aguara v0.27.0

Content

Technical articles on AI agent security, MCP scanning, supply-chain threat research, and the engineering behind Aguara. Grounded in shipped detections, no fluff.

2026-06-12 Release

Aguara v0.27.0: A Fuzz Harness for Every Untrusted-Input Parser

22 native Go fuzz targets now cover every parser that reads attacker-controlled files, running nightly. The terminal also grows up: color and spinner adapt to pipes and CI, one verdict language across commands.

2026-06-11 Release

Aguara v0.26.0: 228,000 Known-Malicious Packages, Offline

v0.26.0 understands OSV advisories that affect every version of a package and bounded npm semver ranges. Around 196,000 npm and 6,400 PyPI packages previously invisible to a check now flag offline.

2026-06-11 Engineering

Most Malicious Packages Are Malicious at Every Version

We were about to build seven version-comparison grammars to match OSV range advisories. A measurement pass showed over 99% of malicious range advisories mark every version affected. The data picked a much smaller project.

2026-06-11 Supply Chain

npm v12 Makes Install-Time Trust Explicit. Review It Before It Ships.

npm v12 blocks dependency scripts, git deps, and remote tarballs unless project policy allows them. The policy lives in files the repo ships. What Aguara checks, and the readiness list for the July upgrade.

2026-06-10 Release

Aguara v0.24.0: The Agent Trust Layer

Aguara v0.24.0 checks the agent configuration a cloned repo ships: Claude Code settings, instruction files like .cursorrules, pnpm policy, and Bun and Yarn Berry lockfiles. What it catches, with real rule IDs.

2026-06-10 Security

Your Repo Ships a .claude/settings.json. Your Editor Obeys It.

Claude Code reads project settings from the repo you clone. Hooks run on session start, env vars inject into subprocesses, permission rules pre-approve actions. The threat model, the 8 checks, and what we deliberately do not flag.

2026-06-10 Security

.cursorrules Is a Prompt Surface

Agent instruction files are loaded as persistent context and obeyed. A prompt injection in .cursorrules is not documentation, it is configuration for a system that acts. Why these files now scan and score differently.

2026-06-09 Supply Chain

pnpm v11 Gave You Supply-Chain Controls. One YAML Line Turns Them Off.

pnpm v11 ships the strongest default supply-chain posture of any package manager. It is configured in a file the repo controls. The 9 weakenings worth flagging, the kebab-case trap, and lockfile alias resolution.

2026-06-08 Research

The Miasma Worm, Mapped to Detections

The Red Hat npm worm chained install-time execution, GitHub as C2, host tampering, and destructive cleanup. Stage by stage, mapped to the six behavioral rules it motivated, with honest limits.

2026-06-06 Essay

The Trust Layer: The Part of Your Stack Nobody Audits

Between your code and its execution sits a layer of artifacts your tools obey without review: lockfiles, install scripts, CI workflows, MCP configs, agent instructions. Naming the layer is the first step to defending it.

2026-06-04 Research

Install-Time Code Is the Attack Surface: JavaScript, Python, Rust

npm lifecycle hooks, setup.py, and build.rs all execute code before you run anything. How flow-sensitive analysis catches the malicious shapes in each, and why co-presence rules were not enough.

2026-05-21 Incident

Mini Shai-Hulud: 317 Packages in 22 Minutes

The AntV npm compromise published 637 malicious versions in one automated burst, aimed at GitHub Actions runners and their process memory. Why technique rules outlive IOC lists.

2026-05-18 Engineering

Threat Intel That Works Offline

Most scanners phone home for advisory data. Aguara embeds its snapshot in the binary: checks run with zero network calls, refreshes are explicit, and an empty refresh is refused. The design and its tradeoffs.

2026-05-16 Incident

node-ipc, Again: Anatomy of the May 2026 Compromise

Three malicious node-ipc versions landed on npm via an expired maintainer domain. The payload harvests 100+ credential patterns and exfiltrates over DNS TXT. What happened, and the behavioral rule it motivated.

2026-05-14 Security

Your CI Trusts Pull Requests More Than You Do

Four GitHub Actions trust-chain failures hide in workflow YAML: pwn requests, cache poisoning across fork boundaries, OIDC token surface, persisted credentials. What each looks like and how to catch them in review.

2026-03-09 Research

30 MCP CVEs in 60 Days: The Attack Surface That Keeps Growing

The MCP ecosystem accumulated 30 CVEs in 60 days. We break down every vulnerability category, analyze the root causes, map them to Aguara detection rules, and show what the data tells us about AI agent security.

2026-03-05

Aguara Is Now a GitHub Action — Security Scanning for AI Agent Repos in One Linehistorical

Aguara Security Scanner is now available as a GitHub Action on the GitHub Marketplace. Add one line to your workflow to scan AI agent skills and MCP servers for prompt injection, data exfiltration, tool shadowing, and 170+ more threat patterns. Results appear directly in GitHub Code Scanning.

2026-03-03

Aguara v0.5.0: 173 Rules, Confidence Scoring & Configurable Limitshistorical

Aguara v0.5.0 ships 20 new detection rules across 8 categories (153 to 173 total), a confidence scoring system on every finding, configurable max file size limits, and atomic state file writes. The largest rule expansion in a single release.

2026-03-01 Security

AI Agents Don't Understand Secrets: What Aguara Detects and Why It Matters

23.8M secrets leaked on GitHub in 2024. Copilot-using repos show 40% higher leak rates. Five vulnerability paths let credentials leak through AI agents. Here's what Aguara detects and how to fix it.

2026-03-01 Research

The Promptware Kill Chain: 7 Stages from Prompt Injection to Full Compromise

Schneier's Promptware Kill Chain reframes prompt injection as a 7-stage APT. 21 documented attacks traverse 4+ stages. Here's how each stage works, what Aguara detects, and where to break the chain.

2026-02-28 Research

Academic Paper Validates Aguara's Detection Approach: Mapping the Agentic AI Attack Surface

A new paper from Northeastern, NYU, UCSD, and UIUC maps the agentic AI attack surface across data and tool supply chains. We map every attack class to Aguara's 13 detection categories and 153 rules.

2026-02-28 Security Advisory

CVEs in Anthropic's Own MCP Servers: When Reference Implementations Teach the Ecosystem to Be Insecure

Anthropic created MCP, then shipped reference servers with path traversal, argument injection, SQL injection, and sandbox escapes. We analyze every CVE, the attack chains, and what Aguara detects.

2026-02-28 Guide

Securing Your OpenClaw Setup: 7 Checks and How to Automate Scanning with Aguara

OpenClaw's security team has shipped 40+ patches in weeks, but the skill ecosystem is still your responsibility. 7 practical security checks plus step-by-step Aguara integration for scanning skills, configs, and CI/CD pipelines.

2026-02-28

Aguara v0.4.0, MCP v0.3.0 & Watch Expansion — Coordinated Releasehistorical

Simultaneous releases across three projects: Aguara v0.4.0 with 153 rules and file hardening, Aguara MCP v0.3.0 on official SDK, and Aguara Watch expansion to 42,969 skills across 7 registries. Zero community forks remain.

2026-02-27 Security

Your AI Agent Config is a Security Liability

MCP configuration files are the most dangerous files on developer machines. Hardcoded secrets, npx -y without version pins, Docker with --privileged, shell metacharacters in args. A practical guide to finding and fixing insecure AI agent configs.

2026-02-27 Research

Docker Sandboxes Are Not Enough: Why AI Agents Need Static Analysis Before Runtime Isolation

Docker Sandboxes isolate AI agents at runtime. But a sandboxed agent running malicious skills is still a compromised agent. Why you need static analysis before you hit docker sandbox run.

2026-02-27 Security

Kali Linux + Claude Desktop: When Offensive Security Meets MCP, Scanning Becomes Non-Negotiable

Kali Linux officially integrates Claude Desktop via MCP to control nmap, metasploit, and hydra through natural language. If legitimate MCP servers give agents access to pentesting tools, imagine what a malicious one can do.

2026-02-27 Research

NIST Asks How to Secure AI Agents. We Already Have Answers.

NIST's NCCoE published a concept paper on AI agent identity and authorization. Their 6 open questions map directly to what Aguara and the MCP ecosystem are building today.

2026-02-27 Research

OWASP Agentic Top 10 Mapped to Aguara Detection Rules

Every risk in the OWASP Top 10 for Agentic Applications mapped to specific Aguara detection rules. 173 rules across 13 categories covering all 10 OWASP risks with real examples from 40,000+ scanned skills.

2026-02-27 Engineering

The Security Flywheel: How Scanner, Observatory, and MCP Server Compoundhistorical

How a single security scanner became a full feedback loop: observatory crawling 42,655 skills, 4 rounds of FP reduction, and an MCP server that gives agents access to the entire cycle. The engineering story behind Aguara.

2025-02-25 Research

MCP Tool Poisoning: Beyond Descriptions — Full-Schema Injection Attacks Explained

MCP tool poisoning goes far beyond injecting malicious instructions in tool descriptions. Every field the LLM processes is an injection point: parameter names, enum values, error messages, return values, even tool names. Full technical breakdown with detection strategies.

2025-02-25 Security

npx -y Considered Harmful: Supply Chain Risks in MCP Server Configurations

npx -y is the default way MCP servers are installed. It auto-downloads and executes code without checksum verification, version pinning, or user review. Here's why that's a supply chain nightmare and how to fix it.

2025-02-25 Guide

From SKILL.md to Shell: A Security Audit Guide for AI Agent Skills

A practical, step-by-step guide for auditing AI agent skill files for security threats. Covers prompt injection, credential exfiltration, hidden content, command execution, and automated scanning with real examples from 40,000+ skills.

2025-02-22 Research

We Scanned 28,000 AI Agent Skills for Security Threatshistorical

We scanned 31,000+ AI agent skills across 5 registries with Aguara. 485 critical-severity findings including prompt injection, credential leaks, and supply chain attacks. Here's what the data shows.

2025-02-20 Engineering

How I Built a Semgrep-Like Scanner for AI Agent Skillshistorical

Deep dive into building Aguara, an open-source static security scanner for AI agent skills and MCP servers. 173 rules, 3 detection layers, zero dependencies.