Vibe CodingMCP Ecosystem Security Audit 118 Findings 194 Packages AgentAuditDEV Community·high signalAgentAudit scanned 194 MCP packages finding 118 vulnerabilities including 14 critical/high with shell injection and credential leakageSourceSource pageDEV Community↳ Follow the threadStack layer / Threat patternMitigating Taint-Style MCP Server Vulnerabilities Without Touching Server Code (SPELLSMITH)arXivPolicy dependency / Stack layerHalluSquatting weaponizes LLM hallucinations to push botnet malware into agentsThe Hacker NewsStack layer / Threat patternVaronis discloses 'Rogue Agent' — a Dialogflow CX flaw letting one permission poison a shared agent runtimeNxCodeStack layer / Threat patternGhostcommit hides prompt injection in PNG files to make AI coding agents exfiltrate repo secretsSecNewsStack layer / Threat patternGitHub Ships CodeQL 2.26.0 With AI Prompt-Injection Detection for JavaScript/TypeScriptGitHub (CodeQL release notes)Stack layer / Threat patternSWE-bench Verified Under Scrutiny: 60.8% of Commonly Resolved Issues Show Solution LeakageAIware 2026 (SWE-Bench+)Stack layer / Threat patternRun Claude Code's rebuilt /doctor to reclaim context budget from unused skills, MCP servers, and bloated CLAUDE.mdReleasebotStack layer / Threat patternGoose v1.40.0 Adds a Local 'goose review' Command and Peek Mode for Async Background TasksGitHub