See what code doesat

Your dependencies and AI agents are running untrusted code in your environment—risking your data and infrastructure to compromise.

Garnet profiles every run and surfaces results in your existing workflows—so you catch issues before they become incidents.

GitHub Actions

- uses: garnet-org/action@v2
  with:
    api_token: ${{ secrets.GARNET_API_TOKEN }}

Start monitoring Read Docs

ai-agent pushed 1 commit 3 minutes ago

Update dependency lockfileVerifiede7b42d1

garnetbotcommented 2 min ago

▌

The Problem

Untrusted code is the new default

Over 90% of the code running in your environment is code you didn’t write or review—pulled in through dependency trees, generated by AI agents, or executed inside build scripts. At runtime, that code has the same access to your secrets, your network, and your infrastructure. Nothing is watching what it actually does.

245K+

Malicious packages published across npm, PyPI, and RubyGems

3×

Year-over-year increase in software supply chain attacks

72%

Organizations using AI coding agents in production

Supply chain attacks

Code you import, running in CI with production secrets and releases

A compromised package can hide an exfiltration hook inside a preinstall script— to tamper a release, harvest ENV vars and POST them to an attacker-controlled domain. Static scanners can't flag malicious behavior that only activates at runtime.

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

See the Shai-Hulud runtime breakdown

Agentic execution

Code that writes and runs itself in your infrastructure, without a security boundary

AI Agents (claude, cursor, devin, opencode etc.) generate scripts, execute shell commands, and make network calls—all inside your infra with full privileges. When an agent talks to a legitimate destination to exfiltrate data, traditional firewalls and sandboxes can't tell its intent. Only runtime lineage can.

LIVE

Agent session active

01Nov 2025

Shai-Hulud 2.0

Propagating npm worm across 800+ packages (Zapier, Postman, Browserbase). Postinstall hook bootstrapped Bun, ran TruffleHog to harvest runner secrets, then registered a rogue GitHub runner. Impact: broad credential exfiltration and runner hijack.

See the breakdown→

npm install

sh (postinstall)

bun bun_environment.js

trufflehog /home/runner

api.tomorrow.io:443

BLOCKED

02Feb 2026

Clinejection

A Claude-powered issue triage bot with unrestricted bash access processed a malicious GitHub Issue title. Prompt injection triggered code execution, poisoned the Actions cache, and exposed the NPM publish token used to ship cline@2.3.0. Impact: 4,000+ developers received a backdoored package in 8 hours.

View analysis→

Runner.Worker

node (triage-bot)

bun (prompt injection RCE)

actions/cache write

npm publish registry.npmjs.org:443

03Mar 2025

tj-actions/changed-files

Malicious commit in a widely-pinned GitHub Action (v1–v45) injected a base64-encoded payload that downloaded a Python memory scraper from a public Gist, scanned Runner.Worker process memory for secrets, and printed them base64-encoded to public workflow logs. Impact: credentials exposed across 23,000 repos.

gist.githubusercontent.com:443

python memdump.py (mem scan)

04Jul 2025

Amazon Q Developer

A malicious pull request injected a wiper prompt into Amazon Q Developer v1.84.0. The agent was instructed to delete filesystem contents and cloud resources including S3 buckets, EC2 instances, and IAM users. A syntax error in the payload limited actual execution. Impact: ~927,000 VS Code users exposed.

Read analysis→

amazon-q (node)

bash (injected prompt)

aws ec2 terminate-instances

ec2.amazonaws.com:443

05May 2025

GitHub MCP prompt injection

A malicious GitHub Issue in a public repo injected instructions into an MCP-connected coding agent. The agent read private repositories and created a pull request leaking their contents back to the public repo. No permissions were escalated — all calls used legitimate MCP tools. Impact: private code and metadata exfiltrated.

Read the disclosure→

cursor

github-mcp (node)

list_issues (malicious read)

get_repo_contents (private)

create_pull_request api.github.com:443

06Jul 2025

Anthropic Slack MCP

Untrusted data processed by the Slack MCP Server caused the agent to post messages containing crafted URLs with embedded sensitive data. Slack's link preview bots automatically fetched those URLs, exfiltrating private context to attacker-controlled servers. No user action was required. CVE-2025-34072, CVSS 9.3.

Read the advisory→

node (slack-mcp-server)

POST slack.com/chat.postMessage (crafted URL)

Slackbot fetch

attacker-server.io:443

01Nov 2025

How it works

See and assert runtime behavior in your PRs

Garnet profiles kernel-level runtime behavior during execution; maps every outbound connection with its process lineage and source, and delivers verdicts inside the workflows your team already uses.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Deploy runtime sensor

One step in your GitHub Action. Our eBPF agent captures process, network, and file activity in the background to build full runtime lineage. Zero code changes.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Behavioral profiles for every run

Every network call is traced through process ancestry. See the exact lineage—from npm install to the postinstall script or agent task that opened the connection.

github-runner:1

npm install:42

postinstall → /bin/sh:87

curl exfil.sh:91

webhook.site

node payload.js:93

185.62.190.89

node build.js:55

esbuild:60

Review results in your existing workflows

Verdicts surface in PR comments, Step Summary, Slack, or webhooks—with process tree and egress map attached. Flag, block, or update policies without leaving your workflow.

Stop data exfiltration

Detect when compromised dependencies or AI agents harvest secrets, tokens, and sensitive data — whether through supply chain attacks or prompt injection.

Ship secure releases

Catch supply chain tampering — malicious postinstall scripts, injected egress, and backdoored builds — before compromised code reaches production.

Prevent downtime

Catch runtime threats that static scanners miss — from supply chain compromises and vulnerability exploits to rogue agents — before they cause outages.

Automate network policy

Turn runtime profiles into firewall rules and network policies across your stack — from CI agents and sandboxes to cloud environments and Kubernetes with Cilium — so policy stays current without manual toil.

"There are a lot of tools that process security advisory data, but Garnet is the first I've seen that goes a step further, applying behavioral analysis to find issues before they get reported to an advisory database. This is the kind of thing we'd always wanted to do at npm, Inc., but never got around to. It's super exciting to see it come to fruition."

Isaac Z. Schlueter

Creator of NPM, cofounder, Volt.sh

Built for modern engineering and agentic workflows

Gain Visibility. Assert Control. Zero friction.

A new runtime agent, built for ephemeral workloads

Architected for environments that disappear — CI runners, agent sandboxes, short-lived containers. Full context in a single run, no cross-session state.

Managed threat intelligence, zero config

Active C2 infrastructure, cryptominer pools, exfiltration endpoints — blocked from a continuously curated threat feed. New threats covered without config changes.

Runtime assertions as code

Define what your workloads should and shouldn't do. Assertions evaluate every build, fail loudly, and surface in your PR — just like tests.

Run Summary

test-runner • Last 24h

Assertions passed (12)

Assertions failed (3)

New egress connections (7)

Stop running blind.
Build with confidence.

See what your code is talking to. Stop where it shouldn’t.

Start Profiling Your Runs Talk with founders

See and secure untrusted code at runtime.

Product

Company

Security

Trust Center

Legal

See what code doesat

Your dependencies and AI agents are running untrusted code in your environment—risking your data and infrastructure to compromise.

Garnet profiles every run and surfaces results in your existing workflows—so you catch issues before they become incidents.

GitHub Actions

- uses: garnet-org/action@v2
  with:
    api_token: ${{ secrets.GARNET_API_TOKEN }}

Start monitoring Read Docs

ai-agent pushed 1 commit 3 minutes ago

Update dependency lockfileVerifiede7b42d1

garnetbotcommented 2 min ago

▌

The Problem

Untrusted code is the new default

245K+

Malicious packages published across npm, PyPI, and RubyGems

3×

Year-over-year increase in software supply chain attacks

72%

Organizations using AI coding agents in production

Supply chain attacks

Code you import, running in CI with production secrets and releases

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

postinstall spawned /bin/sh

2m ago

curl piped to bash from pip script

8m ago

reverse shell → 185.62.190.89:4444

15m ago

go build read /etc/shadow

22m ago

POST secrets → webhook.site

30m ago

gem install DNS lookup xmrig.com

45m ago

xmrig miner process spawned

1h ago

npm install triggered chmod /bin/sudo

2h ago

See the Shai-Hulud runtime breakdown

Agentic execution

Code that writes and runs itself in your infrastructure, without a security boundary

LIVE

Agent session active

01Nov 2025

Shai-Hulud 2.0

See the breakdown→

npm install

sh (postinstall)

bun bun_environment.js

trufflehog /home/runner

api.tomorrow.io:443

BLOCKED

02Feb 2026

Clinejection

View analysis→

Runner.Worker

node (triage-bot)

bun (prompt injection RCE)

actions/cache write

npm publish registry.npmjs.org:443

03Mar 2025

tj-actions/changed-files

gist.githubusercontent.com:443

python memdump.py (mem scan)

04Jul 2025

Amazon Q Developer

Read analysis→

amazon-q (node)

bash (injected prompt)

aws ec2 terminate-instances

ec2.amazonaws.com:443

05May 2025

GitHub MCP prompt injection

Read the disclosure→

cursor

github-mcp (node)

list_issues (malicious read)

get_repo_contents (private)

create_pull_request api.github.com:443

06Jul 2025

Anthropic Slack MCP

Read the advisory→

node (slack-mcp-server)

POST slack.com/chat.postMessage (crafted URL)

Slackbot fetch

attacker-server.io:443

01Nov 2025

Shai-Hulud 2.0

See the breakdown→

npm install

sh (postinstall)

bun bun_environment.js

trufflehog /home/runner

api.tomorrow.io:443

BLOCKED

02Feb 2026

Clinejection

View analysis→

Runner.Worker

node (triage-bot)

bun (prompt injection RCE)

actions/cache write

npm publish registry.npmjs.org:443

03Mar 2025

tj-actions/changed-files

gist.githubusercontent.com:443

python memdump.py (mem scan)

04Jul 2025

Amazon Q Developer

Read analysis→

amazon-q (node)

bash (injected prompt)

aws ec2 terminate-instances

ec2.amazonaws.com:443

05May 2025

GitHub MCP prompt injection

Read the disclosure→

cursor

github-mcp (node)

list_issues (malicious read)

get_repo_contents (private)

create_pull_request api.github.com:443

06Jul 2025

Anthropic Slack MCP

Read the advisory→

node (slack-mcp-server)

POST slack.com/chat.postMessage (crafted URL)

Slackbot fetch

attacker-server.io:443

How it works

See and assert runtime behavior in your PRs

Garnet profiles kernel-level runtime behavior during execution; maps every outbound connection with its process lineage and source, and delivers verdicts inside the workflows your team already uses.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Deploy runtime sensor

One step in your GitHub Action. Our eBPF agent captures process, network, and file activity in the background to build full runtime lineage. Zero code changes.

Jibril Runtime Agent

v2.8

Connected

Workflows3

build.yml

PASS

test.yml

WARN

cursor-agent-pr.yml

FAIL

Behavioral profiles for every run

Every network call is traced through process ancestry. See the exact lineage—from npm install to the postinstall script or agent task that opened the connection.

github-runner:1

npm install:42

postinstall → /bin/sh:87

curl exfil.sh:91

webhook.site

node payload.js:93

185.62.190.89

node build.js:55

esbuild:60

Review results in your existing workflows

Verdicts surface in PR comments, Step Summary, Slack, or webhooks—with process tree and egress map attached. Flag, block, or update policies without leaving your workflow.

Stop data exfiltration

Detect when compromised dependencies or AI agents harvest secrets, tokens, and sensitive data — whether through supply chain attacks or prompt injection.

Ship secure releases

Catch supply chain tampering — malicious postinstall scripts, injected egress, and backdoored builds — before compromised code reaches production.

Prevent downtime

Catch runtime threats that static scanners miss — from supply chain compromises and vulnerability exploits to rogue agents — before they cause outages.

Automate network policy

"There are a lot of tools that process security advisory data, but Garnet is the first I've seen that goes a step further, applying behavioral analysis to find issues before they get reported to an advisory database. This is the kind of thing we'd always wanted to do at npm, Inc., but never got around to. It's super exciting to see it come to fruition."

Isaac Z. Schlueter

Creator of NPM, cofounder, Volt.sh

Built for modern engineering and agentic workflows

Gain Visibility. Assert Control. Zero friction.

A new runtime agent, built for ephemeral workloads

Architected for environments that disappear — CI runners, agent sandboxes, short-lived containers. Full context in a single run, no cross-session state.

Managed threat intelligence, zero config

Active C2 infrastructure, cryptominer pools, exfiltration endpoints — blocked from a continuously curated threat feed. New threats covered without config changes.

Runtime assertions as code

Define what your workloads should and shouldn't do. Assertions evaluate every build, fail loudly, and surface in your PR — just like tests.

Run Summary

test-runner • Last 24h

Assertions passed (12)

Assertions failed (3)

New egress connections (7)

Stop running blind.
Build with confidence.

See what your code is talking to. Stop where it shouldn’t.

Start Profiling Your Runs Talk with founders

See what code doesat

Untrusted code is the new default

Code you import, running in CI with production secrets and releases

Code that writes and runs itself in your infrastructure, without a security boundary

Shai-Hulud 2.0

Clinejection

tj-actions/changed-files

Amazon Q Developer

GitHub MCP prompt injection

Anthropic Slack MCP

Shai-Hulud 2.0

Clinejection

tj-actions/changed-files

Amazon Q Developer

GitHub MCP prompt injection

Anthropic Slack MCP

See and assert runtime behavior in your PRs

Stop data exfiltration

Ship secure releases

Prevent downtime

Automate network policy

Gain Visibility. Assert Control. Zero friction.

A new runtime agent, built for ephemeral workloads

Managed threat intelligence, zero config

Runtime assertions as code

Run Summary

Stop running blind. Build with confidence.

Product

Company

Security

Legal

See what code doesat

Untrusted code is the new default

Code you import, running in CI with production secrets and releases

Code that writes and runs itself in your infrastructure, without a security boundary

Shai-Hulud 2.0

Clinejection

tj-actions/changed-files

Amazon Q Developer

GitHub MCP prompt injection

Anthropic Slack MCP

Shai-Hulud 2.0

Clinejection

tj-actions/changed-files

Amazon Q Developer

GitHub MCP prompt injection

Anthropic Slack MCP

See and assert runtime behavior in your PRs

Stop data exfiltration

Ship secure releases

Prevent downtime

Automate network policy

Gain Visibility. Assert Control. Zero friction.

A new runtime agent, built for ephemeral workloads

Managed threat intelligence, zero config

Runtime assertions as code

Run Summary

Stop running blind. Build with confidence.

Stop running blind.
Build with confidence.

Stop running blind.
Build with confidence.