AI Coding Agents Create New Supply Chain Attack Surface, Researchers Warn

·1 views

Security researchers have demonstrated that malicious code hidden in GitHub repositories can evade static scanners, human reviewers, and AI coding agents, activating only during routine project setup. The threat exploits a fundamental design trait of agentic tools: their ability to autonomously clone repositories and execute code without explicit human approval at each step. Unlike traditional supply chain attacks that required a developer to overlook something suspicious, this vector simply relies on the agent performing its intended function. The core concern is not that AI is being manipulated or jailbroken, but that automated pipelines are being granted unconditional trust without adequate sandboxing or permission controls. Security experts urge teams to treat any automated pipeline that clones and executes external code with the same scrutiny applied to arbitrary code execution.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Developer Launches Softchic, a Premium Template Marketplace Built on Next.js 14

A developer known as Delight has begun building Softchic, a premium website template and ready-made site marketplace targeting developers and businesses. The platform is being built using Next.js 14, TypeScript, Tailwind CSS v4, and shadcn/ui components, with payments handled via Lemon Squeezy and Paystack. In its first week, the project has completed a waitlist page, responsive navbar, email capture form, brand identity, and payment architecture. The founder aims to attract 200 waitlist subscribers before officially opening the store, with a planned launch window of July 18–20, 2026. A product listing page, template preview system, and a first SaaS landing page template are among the next milestones planned.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Active Inference Technique Lets AI Agents Develop Curiosity Without Explicit Programming

A developer built a small AI agent using active inference, a brain-inspired approach where the agent tries to minimize surprise rather than simply chase rewards. Unlike conventional reward-seeking agents, this agent independently chooses to gather information before acting, because uncertainty itself carries a cost in its decision-making. In a simple door-choice task where a hint reveals the correct answer, the active inference agent achieved 100% success compared to 48% for a standard reward-chasing agent across 400 attempts. The agent was never instructed to check the hint — it did so because resolving uncertainty was inherently valuable to its goal. The developer notes this approach could address a longstanding AI challenge of getting agents to explore new situations without manually programming exploration incentives.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Developer Uses Classic Child Psychology Test to Show AI Agents Need Theory of Mind

Software engineer Shridhar Shah built two AI agents to demonstrate how 'theory of mind' — the ability to track what others believe versus what is actually true — affects agent performance. The experiment is based on the Sally-Anne false-belief test, a well-known child psychology benchmark in which children must distinguish their own knowledge from another person's mistaken belief. Shah's first agent, which only tracks objective reality, incorrectly predicts where Sally will look for a moved marble, mirroring the reasoning of a three-year-old. His second agent maintains separate belief states for each person, updating them only when that person is present to witness an event, allowing it to answer correctly. Shah argues this capability is foundational for AI agents working collaboratively with humans or other agents, enabling better task delegation, targeted explanations, and fewer faulty assumptions.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

AI Agent With 'Sleep' Phase Achieves 100% Recall vs 75% Without It

A developer has built a 90-line demo showing that an AI agent programmed to undergo a sleep-like memory consolidation phase significantly outperforms one that does not. Inspired by 2026 research exploring offline processing for language models, the experiment simulates 30 days of noisy data input where roughly one in five facts is intentionally incorrect. The sleeping agent reviews and tallies each day's raw notes into a compact long-term summary before clearing the log, allowing it to outvote occasional bad data over time. In contrast, the no-sleep agent retains only the last ten messages, causing older information to be lost and making it vulnerable to recent misinformation. The project argues that tidier, consolidated memory is a more efficient solution to AI recall limitations than simply expanding context windows.

0 comments Read more at DEV Community