The identity acting is not the identity you think.
A Claude Code skill riding authenticated Slack sessions, a Dependabot PR auto-merged 5 minutes after malicious publish, and the AWS pattern that scopes an MCP agent per tool call.
🎯 Attack of the Week
How the Claude Code skill hijack runs. An attacker publishes a benign-named Claude Code skill to npm, where developers fetch it with npx like any other CLI tool. A developer runs it once. The skill runs at the developer's request, but it uses their authenticated Slack session (browser-held, workspace-trusted) to send phishing DMs to coworkers. The messages inherit the developer's identity and reach. Claude Code ran as designed.
The identity acting is not the identity you think. When an agent runs a skill, it reaches every open SaaS session the user has. Tokens the browser holds become tokens the agent can use. Most SaaS trust models assume a human is in the loop for each action. The attack surface moves from the LLM to the developer's browser.
If anyone on your team runs Claude Code against SaaS integrations (Slack, Jira, Linear, Notion), audit which skills they've pulled in the last 30 days. Cross-reference skill authors against an internal allowlist. If you don't have one yet, pinning skills to reviewed authors is the cheapest control in the queue.
🚨 Rule of the Week
Detection sketch for bot-PR implicit trust. GitGuardian clocked 895+ public repos that auto-merged the malicious axios within 5 minutes of upstream publish. Alert on any Dependabot or Renovate PR that touches a production-path dependency AND was auto-merged within 6 hours of the upstream version publish time. Six hours sits below human-review speed. Match against your CI dependency graph, not just your GitHub org, to catch indirect pipelines. Cheap to build (most SIEMs can ingest GitHub audit logs today) and catches the whole class, not just this one incident.
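The rule above, written out as runnable detection logic. This is an added example, not the newsletter's code or GitGuardian's: the PR records stand in for what a SIEM ingests from the GitHub audit log or PR API, the publish times for a registry's per-version timestamps (npm's `time` field), and all package names, versions, PR numbers and dates are constructed placeholders. The production-path set is hardcoded here; build the real one from the CI dependency graph, as the rule says.

```python
"""Detection sketch for bot PRs auto-merged faster than a human could review.

Added example, not the newsletter's code. MERGED_PRS and PUBLISH_TIMES are
constructed sample inputs; package names, versions and dates are placeholders.
"""
from datetime import datetime, timedelta, timezone

BOT_AUTHORS = {"dependabot[bot]", "renovate[bot]"}
WINDOW = timedelta(hours=6)  # below human-review speed, per the rule

# Hypothetical production-path set. Build the real one from the CI dependency
# graph so that indirect pipelines are covered, not just direct deps.
PRODUCTION_DEPS = {"axios", "lodash", "express"}

# Constructed sample PR records (ISO-8601 UTC timestamps).
MERGED_PRS = [
    {"pr": 101, "author": "dependabot[bot]", "package": "axios",
     "to_version": "9.9.9", "merged_at": "2026-03-31T10:05:00Z"},
    {"pr": 102, "author": "renovate[bot]", "package": "lodash",
     "to_version": "4.0.1", "merged_at": "2026-04-03T09:00:00Z"},
    {"pr": 103, "author": "dependabot[bot]", "package": "eslint",
     "to_version": "9.0.1", "merged_at": "2026-03-31T10:03:00Z"},
    {"pr": 104, "author": "alice", "package": "axios",
     "to_version": "9.9.9", "merged_at": "2026-03-31T10:10:00Z"},
    {"pr": 105, "author": "renovate[bot]", "package": "express",
     "to_version": "5.0.1", "merged_at": "2026-03-31T11:00:00Z"},
]

# Constructed (package, version) -> registry publish time. No entry for express.
PUBLISH_TIMES = {
    ("axios", "9.9.9"): "2026-03-31T10:00:00Z",
    ("lodash", "4.0.1"): "2026-03-28T09:00:00Z",
    ("eslint", "9.0.1"): "2026-03-31T10:00:00Z",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' means UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def fast_bot_merges(prs, publish_times, production_deps=PRODUCTION_DEPS, window=WINDOW):
    """Return {'alerts': [...], 'unresolved': [...]}.

    alerts: bot-authored PRs on a production-path dependency merged within
    `window` of the upstream publish time.
    unresolved: bot PRs whose publish time is unknown; they cannot be scored
    and should be surfaced rather than silently dropped.
    """
    alerts, unresolved = [], []
    for pr in prs:
        if pr["author"] not in BOT_AUTHORS or pr["package"] not in production_deps:
            continue
        published = publish_times.get((pr["package"], pr["to_version"]))
        if published is None:
            unresolved.append(pr["pr"])
            continue
        delta = parse_ts(pr["merged_at"]) - parse_ts(published)
        # A negative delta means the merge predates the publish record
        # (clock skew or a re-published version); not this rule's signal.
        if timedelta(0) <= delta <= window:
            alerts.append({
                "pr": pr["pr"],
                "package": pr["package"],
                "to_version": pr["to_version"],
                "minutes_after_publish": delta.total_seconds() / 60,
            })
    return {"alerts": alerts, "unresolved": unresolved}


if __name__ == "__main__":
    result = fast_bot_merges(MERGED_PRS, PUBLISH_TIMES)
    for a in result["alerts"]:
        print(f"ALERT PR #{a['pr']}: {a['package']}@{a['to_version']} merged "
              f"{a['minutes_after_publish']:.0f} min after publish")
    print("unresolved:", result["unresolved"])
```

On the sample data only PR 101 fires (a bot bump of a production dependency merged five minutes after publish); the human-authored axios PR and the dev-only eslint bump are ignored, and the express PR with no known publish time is returned as unresolved rather than dropped, since a missing publish time is itself worth a look.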
🔧 Defender's Corner
Scope MCP agents with per-tool STS session policies this week. AWS named the pattern: the agent's execution role holds broad permissions; each tool invocation narrows the session via AssumeRole with a session policy matching only that tool's required actions. Session tags let you differentiate AI vs human actors for downstream logging and SCPs. First AWS pattern I've seen that treats the agent as a subject, not a service account. Deployable today with existing primitives; the friction is organizational, not technical.
For your engineer: pick one MCP server in staging and write per-tool session policies for it.
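A worked version of that exercise, as an added example that is neither AWS's reference code nor the newsletter's. It assumes a hypothetical MCP server with two tools, `read_ticket` (reads one DynamoDB table) and `attach_log` (writes to one S3 prefix); the role ARN, account ID, table and bucket names are placeholders. The policy builders run offline; only `scoped_client` calls STS, through boto3's real `assume_role`, and the SCP at the end shows the session tag being used downstream via `aws:PrincipalTag`.

```python
"""Per-tool STS session policies for an MCP agent.

Added example, not AWS's reference code and not the newsletter's. The tool
map, role ARN, account ID, table and bucket names are hypothetical.
"""
import json
import re

# Hypothetical MCP server with two tools. The execution role itself holds
# the union of these permissions; each call narrows to one row.
TOOL_PERMISSIONS = {
    "read_ticket": {
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/tickets",
    },
    "attach_log": {
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-agent-logs/attachments/*",
    },
}

AGENT_ROLE_ARN = "arn:aws:iam::123456789012:role/mcp-agent-execution"  # placeholder
SESSION_NAME_RE = re.compile(r"[^\w+=,.@-]")  # STS allows only these characters


def session_policy_for(tool: str) -> dict:
    """Inline session policy for one tool invocation.

    A session policy can only intersect with the role's identity policies,
    never exceed them, so the effective permissions are at most this statement.
    """
    perm = TOOL_PERMISSIONS[tool]  # KeyError for an unknown tool is deliberate
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Tool" + re.sub(r"[^A-Za-z0-9]", "", tool.title()),
            "Effect": "Allow",
            "Action": list(perm["Action"]),
            "Resource": perm["Resource"],
        }],
    }


def assume_role_request(tool: str, on_behalf_of: str, invocation_id: str,
                        role_arn: str = AGENT_ROLE_ARN) -> dict:
    """Keyword arguments for boto3 `sts.assume_role`.

    Session tags mark the actor as an AI agent so CloudTrail, IAM conditions
    and SCPs can key on aws:PrincipalTag/ActorType. The role's trust policy
    must grant sts:TagSession as well as sts:AssumeRole for tags to be accepted.
    """
    raw = f"mcp-{tool}-{invocation_id}"
    session_name = SESSION_NAME_RE.sub("-", raw)[:64]  # 2-64 chars, restricted charset
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Policy": json.dumps(session_policy_for(tool)),
        "DurationSeconds": 900,  # minimum STS allows; one tool call needs no more
        "Tags": [
            {"Key": "ActorType", "Value": "ai-agent"},
            {"Key": "Tool", "Value": tool},
            {"Key": "OnBehalfOf", "Value": on_behalf_of[:256]},
        ],
    }


def ai_actor_guardrail_scp() -> dict:
    """Example SCP: deny IAM and Organizations changes to any AI-tagged session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyIdentityChangesFromAIActors",
            "Effect": "Deny",
            "Action": ["iam:*", "organizations:*"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalTag/ActorType": "ai-agent"}},
        }],
    }


def scoped_client(service: str, tool: str, on_behalf_of: str, invocation_id: str):
    """Assume the narrowed session and return a boto3 client bound to it."""
    import boto3  # lazy import: the policy builders above need no SDK
    sts = boto3.client("sts")
    creds = sts.assume_role(**assume_role_request(tool, on_behalf_of, invocation_id))["Credentials"]
    return boto3.client(
        service,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    req = assume_role_request("read_ticket", "alice@example.com", "inv-0001")
    print(req["RoleSessionName"])
    print(json.dumps(json.loads(req["Policy"]), indent=2))
```

The tool handler calls `scoped_client("dynamodb", "read_ticket", user, invocation_id)` and never touches the execution role's own credentials, so a prompt-injected `read_ticket` call cannot reach S3 even though the role can. The session name carries the tool and invocation ID into CloudTrail's `userIdentity`, and the tags let an SCP or IAM condition treat the agent differently from the human it acts for.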
📡 Also on the Radar
A 12-hour cooldown blocks both axios and s1ngularity. A week is what most teams set. In Renovate (`minimumReleaseAge`) or Dependabot (`cooldown`), it is a line or two of config. The harder problem, cooldowns on transitive deps at build time, still has no clean answer from any tool I've read.