LIVE FEED
Malware Uses Prompt Injection in JavaScript to Evade LLM Tools

Malware Uses Prompt Injection in JavaScript to Evade LLM Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Schneier on Security

A malware developer has been observed embedding fake system instructions and policy-triggering content — including references to nuclear and biological weapons — inside JavaScript comment blocks to confuse or trigger refusal behaviour in LLM-powered security analysis pipelines. The technique does not affect code execution but is specifically designed to disrupt naive AI-first triage tools that feed raw file content to language models without isolating it as untrusted data. Traditional static analysis methods remain unaffected, but the approach signals an emerging class of anti-AI-analysis evasion techniques.

Enterprise Security Platforms Ship Autonomous Threat Response

Enterprise Security Platforms Ship Autonomous Threat Response

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

A new class of agentic AI security platforms is emerging that autonomously correlates threat intelligence, validates controls, and prioritizes remediations across siloed enterprise security tooling — moving beyond assistive chatbot interfaces to continuous, multi-step autonomous action. This shift introduces significant new attack surface: an AI system with persistent access to live exposure data, security telemetry, and remediation workflows becomes a high-value target for adversarial manipulation. Defenders must assess trust boundaries, prompt injection risks, and the consequences of autonomous action taken on poisoned or manipulated inputs before deploying these systems.

GitHub Ships Data Analytics Agent Built on Copilot

GitHub Ships Data Analytics Agent Built on Copilot

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 GitHub Blog

GitHub has published a detailed engineering account of how it built an internal data analytics agent using GitHub Copilot, exposing the architectural patterns — including natural language-to-SQL translation, autonomous tool invocation, and internal data access — that underpin such systems. For defenders, this blueprint highlights concrete risks around prompt injection into analytics pipelines, excessive agency over sensitive internal datasets, and the challenge of auditing LLM-generated queries before execution. Organisations adopting similar agentic analytics patterns should treat this as a reference threat model rather than a safe-to-copy architecture.

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers disclosed AutoJack, an exploit chain targeting AutoGen Studio's MCP WebSocket endpoint that allows a single malicious web page to execute arbitrary commands on a developer's host machine via an AI browsing agent. The attack chains three distinct weaknesses — localhost trust bypass, missing authentication on MCP paths, and unsanitised command execution — requiring no credentials or user interaction beyond the agent loading the attacker's URL. While the vulnerable handler was not included in stable PyPI releases, it shipped in two pre-release builds that remain unyanked, leaving anyone who installed those versions exposed.

Delphi Ships AI Karamo Brown Clone for Kē Wellness App

Delphi Ships AI Karamo Brown Clone for Kē Wellness App

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 TechCrunch AI

Karamo Brown's Kē wellness app deploys an AI digital clone of the celebrity — voice, persona, and advisory content — built by Delphi from interviews, podcasts, and public clips, enabling real-time conversational coaching at scale. For defenders, celebrity-clone architectures introduce layered risks: the training corpus is largely public and manipulable, the voice synthesis surface is exploitable for deepfake derivation, and the mental-health context creates elevated harm potential if the persona is hijacked or jailbroken. Security teams evaluating similar deployments should treat the persona boundary as a primary control point, since users in vulnerable emotional states are disproportionately exposed to manipulation if guardrails fail.

AWS Launches Amazon Bedrock AgentCore Harness

AWS Launches Amazon Bedrock AgentCore Harness

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 AWS Machine Learning Blog

AWS has made Amazon Bedrock AgentCore Harness generally available, providing a managed abstraction layer that reduces agent deployment to two API calls while bundling sandboxed compute, persistent memory, tool gateway, browser access, identity management, and observability. For defenders, this dramatically lowers the barrier to deploying autonomous agents with filesystem access, shell execution, web browsing, and multi-provider model switching — compressing what was a weeks-long infrastructure project into minutes. Security teams face an expanded attack surface where prompt injection, tool abuse, cross-session memory poisoning, and supply chain risks through AWS-curated skill catalogs now arrive as a single, tightly integrated managed service rather than individually reviewable components.

Microsoft AutoGen Studio RCE via MCP Bypass

Microsoft AutoGen Studio RCE via MCP Bypass

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Researchers at Microsoft identified a three-stage exploit chain in AutoGen Studio that allows a malicious web page visited by a browsing AI agent to reach the host's local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes. The chain exploits a bypassable origin allowlist, authentication middleware that excluded MCP endpoints, and unsanitised URL-derived command parameters. Although the vulnerable surface was never shipped in a PyPI release, the finding exposes a systemic architectural risk in any agent framework that combines untrusted browsing with privileged localhost services.

AWS Launches Amazon Quick Autonomous Agents

AWS Launches Amazon Quick Autonomous Agents

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 AWS Machine Learning Blog

AWS has shipped autonomous agents in Amazon Quick, an AI assistant that continuously executes tasks — including CRM updates, email drafting, and compliance monitoring — on behalf of users while connected to dozens of enterprise data sources and applications. This dramatically expands the attack surface for business-context compromise: a single successful prompt injection or account takeover can now translate into persistent, automated actions across an organisation's entire connected app ecosystem. Defenders must treat these agents as privileged service accounts with broad, continuous write-access, requiring dedicated monitoring, least-privilege scoping, and explicit human-in-the-loop gates for sensitive actions.

Google Launches Android 17 with Gemini Omni Integration

Google Launches Android 17 with Gemini Omni Integration

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

Android 17 embeds Gemini Omni and multiple AI models (Lyria 3, AudioLM) directly into OS-level functions including video editing, call handling, screen recording, and emergency detection, dramatically expanding the attack surface for AI-assisted exploitation on mobile endpoints. The deep integration of conversational AI with device sensors, media pipelines, and inter-app communication creates novel prompt injection and data exfiltration vectors that existing mobile threat defences were not designed to address. The simultaneous AirDrop interoperability expansion and cross-device Pixel Watch mirroring further widen the lateral movement surface across the Google hardware ecosystem.

NVIDIA Launches XR AI for Agentic AR Glasses

NVIDIA Launches XR AI for Agentic AR Glasses

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 NVIDIA AI Blog

NVIDIA XR AI puts multimodal agentic systems directly into AR glasses, fusing continuous video, audio, depth, and pose data with enterprise knowledge retrieval and tool execution — creating a persistent, always-on sensor exfiltration and prompt injection surface that sits inches from a worker's face. The framework connects to industrial systems, digital twins, and enterprise RAG backends, meaning a compromised agent can pivot from perceptual data into operational technology networks. Because the inputs are environmental and largely uncontrolled, adversarial content placed in the physical world (signage, screens, spoken commands) becomes a viable injection vector against enterprise infrastructure.

Amazon Bedrock AgentCore Ships with RAG and Memory

Amazon Bedrock AgentCore Ships with RAG and Memory

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 AWS Machine Learning Blog

Amazon Bedrock AgentCore now enables production-grade agentic systems that combine RAG retrieval, persistent cross-session memory, and direct user-facing endpoints authenticated only via Cognito Bearer tokens — all surfaced through a single /invocations endpoint. This architecture creates compounded attack surfaces where adversarially crafted content in S3-backed knowledge bases can propagate through the retrieve_and_generate pipeline directly into technician workflows. The persistent AgentCore Memory layer introduces a new cross-session context poisoning vector that does not exist in stateless LLM deployments.

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 AWS Machine Learning Blog

Agent-EvalKit introduces an open-source evaluation pipeline that integrates LLM-as-judge evaluators and AI coding assistants directly into agent development workflows, creating new attack surfaces where poisoned test cases, manipulated ground-truth datasets, and adversarial evaluation prompts could corrupt agent quality signals. The toolkit's deep code-reading access via Claude Code, Kiro CLI, and Kilo Code means a compromised evaluation run could exfiltrate source code or inject malicious recommendations into the development pipeline. Because evaluation outputs drive concrete code changes, adversarial manipulation of the eval layer has downstream consequences for production agent behaviour.

Amazon Quick Launches Agentic Incident Triage Assistant

Amazon Quick Launches Agentic Incident Triage Assistant

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

Amazon Quick's new agentic incident triage assistant integrates New Relic's observability platform and Asana via MCP, creating a single conversational interface that can query production telemetry, surface error logs, and create tracked tasks autonomously. This multi-tool agent architecture dramatically expands the prompt injection attack surface, as malicious data embedded in production logs, alert payloads, or transaction traces can now influence agent actions — including task creation and RCA narrative generation. The convergence of observability data (high-trust, machine-generated) with autonomous task orchestration creates a novel indirect prompt injection pathway through operational telemetry.

Google Gemini Prompt Injection Powers Smishing Campaign

Google Gemini Prompt Injection Powers Smishing Campaign

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

Google has filed suit against a Chinese cybercrime network operating the Outsider phishing-as-a-service kit, which exploited Gemini AI to generate fraudulent phishing pages and power large-scale SMS phishing attacks against Americans. The network used carefully framed prompts — disguised as benign programming requests — to bypass AI safety controls and produce functional credential-harvesting websites. The case illustrates the growing industrialisation of AI-assisted phishing infrastructure, with over 1.59 million malicious URLs and 100,000 victims attributed to the operation.

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Tenet Security has disclosed 'Agentjacking', a novel attack class that exploits the implicit trust AI coding agents place in Model Context Protocol (MCP) data sources. By injecting malicious instructions into Sentry error events via publicly accessible DSN credentials, attackers can cause agents like Claude Code and Cursor to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 exposed organisations and an 85% exploitation success rate in controlled testing, with no prior access to victim infrastructure required.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.