- AI agents such as Copilot, Claude Code, and Codex can now build, test, and deploy software end-to-end.
- Machine Control Protocols (MCPs) form the control layer that governs what agents can execute, call, and access.
- The incident tracked as CVE-2025-6514 shows how a trusted OAuth proxy became a remote code execution path when controls failed.
- Risks include shadow API keys, permission sprawl, and insufficient auditing of agent actions.
First reported on Jan 13, 2026, engineers increasingly use agentic AI that does more than generate code; it executes tasks across pipelines. Tools like Copilot, Claude Code, and Codex can now perform build, test, and deployment steps in minutes, shifting both speed and risk into automation layers.
A central risk stems from the layer that mediates agent actions: Machine Control Protocols (MCPs). These systems decide which commands an agent may run, which tools it may invoke, which APIs it may call, and which infrastructure it may touch. When that control plane is misconfigured or compromised, agents act with the permissions they are granted rather than the intent operators assume.
Security teams saw this in practice with CVE-2025-6514, where a flaw in a widely used OAuth proxy turned a trusted component into a remote code execution path. The issue did not require exotic exploits; automation executed allowed actions at scale, converting benign workflows into attack vectors.
The piece notes a focused educational session led by the author of the OpenID whitepaper Identity Management for Agentic AI. That session outlines how MCP servers operate in real environments, how shadow API keys appear, how permissions sprawl, and why traditional identity and access models can fail when agents act on behalf of users. More information about that session is available here: https://thehacker.news/securing-agentic-ai?source=article.
Recommended controls highlighted include auditing agent actions, enforcing policy before deployment, detecting and removing shadow API keys, and applying practical constraints on agent privileges. Related links and feeds: Google News, Twitter, LinkedIn.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Eric Adams Accused of Rug Pulling NYC Coin After Launch Now!
- 2026: Global regulators pivot to pro-innovation crypto rules
- Binance’s CZ Warns: Don’t ‘Ape Into’ Meme Tokens Blindly Now
- Polygon Labs buys Coinme, Sequence in $250M payments push…
- ServiceNow AI critical bug allows impersonation, actions now
