VIBE CODING SECURITY MONTHLY — JUN 13 - JUL 13, 2026
TEST YOUR APP NOW
Enter your deployed app URL to check for security vulnerabilities.
June ended with the Miasma worm proving that the AI coding agent’s own config files are attack surface. This month the supply chain story kept moving — and got a vocabulary. On July 9, Socket confirmed a compromise of @injectivelabs/sdk-ts, an npm package with ~50,000 weekly downloads, whose malicious release hooks wallet key-derivation functions and exfiltrates private keys and mnemonics through fake telemetry. Four days later, VentureBeat put a name on the AI-native variant of the same threat class: slopsquatting — attackers weaponizing the package names AI coding tools invent. And on the same day the term landed, the defense stack answered: Aptos Labs and Trail of Bits shipped rust-review, a Claude Code plugin for Rust security reviews, while GitLab and Google Cloud announced a fully managed DevSecOps platform built around Gemini and Gemma. The throughline of the month: the software supply chain has absorbed the AI era on both sides — AI output is now a delivery vector, and AI review is now a production defense.
TL;DR — The month in one paragraph
- Injective SDK compromised on npm, Jul 9. Socket detected a supply chain compromise in
@injectivelabs/sdk-ts(~50,000 weekly downloads, 87 npm dependents). The malicious release (v1.20.21) hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry. Socket’s technical breakdown confirms impact on direct installs plus 17 pinned scoped packages. - “Slopsquatting” enters the vocabulary, Jul 13. VentureBeat frames the successor to typosquatting: AI coding tools hallucinate or recommend package names, attackers publish malware under those names, and the assistant itself becomes the distribution channel.
- rust-review ships, Jul 13. Aptos Labs and Trail of Bits released a security-review plugin for Rust (a Claude Code plugin) targeting exactly what the compiler does not catch: misused
unsafecode, silent overflows, nondeterminism. Shipped alongside a new Testing Handbook chapter. - AI SAST at scale. A ZeroPath case study describes Aptos Labs running AI-powered static analysis across 1M+ lines of Rust, reporting 8x faster vulnerability discovery and 20+ hours/week saved — vendor-reported numbers, directional, but a concrete data point that AI review is in production at L1-blockchain scale.
- GitLab + Google Cloud go managed, Jul 13. Google Open Source announced a fully managed DevSecOps platform pairing GitLab with Gemini and Gemma models, pitched at enterprises that want AI-integrated security with data control and compliance intact.
- The culture layer kept score. The month’s highest-engagement post was a one-liner — “The purpose of the C programming language is to expose memory safety vulnerabilities” — at 5,988 likes and 173k views, while a thread from Inference Labs on attackers targeting AI tooling and development pipelines drew 185 replies on the “secure by design from day one” principle.
What happened to the Injective SDK on npm?
On July 9, Socket reported a software supply chain compromise in @injectivelabs/sdk-ts — the TypeScript SDK for the Injective blockchain, at roughly 50,000 weekly downloads with 87 npm dependents. The malicious release, v1.20.21, does something more surgical than the usual credential-stealer: it hooks the SDK’s own wallet key-derivation functions, records private keys and mnemonics as they are generated or used, and exfiltrates them disguised as telemetry traffic. Socket’s full writeup confirms the blast radius includes direct installs plus 17 pinned scoped packages that carry the compromised version.
Two details make this a vibe-coding story and not just a crypto story. First, the exfiltration channel: fake telemetry is designed to survive exactly the kind of casual review that AI-generated and AI-assisted projects get — an outbound analytics call is the most plausible-looking line of code in any modern SDK. Second, the target selection: an SDK that sits in the key-derivation path is the supply chain equivalent of the Miasma campaign’s agent-config files — code that runs with maximum trust at exactly the moment the most valuable secret exists in memory. June’s waves hit RedHat and Microsoft namespaces; July’s hit a wallet SDK. The pattern — trusted namespace, poisoned release, install-time or runtime harvest — is now monthly cadence, not news.
What to do: if anything in your dependency tree touches @injectivelabs/sdk-ts, treat every key and mnemonic that passed through an affected install as compromised and rotate. More generally: pin versions, put an install cooldown on critical dependencies (block versions younger than 48–72h), and use an SCA layer that flags behavioral changes — a wallet SDK that suddenly grows telemetry is a behavioral diff, not a CVE, and version-number scanning will never catch it.
Why does “slopsquatting” getting a name matter?
On July 13, VentureBeat published “Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools.” The mechanic it names: AI coding assistants hallucinate plausible-looking package names or recommend marginal ones, attackers observe which names models repeatedly invent, and publish malware under exactly those names. Typosquatting exploited human fingers; slopsquatting exploits model output — and the developer most likely to npm install an unvetted suggestion is precisely the vibe coder who let the assistant pick the dependency in the first place.
Names matter operationally. “Typosquatting” took years to travel from research curiosity to a default check in registries and SCA tools; a term is what lets a threat get a detection rule, a policy line, and a budget. The concept itself is not new — package hallucination research predates the label, and it is the exact risk our package hallucination scanner exists for — but July 2026 is the month the AI-native supply chain threat became nameable in a security review. It also closes a loop with the month’s other signal: the Inference Labs thread from June 23 (241 likes, 185 replies) arguing that attackers now target AI tooling, development pipelines, and software supply chains as primary infrastructure. Slopsquatting is that thesis reduced to a single word: the AI tool is not adjacent to the supply chain — it is a supply chain node.
What to do: treat AI-suggested dependencies as untrusted input. Gate them the way you gate AI-generated code: verify the package exists, check its age, publisher, and download history before first install, and run a hallucination check on manifests in CI. A package that was first published days ago and matches a name an LLM plausibly invents is a red flag regardless of how clean its README looks.
What does the rust-review launch signal about AI-assisted defense?
The same day the slopsquatting piece ran, the defense side shipped. Aptos Labs announced rust-review, a security-review plugin for Rust built by their security team with Paweł Płatek of Trail of Bits — released as a Claude Code plugin, alongside a new chapter of the Trail of Bits Testing Handbook. The pitch is precise about its lane: Rust’s compiler gives you memory safety, but it will not flag misused unsafe code, silent overflows, or nondeterminism. rust-review targets the gap between the language’s guarantees and the bugs that actually ship.
The context that makes this more than a tool announcement is the ZeroPath case study on the same organization: Aptos Labs running AI-powered static analysis across 1M+ lines of Rust, reporting 8x faster vulnerability discovery and 20+ hours per week saved. Those are vendor-published numbers from a case study — directional, not audited — but the shape of the claim is the story: a security team at an L1 blockchain, one of the highest-stakes codebases there is, is putting AI review into the production path and co-shipping tooling with a firm of Trail of Bits’ reputation. Note the symmetry: the month’s emerging attack (slopsquatting) and its most credible new defense (rust-review) both run through the same interface — an AI coding agent. The agent is the vulnerability injector and the reviewer now.
And the culture already knew. The month’s loudest post was @schteppe’s “The purpose of the C programming language is to expose memory safety vulnerabilities” — 5,988 likes, 173k views — with the obligatory sarcastic rejoinder (“memory safety is not a real problem, you just have to program good \s”) trailing it. Memes are not data, but 173k views on a memory-safety one-liner is a decent proxy for where developer consensus sits: the language-level argument is over, and the fight has moved to what the compiler cannot see.
What to do: if you run Rust, pilot rust-review on your unsafe blocks — that is the exact surface it was built for, and it slots into a Claude Code workflow you may already have. More broadly, add an AI-review gate to the same pipeline that your AI code generation feeds: the SAST tools that understand AI code are no longer speculative, and the teams shipping them are publishing their scaling numbers.
What does GitLab + Google Cloud’s managed DevSecOps platform change?
Also on July 13, Google Open Source announced that GitLab and Google Cloud are delivering a fully managed DevSecOps platform: enterprises get the GitLab pipeline with Gemini and Gemma models integrated, while — per the announcement’s framing — keeping “strict control over data and compliance.” It is the month’s platform-maturity marker: AI-integrated security is no longer a bolt-on scanner or a beta assistant, it is a managed enterprise product category with two major vendors’ names on it.
The security read cuts both ways. For the buy side, this is genuinely useful: most organizations doing vibe-speed development have no dedicated AppSec function, and a managed platform with security in the default path raises their floor. That squares with the month’s talent signal — a widely shared career-paths post (104 likes) put DevSecOps Engineer and Application Security Engineer at the center of the cybersecurity job map, and demand for those roles is precisely why “managed” is the pitch. But the concentration risk is real too: a managed DevSecOps platform with integrated AI models is itself the kind of high-trust, high-privilege supply chain node this month’s incidents teach you to worry about. Eric Wright’s reflection on why “DevSecOps” needed the Sec spelled out — “because we didn’t put Sec into DevOps” — is the historical warning label: security you outsource to a platform default is security you stopped thinking about.
What to do: if you evaluate the GitLab/Google offering (or any managed DevSecOps product), scope it like infrastructure, not like a tool: where do the models run, what code and secrets do they see, what happens to pipeline security when the platform itself has an incident. The vendor’s compliance story is the start of the assessment, not the conclusion.
The month’s smaller stories
- The AppSec-is-doomed take, again. msuiche argued the contrarian line in a thread about frontier-model codegen bugs: “there will be a near future where models write code with no bugs so appsec will die.” It is a minority position — and this month’s dataset is its own rebuttal: the same 30 days produced a new AI-driven attack class (slopsquatting) and a new AI-driven review tool (rust-review). The equilibrium is not fewer bugs, it is a faster loop on both sides.
- The supply chain checklist got a pipeline-shaped update. Umer Alvi’s widely-echoed point: supply chain attacks are no longer about vulnerable libraries — they target CI/CD pipelines, GitHub Actions, and secrets, so workflow-file review, dependency-update audits, and outbound-connection monitoring are baseline now. Veracode’s best-practices guidance — visibility, continuous monitoring, dependency management, secure CI/CD, risk-based remediation — made the rounds via @anthony_barkley as the checklist version of the same shift.
- Secure-by-design found its audience. The Inference Labs thread (Jun 23) on attackers targeting AI tooling and pipelines pulled 185 replies — unusual engagement depth for an AppSec post, and a sign the “AI infrastructure is operational infrastructure” framing is landing outside the security bubble.
Why this month’s stories rhyme
June’s weeklies ended on the agent’s config files as attack surface. This month widened the lens: the whole AI-assisted development loop is now a supply chain, and every node in it got a story.
- The trusted package fell. Injective’s SDK carried a wallet-key harvester to ~50k weekly downloads through the most trusted channel there is:
npm installof a name everyone already depended on. - The AI suggestion became a vector. Slopsquatting names the case where the package was never trustworthy — the assistant invented it, and an attacker was waiting.
- The defense moved into the same loop. rust-review and production AI SAST put the reviewer inside the coding agent; GitLab and Google Cloud put security inside the managed pipeline. Defense is colocating with the threat.
- The culture already priced it in. A memory-safety one-liner outdrew every technical post 25-to-1. Developers know where the bugs live; the open question of the month is whether review — human or AI — moves as fast as generation.
The settled fact of the month: “supply chain security” and “AI coding security” stopped being separate categories. The attacker’s entry points and the defender’s tooling now run through the same agents, the same registries, and the same pipelines.
Manual checklist — 10 things to verify yourself
- Audit your tree for
@injectivelabs/sdk-ts(and its 17 pinned scoped packages). If v1.20.21 was ever installed, rotate every private key and mnemonic that machine could reach — the payload harvested them at derivation time. - Diff the outbound behavior of your critical dependencies, not just their versions. The Injective payload hid in fake telemetry. An SDK that grows a new outbound endpoint is a finding even when no CVE exists.
- Enable an install cooldown (48–72h) on production dependency updates. Every compromise in this month’s and last month’s data had a window measured in hours to days; a cooldown outlives most of them.
- Run a hallucination check on every AI-suggested dependency before first install. Verify registry age, publisher history, and download curve. Days-old package + plausible LLM-shaped name = slopsquatting profile.
- Treat AI-suggested packages as untrusted input in policy, not just in habit. Write it into the review gate: new dependencies proposed by an assistant need the same approval as new vendor code.
- Review your CI/CD workflow files and GitHub Actions permissions this week. The pipeline, not the library, is the modern target — check for over-scoped tokens, unpinned actions, and secrets reachable from PR-triggered workflows.
- If you run Rust, inventory your
unsafeblocks and pilot rust-review against them. That is the surface the compiler does not cover and the tool was built for. - If you adopt AI SAST, demand your own baseline before trusting vendor multipliers. “8x faster discovery” is a case-study number; measure detection and false-positive rates on your codebase first.
- Scope any managed DevSecOps platform as a high-privilege supply chain node. Document what code, secrets, and build artifacts the platform’s AI models can see, and what your blast radius is if the platform itself is compromised.
- Assign explicit ownership for AI-coding-tool risk. The career-path demand signal is real because the gap is real: someone on the team must own “what our agents install, read, and execute” as a standing responsibility, not a side quest.
Related coverage
- Vibe Coding Security Weekly — June 8, 2026 — Sophos catches Cursor+Claude building malware, Miasma plants agent-config payloads in 73 Microsoft repos, RedHat npm falls
- Vibe Coding Security Weekly — June 1, 2026 — OX’s 62%, the Moltbook reference breach, GitHub weighs PR controls
- Package Hallucination Scanner — the free tool for exactly the slopsquatting risk this month named
- Your CLAUDE.md Is Attack Surface — the agent-side threat model that this month’s supply chain stories extend
- SAST Tools for AI-Generated Code — where rust-review and AI-powered SAST fit in a vibe coding pipeline
- The Integration Layer Is the Real Security Gap — why install-time and pipeline-time is where these attacks land
- Poisoned CI and DevOps Leaks — the pattern behind the CI/CD-as-target shift
- 2026 AI Coding Security Report — the year-scale numbers behind this month’s incidents
Sources
- Socket — Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics — July 2026; announcement post, July 9, 2026
- VentureBeat — Forget typosquatting; slopsquatting is the software supply chain threat created by AI coding tools — July 13, 2026
- Trail of Bits — Rust-proof your code with our new Testing Handbook chapter — July 13, 2026; Aptos Labs rust-review announcement
- ZeroPath — How Aptos Labs Scales Application Security Across 1M+ Lines of Rust with AI-Powered SAST — 2026 (vendor case study)
- Google Open Source — GitLab + Google Cloud managed DevSecOps announcement — July 13, 2026
- Veracode — Top Software Supply Chain Security Best Practices — referenced July 2026
- Community posts cited inline: @schteppe, @inference_labs, @ualvi27, @anthony_barkley, @msuiche, @discoposse, @Ahmed___khaan, @maomao_2325
This digest is compiled from a curated set of 12 public X posts (June 13 – July 13, 2026) cross-referenced against official vendor sources — a high-signal sample, not an exhaustive scrape. Engagement figures are point-in-time snapshots. The ZeroPath performance numbers (8x discovery, 20+ hours/week) are vendor case-study claims and should be read as directional. “Slopsquatting” is an emerging term whose usage may evolve. VibeEval is not affiliated with Socket, Injective Labs, Trail of Bits, Aptos Labs, ZeroPath, VentureBeat, GitLab, Google, Veracode, or any other organization cited. Questions? Contact our team.
STOP GUESSING. SCAN YOUR APP.
Join the founders who shipped secure instead of shipped exposed. 14-day trial, no card.