LIVE FEED
Firefox Vulnerabilities Discovered via AI-Assisted Fuzzing

Firefox Vulnerabilities Discovered via AI-Assisted Fuzzing

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Simon Willison

Mozilla used early access to Anthropic's Claude Mythos model to systematically discover and patch hundreds of previously unknown vulnerabilities in Firefox, including bugs over 15–20 years old. The effort demonstrates a step-change in AI-assisted vulnerability research, with April 2026 seeing 423 security fixes compared to a monthly baseline of 20–30. The same capability that empowered Mozilla's defenders also signals that adversaries with similar model access could industrialise exploit discovery against open-source software at scale.

Beagle Backdoor Deployed Through Fake Claude Website

Beagle Backdoor Deployed Through Fake Claude Website

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 BleepingComputer

Threat actors created a convincing fake website impersonating Anthropic's Claude AI to trick developers into downloading a trojanized installer that deploys the new 'Beagle' backdoor alongside a PlugX malware chain. The campaign specifically targets Claude-Code developers by advertising a fraudulent 'high-performance relay service,' suggesting deliberate targeting of the AI developer community. The attack leverages DLL sideloading via a legitimate signed G Data executable to evade detection while establishing persistent remote access.

TrustFall: Repository Poisoning RCE in AI Coding Tools

TrustFall: Repository Poisoning RCE in AI Coding Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Dark Reading

A vulnerability class dubbed 'TrustFall' demonstrates that malicious code repositories can trigger arbitrary code execution in AI-assisted developer tools including Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI, with little to no user interaction required. The attack surface stems from inadequate or easily dismissed warning dialogs that fail to surface the risk of executing untrusted repository content. Developers cloning or opening adversarial repositories are exposed to full host-level compromise through the elevated trust these AI coding agents place in repository-supplied context.

Claude Code OAuth Token Theft via npm Supply Chain

Claude Code OAuth Token Theft via npm Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 SecurityWeek

Mitiga Labs has disclosed a stealthy attack chain targeting Claude Code's MCP infrastructure, allowing adversaries to silently intercept OAuth tokens by redirecting MCP traffic through attacker-controlled infrastructure. The attack requires only the ability to install a malicious npm package, which modifies ~/.claude.json to insert a proxy and pre-sets trust flags to suppress security prompts. Because the OAuth token grants broad access to all connected SaaS tools, successful exploitation effectively hands attackers a persistent master key to the victim's integrated development environment.

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Cisco's AI Threat Intelligence team has demonstrated that bounded pixel-level perturbations can recover the attack effectiveness of degraded typographic images against vision-language models (VLMs), enabling hidden prompt injection that bypasses both human review and content filters. The technique works by optimising perturbations against open-source embedding models and transferring results to proprietary systems like GPT-4o and Claude, exposing a cross-model transferability risk. The attack allows adversaries to embed instructions—such as data exfiltration commands—inside images that appear as visual noise to human observers.

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Microsoft Security Blog

Microsoft's Defender Security Research Team disclosed two CVEs in Semantic Kernel — a widely-used AI agent orchestration framework — demonstrating how prompt injection can escalate to remote code execution via compromised plugins. The vulnerabilities (CVE-2026-26030 and CVE-2026-25592) expose a systemic risk in the agentic AI layer: because frameworks like Semantic Kernel abstract tool orchestration, a single flaw in how LLM outputs are mapped to system tools can propagate across every application built on that foundation. This research signals a critical shift in AI threat modelling, where prompt injection is no longer a content risk but an execution risk.

AI Agent Privilege Escalation Bypasses IAM Visibility

AI Agent Privilege Escalation Bypasses IAM Visibility

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 The Hacker News

Enterprises are deploying AI agents faster than governance frameworks can track them, creating a shadow identity layer that operates outside traditional IAM visibility. These agents run continuously, accumulate permissions opportunistically, and interact with sensitive data at machine speed — largely unmonitored. The structural gap between agent activity and IAM coverage represents a significant and growing attack surface for privilege abuse and data exfiltration.

CVE-2026-7482: Ollama Heap Read Exposes API Keys

CVE-2026-7482: Ollama Heap Read Exposes API Keys

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A critical heap out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.3) in Ollama's GGUF model loader allows unauthenticated remote attackers to exfiltrate sensitive heap memory — including API keys, prompts, and PII — using just three API calls. With approximately 300,000 Ollama instances publicly exposed and no authentication required by default, the attack surface is immediately and broadly exploitable. The vulnerability has been patched in Ollama version 0.17.1, but unpatched internet-facing deployments remain at critical risk.

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Joey Melo, Principal Security Researcher at CrowdStrike, outlines his methodology for AI red teaming, focusing on manipulating LLM guardrails through jailbreaking and data poisoning without altering underlying source code. His work, rooted in competitive AI hacking challenges, translates classical adversarial thinking into the emerging field of machine learning security. The profile highlights the growing professionalisation of AI red teaming as organisations seek to harden LLM deployments against real-world manipulation attacks.

Flowise and n8n: Auth Bypass in Exposed LLM Services

Flowise and n8n: Auth Bypass in Exposed LLM Services

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A scan of over one million exposed AI services found pervasive security failures including absent authentication, leaked API keys, and exposed business logic across self-hosted LLM deployments. Agent management platforms such as Flowise and n8n were discovered internet-exposed without access controls, revealing credential lists and internal workflows. The findings indicate systemic misconfiguration risk as enterprises race to self-host AI infrastructure without applying baseline security practices.

PyTorch Lightning Package Backdoor Steals Developer Credentials

PyTorch Lightning Package Backdoor Steals Developer Credentials

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 BleepingComputer

A malicious version of PyTorch Lightning (v2.6.3) was published to PyPI, embedding a hidden execution chain that silently downloads a JavaScript runtime and executes a heavily obfuscated credential-stealing payload dubbed 'ShaiWorm'. The attack targeted AI/ML developers who use this popular deep learning framework, exposing cloud credentials, API keys, browser-stored secrets, and GitHub tokens. The package has since been reverted to a safe version, but any developer who imported the compromised version should rotate all secrets immediately.

ML Supply Chain Compromise in DoD AI Integration

ML Supply Chain Compromise in DoD AI Integration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 SecurityWeek

The US Department of Defense has formalised agreements with seven major technology companies — including Google, Microsoft, OpenAI, and Amazon Web Services — to integrate AI into classified military networks for battlefield decision support. The move raises significant AI security concerns around human oversight, adversarial manipulation of high-stakes AI systems, and supply chain risks introduced by multiple commercial vendors operating within classified environments. Notably, Anthropic was excluded following a public dispute over AI safety and ethics in warfare.

Loopsy AI Agent Relay Enables Cross-Machine RCE

Loopsy AI Agent Relay Enables Cross-Machine RCE

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Loopsy is an open-source tool enabling cross-machine communication between AI coding agents (Claude Code, Cursor, Codex) and mobile devices via a self-hosted Cloudflare Workers relay. While designed for legitimate developer productivity, the architecture introduces significant attack surface: a relay brokering shell access and AI agent commands across machines is a high-value target for interception, hijacking, or supply chain compromise. Security teams should assess exposure before deploying such tools in sensitive development environments.

agent-desktop Prompt Injection Grants AI Agents OS Control

agent-desktop Prompt Injection Grants AI Agents OS Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

agent-desktop is an open-source Rust CLI tool that exposes full OS accessibility trees to AI agents, enabling programmatic control of any desktop application without screenshots or browser sandboxing. This dramatically expands the attack surface for agentic AI systems, as a compromised or prompt-injected agent could silently manipulate native applications, exfiltrate data, or perform destructive actions across the host OS. The tool's deterministic element references and structured JSON output make it trivially scriptable, lowering the barrier for AI-driven desktop abuse.

GPT-5.5 and Mythos Execute 32-Step Network Intrusion

GPT-5.5 and Mythos Execute 32-Step Network Intrusion

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 Ars Technica Security

The UK's AI Security Institute (AISI) found that OpenAI's GPT-5.5 matches Anthropic's Mythos Preview on cybersecurity benchmarks, including a 32-step simulated corporate network intrusion. Both models successfully completed the 'The Last Ones' data-extraction simulation — a first for any AI system — suggesting autonomous offensive cyber capability is a general frontier-model property, not a one-vendor breakthrough. The findings raise urgent questions about responsible release practices and the pace at which LLMs can independently execute multi-stage attacks.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.