Content
Technical articles on AI agent security, MCP scanning, supply-chain threat research, and the engineering behind Aguara. Grounded in shipped detections, no fluff.
Aguara v0.27.0: A Fuzz Harness for Every Untrusted-Input Parser
22 native Go fuzz targets now cover every parser that reads attacker-controlled files, running nightly. The terminal also grows up: color and spinner adapt to pipes and CI, one verdict language across commands.
2026-06-11 ReleaseAguara v0.26.0: 228,000 Known-Malicious Packages, Offline
v0.26.0 understands OSV advisories that affect every version of a package and bounded npm semver ranges. Around 196,000 npm and 6,400 PyPI packages previously invisible to a check now flag offline.
2026-06-11 EngineeringMost Malicious Packages Are Malicious at Every Version
We were about to build seven version-comparison grammars to match OSV range advisories. A measurement pass showed over 99% of malicious range advisories mark every version affected. The data picked a much smaller project.
2026-06-11 Supply Chainnpm v12 Makes Install-Time Trust Explicit. Review It Before It Ships.
npm v12 blocks dependency scripts, git deps, and remote tarballs unless project policy allows them. The policy lives in files the repo ships. What Aguara checks, and the readiness list for the July upgrade.
2026-06-10 ReleaseAguara v0.24.0: The Agent Trust Layer
Aguara v0.24.0 checks the agent configuration a cloned repo ships: Claude Code settings, instruction files like .cursorrules, pnpm policy, and Bun and Yarn Berry lockfiles. What it catches, with real rule IDs.
2026-06-10 SecurityYour Repo Ships a .claude/settings.json. Your Editor Obeys It.
Claude Code reads project settings from the repo you clone. Hooks run on session start, env vars inject into subprocesses, permission rules pre-approve actions. The threat model, the 8 checks, and what we deliberately do not flag.
2026-06-10 Security.cursorrules Is a Prompt Surface
Agent instruction files are loaded as persistent context and obeyed. A prompt injection in .cursorrules is not documentation, it is configuration for a system that acts. Why these files now scan and score differently.
2026-06-09 Supply Chainpnpm v11 Gave You Supply-Chain Controls. One YAML Line Turns Them Off.
pnpm v11 ships the strongest default supply-chain posture of any package manager. It is configured in a file the repo controls. The 9 weakenings worth flagging, the kebab-case trap, and lockfile alias resolution.
2026-06-08 ResearchThe Miasma Worm, Mapped to Detections
The Red Hat npm worm chained install-time execution, GitHub as C2, host tampering, and destructive cleanup. Stage by stage, mapped to the six behavioral rules it motivated, with honest limits.
2026-06-06 EssayThe Trust Layer: The Part of Your Stack Nobody Audits
Between your code and its execution sits a layer of artifacts your tools obey without review: lockfiles, install scripts, CI workflows, MCP configs, agent instructions. Naming the layer is the first step to defending it.
2026-06-04 ResearchInstall-Time Code Is the Attack Surface: JavaScript, Python, Rust
npm lifecycle hooks, setup.py, and build.rs all execute code before you run anything. How flow-sensitive analysis catches the malicious shapes in each, and why co-presence rules were not enough.
2026-05-21 IncidentMini Shai-Hulud: 317 Packages in 22 Minutes
The AntV npm compromise published 637 malicious versions in one automated burst, aimed at GitHub Actions runners and their process memory. Why technique rules outlive IOC lists.
2026-05-18 EngineeringThreat Intel That Works Offline
Most scanners phone home for advisory data. Aguara embeds its snapshot in the binary: checks run with zero network calls, refreshes are explicit, and an empty refresh is refused. The design and its tradeoffs.
2026-05-16 Incidentnode-ipc, Again: Anatomy of the May 2026 Compromise
Three malicious node-ipc versions landed on npm via an expired maintainer domain. The payload harvests 100+ credential patterns and exfiltrates over DNS TXT. What happened, and the behavioral rule it motivated.
2026-05-14 SecurityYour CI Trusts Pull Requests More Than You Do
Four GitHub Actions trust-chain failures hide in workflow YAML: pwn requests, cache poisoning across fork boundaries, OIDC token surface, persisted credentials. What each looks like and how to catch them in review.
2026-03-09 Research30 MCP CVEs in 60 Days: The Attack Surface That Keeps Growing
The MCP ecosystem accumulated 30 CVEs in 60 days. We break down every vulnerability category, analyze the root causes, map them to Aguara detection rules, and show what the data tells us about AI agent security.
2026-03-05Aguara Is Now a GitHub Action — Security Scanning for AI Agent Repos in One Linehistorical
Aguara Security Scanner is now available as a GitHub Action on the GitHub Marketplace. Add one line to your workflow to scan AI agent skills and MCP servers for prompt injection, data exfiltration, tool shadowing, and 170+ more threat patterns. Results appear directly in GitHub Code Scanning.
2026-03-03Aguara v0.5.0: 173 Rules, Confidence Scoring & Configurable Limitshistorical
Aguara v0.5.0 ships 20 new detection rules across 8 categories (153 to 173 total), a confidence scoring system on every finding, configurable max file size limits, and atomic state file writes. The largest rule expansion in a single release.
2026-03-01 SecurityAI Agents Don't Understand Secrets: What Aguara Detects and Why It Matters
23.8M secrets leaked on GitHub in 2024. Copilot-using repos show 40% higher leak rates. Five vulnerability paths let credentials leak through AI agents. Here's what Aguara detects and how to fix it.
2026-03-01 ResearchThe Promptware Kill Chain: 7 Stages from Prompt Injection to Full Compromise
Schneier's Promptware Kill Chain reframes prompt injection as a 7-stage APT. 21 documented attacks traverse 4+ stages. Here's how each stage works, what Aguara detects, and where to break the chain.
2026-02-28 ResearchAcademic Paper Validates Aguara's Detection Approach: Mapping the Agentic AI Attack Surface
A new paper from Northeastern, NYU, UCSD, and UIUC maps the agentic AI attack surface across data and tool supply chains. We map every attack class to Aguara's 13 detection categories and 153 rules.
2026-02-28 Security AdvisoryCVEs in Anthropic's Own MCP Servers: When Reference Implementations Teach the Ecosystem to Be Insecure
Anthropic created MCP, then shipped reference servers with path traversal, argument injection, SQL injection, and sandbox escapes. We analyze every CVE, the attack chains, and what Aguara detects.
2026-02-28 GuideSecuring Your OpenClaw Setup: 7 Checks and How to Automate Scanning with Aguara
OpenClaw's security team has shipped 40+ patches in weeks, but the skill ecosystem is still your responsibility. 7 practical security checks plus step-by-step Aguara integration for scanning skills, configs, and CI/CD pipelines.
2026-02-28Aguara v0.4.0, MCP v0.3.0 & Watch Expansion — Coordinated Releasehistorical
Simultaneous releases across three projects: Aguara v0.4.0 with 153 rules and file hardening, Aguara MCP v0.3.0 on official SDK, and Aguara Watch expansion to 42,969 skills across 7 registries. Zero community forks remain.
2026-02-27 SecurityYour AI Agent Config is a Security Liability
MCP configuration files are the most dangerous files on developer machines. Hardcoded secrets, npx -y without version pins, Docker with --privileged, shell metacharacters in args. A practical guide to finding and fixing insecure AI agent configs.
2026-02-27 ResearchDocker Sandboxes Are Not Enough: Why AI Agents Need Static Analysis Before Runtime Isolation
Docker Sandboxes isolate AI agents at runtime. But a sandboxed agent running malicious skills is still a compromised agent. Why you need static analysis before you hit docker sandbox run.
2026-02-27 SecurityKali Linux + Claude Desktop: When Offensive Security Meets MCP, Scanning Becomes Non-Negotiable
Kali Linux officially integrates Claude Desktop via MCP to control nmap, metasploit, and hydra through natural language. If legitimate MCP servers give agents access to pentesting tools, imagine what a malicious one can do.
2026-02-27 ResearchNIST Asks How to Secure AI Agents. We Already Have Answers.
NIST's NCCoE published a concept paper on AI agent identity and authorization. Their 6 open questions map directly to what Aguara and the MCP ecosystem are building today.
2026-02-27 ResearchOWASP Agentic Top 10 Mapped to Aguara Detection Rules
Every risk in the OWASP Top 10 for Agentic Applications mapped to specific Aguara detection rules. 173 rules across 13 categories covering all 10 OWASP risks with real examples from 40,000+ scanned skills.
2026-02-27 EngineeringThe Security Flywheel: How Scanner, Observatory, and MCP Server Compoundhistorical
How a single security scanner became a full feedback loop: observatory crawling 42,655 skills, 4 rounds of FP reduction, and an MCP server that gives agents access to the entire cycle. The engineering story behind Aguara.
2025-02-25 ResearchMCP Tool Poisoning: Beyond Descriptions — Full-Schema Injection Attacks Explained
MCP tool poisoning goes far beyond injecting malicious instructions in tool descriptions. Every field the LLM processes is an injection point: parameter names, enum values, error messages, return values, even tool names. Full technical breakdown with detection strategies.
2025-02-25 Securitynpx -y Considered Harmful: Supply Chain Risks in MCP Server Configurations
npx -y is the default way MCP servers are installed. It auto-downloads and executes code without checksum verification, version pinning, or user review. Here's why that's a supply chain nightmare and how to fix it.
2025-02-25 GuideFrom SKILL.md to Shell: A Security Audit Guide for AI Agent Skills
A practical, step-by-step guide for auditing AI agent skill files for security threats. Covers prompt injection, credential exfiltration, hidden content, command execution, and automated scanning with real examples from 40,000+ skills.
2025-02-22 ResearchWe Scanned 28,000 AI Agent Skills for Security Threatshistorical
We scanned 31,000+ AI agent skills across 5 registries with Aguara. 485 critical-severity findings including prompt injection, credential leaks, and supply chain attacks. Here's what the data shows.
2025-02-20 EngineeringHow I Built a Semgrep-Like Scanner for AI Agent Skillshistorical
Deep dive into building Aguara, an open-source static security scanner for AI agent skills and MCP servers. 173 rules, 3 detection layers, zero dependencies.