{"id":107445,"date":"2026-03-05T05:19:11","date_gmt":"2026-03-05T03:19:11","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?post_type=zero-post&#038;p=107445"},"modified":"2026-03-06T10:48:23","modified_gmt":"2026-03-06T08:48:23","slug":"ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026","status":"publish","type":"zero-post","link":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/","title":{"rendered":"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. March 2026"},"content":{"rendered":"<p class=\"print-source-info\"><noscript>This document &copy;&nbsp;Checkmarx, all rights reserved.<\/noscript>\n<\/p>\n\n\n\n<h2 id=\"now-the-ais-are-fighting\" class=\"article-anchor\">Now the AIs are fighting<\/h2>\n<p>\n  Two themes stood out this week:\n  <strong>automation attacking automation<\/strong> (AI-driven bots and agent\n  frameworks turning CI\/CD into an always-on exploit surface), and\n  <strong>trusted developer plumbing being repurposed<\/strong> (package\n  registries, plugins, and \u201chelpful\u201d tooling paths becoming execution paths).\n<\/p>\n<p>\n  For giggles, I let an AI generate the summary this week (the following bullets\n  are <mark class=\"ai-content\">AI-generated with human tweaks<\/mark>) &#8212; but don&#8217;t worry, the details below this list are all human-written:\n<\/p>\n<ul>\n  <li>\n    <p>\n      <strong>AI bot \u201chackerbot-claw\u201d actively exploited GitHub Actions\n        misconfigs<\/strong>\n      to get\n      <abbr title=\"Remote Command Execution\">RCE<\/abbr>\n      in multiple repos and exfiltrate a write-scoped\n      <code>GITHUB_TOKEN<\/code>.\n      <a href=\"https:\/\/www.stepsecurity.io\/blog\/hackerbot-claw-github-actions-exploitation\">stepsecurity.io<\/a>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>OpenClaw \u201cClawJacked\u201d chain let a malicious website take over a local\n        AI agent<\/strong>\n      by abusing localhost exposure (WebSocket + brute force), collapsing\n      \u201cbrowser tab\u201d \u2192 \u201cagent control.\u201d\n      <a href=\"https:\/\/www.oasis.security\/blog\/openclaw-vulnerability\">oasis.security<\/a>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>ModelScope MS-Agent bug (CVE-2026-2256) enabled OS command execution\n        via the Shell tool<\/strong>\n      due to improper
input sanitization\u2014exactly the kind of footgun that turns\n      \u201cagent tooling\u201d into a direct host compromise path.\n      <a href=\"https:\/\/www.securityweek.com\/vulnerability-in-ms-agent-ai-framework-can-allow-full-system-compromise\/\">SecurityWeek<\/a>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>StegaBin: 26 malicious npm packages tied to the \u201cContagious Interview\u201d\n        ecosystem<\/strong>\n      used multi-stage install-time execution with Pastebin\/Vercel tradecraft to\n      deploy credential theft +\n      <abbr title=\"Remote Access Trojan\">RAT<\/abbr> payloads.\n      <a href=\"https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html\">The Hacker News<\/a>\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>SiteOrigin Page Builder (WordPress) Local File Inclusion\n        (CVE-2026-2448)<\/strong>\n      gave authenticated (Contributor+) attackers a route to include\/execute\n      server-side files\u2014high blast radius given the plugin\u2019s install base.\n      <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-2448\">NVD<\/a>\n    <\/p>\n  <\/li>\n<\/ul>\n\n\n\n<h2 id=\"feature-hackerbot-claw-showed-why-cicd-needs-default-deny-guardrails\" class=\"article-anchor\">\n  Feature: hackerbot-claw showed why CI\/CD needs \u201cdefault-deny\u201d guardrails\n<\/h2>\n<p>\n  The tail end of February brought us an active attack campaign from an AI bot\n  called <strong>hackerbot-claw<\/strong>, which claims to be a \u201cfriendly\u201d\n  security bot powered by the Claude-Opus-4.5 model; I\u2019m sure Anthropic is\n  <em>thrilled<\/em> about the association (that\u2019s sarcasm, folks).\n<\/p>\n<p>\n  The \u201cfriendly\u201d nature of it is disputed, since it scanned GitHub Actions\n  workflows that are subject to various weaknesses like the well-known\n  <a
href=\"https:\/\/medium.com\/@cx0-darren\/github-actions-vs-supply-chain-attacks-using-pull-request-target-6b1569edf503\">challenges with Actions that use <code>pull_request_target<\/code><\/a>. And it didn\u2019t just flag them, it opened PRs designed to exploit them,\n  successfully <strong>executing arbitrary code<\/strong> in CI\/CD pipelines and\n  <strong>exfiltrating privileged GitHub tokens<\/strong> (by reading\n  <code>GITHUB_TOKEN<\/code>, mainly).\n<\/p>\n<p>\n  According to\n  <a href=\"https:\/\/www.stepsecurity.io\/blog\/hackerbot-claw-github-actions-exploitation\">Step Security<\/a>, several high-profile organizations disclosed impact. And there seem to be\n  weak indications of many more attempts \u2014 I suspect many more orgs were\n  impacted than just those who responsibly disclosed the attacks and breaches.\n<\/p>\n<h3 id=\"important-things-to-learn-from-this-campaign\">\n  Important things to learn from this campaign\n<\/h3>\n<ul>\n  <li>\n    <p>\n      <strong>CI is increasingly a continuous attack surface, and AI is accelerating\n        that<\/strong>. Nothing about this attack <em>requires<\/em> AI: traditional automation\n      would work just fine. But available evidence suggests that architecting it\n      around AI has several significant benefits for the attacker, including\n      rapid adaptability, shorter scaling paths, and greater difficulty\n      establishing IoC\u2019s (Indicators of Compromise) for defenders.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Token exfil <em>sucks<\/em><\/strong>. CI\/CD tokens (like <code>GITHUB_TOKEN<\/code>), even when managed using\n      a secrets vault, are by necessity exposed during key parts of CI\/CD runs.\n      When those tokens have higher privileges (such as repo-write or release\n      privileges), a compromise of a sandboxed CI runner is suddenly an\n      elevation of privilege. Even without exfiltration, attacker-controlled\n      code in CI has elevated access. 
But <em>with<\/em> exfiltration, attackers\n      can launch further, more-targeted attacks until you notice and revoke the\n      credential.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>CI isn\u2019t the only risk<\/strong>. GitHub tokens are bad enough to\n      exfiltrate, but we should take note that some of the compromised Actions\n      also had access to deployment keys and other third-party service\n      credentials. This is a good reminder of the importance of ensuring that\n      attackers can\u2019t influence your CI: something especially relevant to\n      organizations that maintain open-source projects that accept public\n      contributions.\n    <\/p>\n  <\/li>\n<\/ul>\n<h3 id=\"what-do-you-have-to-do\">What do you have to do?<\/h3>\n<ol type=\"1\">\n  <li>\n    <p>\n      <strong>Eliminate the whole \u201cpwn request\u201d vulnerability class.<\/strong>\n      Just don\u2019t use <code>pull_request_target<\/code> for untrusted\n      contributions. Or, if there\u2019s really important value to it, at least fully\n      define and document the trust boundary, so you can keep the scope narrow\n      and ensure that Actions implementing it don\u2019t also have elevated privileges.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Review your token scopes.<\/strong> Use least-privilege\n      <code>GITHUB_TOKEN<\/code> permissions; avoid broadly-scoped PAT (Personal\n      Access Token) use and grant tokens only the minimum permissions. Make sure\n      \u201cwrite\u201d and \u201crelease\u201d tokens are narrowly-scoped and not triggered by\n      untrusted users or workflows (which is, I understand, kind of restating\n      the last point a bit).\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Lock your runners down tight.<\/strong> Make sure container images\n      you use for CI are locked down. Put endpoint controls on them. Control\n      egress.
Sandbox as much as possible in ways that code inside can\u2019t have\n      access to.\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Put CI configs into your security review process.<\/strong> Build\n      up security champions within DevOps, and build processes to regularly\n      review and test CI configurations with an explicit, security-focused\n      scope. It\u2019s honestly some of your most important \u201ccode\u201d (yeah, it\u2019s\n      low-code or no-code, but you know what I mean).\n    <\/p>\n  <\/li>\n  <li>\n    <p>\n      <strong>Invest in reproducible builds.<\/strong> Not that this is\n      <em>easy<\/em>, mind you. But investing in reproducibility so you can audit\n      <em>what happened<\/em> during a build and recreate it if needed helps with\n      reducing response costs and with the testing I recommended above. The best\n      time to start working towards\n      <a href=\"https:\/\/slsa.dev\/spec\/v1.2\/build-requirements#build-levels\">SLSA Level 2<\/a>\n      builds was a year ago; the second best time is now.\n    <\/p>\n  <\/li>\n<\/ol>\n<h2 id=\"openclaw-clawjacked-turned-a-browser-visit-into-agent-takeover\" class=\"article-anchor\">\n  OpenClaw \u201cClawJacked\u201d turned a browser visit into agent takeover\n<\/h2>\n<p>\n  I generally avoid saying \u201cdon\u2019t use this\u201d, but OpenClaw is tempting me. 
Among\n  the many serious flaws that have been reported in OpenClaw components,\n  <a href=\"https:\/\/www.securityweek.com\/openclaw-vulnerability-allowed-malicious-websites-to-hijack-ai-agents\/\">SecurityWeek reports<\/a>\n  an issue where attacker access to a gateway\/agent service can turn into\n  arbitrary\n  <abbr title=\"Remote Command Execution\">RCE<\/abbr>.\n<\/p>\n<p>\n  If you use OpenClaw, update to fixed versions (v2026.2.25+ is explicitly\n  called out), and treat agent\/gateway services like privileged admin\n  interfaces: bind ports tightly, require strong authentication and\n  authorization, and add rate-limiting\/lockouts. And honestly, please please run\n  it in a very hardened, carefully-scoped container. I trust Docker (or\n  whatever) to sandbox resources a heck of a lot more than I trust OpenClaw.\n<\/p>\n<h2 id=\"modelscope-ms-agent-shell-tool-command-execution\" class=\"article-anchor\">\n  ModelScope MS-Agent Shell tool command execution\n<\/h2>\n<div id=\"CVE-2026-2256\" class=\"cxzero-cve-block\">\n  <p>\n    <a href=\"https:\/\/devhub.checkmarx.com\/cve-details\/CVE-2026-2256\/\" class=\"vulnid\">CVE-2026-2256<\/a>\n    <span class=\"cvss\">CVSS v3.1 =6.5<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N\">CVSS:3.1\/&#8230;<\/a><\/span>\n  <\/p>\n<\/div>\n<p>\n  Whoops. Some users of the <strong>MS-Agent<\/strong> AI framework found\n  themselves on the short end of a prompt-injection-to-arbitrary-command-exec\n  pipeline last week. And it comes with a\n  <a href=\"https:\/\/github.com\/Itamar-Yochpaz\/CVE-2026-2256-PoC\">ready-made, public proof of concept<\/a>\n  too.\n<\/p>\n<p>\n  <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/431821\">US-CERT has a great technical write-up<\/a>.
The short of it is that the <code>check_safe()<\/code> routine, which is supposed\n  to (as the name implies) check whether something is safe to pass to the\n  framework\u2019s embedded shell execution hook, didn\u2019t really do a\n  great job.\n<\/p>\n<p>\n  Update to v1.6.0rc1 or later, but also make sure you are deploying agents in\n  trusted contexts with appropriate sandboxing and related controls. I\u2019m\n  sounding like a broken record, but we really need to make this the default\n  advice.\n<\/p>\n<h2 id=\"stegabin-malicious-npm-packages-with-install-time-execution-staged-payload-delivery\" class=\"article-anchor\">\n  StegaBin: malicious npm packages with install-time execution + staged payload\n  delivery\n<\/h2>\n<p>\n  Checkmarx Zero\n  <a href=\"https:\/\/x.com\/CheckmarxZero\/status\/2027414543001870750\">warned in February<\/a>\n  that there was a resurgence of the malicious npm package campaign that was\n  previously dubbed \u201cContagious Interview.\u201d And it seems like at almost exactly\n  the same time,\n  <a href=\"https:\/\/kmsec.uk\/blog\/dprk-text-steganography\/\">kmsec.uk<\/a> was\n  digging deep into the campaign\u2019s techniques.\n<\/p>\n<p>\n  This hit the news last week, despite being largely already contained, as it\n  entered the realm of Security Journalism via <a href=\"https:\/\/thehackernews.com\/2026\/03\/north-korean-hackers-publish-26-npm.html\">The Hacker News<\/a>\n  and some clever naming campaign work.\n<\/p>\n<p>\n  Nevertheless, it\u2019s worth it for defenders to continue to be vigilant and take\n  actions to\n  <a href=\"https:\/\/checkmarx.com\/zero-post\/protecting-yourself-against-malicious-open-source-packages\/\">protect yourself from malicious packages<\/a>, including campaigns like this.\n<\/p>\n<h2 id=\"wordpress-page-builder-by-siteorigin-local-file-inclusion\" class=\"article-anchor\">\n  WordPress Page Builder by SiteOrigin Local File Inclusion\n<\/h2>\n<div
id=\"CVE-2026-2448\" class=\"cxzero-cve-block\">\n  <p>\n    CVE-2026-2448\n    <span class=\"cvss high\">CVSS v3.1 =8.8<\/span>\n    <span class=\"vector\"><a href=\"https:\/\/www.first.org\/cvss\/calculator\/3-1#CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H\">CVSS:3.1\/&#8230;<\/a><\/span>\n  <\/p>\n<\/div>\n<p>\n  This WordPress plugin vulnerability in SiteOrigin versions through (and\n  including) 2.33.5 may seem run-of-the-mill at a time of targeted malicious\n  packages and AI-driven attacker campaigns; but it\u2019s a solid reminder that the\n  importance of basic supply-chain security in your AppSec program hasn\u2019t\n  disappeared.\n<\/p>\n<p>\n  Fortunately, this vulnerability is only exploitable by an attacker who has at\n  least Contributor access. But since there is a path to code execution, it\u2019s\n  still worth prioritizing the patch.\n<\/p>\n<p>\n  The core issue is that <code>locate_template()<\/code>, which is presumed to\n  only load approved template files, had an issue where it can be tricked into\n  loading nearly any file on the server; and if a PHP file, executing it.\n<\/p>\n<p>\n  Upgrade the plugin if you have it, and review logs on impacted servers to\n  identify any indicators of attack attempts.\n<\/p>\n\n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Last week: an \u201cAI bot\u201d abusing GitHub Actions to run code and steal tokens, agent takeover paths from a single browser visit, and fresh reminders that npm packages and WordPress plugins can still become execution paths.<\/p>\n","protected":false},"author":137,"featured_media":107446,"template":"","zero-category":[1176,1333],"zero-tag":[1097,1500,1277,1084,1501],"class_list":["post-107445","zero-post","type-zero-post","status-publish","has-post-thumbnail","hentry","zero-category-security-blogs","zero-category-security-news","zero-tag-ai","zero-tag-github","zero-tag-malicious-packages","zero-tag-vulnerability","zero-tag-wordpress"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/
-->\n<title>AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. March 2026 - Checkmarx<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. March 2026 - Checkmarx\" \/>\n<meta property=\"og:description\" content=\"Last week: an \u201cAI bot\u201d abusing GitHub Actions to run code and steal tokens, agent takeover paths from a single browser visit, and fresh reminders that npm packages and WordPress plugins can still become execution paths.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-06T08:48:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/\",\"url\":\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/\",\"name\":\"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. March 2026 - Checkmarx\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp\",\"datePublished\":\"2026-03-05T03:19:11+00:00\",\"dateModified\":\"2026-03-06T08:48:23+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp\",\"width\":2560,\"height\":1280,\"caption\":\"Alt text: Stylized cyberpunk illustration of two hostile AI figures 
battling over developer infrastructure in a dark cityscape. On the left, a red-and-black clawed machine lunges toward a laptop and CI\/CD conveyor-like pipeline; on the right, a larger green robotic figure strikes back near burning servers and racks. Below them are glowing cubes, code screens, cables, and a spider-like malware motif, suggesting attacks moving through build systems, tokens, and developer tooling.\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. 
March 2026 - Checkmarx","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/","og_locale":"en_US","og_type":"article","og_title":"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. March 2026 - Checkmarx","og_description":"Last week: an \u201cAI bot\u201d abusing GitHub Actions to run code and steal tokens, agent takeover paths from a single browser visit, and fresh reminders that npm packages and WordPress plugins can still become execution paths.","og_url":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_modified_time":"2026-03-06T08:48:23+00:00","og_image":[{"width":2560,"height":1280,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp","type":"image\/webp"}],"twitter_card":"summary_large_image","twitter_site":"@checkmarx","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/","url":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/","name":"AI fights and more attacks on dev infrastructure: Last Week in AppSec for 4. 
March 2026 - Checkmarx","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp","datePublished":"2026-03-05T03:19:11+00:00","dateModified":"2026-03-06T08:48:23+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/zero-post\/ai-fights-and-more-attacks-on-dev-infrastructure-last-week-in-appsec-for-4-march-2026\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2026\/03\/cxzero-feature_2026-03-05_last-week-in-appsec.webp","width":2560,"height":1280,"caption":"Alt text: Stylized cyberpunk illustration of two hostile AI figures battling over developer infrastructure in a dark cityscape. On the left, a red-and-black clawed machine lunges toward a laptop and CI\/CD conveyor-like pipeline; on the right, a larger green robotic figure strikes back near burning servers and racks. Below them are glowing cubes, code screens, cables, and a spider-like malware motif, suggesting attacks moving through build systems, tokens, and developer tooling."},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. 
We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","https:\/\/www.linkedin.com\/company\/checkmarx"]}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post\/107445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-post"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/zero-post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/137"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/107446"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=107445"}],"wp:term":[{"taxonomy":"zero-category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-category?post=107445"},{"taxonomy":"zero-tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/zero-tag?post=107445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}