LIVE FEED
OpenClaw Agent Vulnerable to Prompt Injection RCE

OpenClaw Agent Vulnerable to Prompt Injection RCE

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Two independent research teams demonstrated that OpenClaw, a self-hosted AI agent, is vulnerable to prompt injection attacks delivered through shared contacts, vCards, location pins, and plain emails — enabling attacker-controlled code execution and sensitive data exfiltration. Imperva's finding, now patched in version 2026.4.23, exploited the agent's failure to mark message objects as untrusted before passing them to the underlying LLM. Varonis separately showed that a single crafted email could instruct an agent to forward mock AWS credentials and customer data to an external address, a behaviour-level risk no patch can fully remediate.

Claude Fable 5 Jailbreak Extracts System Prompts

Claude Fable 5 Jailbreak Extracts System Prompts

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 SecurityWeek

Security researcher Pliny the Liberator claimed a prompt-based jailbreak of Anthropic's newly launched Claude Fable 5 model, allegedly extracting the internal system prompt and eliciting responses on high-risk topics including bioweapons and cyberattacks. Anthropic disputed the claim, arguing the technique merely coaxes conversational continuation rather than bypassing core safety classifiers. The incident highlights ongoing tension between AI safety assurances at launch and real-world adversarial probing, particularly for Mythos-class models with elevated capability ceilings.

OpenClaw AI Agent Vulnerable to Phishing, Leaks AWS Credentials

OpenClaw AI Agent Vulnerable to Phishing, Leaks AWS Credentials

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 BleepingComputer

Varonis Threat Labs demonstrated that the OpenClaw open-source AI agent framework is vulnerable to social engineering attacks analogous to those used against human targets, successfully tricking the agent into exfiltrating AWS credentials, database secrets, and CRM exports to attacker-controlled addresses. The research tested two LLMs (Gemini 3.1 Pro and GPT-5.4) across generic and phishing-aware configurations, finding that even the hardened profile did not fully prevent data leakage. These findings highlight that autonomous AI agents with broad tool access and insufficient identity verification represent a significant and largely unaddressed attack surface in enterprise environments.

Microsoft 365 Copilot Prompt Injection Threats in Enterprise

Microsoft 365 Copilot Prompt Injection Threats in Enterprise

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 Microsoft Security Blog

Microsoft has released a structured investigator playbook for reconstructing AI-related activity across Microsoft 365 Copilot and Azure AI services, addressing the challenge of converting raw telemetry into coherent incident timelines. The playbook targets threats already observed in enterprise deployments, including prompt injection attempts and unauthorized data access, and operationalizes a scope–context–signal methodology across Purview, Defender, and Sentinel. This guidance directly supports security teams responding to AI-specific incidents where unstructured telemetry has previously hindered attribution and impact assessment.

Anthropic Claude Code Prompt Injection Leaks Secrets

Anthropic Claude Code Prompt Injection Leaks Secrets

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Microsoft Threat Intelligence disclosed a vulnerability in Anthropic's Claude Code GitHub Action whereby prompt injection via untrusted GitHub content — issue bodies, PR descriptions, and comments — could cause the AI agent to read sensitive environment variables, including the ANTHROPIC_API_KEY, from /proc/self/environ. The flaw stemmed from inconsistent sandboxing: while subprocess execution paths like Bash were scrubbed of environment variables, the Read tool had no equivalent restriction. Anthropic patched the issue in Claude Code version 2.1.128 by blocking access to sensitive /proc filesystem paths.

Deepfakes and Prompt Injection Top AI Security Threats

Deepfakes and Prompt Injection Top AI Security Threats

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

Gartner analysts have identified deepfakes and prompt injection as two of four critical emerging threats where attackers currently hold a structural advantage over defenders. The advisory signals growing institutional recognition that AI-native attack vectors are maturing faster than enterprise defenses. Organizations are urged to treat these threats as priority items requiring immediate defensive investment.

ChatGPT Prompt Injection Enables Data Exfiltration

ChatGPT Prompt Injection Enables Data Exfiltration

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Simon Willison

OpenAI has rolled out 'Lockdown Mode' for ChatGPT personal and self-serve business accounts, a deterministic control designed to block the data exfiltration leg of prompt injection attacks. The feature directly addresses the 'Lethal Trifecta' — the combination of private data access, untrusted content exposure, and an outbound exfiltration channel — by restricting outbound network requests at the infrastructure level rather than relying on AI-evaluated guardrails. Critically, OpenAI's own documentation acknowledges the feature's existence implies that default ChatGPT settings do not robustly prevent determined data exfiltration attacks.

Google Gemini Android Hijacked by Indirect Prompt Injection

Google Gemini Android Hijacked by Indirect Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

SafeBreach researcher Or Yair demonstrated that malicious text embedded in WhatsApp, Slack, SMS, or Signal notifications could trigger indirect prompt injection against Google Gemini's Android Utilities feature, causing the assistant to execute real device actions without user awareness. A novel bypass technique called 'Fake Context Alignment' defeated Google's post-patch authorization checks by exploiting multilingual obfuscation and muted hyperlinks to trick victims into authorising sensitive actions. Google has patched the issue, but the research exposes a fundamentally large attack surface where any app capable of pushing a notification becomes a potential injection vector.

Adversa AI: 89% of AI Agents Fail Security Tests

Adversa AI: 89% of AI Agents Fail Security Tests

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Adversa AI's AI Risk Quadrant report evaluated 100 AI agents across ten categories, finding that only 11 qualify as both capable and well-defended. The research identifies a structural 'power-protection inversion' where the most capable agents also present the widest attack surface, driven by a 'lethal trifecta' of private data access, exposure to untrusted content, and outbound action capability. Computer and coding agents showed the most severe exposure, raising urgent concerns about autonomous agent deployment in enterprise environments.

Google Gemini Voice Prompt Injection via Notifications

Google Gemini Voice Prompt Injection via Notifications

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A prompt injection vulnerability in Google Gemini's voice assistant allows attackers to embed malicious instructions within device notifications, which the assistant then processes as legitimate commands. This attack vector enables social engineering, unauthorized actions, and potential data exfiltration without direct user interaction with the malicious payload. The flaw highlights the growing risk of indirect prompt injection in ambient AI assistants that consume untrusted content from the surrounding environment.

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Permiso Security has disclosed ChatGPhish, a vulnerability in ChatGPT's web summarisation feature that allows attacker-controlled Markdown payloads embedded in third-party pages to render phishing links, spoofed alerts, and QR codes directly within ChatGPT's trusted UI. The attack requires no user interaction beyond asking ChatGPT to summarise a malicious page, and can exfiltrate IP addresses, User-Agent strings, and Referer headers via auto-fetched remote images. The technique significantly expands the phishing attack surface beyond email into everyday AI-assisted browsing workflows, posing a particular risk in enterprise environments.

Robinhood Prompt Injection Enables Autonomous Trade Attacks

Robinhood Prompt Injection Enables Autonomous Trade Attacks

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

Robinhood has launched agentic trading and a virtual credit card that allow third-party AI agents to autonomously execute stock trades and payments on behalf of users via a Model Context Protocol (MCP) integration. This architecture introduces significant attack surface through prompt injection, excessive agency, and insecure plugin design risks inherent to LLM-driven autonomous financial action. The delegation of real financial authority to AI agents with limited human-in-the-loop controls represents a systemic risk to retail investors if agent pipelines are compromised or manipulated.

SentinelOne Warns on Prompt Injection Risks in AI Agents

SentinelOne Warns on Prompt Injection Risks in AI Agents

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SentinelOne Blog

SentinelOne has published guidance on securing agentic AI systems, framing unverified trust in AI agents as a core enterprise risk. The piece promotes their Prompt Security product as a control layer for AI tools, agents, and pipelines deployed across the enterprise. While primarily a product-focused announcement, it highlights the genuine security challenge of blind trust in autonomous AI agents executing actions on behalf of users and systems.

Gemini Spark Prompt Injection Exposes Enterprise Gmail Data

Gemini Spark Prompt Injection Exposes Enterprise Gmail Data

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 Simon Willison

Google's newly announced Gemini Spark personal AI agent, integrated with Gmail, Drive, Calendar, and other sensitive Google services, presents a significant prompt injection attack surface as it processes user data at scale. The article highlights that Google's published security mitigations — ephemeral VMs, Agent Gateway, and DLP policies — address infrastructure isolation but do not directly address the prompt injection vector inherent to LLM-powered agents processing untrusted content. Additionally, the transition from open-source Gemini CLI to a closed-source Antigravity CLI raises supply chain transparency concerns.

Microsoft RAMPART Tests AI Agents for Prompt Injection

Microsoft RAMPART Tests AI Agents for Prompt Injection

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 The Hacker News

Microsoft has released two open-source tools, RAMPART and Clarity, aimed at embedding security testing into AI agent development workflows. RAMPART extends the existing PyRIT framework with a Pytest-native harness for running adversarial and safety tests against AI agents, explicitly covering cross-prompt injection, data exfiltration, and behavioural regression scenarios. Clarity operates as a pre-code design analysis tool, helping teams surface and challenge unsafe assumptions before an agentic system is built.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.