My Agentic Trust Issues: From Prompt Injection to Supply-Chain Compromise on gemini-cli
Summary
Executive summary: Pillar Security identified "TrustIssues", a CVSS 10 vulnerability in Google's Gemini CI/CD workflows that allowed prompt injection and supply-chain compromise of gemini-cli. The attack chain involved issue triage prompts, exfiltration of secrets via the environment and filesystem, and token abuse to pivot to other workflows. Google patched the issue under GHSA-wpqr-6v78-jr5g, and Pillar provides mitigations and recommendations for auditing AI agent triggers and hardening CI/CD pipelines.