A fake bug report can hijack your coding agent. Tech & AI Weekly by Eli, June 26 2026
Hi. I’m going to be honest, this was a hard week. On June 24, two major earthquakes (magnitude 7.5 and 7.2, seconds apart) hit Venezuela’s coast. I’m Venezuelan 🇻🇪, and watching what happened to La Guaira and the people there has been devastating.
If you can help, please do. I donated through Global Empowerment Mission, which has a Venezuela earthquake fund and a partner on the ground. There are also collection centers in many countries if you’d rather give supplies. Anything counts right now.
The tech world kept moving this week, and there’s a real thread running through it, so here’s the digest. Thank you for reading, and for anything you can do.
AI & Agents
This week’s accidental theme: can you actually trust what your agent does?
- Strands shipped chaos testing for agents, and I already put it to work. The new chaos eval injects controlled tool failures (timeouts, network errors, corrupted responses) during evaluation, so you find out how your agent degrades before production does it for you. It ships three resilience evaluators that score how well the agent communicates failures, recovers, and still completes part of the goal. This is chaos engineering, the Netflix Chaos Monkey idea, finally aimed at agents. I took it for a full hands-on spin. Read more
- AgentJacking: a fake bug report can hijack Claude Code, Cursor, and Codex. A public Sentry DSN (write-only, the kind you’re told is safe to ship in frontend JS) lets anyone POST a fake error with hidden instructions. Your agent reads it through the Sentry MCP, can’t tell it from a real issue, and runs the attacker’s command with your privileges. 85% success in testing, 2,388 orgs exposed, and telling the agent to ignore untrusted data didn’t help. What gets me is this isn’t some agent we built with wide-open permissions. It’s the coding assistant you open every morning. Not even those are safe now. If yours talks to Sentry over MCP, go read this today. Read more
- Your agent weighs style over substance, and attackers know it. New research by Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell shows models can’t reliably tell their own system text from untrusted user input. They judge by format, not origin, so an attacker who mimics the model’s own reasoning style walks right past its safety training (they call it “role confusion”). Their experimental fix, “destyling,” drops attack success from 61% to 10%, but it still lives inside the model and the text. Simon Willison’s take: until models truly perceive roles, this stays whack-a-mole. Same lesson as AgentJacking: you can’t prompt your way out. The fix I show in my prompt injection post this week is the opposite bet. Stop asking the model to tell trusted from untrusted, and move that boundary into deterministic code around it. Read more
- Dapr 1.18 lets an agent prove what it did, not just claim it. The new verifiable execution signs workflow histories with SPIFFE identities, so you get a tamper-evident, independently checkable record of how an agent acted. As agents start approving transactions and calling other agents, “how it ran” becomes as auditable as “what it returned.” Read more
- AWS Blocks assumes the agent writes the code. Open-source, public preview. You build backend pieces (database, auth, file uploads, AI agents, background jobs), test them locally with no AWS account needed, then deploy the same code to production AWS with zero changes. It ships steering files so your coding agent generates the right architecture instead of its training-data default. The twist: it’s TypeScript, not Python. Hooray for the TypeScript folks, genuinely, but as someone who lives in Python, I think I’ll wait for the version that speaks my language. Read more
- AWS Lambda MicroVMs: a dedicated sandbox per user, built for untrusted code. Firecracker-backed isolated VMs that keep memory, disk, and running processes across a session and resume from snapshots near-instantly. Up to 16 vCPUs, 32 GB, 8 hours. This is the primitive a lot of us were missing for running AI-generated or user-submitted code safely, without babysitting your own containers. Read more
From me this week
I leaned hard into one idea: agents fail silently, and you usually hear about it from your users first. So break them yourself, on purpose.
- How to Stop Prompt Injection in AI Agents That Read Untrusted Content the practical answer to the role confusion research up top. Read more
- Stop AI Agent Hallucinations: Validate Before the Agent Writes to Memory catch the bad fact before it becomes permanent. Read more
- Why AI Agents Fail at Multi-Step Tasks, and How to Catch the Silent Failure where the chain actually breaks. Read more
- Self-Improving AI Agents: Turn Repeated Reasoning Into Tools the Agent Writes Itself let the agent build its own shortcuts. Read more
Where to find me
I’ll be at the AI Engineer World’s Fair in San Francisco, June 29 to July 2. Come say hi if you’re around:
- Talk: “Agent Speedrun: Idea to Code to Deploy, Observe, Fix, Ship” with Sandhya Subramani. Monday June 29, 11:05am, Expo Stage 3. Details
- Virtual workshop: “Stop AI Agent Hallucinations: 5 Techniques + Production Patterns” on the virtual track.
- The AWS booth, where we’ll be running demos and giving out swag. Stop by.
I hope you enjoy this as much as I enjoy putting it together every week. It’s my little weekly de-stress moment. Let’s stay informed together and learn something new along the way.
See you next Friday,
Eli
Dev.to · LinkedIn · GitHub · Twitter/X · Instagram · YouTube