LIVE FEED
TrustFall: Repository Poisoning RCE in AI Coding Tools

TrustFall: Repository Poisoning RCE in AI Coding Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Dark Reading

A vulnerability class dubbed 'TrustFall' demonstrates that malicious code repositories can trigger arbitrary code execution in AI-assisted developer tools including Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI, with little to no user interaction required. The attack surface stems from inadequate or easily dismissed warning dialogs that fail to surface the risk of executing untrusted repository content. Developers cloning or opening adversarial repositories are exposed to full host-level compromise through the elevated trust these AI coding agents place in repository-supplied context.

Claude Code OAuth Token Theft via npm Supply Chain

Claude Code OAuth Token Theft via npm Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 SecurityWeek

Mitiga Labs has disclosed a stealthy attack chain targeting Claude Code's MCP infrastructure, allowing adversaries to silently intercept OAuth tokens by redirecting MCP traffic through attacker-controlled infrastructure. The attack requires only the ability to install a malicious npm package, which modifies ~/.claude.json to insert a proxy and pre-sets trust flags to suppress security prompts. Because the OAuth token grants broad access to all connected SaaS tools, successful exploitation effectively hands attackers a persistent master key to the victim's integrated development environment.

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Cisco's AI Threat Intelligence team has demonstrated that bounded pixel-level perturbations can recover the attack effectiveness of degraded typographic images against vision-language models (VLMs), enabling hidden prompt injection that bypasses both human review and content filters. The technique works by optimising perturbations against open-source embedding models and transferring results to proprietary systems like GPT-4o and Claude, exposing a cross-model transferability risk. The attack allows adversaries to embed instructions—such as data exfiltration commands—inside images that appear as visual noise to human observers.

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Microsoft Security Blog

Microsoft's Defender Security Research Team disclosed two CVEs in Semantic Kernel — a widely-used AI agent orchestration framework — demonstrating how prompt injection can escalate to remote code execution via compromised plugins. The vulnerabilities (CVE-2026-26030 and CVE-2026-25592) expose a systemic risk in the agentic AI layer: because frameworks like Semantic Kernel abstract tool orchestration, a single flaw in how LLM outputs are mapped to system tools can propagate across every application built on that foundation. This research signals a critical shift in AI threat modelling, where prompt injection is no longer a content risk but an execution risk.

CVE-2026-7482: Ollama Heap Read Exposes API Keys

CVE-2026-7482: Ollama Heap Read Exposes API Keys

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A critical heap out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.3) in Ollama's GGUF model loader allows unauthenticated remote attackers to exfiltrate sensitive heap memory — including API keys, prompts, and PII — using just three API calls. With approximately 300,000 Ollama instances publicly exposed and no authentication required by default, the attack surface is immediately and broadly exploitable. The vulnerability has been patched in Ollama version 0.17.1, but unpatched internet-facing deployments remain at critical risk.

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Joey Melo, Principal Security Researcher at CrowdStrike, outlines his methodology for AI red teaming, focusing on manipulating LLM guardrails through jailbreaking and data poisoning without altering underlying source code. His work, rooted in competitive AI hacking challenges, translates classical adversarial thinking into the emerging field of machine learning security. The profile highlights the growing professionalisation of AI red teaming as organisations seek to harden LLM deployments against real-world manipulation attacks.

Flowise and n8n: Auth Bypass in Exposed LLM Services

Flowise and n8n: Auth Bypass in Exposed LLM Services

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A scan of over one million exposed AI services found pervasive security failures including absent authentication, leaked API keys, and exposed business logic across self-hosted LLM deployments. Agent management platforms such as Flowise and n8n were discovered internet-exposed without access controls, revealing credential lists and internal workflows. The findings indicate systemic misconfiguration risk as enterprises race to self-host AI infrastructure without applying baseline security practices.

agent-desktop Prompt Injection Grants AI Agents OS Control

agent-desktop Prompt Injection Grants AI Agents OS Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

agent-desktop is an open-source Rust CLI tool that exposes full OS accessibility trees to AI agents, enabling programmatic control of any desktop application without screenshots or browser sandboxing. This dramatically expands the attack surface for agentic AI systems, as a compromised or prompt-injected agent could silently manipulate native applications, exfiltrate data, or perform destructive actions across the host OS. The tool's deterministic element references and structured JSON output make it trivially scriptable, lowering the barrier for AI-driven desktop abuse.

GPT-5.5 and Mythos Execute 32-Step Network Intrusion

GPT-5.5 and Mythos Execute 32-Step Network Intrusion

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 Ars Technica Security

The UK's AI Security Institute (AISI) found that OpenAI's GPT-5.5 matches Anthropic's Mythos Preview on cybersecurity benchmarks, including a 32-step simulated corporate network intrusion. Both models successfully completed the 'The Last Ones' data-extraction simulation — a first for any AI system — suggesting autonomous offensive cyber capability is a general frontier-model property, not a one-vendor breakthrough. The findings raise urgent questions about responsible release practices and the pace at which LLMs can independently execute multi-stage attacks.

Anthropic Releases Claude Security Vulnerability Scanner

Anthropic Releases Claude Security Vulnerability Scanner

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 SecurityWeek

Anthropic has released Claude Security in public beta, a dedicated vulnerability scanning product aimed at countering the accelerating threat of AI-powered exploitation exemplified by its own Mythos model. The tool integrates directly into Claude Enterprise, scanning repositories for vulnerabilities, providing confidence-rated findings, and generating targeted patches — compressing the security team-to-engineer remediation cycle from days to a single session. The launch reflects a broader industry acknowledgment that frontier AI models in adversarial hands are fundamentally shortening time-to-exploit, forcing defenders to adopt equivalent AI-native tooling.

GPT-5.5 Matches Claude Mythos in Vulnerability Discovery

GPT-5.5 Matches Claude Mythos in Vulnerability Discovery

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Simon Willison

The UK's AI Security Institute has evaluated OpenAI's GPT-5.5 for offensive cybersecurity capabilities, finding it comparable to Anthropic's Claude Mythos model in identifying security vulnerabilities. Unlike Mythos, GPT-5.5 is generally available, meaning its vulnerability-discovery capabilities are accessible to a broad population including malicious actors. This raises significant concerns about the proliferation of AI-assisted exploitation tools at scale.

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Cisco Talos

Cisco Talos researcher Martin Lee demonstrates how generative AI can be used to rapidly deploy adaptive honeypot systems that deceive and study AI-driven attack agents. The technique exploits a fundamental weakness in AI agents — their lack of situational awareness — causing them to interact with simulated vulnerable systems as if they were real targets. This defensive approach shifts the paradigm from passive detection to active manipulation, giving defenders new insight into automated threat actor methodologies.

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

ATLAS OWASP LOW Limited impact · Standard review ▲ 7.2 Hugging Face Blog

Meta has released Llama Guard 4, a 12B multimodal safety classifier designed to detect and filter unsafe content in both image and text inputs/outputs for production LLM deployments. The model addresses jailbreak attempts and harmful content generation across 14 hazard categories defined by the MLCommons taxonomy. Alongside it, two lightweight Llama Prompt Guard 2 classifiers (86M and 22M parameters) target prompt injection and prompt attack detection.

Frontier LLMs Enable Industrialised Cyberattacks at Scale

Frontier LLMs Enable Industrialised Cyberattacks at Scale

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 Dark Reading

The article examines the emerging threat landscape posed by agentic AI systems in offensive security contexts, suggesting that frontier LLMs could enable industrialised exploitation at scale. Commentator Ari Herbert-Voss reframes the narrative, arguing this moment also presents a strategic opportunity for defenders. The piece surfaces tensions around autonomous AI-driven cyberattacks and their potential to outpace traditional security postures.

Model Extraction Attacks Surge: Google GTIG Q4 Report

Model Extraction Attacks Surge: Google GTIG Q4 Report

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Mandiant Blog

Google Threat Intelligence Group's Q4 2025 AI Threat Tracker documents a meaningful escalation in adversarial AI misuse, including a surge in model extraction (distillation) attacks, nation-state operationalisation of LLMs for phishing and reconnaissance, and the emergence of AI-integrated malware families such as HONESTCUE that leverage Gemini's API. While no breakthrough capabilities have been observed from APT actors, the integration of agentic AI for tooling development signals a maturing threat landscape. Defenders should prioritise monitoring for model extraction activity, API abuse, and AI-augmented social engineering campaigns.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.