LIVE FEED
FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 HN AI Security

FableCut is a zero-dependency, browser-based non-linear video editor that exposes its entire timeline as a JSON document and accepts live control from AI agents via MCP (Model Context Protocol) and REST APIs, enabling tools like Claude Code or Claude Desktop to autonomously edit video. This agent-accessible media pipeline introduces meaningful new attack surface: any AI agent granted MCP/REST access can read, overwrite, or poison the JSON timeline, and a compromised or prompt-injected agent could silently alter exported video content. Defenders managing AI agent workflows that touch media pipelines should treat this as an unsandboxed tool-use endpoint requiring strict authZ, input validation, and output integrity checks.

CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents

CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.7 The Hacker News

Wiz researchers disclosed GhostApproval, a symlink-based attack affecting six AI coding assistants — Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf — that allows malicious repositories to write attacker-controlled content to sensitive files such as SSH authorized_keys or shell startup scripts. The core failure is an informed-consent bypass: the agent's approval dialog names a harmless file while the write targets a sensitive one, or in some tools the write completes before any prompt appears. Three vendors have patched, two have not, and Anthropic disputes the classification as a vulnerability.

Prompt Injection Attacks Claude Code and Codex Execution

Prompt Injection Attacks Claude Code and Codex Execution

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.2 The Hacker News

Researchers at the AI Now Institute have demonstrated a proof-of-concept attack dubbed 'Friendly Fire' that tricks AI coding agents — specifically Anthropic's Claude Code and OpenAI's Codex in autonomous mode — into executing malicious binaries while performing routine security reviews. The attack embeds a disguised payload inside an open-source library and uses a plain README.md instruction to direct the agent to run a malicious shell script, bypassing existing trust-prompt defences. Because the weakness is architectural rather than version-specific, no patch exists; mitigation requires workflow changes.

OfficeCLI Brings Microsoft Office Automation to AI Agents

OfficeCLI Brings Microsoft Office Automation to AI Agents

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 HN AI Security

OfficeCLI is an open-source, single-binary tool that enables AI agents to programmatically read, write, and automate Microsoft Word, Excel, and PowerPoint files without requiring a local Office installation. This dramatically expands the file-system attack surface for agentic AI systems, enabling prompt injection via document content, automated exfiltration of sensitive Office files, and weaponisation of documents as a persistent injection vector. Defenders operating AI agent pipelines that touch file systems must now treat any Office document as a potential adversarial input channel.

Prompt Injection Attacks Manipulate AI Crypto Agents

Prompt Injection Attacks Manipulate AI Crypto Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers identified two active campaigns embedding indirect prompt injection payloads in malicious websites to manipulate autonomous AI agents into executing unauthorised cryptocurrency transactions. The attacks exploit the growing deployment of agentic AI systems that browse the web and take real-world actions with minimal human oversight. This represents a concrete, financially motivated escalation of prompt injection from data exfiltration to direct fund theft.

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers have demonstrated how attackers can embed hidden instructions inside MCP tool descriptions to covertly redirect AI agents into exfiltrating sensitive business data. Because each individual action the agent takes appears legitimate — using approved tools and the user's own permissions — default security controls generate no alerts. The attack exploits a fundamental design tension in MCP: tool descriptions simultaneously carry operational instructions and attacker-controlled data, collapsing a critical trust boundary.

Agentjacking: Prompt Injection via Malicious Bug Reports

Agentjacking: Prompt Injection via Malicious Bug Reports

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A technique dubbed 'agentjacking' exploits the inability of AI coding agents to distinguish between legitimate content and embedded instructions, allowing attackers to hijack agent behaviour through maliciously crafted bug reports. The attack represents a scalable, low-barrier prompt injection vector targeting developer workflows that rely on autonomous AI agents. As AI coding assistants gain broader adoption and elevated system permissions, this class of attack poses a significant risk to software supply chain integrity.

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A set of vulnerabilities dubbed 'DuneSlide' in the Cursor AI code editor allow attackers to conduct zero-click prompt injection attacks that escape the application's sandbox and execute arbitrary code at the operating system level. The flaws represent a critical escalation of AI-native attack surface risks, targeting developers who rely on AI-assisted coding environments. Because exploitation requires no user interaction, the attack chain is particularly dangerous in supply chain and watering-hole scenarios.

CVE-2026-50548: Cursor IDE Prompt Injection RCE

CVE-2026-50548: Cursor IDE Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI code editor allow prompt injection attacks delivered via MCP services or web search results to escape the editor's terminal sandbox and execute arbitrary commands on a developer's machine without any user interaction. Both flaws abuse the sandbox's write-permission logic — one through a misconfigured working directory parameter, the other through a symlink-resolution fallback — ultimately allowing overwrite of the sandbox helper binary itself. The attack surface is significant given Cursor's reported adoption across more than half of Fortune 500 companies; all versions prior to 3.0 remain vulnerable.

Anthropic Releases Claude-Real-Video for Local Video Analysis

Anthropic Releases Claude-Real-Video for Local Video Analysis

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 HN AI Security

claude-real-video is an open-source, MIT-licensed Python library that extracts scene-change frames, deduplicates images, and transcribes audio from any video URL or local file, then packages the result as a folder any LLM can consume — all processed locally without cloud upload. For defenders, this dramatically expands the multimodal prompt injection surface by enabling adversaries to embed malicious instructions inside video content that LLM pipelines will now ingest and act upon. Security teams building or deploying LLM agents with video-processing capabilities must treat video content as an untrusted, potentially adversarial input channel.

Google Launches Gemini Spark on Mac with File Access

Google Launches Gemini Spark on Mac with File Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 TechCrunch AI

Google has expanded Gemini Spark to macOS, giving the agentic assistant access to local files, third-party app integrations (including Dropbox, Canva, and Instacart), custom MCP connections, and real-time topic monitoring. This substantially widens the attack surface for enterprise defenders, as a compromised or manipulated Spark agent gains a foothold across local file systems, cloud workspaces, and external service APIs simultaneously. The addition of custom Model Context Protocol support is particularly concerning, as it allows arbitrary third-party tool connections with unclear trust boundaries and permission scoping.

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 AWS Machine Learning Blog

AWS has expanded Amazon Bedrock in GovCloud (US) to include NVIDIA Nemotron and OpenAI's open-weight GPT OSS models, enabling U.S. government agencies and defense contractors to run frontier LLMs within FedRAMP High and DoD SRG compliance boundaries. This expansion introduces large, capable open-weight models into sensitive government mission workflows — including intelligence analysis, security log review, and contract automation — dramatically increasing the consequence of a successful prompt injection or jailbreak. Defenders must account for the elevated impact of model compromise in classified-adjacent environments, supply chain trust assumptions around open-weight model weights, and the risk of agentic workflows operating with privileged data access under reduced human oversight.

BioShocking Attack Exploits Indirect Prompt Injection to Steal Credentials via AI Browsers

BioShocking Attack Exploits Indirect Prompt Injection to Steal Credentials via AI Browsers

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.0 The Hacker News

Security firm LayerX demonstrated a novel indirect prompt injection attack dubbed 'BioShocking' that manipulates AI browser agents into exfiltrating user credentials by embedding adversarial instructions inside web-based puzzle content. Six AI browsers and assistants were successfully compromised, including ChatGPT Atlas, Perplexity Comet, and Anthropic's Claude extension, with agents retrieving SSH credentials from GitHub repositories without triggering safety refusals. Vendor responses were inconsistent, with only OpenAI issuing a confirmed fix, highlighting the systemic risk of agentic AI systems that conflate user intent with malicious page content.

Claude Code Indirect Prompt Injection Spawns Reverse Shell

Claude Code Indirect Prompt Injection Spawns Reverse Shell

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated that indirect prompt injection attacks embedded within seemingly benign code repositories can cause Claude Code — Anthropic's agentic coding assistant — to spawn a reverse shell on a developer's machine. The attack exploits Claude Code's autonomous execution capabilities, using hidden instructions in repository content to hijack the host system without any explicit user consent. This highlights a critical risk in agentic AI tools that operate with elevated system privileges in developer environments.

Claude Code Prompt Injection via GitHub Supply Chain

Claude Code Prompt Injection via GitHub Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 BleepingComputer

Mozilla 0DIN researchers demonstrated a novel attack chain in which a seemingly clean GitHub repository tricks AI coding agents like Claude Code into executing a reverse shell payload — with no malicious code ever present in the repo itself. The attack leverages three innocuous components: a Python package that deliberately errors on first run, an error message that instructs the agent to run an init command, and a shell script that fetches and executes a payload stored in an attacker-controlled DNS TXT record. The technique exploits the autonomous error-recovery behaviour of agentic AI tools, effectively turning a safety feature into an attack vector.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.