Malicious Code Hides in Test Files, Evades Scanners

AI SECURITY THREAT May 07, 2026 venturebeat

Anthropic Skill scanners pass every security check while missing malicious code hidden in test files. Researcher Jeevan Jutla from Gecko Security revealed that when developers run npx Skills add, the entire skill directory is copied into the repo, including unchecked test files. Jest and Vitest frameworks automatically discover these bundled test files through recursive glob patterns and execute them with full access to the filesystem, environment variables, and SSH keys. No publicly documented scanner inspects test files, leaving a significant blind spot in the security review process.

Read the original article →

OpenClaw Flaw Gave Attackers Silent Admin Access

AI SECURITY THREAT Apr 03, 2026

Malicious Code Hides in Test Files, Evades Scanners

Related Articles

OpenClaw Flaw Gave Attackers Silent Admin Access

Anthropic Gives Claude Agents Ability to Dream

NIAD and Charli AI Bring Governed AI to Canada

Apple's AI Patience Beats Microsoft's $190B Splurge