Hacker NewsClinejection Supply Chain Attack 4000 Developer Machines via Prompt InjectionGrith AI·high signalGitHub issue title prompt injection exploited Cline AI triage bot, poisoned npm cache, published malicious [redacted] to 4000 devsSourceSource pageGrith AI↳ Follow the threadShared entity / Policy dependencyponytail: A 'Laziest Senior Dev' Skill That Cuts Agent-Written Code by ~54% Is the Fastest-Rising Repo on GitHubGitHubPolicy dependency / Stack layerIAPS warns on Kimi Claw: security and governance risks of Chinese-hosted 'always-on' AI agentsIAPSPolicy dependency / Stack layerHalluSquatting weaponizes LLM hallucinations to push botnet malware into agentsThe Hacker NewsStack layer / Threat patternMalicious agent skills evade every scanner: HKUST's SkillCloak beats detectors 90%+ of the time, SkillDetonate catches 97%Help Net SecurityStack layer / Threat patternCodeTracer Performs Forensic Attribution of Backdoored Code CompletionsarXivStack layer / Threat patternNSA issues official MCP hardening guidance after Amazon Q auto-execution CVEs (CVSS 8.5) enable AWS credential theftWizStack layer / Threat patternUnit 42: AI-agent npm packages become a prime supply-chain target in H1 2026Unit 42 (Palo Alto Networks)Stack layer / Threat patternAnthropic's 'J-Space' Interpretability Result Finds a Silent Reasoning Workspace Inside ClaudeAnthropic