10,000 cloned repos weaponize GitHub's trust signals while MCP ships a real identity layer for agents. Provenance is the whole game now.
Two stories this week share one root: trust is a data structure, and we're letting it rot. Ten thousand cloned repos turned GitHub's own credibility signals into a weapon — right as the agent ecosystem finally shipped a serious identity layer. Provenance is the whole game now.
A developer scanning GitHub found 10,000 repositories distributing Trojan malware — about 25% of the 40,000 his script flagged. Each README links to a zip holding four files: a .cmd launcher, a loader.exe (or a renamed luajit.exe), a randomly-named .cso/.txt blob, and lua51.dll. The LuaJIT runtime executes the obfuscated blob, pulling down SmartLoader and StealC. Submit the README link to VirusTotal and it comes back clean; only the archive itself trips detection — so a quick scan reassures the careless.
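The README-link-versus-archive gap is the practical lesson: a URL scan says nothing about what the zip holds, so the check has to open the archive. Below is an added example (not the researcher's script and not any real scanner's code) that fingerprints a zip member list for the four-role layout just described: a .cmd launcher, a loader executable (loader.exe or a renamed luajit.exe), the lua51.dll runtime, and a randomly named .cso/.txt payload blob. The member names in the constructed sample archives are assumptions for illustration.

```python
"""Flag zip archives whose member list matches the four-file LuaJIT loader layout.

Added example, not the researcher's script or any real scanner. It builds
constructed archives in memory and classifies members by role; the name
patterns below are assumptions drawn from the description in the text.
"""
import io
import re
import zipfile

# Member-name patterns for each role in the loader layout (assumptions).
LAUNCHER = re.compile(r".*\.cmd$", re.I)
LOADER = re.compile(r".*(loader|luajit)\.exe$", re.I)
RUNTIME = re.compile(r".*lua51\.dll$", re.I)
PAYLOAD = re.compile(r".*\.(cso|txt)$", re.I)


def classify_members(names):
    """Map each role to the archive members that match it (basename only)."""
    roles = {"launcher": [], "loader": [], "runtime": [], "payload": []}
    for n in names:
        base = n.rsplit("/", 1)[-1]
        if LAUNCHER.match(base):
            roles["launcher"].append(n)
        elif LOADER.match(base):
            roles["loader"].append(n)
        elif RUNTIME.match(base):
            roles["runtime"].append(n)
        elif PAYLOAD.match(base):
            roles["payload"].append(n)
    return roles


def looks_like_luajit_loader(zip_bytes):
    """Return (verdict, roles); verdict is True only when all four roles are present."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    roles = classify_members(names)
    verdict = all(roles[r] for r in ("launcher", "loader", "runtime", "payload"))
    return verdict, roles


def build_archive(members):
    """Construct an in-memory zip with placeholder contents (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: one mimicking the described layout, one benign.
SUSPICIOUS = build_archive(["Launcher.cmd", "loader.exe", "q8f2k1.cso", "lua51.dll"])
BENIGN = build_archive(["README.txt", "src/main.lua", "LICENSE"])

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        verdict, roles = looks_like_luajit_loader(blob)
        print(label, "->", "FLAG" if verdict else "ok", roles)
```

A single .txt or .cmd in an archive is unremarkable; the heuristic fires only on the full combination, which is what keeps it useful as a pre-download gate for an agent or a CI job rather than a source of noise.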
The clever part isn't the malware. It's the camouflage. Each malicious repo is a clone of a real project — every commit, every contributor, the full history copied over. To a human skimming, and to an agent scraping for examples, it reads as established and trustworthy. The operators clone new (not popular) projects to rank for low-competition search terms, inject them into popular tags for discoverability, and re-push README commits every few hours — all named "Update README.md" — to stay under GitHub's detection heuristics.
This is the supply-chain attack reframed for the agent era. Your coding agent doesn't read commit history with suspicion — it treats a populated repo as signal. We spent a decade teaching developers that stars and contributor graphs mean trust. This campaign monetizes exactly that reflex. And GitHub's response stays reactive: it removed only the repos on the researcher's submitted list, and a re-run of his script immediately surfaced fresh ones still live. A February 2025 Reddit warning and an April scan that found 109 such repos show how long this has compounded — from ~100 to 10,000 in roughly two months.
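The camouflage has a shape that metadata alone can catch, even before anything is downloaded: a copied history authored by other people, a burst of near-identical "Update README.md" commits a few hours apart from a fresh account, and a README that points at an external archive. The added example below (not GitHub's heuristics and not the researcher's script) scores a repository on those three signals over a constructed commit log. Thresholds, field layout, the sample data and the assumption that the operator's own account authors the README churn are all illustrative choices, not facts from the page.

```python
"""Score repository metadata for the cloned-repo lure pattern described above.

Added example, not GitHub's detection logic or the researcher's script.
Input is a constructed commit log of (timestamp, author, message) tuples plus
README text; thresholds and sample data are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta
from statistics import median

ARCHIVE_LINK = re.compile(r"https?://\S+\.(zip|rar|7z)\b", re.I)
README_MSG = "update readme.md"


def readme_churn(commits, window=timedelta(days=3), min_count=6, max_gap=timedelta(hours=6)):
    """Flag a recent burst of README-only commits pushed at short intervals."""
    ordered = sorted(commits)
    if not ordered:
        return False, {}
    newest = ordered[-1][0]
    recent = [c for c in ordered if newest - c[0] <= window]
    readme = [c for c in recent if c[2].strip().lower() == README_MSG]
    gaps = [b[0] - a[0] for a, b in zip(readme, readme[1:])]
    details = {
        "recent": len(recent),
        "readme_only": len(readme),
        "median_gap_h": (median(gaps).total_seconds() / 3600) if gaps else None,
    }
    flag = (len(readme) >= min_count
            and len(readme) / len(recent) >= 0.8
            and bool(gaps) and median(gaps) <= max_gap)
    return flag, details


def history_mismatch(commits, window=timedelta(days=3)):
    """True when all recent activity comes from authors absent from the older history
    (copied history plus a new operator account). Assumption, see lead-in."""
    ordered = sorted(commits)
    newest = ordered[-1][0]
    recent_authors = {c[1] for c in ordered if newest - c[0] <= window}
    older_authors = {c[1] for c in ordered if newest - c[0] > window}
    return bool(older_authors) and recent_authors.isdisjoint(older_authors)


def readme_archive_links(readme_text):
    """External archive downloads referenced from the README."""
    return [m.group(0) for m in ARCHIVE_LINK.finditer(readme_text)]


def score_repo(commits, readme_text):
    """Combine the three signals; score 3 means every heuristic fired."""
    churn, details = readme_churn(commits)
    links = readme_archive_links(readme_text)
    mismatch = history_mismatch(commits)
    return {"score": sum([churn, bool(links), mismatch]), "churn": churn,
            "links": links, "history_mismatch": mismatch, **details}


# Constructed fixtures: twelve old commits by three developers (the cloned history),
# then either eight README-only pushes every four hours from a new account (lure)
# or ordinary maintenance by the original authors (clean).
_T0 = datetime(2025, 4, 20, 12, 0)
CLONED_HISTORY = [(_T0 - timedelta(days=30 + i), f"dev{i % 3}", f"feat: module {i}") for i in range(12)]
LURE_COMMITS = CLONED_HISTORY + [(_T0 + timedelta(hours=4 * i), "fresh-account", "Update README.md")
                                 for i in range(8)]
LURE_README = "## Download\nGet the build here: https://example.invalid/files/release_v2.zip and run it."
CLEAN_COMMITS = CLONED_HISTORY + [(_T0, "dev1", "Update README.md"),
                                  (_T0 + timedelta(days=1), "dev2", "fix: typo")]
CLEAN_README = "## Install\npip install example-project"

if __name__ == "__main__":
    print("lure :", score_repo(LURE_COMMITS, LURE_README))
    print("clean:", score_repo(CLEAN_COMMITS, CLEAN_README))
```

None of these signals is proof on its own (a solo maintainer can legitimately edit a README three times in a day), but together they describe exactly the behaviour the campaign relies on, and an agent that scores a candidate repo before trusting its contributor graph is no longer treating that graph as truth.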
The Model Context Protocol shipped Enterprise Managed Authorization (EMA) as a stable extension this week (originating from SEP-990). It's the least flashy and most consequential MCP change of the year, because it fixes the thing quietly throttling adoption: the per-server authorization tax.
Standard MCP auth is user-scoped and interactive. Every employee authorizes every server individually — connect Linear, then Asana, then Figma, each with its own consent screen. At scale that friction means "most of them stay switched off," and security teams get no central policy and no audit trail. Worse, nothing stops someone wiring a personal account into a work tool.
EMA makes your identity provider the decision-maker. Admins set policy once; the IdP grants or denies based on group, role, and conditional-access rules. The mechanism is a token exchange built on Okta's Cross App Access (XAA) and the IETF ID-JAG (Identity Assertion JWT Authorization Grant) draft. During SSO, the client gets an ID-JAG from the IdP, then trades it for a server access token — no per-server redirect, no consent click.
The server validates the assertion against the IdP, checks the user's group membership, and returns a scoped token. Authorize once, inherit everywhere.
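To make the exchange concrete, here is an added example that simulates the three parties: the IdP mints an ID-JAG after SSO, the client hands it to the server, and the server validates it, applies group policy, and returns a scoped token. This is not the MCP reference implementation, Okta's XAA code, or the ID-JAG draft's exact wire format. Assumptions: HS256 with a shared demo key (real deployments verify asymmetric signatures against the IdP's published keys), the claim names used, the example hostnames, and the group-to-scope policy table.

```python
"""Simulate the EMA flow: IdP issues an ID-JAG, server returns a scoped token.

Added example, not the MCP, Okta XAA or ID-JAG draft implementation.
Assumptions: HS256 with shared demo keys, the claim names below, example
hostnames, and an admin-defined group-to-scope policy.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-idp-signing-key"      # demo symmetric key (real: IdP JWKS, RS256)
SERVER_KEY = b"constructed-server-token-key"  # key the server signs its own tokens with
ISSUER = "https://idp.example.invalid"
SERVER_AUD = "https://mcp.example.invalid"
CLIENT_ID = "coding-agent"

# Policy set once by the admin: group -> scopes granted on this server (assumption).
POLICY = {
    "engineering": ["issues:read", "issues:write"],
    "contractors": ["issues:read"],
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder (demo only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check signature and expiry; raise ValueError on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def idp_issue_jag(user: str, groups: list, client: str = CLIENT_ID, ttl: int = 300) -> str:
    """IdP side: after SSO, mint an identity assertion bound to this client and server."""
    now = int(time.time())
    return sign_jwt({
        "iss": ISSUER, "sub": user, "aud": SERVER_AUD, "client_id": client,
        "groups": groups, "iat": now, "exp": now + ttl,
    }, IDP_KEY)


def server_exchange(jag: str) -> dict:
    """Server side: validate the assertion, apply group policy, return a scoped token."""
    claims = verify_jwt(jag, IDP_KEY)  # in practice: fetch the IdP's JWKS and verify RS256
    if claims.get("iss") != ISSUER or claims.get("aud") != SERVER_AUD:
        raise PermissionError("assertion not issued by our IdP for this server")
    scopes = sorted({s for g in claims.get("groups", []) for s in POLICY.get(g, [])})
    if not scopes:
        raise PermissionError(f"{claims['sub']} is in no authorized group")
    now = int(time.time())
    access = sign_jwt({"iss": SERVER_AUD, "sub": claims["sub"], "scope": " ".join(scopes),
                       "client_id": claims["client_id"], "iat": now, "exp": now + 3600}, SERVER_KEY)
    return {"access_token": access, "scope": scopes, "sub": claims["sub"]}


def authorize_once(user: str, groups: list) -> dict:
    """Full flow: SSO -> ID-JAG -> server token, with no per-server consent step."""
    return server_exchange(idp_issue_jag(user, groups))


def audit_line(result: dict) -> str:
    """What a central audit log can record now that the IdP is the decision point."""
    return (f"grant sub={result['sub']} client={CLIENT_ID} "
            f"server={SERVER_AUD} scope={' '.join(result['scope'])}")


if __name__ == "__main__":
    print(audit_line(authorize_once("alice@example.invalid", ["engineering"])))
    try:
        authorize_once("mallory@example.invalid", ["marketing"])
    except PermissionError as e:
        print("denied:", e)
```

The issuer and audience checks are what close the "personal account wired into a work tool" hole: an assertion from any IdP other than the corporate one, or one minted for a different server, is rejected before policy is even consulted. The audit line shows the other payoff: because grants originate at one decision point, who got what scope on which server is recordable centrally rather than scattered across seven consent screens.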
What makes this real rather than a spec doc: the launch partners. Okta is the first IdP. Anthropic (Claude, Claude Code, Cowork) and VS Code are clients. Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase are live servers, with Slack adding support.
The architectural lesson is one we keep relearning: agents don't get adopted on capability, they get adopted on integration friction. A coding agent that can touch seven internal systems through one corporate login is categorically more useful than one that needs seven OAuth dances per developer per laptop. The capability was already there. The auth layer was the bottleneck — and identity, audit, and least-privilege are exactly what a security team needs before it greenlights agents touching production systems. EMA is plumbing, and plumbing is what turns demos into deployments.
But notice the gap. EMA solves who the user is — strong, centralized, auditable identity for the human (or service) driving the agent. It does nothing for what the content is: the provenance of the repo your agent clones, the package it installs, the README it follows. This week's two big stories are the two halves of the same problem. We're getting rigorous about authenticating the operator and staying credulous about the artifacts. The malware campaign works precisely because content provenance has no IdP — no group claim, no conditional-access rule, just stars and a commit graph an agent reads as truth.
ponytail — A drop-in prompt/config that makes your coding agent "think like the laziest senior dev in the room," biasing toward the smallest change that works over speculative abstraction. It rocketed to ~38,000 stars this week, which says more about how much over-engineering agents do by default than about the code. github.com/DietrichGebert/ponytail
omnigent — An open-source agent framework and meta-harness that orchestrates Claude Code, Codex, and Cursor under one interface (~3,900 stars). The "harness over a harness" pattern is becoming its own category as teams refuse to bet on a single agent vendor. github.com/omnigent-ai/omnigent
lazycodex — An agent harness aimed at large, messy codebases, with persistent project memory plus planning-and-execution loops (~1,300 stars). It's a direct bet that the bottleneck for agents on real repos is context and memory, not raw model quality. github.com/code-yeongyu/lazycodex
The through-line this week is provenance. We built an agent ecosystem on top of trust signals — stars, commit graphs, "this server is connected" — that were never designed to survive adversaries or scale. EMA is what maturing looks like: boring, centralized, auditable identity. The 10k-repo campaign is what not maturing looks like: trust inferred from appearances an agent can't question. Bet on the boring plumbing. The flashy demo is not the moat — the identity layer underneath it is.
— Aaron, from the terminal. See you next Friday.