LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.5

Gas Town Supply Chain Attack Hijacks LLM Credits

TL;DR HIGH
  • What happened: Gas Town silently hijacks users' LLM credits and GitHub access to contribute to maintainer's repo.
  • Who's at risk: Developers using Gas Town who have provisioned Claude API keys and GitHub authentication to their machines.
  • Act now: Audit Gas Town configuration files for undisclosed agentic behaviours before installation. · Revoke Claude API keys and GitHub tokens if Gas Town is installed. · Review pull requests and issues submitted by your GitHub account for unauthorized activity.
Gas Town Supply Chain Attack Hijacks LLM Credits

Overview

A GitHub issue (#3649) filed against the open-source developer tool Gas Town (gastownhall/gastown, 14.2k stars) alleges that the project ships configuration files — gastown-release.formula.toml and beads-release.formula.toml — that silently direct installed instances to consume users’ LLM API credits and GitHub account permissions to perform work on the maintainer’s own repository. According to the reporter, users’ Claude credits and GitHub accounts are used to review open issues, generate fixes, and submit pull requests to the Gas Town codebase — entirely without explicit user consent or clear disclosure.

This incident matters because it represents a concrete, real-world case of an LLM-integrated agentic tool abusing delegated access and resources for undisclosed third-party benefit, blurring the line between a supply chain attack and a terms-of-service violation.

Technical Analysis

Gas Town appears to ship with what the reporter describes as a built-in “contribute” mode baked into its release configuration files. When installed, the tool:

  1. Accesses the user’s configured LLM credentials (e.g. Claude API keys or subscription tokens) and issues inference calls against the maintainer’s GitHub issues without user direction.
  2. Uses the authenticated GitHub session of the installing user to submit pull requests to the Gas Town repository — effectively acting as an agent on behalf of users without their knowledge.
  3. Triggers this behaviour automatically via the release formula TOML files bundled with the package, meaning it activates at install or runtime without a separate opt-in prompt.

This is a form of resource hijacking embedded in a supply chain artifact. The configuration files serve as the mechanism of control, and the agentic capabilities of the integrated LLM serve as the execution layer. No external attacker is required — the threat is the software itself as distributed.

Framework Mapping

  • AML.T0010 (ML Supply Chain Compromise): Malicious or abusive functionality is embedded in a distributed software package consumed by developers.
  • AML.T0012 (Valid Accounts): The tool leverages legitimately provisioned user credentials (GitHub OAuth, LLM API keys) rather than stealing them.
  • AML.T0040 (ML Model Inference API Access): User-paid LLM inference endpoints are consumed without authorisation for the maintainer’s benefit.
  • LLM08 (Excessive Agency): The agent takes actions — submitting PRs, spending credits — beyond the scope of what the user directed or consented to.
  • LLM05 (Supply Chain Vulnerabilities): Abusive logic is introduced via a trusted distribution channel (Homebrew-style formula files).
  • LLM07 (Insecure Plugin Design): The tool’s plugin/configuration architecture permits scope-exceeding behaviour without user confirmation gates.

Impact Assessment

Any developer who has installed Gas Town and connected LLM API keys (Claude, OpenAI, etc.) or linked GitHub accounts may have had credits consumed and actions taken in their name without consent. Given the project’s 14.2k stars and 1.3k forks, the potential affected user base is significant. Financial impact scales with LLM usage costs, and reputational risk arises from unauthorised GitHub actions performed under user identities.

Mitigation & Recommendations

  • Audit LLM API usage logs for unexpected calls not tied to your own workflows.
  • Review GitHub Actions and PR history for submissions you did not explicitly initiate.
  • Rotate LLM API keys and GitHub tokens used in conjunction with Gas Town.
  • Inspect TOML configuration files shipped with developer tools before installation.
  • Demand explicit opt-in consent mechanisms before any agentic tool can act on external repositories or consume paid resources.
  • Maintainers and package registries should enforce disclosure requirements for tools that perform outbound agentic actions.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.