LIVE FEED
Anthropic Claude Code Prompt Injection Leaks Secrets

Anthropic Claude Code Prompt Injection Leaks Secrets

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Microsoft Threat Intelligence disclosed a vulnerability in Anthropic's Claude Code GitHub Action whereby prompt injection via untrusted GitHub content — issue bodies, PR descriptions, and comments — could cause the AI agent to read sensitive environment variables, including the ANTHROPIC_API_KEY, from /proc/self/environ. The flaw stemmed from inconsistent sandboxing: while subprocess execution paths like Bash were scrubbed of environment variables, the Read tool had no equivalent restriction. Anthropic patched the issue in Claude Code version 2.1.128 by blocking access to sensitive /proc filesystem paths.

AI Worm With Embedded LLM Enables Self-Propagation

AI Worm With Embedded LLM Enables Self-Propagation

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 Schneier on Security

Researchers have prototyped an internet worm that bundles its own large language model, executing it on compromised hosts to enable fully decentralised propagation with no single point of control. The design mirrors John Brunner's 1975 fictional conception of a worm and echoes the destructive potential of WannaCry and NotPetya, but with the added capability of dynamically generating novel attacks by ingesting recent public vulnerability disclosures. The absence of a command-and-control chokepoint makes traditional takedown strategies ineffective, significantly raising the threat posed by AI-augmented malware.

Claude Mythos Unauthorized Access Exposes AI Security

Claude Mythos Unauthorized Access Exposes AI Security

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

A reported unauthorized access to Anthropic's Claude Mythos model within hours of its limited technical preview highlights acute security risks as agentic AI is deployed across classified defense and intelligence networks. The incident underscores vulnerabilities specific to AI infrastructure in high-security environments, including training data poisoning, access control failures, and cross-domain classification boundary erosion. Secure IT infrastructure, governed access, and cross-domain data controls are identified as prerequisites for safe AI deployment at mission scale.

Microsoft Scout Agent Vulnerable to Prompt Injection

Microsoft Scout Agent Vulnerable to Prompt Injection

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Microsoft has launched Scout, an always-on autonomous AI agent built on the OpenClaw framework that operates across Microsoft 365 apps including Teams, Outlook, OneDrive, and SharePoint with its own Entra identity. The agent's persistent, unsupervised access to email, calendar, chat, and external systems via MCP creates a broad new attack surface for prompt injection, privilege abuse, and data exfiltration. As an experimental release with limited deployment controls, security teams should treat Scout as a high-risk agentic surface requiring careful governance before broad adoption.

Excessive Agency in AI Agents Enables Enterprise Breaches

Excessive Agency in AI Agents Enables Enterprise Breaches

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

Enterprises deploying AI agents with elevated permissions and minimal oversight face compounding security risks as agentic systems gain the ability to take real-world actions with limited human intervention. The attack surface expands dramatically when agents can access APIs, execute code, and chain decisions autonomously, making containment of a compromise significantly harder. Security teams must implement least-privilege principles and robust monitoring before agentic deployments scale beyond their ability to govern.

Google Gemini Android Hijacked by Indirect Prompt Injection

Google Gemini Android Hijacked by Indirect Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

SafeBreach researcher Or Yair demonstrated that malicious text embedded in WhatsApp, Slack, SMS, or Signal notifications could trigger indirect prompt injection against Google Gemini's Android Utilities feature, causing the assistant to execute real device actions without user awareness. A novel bypass technique called 'Fake Context Alignment' defeated Google's post-patch authorization checks by exploiting multilingual obfuscation and muted hyperlinks to trick victims into authorising sensitive actions. Google has patched the issue, but the research exposes a fundamentally large attack surface where any app capable of pushing a notification becomes a potential injection vector.

Adversa AI: 89% of AI Agents Fail Security Tests

Adversa AI: 89% of AI Agents Fail Security Tests

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Adversa AI's AI Risk Quadrant report evaluated 100 AI agents across ten categories, finding that only 11 qualify as both capable and well-defended. The research identifies a structural 'power-protection inversion' where the most capable agents also present the widest attack surface, driven by a 'lethal trifecta' of private data access, exposure to untrusted content, and outbound action capability. Computer and coding agents showed the most severe exposure, raising urgent concerns about autonomous agent deployment in enterprise environments.

Google Gemini Voice Prompt Injection via Notifications

Google Gemini Voice Prompt Injection via Notifications

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A prompt injection vulnerability in Google Gemini's voice assistant allows attackers to embed malicious instructions within device notifications, which the assistant then processes as legitimate commands. This attack vector enables social engineering, unauthorized actions, and potential data exfiltration without direct user interaction with the malicious payload. The flaw highlights the growing risk of indirect prompt injection in ambient AI assistants that consume untrusted content from the surrounding environment.

Shadow-AI Apps Expose Corporate Data via Misconfiguration

Shadow-AI Apps Expose Corporate Data via Misconfiguration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

A Red Access investigation found over 2,000 corporate applications built on AI-assisted 'vibe-coding' platforms publicly accessible on the open internet, many containing sensitive business data with no access controls. These shadow-built apps connect directly to production systems — CRMs, ERPs, BI tools — creating a new class of unaudited attack surface invisible to conventional security stacks. Traditional controls such as CASB, DLP, and EDR are structurally blind to this threat because the risk originates at the application layer, not the identity or network layer.

Claude Sandbox Escape Enables Credential Exfiltration

Claude Sandbox Escape Enables Credential Exfiltration

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Simon Willison

Anthropic has published detailed documentation of its sandboxing architecture across Claude.ai, Claude Code, and Claude Cowork, including disclosure of a previously identified credential exfiltration vector via the api.anthropic.com/v1/files endpoint. The writeup covers process-level isolation technologies including gVisor, Seatbelt, Bubblewrap, and full VM approaches, and candidly acknowledges security gaps that were missed. This transparency is notable for the agentic AI space, where sandbox documentation is typically sparse and trust is difficult to calibrate.

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Permiso Security has disclosed ChatGPhish, a vulnerability in ChatGPT's web summarisation feature that allows attacker-controlled Markdown payloads embedded in third-party pages to render phishing links, spoofed alerts, and QR codes directly within ChatGPT's trusted UI. The attack requires no user interaction beyond asking ChatGPT to summarise a malicious page, and can exfiltrate IP addresses, User-Agent strings, and Referer headers via auto-fetched remote images. The technique significantly expands the phishing attack surface beyond email into everyday AI-assisted browsing workflows, posing a particular risk in enterprise environments.

CogCAPTCHA30 Fingerprints AI Agents via Behavioral Analysis

CogCAPTCHA30 Fingerprints AI Agents via Behavioral Analysis

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Researchers have developed CogCAPTCHA30, a 30-task cognitive battery demonstrating that AI agents (GPT, Claude, Gemini) solve CAPTCHAs with statistically distinguishable behavioural patterns despite matching human accuracy. The study introduces a 'Process Turing Test' concept, showing output equivalence and process equivalence are uncorrelated — meaning AI agents can be detected not by what they answer, but by how they answer. This has direct implications for bot detection, anti-automation defences, and the arms race between AI-driven agents and human-verification systems.

Robinhood Prompt Injection Enables Autonomous Trade Attacks

Robinhood Prompt Injection Enables Autonomous Trade Attacks

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

Robinhood has launched agentic trading and a virtual credit card that allow third-party AI agents to autonomously execute stock trades and payments on behalf of users via a Model Context Protocol (MCP) integration. This architecture introduces significant attack surface through prompt injection, excessive agency, and insecure plugin design risks inherent to LLM-driven autonomous financial action. The delegation of real financial authority to AI agents with limited human-in-the-loop controls represents a systemic risk to retail investors if agent pipelines are compromised or manipulated.

FuzzingBrain V2 Discovers 29 Zero-Day Vulnerabilities

FuzzingBrain V2 Discovers 29 Zero-Day Vulnerabilities

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 HN AI Security

Researchers have developed FuzzingBrain V2, a multi-agent LLM system capable of autonomously discovering and reproducing software vulnerabilities with a 90% detection rate on a competitive benchmark dataset. The system discovered 29 zero-day vulnerabilities across 12 open-source projects, all confirmed by maintainers, raising both defensive and dual-use concerns for the security community. While positioned as a defensive research tool, the automation of end-to-end vulnerability discovery at this scale represents a meaningful shift in the offensive capability landscape.

SQLite Blocks AI-Generated Code Contributions

SQLite Blocks AI-Generated Code Contributions

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Simon Willison

SQLite has formally prohibited agentic code contributions and strengthened its policy language, reflecting growing concern over AI-generated submissions overwhelming open source maintainers. The project was forced to create a separate bug forum after being flooded with AI-generated reports of inconsistent quality. This represents an emerging operational security challenge for critical infrastructure software projects targeted by autonomous AI coding agents.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.