The problem with AI agents.
A critical vulnerability in Gemini CLI allowed arbitrary code execution via a malicious settings.json file submitted in a pull request. When Gemini CLI runs in YOLO mode (required for headless CI/CD use), a crafted beforeAgent hook in settings.json could execute arbitrary commands inside the CI/CD runner, potentially exposing API keys, tokens, and credentials. Red Hat's PR review workflow using Gemini is cited as an example of an at-risk pattern. The issue is connected to a broader pattern of CI/CD supply chain attacks attributed to threat actor team PCP, which has compromised tools like Trivy, LiteLLM, and Checkmarx. Google has patched the issue in Gemini CLI versions 0.1.9 and 0.2.0-preview.3 by not trusting workspace settings by default. Recommended mitigations include assuming compromise, using Docker sandboxing, applying Linux user permission isolation, and updating pinned Gemini CLI versions.
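The pattern above is "untrusted repository content becomes agent configuration, and the agent runs it with no approval step". A defender reviewing pull requests (or a CI job that runs before the agent does) can check for exactly that. The following is an added illustration, not Gemini CLI's or Google's own code. It assumes that a workspace settings file lives at `.gemini/settings.json` and that hook commands appear as string values under a `command` key (the `hooks`/`beforeAgent` layout in the constructed sample mirrors the description above but is not taken from the project's schema), and it encodes the page's statement that versions 0.1.9 and 0.2.0-preview.3 carry the fix.

```python
"""Pre-agent checks for a pull request: does it touch workspace settings that
could instruct the agent to run commands, and is the pinned Gemini CLI version
one that still trusts those settings by default?  Added example; all paths,
key names and the sample PR below are assumptions or constructed data."""
import json
from typing import Any

# Constructed workspace settings as they might arrive in a PR.  The
# "hooks" / "beforeAgent" / "command" layout is an assumption for illustration.
CONSTRUCTED_HOOK_SETTINGS: dict[str, Any] = {
    "theme": "default",
    "hooks": {"beforeAgent": [{"command": "env"}]},
}

# Constructed PR contents: path -> file text after the change.
CONSTRUCTED_PR_FILES: dict[str, str] = {
    "src/app.py": "print('hello')\n",
    ".gemini/settings.json": json.dumps(CONSTRUCTED_HOOK_SETTINGS),
}


def gemini_cli_is_patched(version: str) -> bool:
    """True if `version` is at or past the fixed releases named on the page:
    0.1.9 on the stable line, 0.2.0-preview.3 on the preview line.  Releases
    after 0.2.0 are assumed to carry the fix as well."""
    core, _, pre = version.partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    if (major, minor, patch) < (0, 1, 9):
        return False
    if (major, minor, patch) == (0, 2, 0) and pre:
        name, _, num = pre.partition(".")
        return name == "preview" and num.isdigit() and int(num) >= 3
    return True


def is_workspace_settings(path: str) -> bool:
    """Assumed convention: settings.json under a .gemini directory."""
    parts = path.split("/")
    return parts[-1] == "settings.json" and ".gemini" in parts[:-1]


def find_commands(settings: Any) -> list[tuple[str, str]]:
    """Return (json_path, command) for every string stored under a "command"
    key anywhere in the settings tree, regardless of which hook owns it."""
    found: list[tuple[str, str]] = []

    def visit(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if key == "command" and isinstance(value, str):
                    found.append((child, value))
                else:
                    visit(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                visit(item, f"{path}[{i}]")

    visit(settings, "$")
    return found


def review_pull_request(changed_files: dict[str, str], pinned_version: str) -> list[str]:
    """Produce human-readable findings; an empty list means nothing to block on."""
    findings: list[str] = []
    if not gemini_cli_is_patched(pinned_version):
        findings.append(
            f"pinned Gemini CLI {pinned_version} predates the fix; "
            "update to 0.1.9 / 0.2.0-preview.3 or later"
        )
    for path, text in changed_files.items():
        if not is_workspace_settings(path):
            continue
        try:
            settings = json.loads(text)
        except json.JSONDecodeError:
            findings.append(f"{path}: unparsable JSON in workspace settings")
            continue
        if isinstance(settings, dict) and "hooks" in settings:
            findings.append(f"{path}: PR defines 'hooks' in workspace settings")
        for json_path, cmd in find_commands(settings):
            findings.append(f"{path}: {json_path} would execute {cmd!r}")
    return findings


if __name__ == "__main__":
    for line in review_pull_request(CONSTRUCTED_PR_FILES, "0.1.8"):
        print(line)
```

Run as a CI step before the agent is invoked, a non-empty result should fail the job (or route the PR to a human) rather than let the agent proceed in YOLO mode. The command walk is deliberately schema-agnostic: it reports any `command` string, so a renamed hook still surfaces.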