Security & supply chain

OpenAI ships GPT-Red to automate prompt-injection testing against AI agents

OpenAI ships GPT-Red to automate prompt-injection testing against AI agents

Every AI agent you wire into your pipeline is a new confused deputy sitting between your issues, your logs, your git tree, and a shell. (Charming, isn't it?) So when the vendor that put this pattern on the map ships a tool aimed squarely at the pattern's worst failure mode, it is worth clocking. OpenAI has released GPT-Red, a tool that automates prompt-injection testing against AI agents, per The New Stack.

The framing in the piece is the one security teams have been repeating for a while. Agents used to generate text. Now they take actions in real systems, on real repos, with real tokens. That changes what a bad prompt is. A poisoned string in a comment thread used to be a chatbot party trick. Aimed at an agent with tools, it is a request to open a PR, exfiltrate a secret, or push to a branch you never authorised.

Where this lands in a CI/CD threat model

Automating this class of test is welcome. It is not a substitute for the underlying fix.

Prompt injection is a data-provenance problem. Every string an agent ingests (an issue, a Slack message, a Sentry error, a README from a fresh dependency) has a source, and the source is either trusted, quarantined, or (usually) neither. A fuzzer that shakes the tree before you ship is useful. A fuzzer that lets you treat the agent's input feeds as a solved problem is dangerous.

The other honest limit: automated adversarial testing catches known-shape attacks well and unknown-shape attacks by accident. Pipelines that hand agents write access to production still need scoped tools, human approval gates on side-effecting actions, and separate identities for reading telemetry versus pushing code.

You cannot regex your way out of prompt injection, and after this release you cannot pretend nobody is trying either. Wire the tool in. Keep the sandbox on.

Source: The New Stack (thenewstack.io)

Related
Security & supply chain

GhostApproval: six AI coding agents shipped a permission dialog that was reading the wrong path

Researchers at Google-owned Wiz disclosed GhostApproval, a class of flaw across six AI coding tools in which symbolic links redirect the agent's file writes while the human approval prompt shows the pre-resolution path. The mechanism is thirty years old; the CI/CD lesson is newer.

July 10, 2026
Security & supply chain

Tenet's 'Agentjacking' research turns Sentry error data into a prompt-injection vector for AI coding agents

Security firm Tenet has demonstrated an indirect prompt-injection technique it calls Agentjacking, malicious instructions hidden inside Sentry error data that get executed by an AI coding agent with shell access. The operational read is that any third-party telemetry an agent ingests is now untrusted input.

June 16, 2026
Code quality & testing

GitLab Duo Security Review Flow goes after the logic bugs SAST leaves on the floor

GitLab moved Security Review Flow into public beta on the Duo Agent Platform. You add it to a merge request like a human reviewer, and it focuses on authorization and business-logic bugs that pattern-based scanners typically miss.

July 17, 2026

Turn this into your pipeline. Build it on Buddy.

Start free