LIVE FEED
Amazon Bedrock Prompt Injection Traverses Agent Hierarchies

Amazon Bedrock Prompt Injection Traverses Agent Hierarchies

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Palo Alto Unit 42

Unit 42 researchers conducted red-team analysis of Amazon Bedrock's multi-agent collaboration framework, demonstrating how attackers can systematically exploit prompt injection to traverse agent hierarchies, extract system instructions, and invoke tools with attacker-controlled inputs. The research reveals that multi-agent architectures introduce compounded attack surfaces through inter-agent communication channels, though no underlying Bedrock vulnerabilities were identified. Properly configured Guardrails and pre-processing stages effectively mitigate the demonstrated attack chains.

Brex CrabTrap: LLM Proxy Blocks Agentic AI Prompt Injection

Brex CrabTrap: LLM Proxy Blocks Agentic AI Prompt Injection

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 HN AI Security

Brex has open-sourced CrabTrap, an HTTP proxy that uses an LLM-as-a-judge architecture to intercept, evaluate, and block or allow requests made by AI agents in real time against configurable policies. The tool targets a critical gap in agentic AI deployments — the lack of runtime guardrails for autonomous agent actions — and represents a practical defensive control against excessive agency and prompt injection exploitation. Its production-oriented design positions it as a notable contribution to the emerging agentic AI security toolchain.

Google Patches Prompt Injection RCE in Agentic AI

Google Patches Prompt Injection RCE in Agentic AI

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 Dark Reading

Google has patched a critical prompt injection vulnerability in an agentic AI tool designed for filesystem operations, where insufficient input sanitisation enabled sandbox escape and arbitrary code execution. The flaw highlights the compounding risk surface of agentic AI systems that interface directly with operating system resources. This is a significant example of how LLM-native vulnerabilities can translate into traditional high-severity RCE outcomes.

CVE-2026: Google Antigravity Sandbox Escape via Prompt Injection

CVE-2026: Google Antigravity Sandbox Escape via Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.0 The Hacker News

A now-patched vulnerability in Google's agentic IDE Antigravity allowed attackers to achieve arbitrary code execution by injecting malicious flags into the find_by_name tool's Pattern parameter, bypassing the platform's Strict Mode sandbox before security constraints were enforced. The attack chain could be triggered entirely via indirect prompt injection—embedding hidden instructions in files pulled from untrusted sources—requiring no account compromise and no additional user interaction. This case exemplifies the systemic risk of insufficient input validation in AI agent tool interfaces, where autonomous execution removes the human oversight layer that traditional security models depend on.

CVE-2026: Anthropic MCP SDK Remote Code Execution

CVE-2026: Anthropic MCP SDK Remote Code Execution

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A systemic 'by design' vulnerability in Anthropic's Model Context Protocol (MCP) SDK enables arbitrary remote code execution across all supported language implementations via unsafe STDIO transport defaults, affecting over 7,000 publicly accessible servers and 150 million downloads. The flaw has been independently confirmed across 10+ popular AI frameworks including LiteLLM, LangChain, and Flowise, with Anthropic declining to modify the protocol's architecture. This represents a significant AI supply chain risk with cascading exposure to sensitive data, API keys, and internal systems.

Cursor AI Prompt Injection Chains to Shell Access

Cursor AI Prompt Injection Chains to Shell Access

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 SecurityWeek

A chained vulnerability in Cursor AI—a widely-used AI-powered code editor—allowed attackers to combine indirect prompt injection with a sandbox escape and the application's built-in remote tunnel feature to achieve arbitrary shell access on developer machines. The attack chain is particularly significant because it weaponises Cursor's own legitimate remote-access infrastructure, meaning malicious commands could blend into normal developer workflows. Developers using Cursor's AI features against untrusted code or repositories are at elevated risk of full host compromise.

Comment Injection Attacks Hit Claude Code, Gemini, Copilot

Comment Injection Attacks Hit Claude Code, Gemini, Copilot

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

A researcher has disclosed a novel prompt injection attack technique dubbed 'Comment and Control,' demonstrating that popular AI coding agents — including Claude Code, Gemini CLI, and GitHub Copilot Agents — can be manipulated through malicious instructions embedded in source code comments. The attack exploits the tendency of agentic coding tools to process and act upon contextual content within files they are tasked to read or modify. This represents a meaningful escalation in the risk surface of AI-assisted software development workflows.

SUPPLY CHAINSecurityWeekCRITICALAnthropic MCP Supply Chain Flaw EnablesCommand Injection

Anthropic MCP Supply Chain Flaw Enables Command Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.1 SecurityWeek

A structural vulnerability in Anthropic's Model Context Protocol (MCP) allows unsanitized commands to be executed silently within AI environments, potentially enabling full system compromise. Researchers classify the flaw as 'by design,' meaning it stems from architectural decisions rather than implementation bugs, making it particularly difficult to patch without protocol-level changes. The breadth of MCP adoption across agentic AI toolchains significantly amplifies the supply chain risk.

0x4F0x3A0xFF0x0D0x7B0xC20xA10x550x0D0x7B0xC20xA10x550xE80x120x9F0xA10x550xE80x120x9F0xD40x2E0x880x120x9F0xD40x2E0x880x610xB30x4F0x2E0x880x610xB30x4F0x3A0xFF0x0D0xB30x4F0x3A0xFF0x0D0x7B0xC20xA10xFF0x0D0x7B0xC20xA10x550xE80x12LLM SECURITYDark ReadingHIGHPrompt Injection Flaws in Salesforce and AIMicrosoft

Prompt Injection Flaws in Salesforce and Microsoft AI

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

Prompt injection vulnerabilities in Salesforce Agentforce and Microsoft Copilot were patched after researchers demonstrated that external attackers could exploit them to exfiltrate sensitive user data. The flaws highlight systemic risks in enterprise AI agent deployments, where insufficient input sanitisation allows malicious content to hijack agent behaviour. Both vendors have issued patches, but the incidents underscore the growing attack surface introduced by agentic AI systems operating with elevated privileges.

GPT-5.4-Cyber Jailbreak and Prompt Injection Risks

GPT-5.4-Cyber Jailbreak and Prompt Injection Risks

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

OpenAI has launched GPT-5.4-Cyber, a cybersecurity-optimised model variant, alongside an expanded Trusted Access for Cyber (TAC) programme targeting authenticated defenders and security teams. While the initiative is framed as a defensive measure, the dual-use nature of a vulnerability-detection model introduces significant risk of adversarial inversion — where threat actors could exploit the same capabilities to discover and weaponise unpatched vulnerabilities at scale. OpenAI acknowledges this risk and states it is iteratively strengthening safeguards against jailbreaks and adversarial prompt injection as access broadens.

Anthropic Claude Mythos Sparks AI Vulnerability Storm Warning

Anthropic Claude Mythos Sparks AI Vulnerability Storm Warning

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

The Cloud Security Alliance has issued a warning about an anticipated 'AI vulnerability storm' following the release of Anthropic's Claude Mythos model, urging CISOs to prepare defensive postures in advance of expected exploit activity. The advisory signals growing institutional concern that major LLM releases create systemic risk windows as adversaries probe new model capabilities and attack surfaces. Security leaders are being advised to treat post-release periods of frontier AI models as high-alert intervals requiring elevated monitoring and response readiness.

botctl Process Manager Enables Prompt Injection Attacks

botctl Process Manager Enables Prompt Injection Attacks

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

botctl is an open-source process manager that enables persistent, autonomous AI agents (currently Claude-backed) to run continuously as background daemons with tool access, file system write permissions, and internet connectivity. While marketed as a productivity tool, the architecture introduces substantial attack surface through unattended agentic execution, a skills marketplace with third-party prompt injection, and a locally-exposed web dashboard. The combination of persistent autonomy, extensible skill modules from arbitrary GitHub repositories, and session memory creates compounding risk vectors relevant to agentic AI security.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.