GhostApproval: AI coding assistants approve malicious actions without showing users what they approved

etcd 3.7 lands with streaming ranges, Cloudflare bets on global consensus, and a disgruntled OpenMandriva contributor reminded everyone why least-privilege still matters.

// SECURITY FOCUS

GhostApproval: AI coding assistants approve malicious actions without showing users what they approved

The attack targets the gap between what an AI assistant shows the human and what it actually executes – the human approves a summary, not the full action. Teams running Copilot, Cursor, or similar tools in repos with CI/CD write access are the exposed surface; the breakage shows up as unexpected commits or pipeline runs, not as an obvious security alert.

What to do: Audit what write permissions your AI coding assistant tokens hold today, and scope them to the minimum branch/repo needed.

  1. Announcing etcd v3.7.0 — etcd · Jul 8
    SIG etcd released v3.7.0, the biggest change being RangeStream: instead of buffering an entire large result set before sending, the server now streams it in chunks, reducing latency and making memory usage more predictable – available to Kubernetes users in the upcoming v1.37 via the EtcdRangeStream feature gate. Kubernetes control-plane operators should also see a meaningful drop in etcd CPU usage, driven partly by a keys-only range optimization that reads solely from the in-memory index rather than hitting bbolt for every request, and by protobuf library replacements (github.com/golang/protobuf and gogo/protobuf swapped for google.golang.org/protobuf) that shave additional CPU overhead. The server now boots entirely from v3store, completing a multi-release effort to retire the legacy v2 store – though v2 snapshot generation and –snapshot-count stick around one more cycle and will be removed in v3.8. Before upgrading, read the upgrade guide: all –experimental-* flags are gone (migrate to feature gates), architecture-specific container images are gone (multiarch only), and non-blocking client creation behavior has changed. The release ships with bbolt v1.5.1 and raft v3.7.0, and golang.org/x/crypto was bumped to v0.52.0 for a CVE fix.
  2. Cloudflare Meerkat: a global consensus service built on QuePaxa — Cloudflare Blog · Jul 8
    Cloudflare’s Research team has spent the past year building Meerkat, an internal consensus service running atop QuePaxa – a leaderless consensus algorithm published by EPFL researchers in 2023. The motivation is practical: Raft-based systems, which rely on a single leader and timeouts, have caused multiple availability incidents across Cloudflare’s 330+ global data centers, where unpredictable wide-area latencies make timeout tuning unreliable. QuePaxa lets all replicas accept writes simultaneously and never stalls waiting for a leader election, which maps better to Cloudflare’s network reality. Meerkat exposes a consensus log on which applications – starting with a linearizable key-value store and a leasing system – are layered, and tolerates up to f failures in a 2f+1 replica cluster without losing write availability. It’s still experimental and internal-only for now, with Cloudflare claiming this will be the first production deployment of QuePaxa at global scale – a claim worth watching as they publish follow-up posts.
  3. OpenMandriva GitHub disrupted by disgruntled contributor with admin credentials — LWN.net · Jul 8
    A departing OpenMandriva contributor used retained admin access to delete repo content and push an empty package set designed to obsolete all GNOME and COSMIC packages – a clean case study in why offboarding credential revocation needs to happen before, not after, the difficult conversation.
  4. Rewriting Bun in Rust: how Jarred Sumner used agentic engineering to migrate from Zig — Simon Willison · Jul 8
    Jarred Sumner rewrote Bun from Zig to Rust in roughly 11 days using an agentic workflow powered by Claude, and the result has been running in production inside Claude Code since June 17th. The motivation was memory safety: a large portion of Bun’s bug backlog was use-after-free, double-free, and missed-free errors that safe Rust’s borrow checker and Drop-based cleanup turn into compile-time failures. The enabling factor wasn’t the agent alone – it was that Bun’s existing TypeScript test suite could serve as a conformance harness, letting the agent loop run, fail, and self-correct without human intervention on every iteration. Review strategy for a +1 million line PR relied on adversarial automated code review and fixing the code-generation process rather than patching individual outputs by hand. The pre-merge run consumed 5.9 billion uncached input tokens and 690 million output tokens, estimated at $165,000 at API pricing – a bill Sumner notes is easier to absorb when you work at Anthropic. Startup time on Linux improved 10%; otherwise the migration was invisible to users, which Sumner treats as the success condition.
  5. Eric Biggers on modernizing the Linux kernel cryptography API — LWN.net · Jul 8
    At Linux Security Summit NA, Biggers walked through how the old kernel crypto API forces developers into fragile callback chains and showed the new library API that lets code call crypto functions directly – relevant for anyone writing kernel modules that touch crypto today.

// In other news

ai

  • Separating signal from noise in coding evaluations (OpenAI Blog) · Jul 8 — OpenAI’s own analysis found reliability and accuracy problems in SWE-Bench Pro, worth reading before citing benchmark numbers in any model comparison.
  • Quoting Kenton Varda (Simon Willison) · Jul 8 — Cloudflare’s Kenton Varda declared a moratorium on AI-written PR and commit descriptions – a concrete policy decision with immediate implications for teams debating where to draw the line on AI-generated artifacts.
  • Native-speed vLLM transformers modeling backend (Hugging Face Blog) · Jul 8 — HuggingFace’s native-speed vLLM transformers backend lands as an alternative inference path worth benchmarking if you’re currently running transformers-based serving.
  • Why AI Infrastructure must evolve for Agent Experience — Akshat Bubna, Modal CTO (Latent Space) · Jul 8 — Modal CTO Akshat Bubna argues agent workloads need a different infrastructure contract than human-interactive ones – cold-start latency, billing granularity, and isolation all change when the caller is an agent loop rather than a person.

cloud

culture

  • Experiences with local models for coding (Martin Fowler) · Jul 8 — Hands-on assessment of local models for coding from a Martin Fowler contributor – covers which tasks held up and where the gap versus hosted models remains practically significant.
  • If anyone can vibe code a product, who needs developers? (LeadDev) · Jul 7 — LeadDev asks what developer value looks like when prototyping is no longer a differentiator – more grounded than the usual takes, focusing on review, judgment, and ownership rather than raw construction.

dev

  • Node.js 26.5.0 (Current) (Node.js Blog) · Jul 8 — Node.js 26.5.0 is out on the Current release line – review the changelog for any breaking changes before updating CI pipelines pinned to the 26.x track.

iac

k8s

  • Announcing etcd v3.7.0 (Kubernetes Blog) · Jul 8 — etcd v3.7.0 is released by SIG etcd – any Kubernetes cluster operator should review the changelog before planning their next control-plane upgrade.
  • Save the Address, Save the Cloud (KubeVirt VM Migration Story) (Tigera Calico) · Jul 8 — Tigera walks through the networking challenges of live-migrating KubeVirt VMs in Calico-managed clusters, specifically IP address persistence across nodes – useful if you’re mixing VMs and containers on the same cluster.
  • Why sandboxing your agent is not enough (CNCF Blog) · Jul 7 — CNCF post argues that sandboxing alone doesn’t contain agentic AI risk and walks through the additional network, RBAC, and policy controls that need to accompany it.

linux

obs

sec

  • Felons, Fraudsters Flog Offensive Cybersecurity Startup (Krebs on Security) · Jul 8 — Krebs identifies a zero-day acquisition startup whose principals are convicted felons with far-right conspiracy ties – relevant due diligence reading before any researcher considers selling to them.
  • Mutation testing comes to DAML (Trail of Bits) · Jul 8 — Trail of Bits extended their Mewt mutation-testing engine to DAML smart contracts, surfacing test-suite gaps that standard coverage metrics miss – technical writeup with concrete examples.
  • The CISO’s guide to post-quantum mandates and migrations (AWS Security) · Jul 8 — AWS’s PQC migration guide acknowledges that the hard part isn’t the algorithm swap but finding all the places classical crypto is embedded in your stack – useful checklist framing even if you’re not on AWS.
  • Cybersecurity and the Gap Between Skill and Ability (Schneier on Security) · Jul 8 — Schneier riffs on a Five Eyes joint advisory, distinguishing between security knowledge and operational capacity to act – the gap he describes is the reason patching cadences slip despite teams knowing better.

web

Revoke before you resign. See you tomorrow.

Leave a comment