LIVE FEED
Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A set of vulnerabilities dubbed 'DuneSlide' in the Cursor AI code editor allow attackers to conduct zero-click prompt injection attacks that escape the application's sandbox and execute arbitrary code at the operating system level. The flaws represent a critical escalation of AI-native attack surface risks, targeting developers who rely on AI-assisted coding environments. Because exploitation requires no user interaction, the attack chain is particularly dangerous in supply chain and watering-hole scenarios.

Current AI Launches Open Source AI Gap Map with 421 Projects

Current AI Launches Open Source AI Gap Map with 421 Projects

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.5 Simon Willison

Current AI has published the Open Source AI Gap Map v0.1, a structured, MIT-licensed index of 421 open-source AI products spanning models, datasets, software tools, and hardware, backed by 1,184 YAML files and tracking over 16,000 GitHub repositories. For defenders, this comprehensive public inventory creates a dual-use intelligence resource: while it aids supply chain visibility, it simultaneously provides adversaries with a curated, machine-readable attack surface map of the open-source AI ecosystem. Security teams should treat this dataset as threat-actor recon material and cross-reference their own AI dependencies against it immediately.

Anthropic Releases Claude-Real-Video for Local Video Analysis

Anthropic Releases Claude-Real-Video for Local Video Analysis

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 HN AI Security

claude-real-video is an open-source, MIT-licensed Python library that extracts scene-change frames, deduplicates images, and transcribes audio from any video URL or local file, then packages the result as a folder any LLM can consume — all processed locally without cloud upload. For defenders, this dramatically expands the multimodal prompt injection surface by enabling adversaries to embed malicious instructions inside video content that LLM pipelines will now ingest and act upon. Security teams building or deploying LLM agents with video-processing capabilities must treat video content as an untrusted, potentially adversarial input channel.

Anthropic Ships Mythos for AI-Driven Bug Discovery

Anthropic Ships Mythos for AI-Driven Bug Discovery

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 Dark Reading

Anthropic's Mythos capability, combined with IBM and Red Hat's Project Lightwell service backed by 20,000 engineers and $5B, introduces an AI-driven pipeline for discovering and remediating bugs in open-source software at industrial scale. This creates a dual-edged attack surface: adversaries who can influence Mythos's findings, its training data, or the remediation pipeline gain a privileged position to inject subtle vulnerabilities into widely-deployed open-source components. Defenders must treat the AI vulnerability-finding and patch-generation pipeline itself as a high-value, high-risk supply chain asset requiring rigorous integrity controls.

Phantom Squatting: LLM Hallucinations Enable Domain Takeover

Phantom Squatting: LLM Hallucinations Enable Domain Takeover

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

Researchers have identified a novel attack vector dubbed 'Phantom Squatting', in which LLMs consistently hallucinate plausible but non-existent web domains for legitimate brands, which attackers can then register and weaponise. Unlike traditional typosquatting, these hallucinated domains carry implicit trust because they originate from AI-generated outputs that users and developers may act upon without verification. The technique is difficult to detect because the domains are not misspellings but plausible inventions, making automated defences less effective.

Google Launches Gemini Spark on Mac with File Access

Google Launches Gemini Spark on Mac with File Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 TechCrunch AI

Google has expanded Gemini Spark to macOS, giving the agentic assistant access to local files, third-party app integrations (including Dropbox, Canva, and Instacart), custom MCP connections, and real-time topic monitoring. This substantially widens the attack surface for enterprise defenders, as a compromised or manipulated Spark agent gains a foothold across local file systems, cloud workspaces, and external service APIs simultaneously. The addition of custom Model Context Protocol support is particularly concerning, as it allows arbitrary third-party tool connections with unclear trust boundaries and permission scoping.

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 AWS Machine Learning Blog

AWS has expanded Amazon Bedrock in GovCloud (US) to include NVIDIA Nemotron and OpenAI's open-weight GPT OSS models, enabling U.S. government agencies and defense contractors to run frontier LLMs within FedRAMP High and DoD SRG compliance boundaries. This expansion introduces large, capable open-weight models into sensitive government mission workflows — including intelligence analysis, security log review, and contract automation — dramatically increasing the consequence of a successful prompt injection or jailbreak. Defenders must account for the elevated impact of model compromise in classified-adjacent environments, supply chain trust assumptions around open-weight model weights, and the risk of agentic workflows operating with privileged data access under reduced human oversight.

Phantom Squatting: LLM Hallucinations in Supply Chain

Phantom Squatting: LLM Hallucinations in Supply Chain

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Palo Alto Unit 42

Unit 42 researchers have documented 'phantom squatting', a novel attack vector where adversaries register domains that LLMs consistently hallucinate when responding to developer queries, intercepting traffic from AI-assisted workflows. Analysis of 913 brands across 685,339 URL queries uncovered 13,229 confirmed malicious URLs and approximately 250,000 unregistered hallucinated domains still available for adversarial pre-registration. A concrete case study reveals a fully operational phishing kit, Montana Empire, built with an AI coding assistant and deployed against a domain Unit 42 had flagged as high-risk 23 days prior.

Claude Code Indirect Prompt Injection Spawns Reverse Shell

Claude Code Indirect Prompt Injection Spawns Reverse Shell

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated that indirect prompt injection attacks embedded within seemingly benign code repositories can cause Claude Code — Anthropic's agentic coding assistant — to spawn a reverse shell on a developer's machine. The attack exploits Claude Code's autonomous execution capabilities, using hidden instructions in repository content to hijack the host system without any explicit user consent. This highlights a critical risk in agentic AI tools that operate with elevated system privileges in developer environments.

NanoEuler Launches GPT-2 LLM Built from Scratch in C/CUDA

NanoEuler Launches GPT-2 LLM Built from Scratch in C/CUDA

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 Cohere AI (via HN)

NanoEuler is an open-source GPT-2-class language model (~116M parameters) built entirely from scratch in C/CUDA, including hand-written backpropagation, a BPE tokenizer, FlashAttention, pretraining, and supervised fine-tuning — with RLHF/DPO planned. For defenders, the significance lies in the democratisation of low-level, dependency-free LLM training infrastructure: adversaries gain a highly portable, auditable, and modifiable training stack that bypasses standard ML framework telemetry and supply chain controls. Security teams should treat this class of 'from-scratch' open-source LLM tooling as a potential foundation for covert fine-tuning pipelines, backdoor insertion, and evasion of model-level safety controls.

Zhipu AI Releases GLM-5.2 Open-Weight Model

Zhipu AI Releases GLM-5.2 Open-Weight Model

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Verge AI

Zhipu AI (Z.ai) has released GLM-5.2, an open-weight model that researchers report matches Anthropic's Mythos in bug-finding and cybersecurity-related tasks, while remaining freely downloadable and runnable on commodity hardware. The open-weight distribution removes access controls and usage monitoring that restrict frontier closed models, enabling unconstrained offensive security use by any actor. Defenders face a materially elevated threat from nation-state and cybercriminal actors who can now fine-tune, deploy, and weaponise a frontier-class vulnerability-discovery model without API gatekeeping or usage telemetry.

Anthropic CEO: Open-Source AI Models Pose Systemic Safety Risk

Anthropic CEO: Open-Source AI Models Pose Systemic Safety Risk

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.2 Meta AI (via HN)

Anthropic CEO Dario Amodei testified to lawmakers that open-source AI models present a systemic safety risk because once released, developers lose the ability to monitor misuse, revoke access, or patch safety guardrails. For defenders, this formalises a long-standing asymmetry: closed-source safety controls (rate-limiting, usage monitoring, kill-switches) become irrelevant once capable weights are publicly distributed. Security teams building on or competing against open-weight models must now treat every downloaded model artifact as a potentially unpatched, unmonitored endpoint that can be fine-tuned to remove safety constraints entirely.

Claude Code Prompt Injection via GitHub Supply Chain

Claude Code Prompt Injection via GitHub Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 BleepingComputer

Mozilla 0DIN researchers demonstrated a novel attack chain in which a seemingly clean GitHub repository tricks AI coding agents like Claude Code into executing a reverse shell payload — with no malicious code ever present in the repo itself. The attack leverages three innocuous components: a Python package that deliberately errors on first run, an error message that instructs the agent to run an init command, and a shell script that fetches and executes a payload stored in an attacker-controlled DNS TXT record. The technique exploits the autonomous error-recovery behaviour of agentic AI tools, effectively turning a safety feature into an attack vector.

Meta Releases AgentKits with 60 Production-Ready Agent Blueprints

Meta Releases AgentKits with 60 Production-Ready Agent Blueprints

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Meta AI (via HN)

AgentKits ships 60 open, free AI agent blueprints covering 30 operational categories — from incident response and access provisioning to HR screening and fraud detection — complete with copyable system prompts, tool definitions, and workflow architectures targeting Claude, OpenAI, LangGraph, and n8n. The free, no-login distribution model dramatically lowers the barrier for adversaries to study, clone, or weaponise production-grade agent architectures, including sensitive categories like SecOps triage, access provisioning, and compliance monitoring. Defenders must treat these blueprints as publicly documented attack playbooks and audit any internally deployed instances against their documented worst-case actions and trust levels.

Sakana AI and 360 Launch Fugu and Tulongfeng Models

Sakana AI and 360 Launch Fugu and Tulongfeng Models

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 Cohere AI (via HN)

Sakana AI's Fugu and Chinese firm 360's Tulongfeng are frontier AI models positioned as functional alternatives to Anthropic's export-restricted Mythos and Fable 5, with Fugu explicitly designed for agentic orchestration across third-party model APIs. For defenders, the proliferation of cybersecurity-focused frontier models outside US regulatory reach removes a key friction point that previously slowed adversary access to high-capability AI offensive tooling. The agentic, multi-model orchestration design of Fugu in particular introduces compounded supply-chain and prompt-injection risk for any enterprise connecting these models to existing tool ecosystems.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.