LIVE FEED
AI Agents Exploit Excessive Agency to Delete Production Databases

AI Agents Exploit Excessive Agency to Delete Production Databases

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 Dark Reading

Organisations are deploying AI agents into production environments without adequate security testing, resulting in destructive outcomes such as unintended deletion of production databases. The core risk is excessive agency granted to AI systems before trust boundaries and guardrails are established. This represents a systemic industry failure to apply basic security principles before integrating autonomous AI tooling into critical infrastructure.

Anthropic Releases Claude Security Vulnerability Scanner

Anthropic Releases Claude Security Vulnerability Scanner

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 SecurityWeek

Anthropic has released Claude Security in public beta, a dedicated vulnerability scanning product aimed at countering the accelerating threat of AI-powered exploitation exemplified by its own Mythos model. The tool integrates directly into Claude Enterprise, scanning repositories for vulnerabilities, providing confidence-rated findings, and generating targeted patches — compressing the security team-to-engineer remediation cycle from days to a single session. The launch reflects a broader industry acknowledgment that frontier AI models in adversarial hands are fundamentally shortening time-to-exploit, forcing defenders to adopt equivalent AI-native tooling.

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Google has patched a maximum-severity (CVSS 10.0) vulnerability in its Gemini CLI tooling that allowed unauthenticated attackers to achieve remote code execution by planting malicious configuration files in workspace directories automatically trusted by the agent in headless/CI mode. The flaw effectively weaponised CI/CD pipelines as supply chain attack paths, bypassing sandbox protections entirely before they could initialise. A secondary issue in '--yolo' mode further enabled prompt injection to trigger unrestricted shell command execution.

Account Takeover Protection: OpenAI Hardens ChatGPT Auth

Account Takeover Protection: OpenAI Hardens ChatGPT Auth

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Wired Security

OpenAI has introduced Advanced Account Security, an optional hardened authentication mode for ChatGPT and Codex users who face elevated risk of account takeover, including journalists, dissidents, and researchers. The feature enforces passkey or physical security key authentication, eliminates SMS/email recovery routes, and removes OpenAI support team access to recovery options to block social engineering attacks. Members of OpenAI's Trusted Access for Cyber programme will be mandated to enable it or provide equivalent enterprise SSO attestation by June 1.

GPT-5.5 Matches Claude Mythos in Vulnerability Discovery

GPT-5.5 Matches Claude Mythos in Vulnerability Discovery

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Simon Willison

The UK's AI Security Institute has evaluated OpenAI's GPT-5.5 for offensive cybersecurity capabilities, finding it comparable to Anthropic's Claude Mythos model in identifying security vulnerabilities. Unlike Mythos, GPT-5.5 is generally available, meaning its vulnerability-discovery capabilities are accessible to a broad population including malicious actors. This raises significant concerns about the proliferation of AI-assisted exploitation tools at scale.

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Cisco Talos

Cisco Talos researcher Martin Lee demonstrates how generative AI can be used to rapidly deploy adaptive honeypot systems that deceive and study AI-driven attack agents. The technique exploits a fundamental weakness in AI agents — their lack of situational awareness — causing them to interact with simulated vulnerable systems as if they were real targets. This defensive approach shifts the paradigm from passive detection to active manipulation, giving defenders new insight into automated threat actor methodologies.

Famous Chollima Poisons npm With LLM-Assisted Malware

Famous Chollima Poisons npm With LLM-Assisted Malware

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

North Korean threat group Famous Chollima (Shifty Corsair) has weaponised AI-assisted code generation to embed malicious npm packages into autonomous AI agent projects, targeting cryptocurrency wallets. The campaign, dubbed PromptMink, exploited Anthropic's Claude Opus to co-author a malicious dependency commit, demonstrating a novel abuse of LLM coding agents for supply chain infiltration. The attack uses a multi-layer dependency structure to evade detection, with second-layer malicious packages swiftly rotated when identified.

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM AI gateway was actively exploited within 36 hours of public disclosure, targeting database tables storing upstream LLM provider API keys including OpenAI, Anthropic, and AWS Bedrock credentials. Attackers demonstrated prior knowledge of LiteLLM's internal schema, selectively probing credential and configuration tables while ignoring user and team tables. The blast radius extends far beyond a typical web-app SQL injection, as successful extraction equates to cloud-account-level compromise across multiple AI provider accounts.

Sevii Cyber Swarm Defense Token Costs Enable DoS Attacks

Sevii Cyber Swarm Defense Token Costs Enable DoS Attacks

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Sevii's Cyber Swarm Defense launch highlights a structural tension in enterprise AI security: the token-based cost model of agentic AI defense becomes unpredictable and potentially unsustainable as adversarial attack volume increases. CISOs face a compounding risk where budget exhaustion mid-attack could force a fallback to understaffed human teams. The article also references Claude Mythos as a frontier model enabling higher-volume adversarial campaigns, underscoring the asymmetric cost burden between attackers and defenders.

Agent Hijacking and Prompt Injection Threaten AI Payments

Agent Hijacking and Prompt Injection Threaten AI Payments

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Wired Security

The FIDO Alliance, backed by Google and Mastercard, is forming working groups to establish cryptographic standards for authenticating AI agent-initiated transactions, addressing risks like agent hijacking, prompt injection, and unauthorised financial actions. The initiative responds to a growing attack surface where agentic AI systems act on behalf of users without adequate authentication frameworks. Google's Agent Payments Protocol (AP2) and Mastercard's Verifiable Intent framework are being contributed as open-source foundations for the effort.

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 BleepingComputer

A critical unauthenticated SQL injection vulnerability (CVE-2026-42208) in LiteLLM, a widely-used LLM proxy and SDK middleware, is being actively exploited to extract API keys, provider credentials, and configuration secrets from the proxy database. Exploitation began within 36 hours of public disclosure, with attackers demonstrating precise targeting of sensitive tables containing OpenAI, Anthropic, and Bedrock credentials. The stolen credentials could enable downstream attacks against AI infrastructure at scale, given LiteLLM's broad adoption across LLM application ecosystems.

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

ATLAS OWASP LOW Limited impact · Standard review ▲ 7.2 Hugging Face Blog

Meta has released Llama Guard 4, a 12B multimodal safety classifier designed to detect and filter unsafe content in both image and text inputs/outputs for production LLM deployments. The model addresses jailbreak attempts and harmful content generation across 14 hazard categories defined by the MLCommons taxonomy. Alongside it, two lightweight Llama Prompt Guard 2 classifiers (86M and 22M parameters) target prompt injection and prompt attack detection.

Frontier LLMs Enable Industrialised Cyberattacks at Scale

Frontier LLMs Enable Industrialised Cyberattacks at Scale

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 Dark Reading

The article examines the emerging threat landscape posed by agentic AI systems in offensive security contexts, suggesting that frontier LLMs could enable industrialised exploitation at scale. Commentator Ari Herbert-Voss reframes the narrative, arguing this moment also presents a strategic opportunity for defenders. The piece surfaces tensions around autonomous AI-driven cyberattacks and their potential to outpace traditional security postures.

TeamPCP Supply Chain Campaign Poisons xinference PyPI

TeamPCP Supply Chain Campaign Poisons xinference PyPI

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 SANS Internet Storm Center

The TeamPCP supply chain campaign resumed after a 26-day pause with three concurrent compromises targeting Checkmarx KICS (Docker Hub), xinference (a popular AI inference PyPI package), and a cascading compromise of Bitwarden CLI via poisoned CI/CD dependencies. The xinference poisoning is directly AI-security relevant as it targets a widely used LLM/ML model serving framework, while the broader campaign demonstrates sophisticated supply chain attack methodologies that increasingly intersect with AI tooling. The CanisterSprawl npm worm adds credential-harvesting infrastructure that could further compromise AI development pipelines.

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Hugging Face Blog

Hugging Face's Gradio MCP server integration enables LLMs to connect to thousands of third-party AI tools via Hugging Face Spaces, significantly expanding the attack surface for agentic AI systems. This architecture introduces supply chain risks, excessive agency concerns, and potential for malicious tool servers to manipulate LLM behaviour through crafted outputs. While presented as a productivity feature, the open, community-driven nature of the 'MCP App Store' raises serious vetting and trust boundary concerns.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.