v9.5.0 — Trust Boundary: 5 new agents + AIBOM & EU AI Act readiness
The Trust Boundary release — five new agents for the attack surface that moved into the AI developer toolchain, plus an AI Bill of Materials and EU AI Act readiness.
Why this release
Through the first half of 2026, the highest-velocity attacks stopped targeting production apps and moved into the AI developer toolchain itself — the coding agents, package registries, model hubs, and MCP servers teams now build with. Those are exactly the surfaces Ship Safe scans.
v9.5.0 grew coverage from 24 → 29 agents to meet the threats that are landing right now, and adds a compliance track timed to the EU AI Act high-risk deadline (Aug 2, 2026).
New agents
| Agent | Threat it closes | Key rules |
|---|---|---|
| 🧠 ModelScanAgent | ML model supply chain — pickle weights execute on load; malware evades even Hugging Face's PickleScan (which carries CVSS-9.3 CVEs) | Code-execution payloads in .pkl/.pt/.ckpt, torch.load without weights_only, 7z/RAR scanner-evasion |
| 🔗 TrustBoundaryAgent | GhostApproval + Friendly Fire — a malicious repo weaponizes the coding agent's own trust boundary | Symlinks into ~/.ssh/~/.aws/.env, symlinks escaping the repo, curl|bash / run-on-review instructions in agent-read docs |
| 📦 SlopSquatAgent | Slopsquatting — attackers register package names LLMs reliably hallucinate | Imports that are neither declared, installed, nor a builtin; known-hallucinated names |
| 🎣 ClickFixAgent | ClickFix (~517% surge) — fake-error "paste this to fix it" lures and fake npm installers | Fake-error/CAPTCHA framing + Win+R/Ctrl+V/command-bar keystrokes, PowerShell cradles, pre/postinstall fake installers |
| 🪱 InstallGuardAgent | npm worms (Shai-Hulud → Miasma) that run before defenses engage | Lifecycle-script credential harvesting, env exfil, destructive rm -rf, obfuscated node -e, weaponized binding.gyp |
Also: MCPSecurityAgent now flags MCP_AUTO_LAUNCH_ON_TRUST — a repo-local .mcp.json / .cursor/mcp.json that auto-launches a server the moment you accept the editor's folder-trust prompt.
New: AI Bill of Materials + EU AI Act readiness
ship-safe aibom . --ai-act- AIBOM (CycloneDX 1.5) — inventories the AI supply chain an SBOM misses: model weights (pickle vs. safetensors flagged), LLM/ML SDKs & providers (npm + PyPI), MCP servers, agent instruction files.
--ai-act— a heuristic EU AI Act high-risk readiness report mapped to provider obligations (Art. 9–17): risk management, data governance, logging, transparency, human oversight, testing, and AI-specific security — scored with a prioritized gap list. An engineering indicator, not legal advice.
Also in this release
- OWASP Agentic coverage refreshed to the finalized OWASP Top 10 for Agentic Applications 2026 categories.
- Docs encoding fix — repaired 735+ pre-existing mojibake characters (triple-encoded em-dashes) that rendered as garbled text on the docs page.
- Agent count 24 → 29 across the CLI, README, docs, and site.
Install / upgrade
# Run it now, no install
npx ship-safe@9.5.0 audit .
# Scan an ML repo's model files + AI supply chain
npx ship-safe@9.5.0 aibom . --ai-act
# Or upgrade a global install
npm install -g ship-safe@9.5.0Requires Node.js ≥ 18. No signup, no API key required for scanning. Works offline.
Release validation
| Check | Result |
|---|---|
npm test |
✅ 249 passing |
npm run lint |
✅ 0 errors |
ship-safe scan . (self-scan) |
✅ clean |
| Every new agent | ✅ verified end-to-end through the real CLI |
| False-positive discipline | ✅ safetensors skipped, benign symlinks/READMEs quiet, self-package excluded, normal postinstall quiet |
Design notes for defenders
The theme of v9.5.0 is that agents-scanning-agents is now the norm, and the scanner must not become the attack surface. Ship Safe never executes a repo's suggested workflow during a scan — it reads and analyzes, it does not run. If a repository's docs tell an agent to "run this to set up / review," that instruction is treated as untrusted input, not a command.
Full changelog: v9.4.1...v9.5.0
Docs: https://shipsafecli.com/docs · npm: https://www.npmjs.com/package/ship-safe
