Gadi Evron
LightNews LightNews
gadievron.bsky.social
Gadi Evron
@gadievron.bsky.social
130 followers 110 following 830 posts
CEO & Co-Founder at Knostic, CISO-in-Residence for AI at Cloud Security Alliance. Former Founder @Cymmetria (acquired). Host at Prompt||GTFO. Threat hunter, scifi geek, dance teacher. Opinions my own.
Posts Media Videos Starter Packs
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 4h
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
You can also check us out here:
www.knostic.ai/ai-coding-se...
Securing AI Coding Assistants | Kirin
Protect AI coding workflows with Kirin. Real-time firewall, governance, and data protection for secure development.
www.knostic.ai
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
And, if you read this far:
Would you like me to show you a demo of how we defend AI coding agents at Knostic? Message me!
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
From this attack we learn it’s not just about security lagging behind: the AI field moves so quickly that brand-new features become core in days to weeks, which makes it difficult for defense to keep up, and for attackers?

Velocity itself is now an exploit discovery path
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
Developers and AI coding agents/IDEs represent a major risk and you should definitely pay attention

Just yesterday I wrote on how VS Code extensions propagated like a worm, and just before that I shared about five new Cursor vulnerabilities
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
Check out Josh’s blog and demo video here:
securetrajectories.substack.com/p/claude-ski...
How We Hijacked a Claude Skill with an Invisible Sentence
A logic-based attack bypasses both the human eyeball test and the platform's own prompt guardrails, revealing a critical flaw in today's agent security model.
securetrajectories.substack.com
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
How the attack works:
- The technique: hide text that survives parsing
- Parsers don’t see “white-on-white”; they just emit tokens
- The agent treats those tokens as legitimate context and follows the rule
- Indirect prompt injection
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
What are these Skills you speak of?
Skills let you teach Claude repeatable procedures it can load on demand, callable, shareable, and composable
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
At Knostic, we dedicate much of our effort to defending the IDE and the Developer. Coding agents aren’t just productivity tools anymore. Actively exploited, they expanded the CI/CD security boundary to the IDE and challenge cyber defense as a new gateway to the network
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
The developer and IDE are under constant attack and exploited in the wild, much due to the incredible success of coding agents like Copilot, Claude Code, Cursor, and Windsurf
1 1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
Josh Devon pulled off a slick one. He hijacked the “Skills” capability with a classic technique, now applied to the latest tech: white-on-white font, in a PDF. Cool
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 6h
Another day, another attack on AI coding agents and IDEs: Claude Code’s Skills capability 🧅 securetrajectories.substack.com/p/claude-ski...
How We Hijacked a Claude Skill with an Invisible Sentence
A logic-based attack bypasses both the human eyeball test and the platform's own prompt guardrails, revealing a critical flaw in today's agent security model.
securetrajectories.substack.com
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Circa 2015. Thank you for Participating in security. Still true.
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Send me a message and I’ll be happy to show you how we stop these attacks cold, defending developers and AI coding agents.

You can also check us out here:
www.knostic.ai/ai-coding-se...

Wiz’s research blog: www.wiz.io/blog/supply-...
Securing AI Coding Assistants | Kirin
Protect AI coding workflows with Kirin. Real-time firewall, governance, and data protection for secure development.
www.knostic.ai
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Our software supply chain now includes extensions, MCP servers, and random rules or prompts.
When a publisher token leaks, attackers can silently push malware through an update. Dev boxes get compromised, pipelines get poisoned, production feels it.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Microsoft enabled blocking secret scanning on September 22, 2025 to stop new extensions with live secrets.
Open VSX added token prefixing (ovsxp_) to improve detection.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Wiz identified 550+ embedded secrets, exposing 67 secret types, AI API keys (OpenAI, Anthropic, Gemini), cloud credentials (AWS, GCP, Azure), and database tokens.
Attackers could use 100+ publisher tokens in the Microsoft Marketplace and 30+ in Open VSX to push malicious updates.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
An evolving attack surface
Our developers and AI coding agents now form an actively exploited attack surface. They stretch the CI/CD boundary and open direct paths into the network, which makes cyber defense harder.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Just the other day, we talked about this same issue when the GlassWorm self-propagating malware exploited VS Code extensions, first reported by Koi.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 1d
Another day, another blow to dev security. Wiz uncovered hundreds of VS Code extensions containing their own update credentials, ready to be used to exploit users, a snapshot of how fragile our developer infrastructure has become.

A thread.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 2d
By abusing compromised developer accounts, the malware uses a simple but effective technique that turns the IDE into a Trojan horse controlled by the attacker.

Knostic protects your developers and AI coding agents against attacks like this. To learn more, visit www.knostic.ai/ai-coding-se...
Securing AI Coding Assistants | Kirin
Protect AI coding workflows with Kirin. Real-time firewall, governance, and data protection for secure development.
www.knostic.ai
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 2d
The user is alerted instantly and advised to remove it, stopping the threat before it spreads.

GlassWorm, a new malware campaign discovered by Koi Security, spreads through the OpenVSX registry, which feeds both standard VS Code IDEs and AI coding assistants such as Cursor and Windsurf.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 2d
Developers targeted again — this time the malware spreads itself. See how we catch.

Knostic catches the GlassWorm VS Code malware the instant it lands. In the video below, see how Knostic detects a malicious VS Code extension, in this case GlassWorm, the moment it’s installed.
1
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 2d
And, if you like, message me and I’ll show you a demo of what we do at Knostic to protect your developers, and AI coding agents, against attacks such as these
gadievron.bsky.social
Gadi Evron @gadievron.bsky.social · 2d
Agentic tools made us faster but expanded our perimeter to the developer’s machine in the process.
Treat these as untrusted, fully privileged components in your environment
1