions, and MCP configs on developer machines. A read-only Go binary that checks npm, PyPI, Go modules, and 10+ ecosystems against exposure catalogs - without running any install scripts. Here is how to set it up and use it.

Arcade just raised $60M to become the secure action layer for production AI agents. Here is what their MCP runtime actually does, how it differs from rolling your own OAuth, and when to use it.

Filippo Valsorda argues that LLMs have ended the era of treating security researchers with kid gloves. When anyone can discover vulnerabilities with an AI, the old coordinated disclosure model breaks down.

The Linux Foundation's Agent Name Service proposal points at a real gap in AI agent infrastructure: agents need verifiable identity, scoped capabilities, revocation, and audit trails before they can safely act across tools.

AI agents are getting their own computers. Here is how to choose a sandbox architecture: filesystem isolation, network policy, secrets boundaries, snapshots, and when shell access is overkill.

A GitHub-trending library of Anthropic cybersecurity skills points at the next agent security layer: framework-mapped playbooks that need provenance, tests, and abuse boundaries before they become trusted runtime tools.

OpenAI's Daybreak and Patch the Planet point at the real agentic AppSec shift: security agents only matter when they produce validated, reviewable patches maintainers can actually merge.

Stop the approval-fatigue prompts without going full YOLO mode. A hands-on guide to Claude Code's permission system - settings.json scopes, allow/deny/ask rules, tool specifiers, and the headless flags that actually matter.

On June 17, 2026, attackers hijacked a dormant Mastra contributor account and pushed malicious versions of 140+ packages. The payload steals crypto wallets, browser data, and cloud credentials. Here is what happened, how to check your lockfile, and what to do if you installed an affected version.

The viral DN42 AWS bill story is funny until you realize the missing primitive: infrastructure agents need hard cloud-spend guardrails before they touch real accounts.

Security researchers showed a €0.02 bank transfer could compromise a banking AI assistant. Here is the exact attack chain - and what every developer building agents needs to do differently.

Anthropic's Claude Fable 5 mandates 30-day data retention on every platform, overriding existing Zero Data Retention contracts for enterprise API customers. Here is what compliance teams and developers need to audit before their next deployment.

Pricing deadlines, infrastructure funding, a banking prompt injection case, and a 4x speed breakthrough - June 10 was one of the densest single days the AI dev tool market has ever produced.

A Hacker News thread on config files that run code points at the next AI coding risk: agent hooks, skills, and editor rules need review like executable dependencies.

Anthropic's open-source vulnerability harness shows where AI security work is going: reproducible exploit loops, separate verification agents, and patch receipts.

Before an AI agent gets tools, files, APIs, MCP servers, or deployment access, decide what it can read, write, call, log, and roll back.

Anthropic's Project Glasswing update is a useful signal for developer teams: AI can find vulnerability candidates faster than humans can verify, disclose, patch, and ship them.

Runtime's Launch HN thread is a useful signal: teams do not just want isolated coding agents. They want a control plane for approvals, secrets, telemetry, review, and merge policy.

GitHub trending is full of agent skill registries. The winning pattern is not more prompts. It is dependency governance for the instructions your coding agents inherit.

Claude Code's newer plugin URL and hard-deny controls are small release-note items with a big implication: agent extensions now need supply-chain discipline.

The TanStack npm incident was not just a package-security story. It was a reminder that AI agent workflows inherit every weak trust boundary in CI.

OpenAI's May 8 macOS certificate rotation for ChatGPT, Codex, Codex CLI, and Atlas is not just a one-off update. It is a useful test of how your team governs AI developer tools.

Manual approval prompts stop protecting users when coding agents ask too often. The better pattern is risk-aware autonomy: safe defaults, narrow deny rules, and approvals only for meaningful changes.

Microsoft's lib0xc landed on Hacker News with a practical message: safer systems code often means better C APIs, warnings, bounds checks, and incremental adoption, not a heroic rewrite.

OpenAI's Codex Security agent reviews app code for vulns. Here is what it caught and missed on three real production repos.

A practical security playbook for running Codex cloud tasks safely in 2026 using OpenAI docs: internet access controls, domain allowlists, HTTP method limits, and review workflows.
CDN, DNS, DDoS protection, and edge computing. Free tier handles most needs. This site uses Cloudflare for DNS and analytics. Workers for edge compute.
InfrastructureLargest MCP server directory with 17,000+ servers. Security grading (A/B/C/F), compatibility scoring, and install configs. ChatGPT-like UI for browsing and testing.
MCP ToolsOpen-source cloud sandboxes for AI agents. Isolated environments that start in under 200ms, run code in Python, JavaScript, and more, and persist sessions up to 24 hours.
InfrastructureA complete, citation-backed Claude Code course with setup, prompting systems, MCP, CI, security, cost controls, and capstone workflows.
GuideSet up Codex Chronicle on macOS, manage permissions, and understand privacy, security, and troubleshooting.
GuideKeep exploring

New tutorials, open-source projects, and deep dives on coding agents - delivered weekly.
Explore 688 topics
Browse All Topics