LIVE FEED
AI Code Review Agents: DoS Loop Costs $41K in Inference

AI Code Review Agents: DoS Loop Costs $41K in Inference

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 Simon Willison

A hypothetical but technically grounded incident report depicts two competing AI code review agents entering an uncontrolled disagreement loop over a suspected malicious package, generating 340 comments and $41,255 in inference costs before human intervention. The scenario illustrates real risks of excessive agency, lack of circuit-breakers, and cost-based denial-of-service in multi-agent agentic pipelines. While fictional, the scenario directly mirrors documented failure modes in production AI systems and supply chain security workflows.

OpenAI Workspace Phishing via Fraudulent Tenant Registration

OpenAI Workspace Phishing via Fraudulent Tenant Registration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 BleepingComputer

Threat actors are registering fraudulent OpenAI tenants impersonating legitimate companies and inviting employees to join them, in a campaign dubbed 'Poisoned Tenant' by Push Security. The attack exploits OpenAI's legitimate invitation infrastructure, making phishing emails appear authentic as they pass all email authentication checks. The goal appears to be tricking employees into submitting sensitive corporate information via ChatGPT chats and projects within the attacker-controlled workspace.

Anthropic Releases Claude Mythos 5 Under U.S. Export Controls

Anthropic Releases Claude Mythos 5 Under U.S. Export Controls

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 Anthropic (via HN)

The U.S. Commerce Department has lifted export controls on Anthropic's Claude Mythos 5, permitting access to over 100 vetted U.S. institutions and government agencies under a nascent federal AI licensing regime. For defenders, this tiered-release model introduces a new class of risk: the 'trusted partner' designation becomes a high-value target, as compromise of any listed entity grants implicit legitimacy to interact with a model previously deemed too dangerous for general release. Security teams at approved organizations should treat Mythos 5 access credentials and API endpoints as critical assets, and assume adversaries will probe the boundary between licensed and unlicensed access patterns.

OpenAI Releases GPT-5.6 Under Controlled Access

OpenAI Releases GPT-5.6 Under Controlled Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

OpenAI's GPT-5.6, a frontier model with advanced cyber capabilities, is being released exclusively to vetted partners under a White House-directed limited-access programme coordinated with the Office of the National Cyber Director and OSTP. This controlled rollout signals that the model's offensive cyber potential — including autonomous vulnerability identification and exploitation — is significant enough to warrant government-gated distribution, mirroring Anthropic's Project Glasswing model for Claude Mythos. For defenders, the emergence of a government-approved, partner-tier distribution model creates new supply chain trust questions and raises the stakes around who gains early access and how that access is verified, monitored, and potentially abused.

GitHub Releases Copilot Agentic Harness Evaluation

GitHub Releases Copilot Agentic Harness Evaluation

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 GitHub Blog

GitHub has published an evaluation of its Copilot agentic harness, detailing how the orchestration layer performs across multiple underlying models and coding tasks — effectively documenting the architecture of an autonomous, multi-step code generation and execution system. For defenders, this transparency reveals an orchestration surface where prompt injection, supply chain manipulation, and model-switching logic can be targeted across a broader set of model backends than previously understood. Security teams should treat the harness itself as a critical trust boundary, since compromising task routing or model selection logic could silently redirect agentic workflows to less-safe or adversary-controlled model endpoints.

OpenAI Launches Jalapeño Custom Inference Chip

OpenAI Launches Jalapeño Custom Inference Chip

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 TechCrunch AI

OpenAI has unveiled 'Jalapeño', its first custom-built AI inference processor co-designed with Broadcom, optimised for running large language models at reduced cost and power consumption. The move deepens OpenAI's vertical integration across the full AI stack — from chip silicon through to end-user products — introducing new hardware supply chain dependencies and firmware-level attack surfaces that defenders must now account for. Security teams should treat purpose-built AI silicon as a new tier of the ML supply chain, with unique risks around hardware backdoors, firmware integrity, and reduced hardware diversity.

MoEngage Deploys Autonomous AI Agents via Aampe Acquisition

MoEngage Deploys Autonomous AI Agents via Aampe Acquisition

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 TechCrunch AI

MoEngage has acquired Aampe to deploy individualized AI agents for every customer, enabling autonomous decisions on messaging targeting, timing, and content at enterprise scale across 1,350+ brands globally. This architecture introduces a large, distributed fleet of autonomous agents operating on sensitive behavioral and PII data, dramatically expanding the blast radius of any single compromise. Security teams at enterprises adopting this platform must now reason about agent-level trust boundaries, data inference risks, and the amplification potential of adversarial manipulation across millions of simultaneous decision-making agents.

Dragos Launches EmberAI, an OT-Specific AI Platform

Dragos Launches EmberAI, an OT-Specific AI Platform

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 SecurityWeek

Dragos has launched EmberAI, an AI module embedded within its OT security platform that allows analysts to query threat intelligence, asset data, and network activity in plain language, grounded in a decade of proprietary OT-specific data. The system introduces new attack surface considerations because it aggregates highly sensitive OT network telemetry, vulnerability data, and adversary intelligence into a single AI-queryable layer — making the platform itself a high-value target. Defenders must weigh the risks of prompt injection, over-reliance on AI-generated recommendations in safety-critical environments, and the intelligence value this consolidated dataset represents to nation-state adversaries.

Mistral AI Ships OCR 4 with Document Extraction

Mistral AI Ships OCR 4 with Document Extraction

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 Mistral AI (via HN)

Mistral OCR 4 is a production-grade document intelligence model delivering bounding boxes, block classification, inline confidence scores, and 170-language OCR optimised for enterprise RAG and search ingestion pipelines. For defenders, the model's role as a trusted ingestion component in downstream retrieval pipelines creates a high-value attack surface: adversarially crafted documents can now influence RAG context, citations, and automated redaction decisions at scale. The self-hosted single-container deployment option further expands the supply chain and misconfiguration risk surface for organisations running document intelligence internally.

Cordyceps Campaign Poisons CI/CD Workflows in Open Source

Cordyceps Campaign Poisons CI/CD Workflows in Open Source

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

A campaign dubbed 'Cordyceps' is exploiting weaknesses in CI/CD workflows to inject malicious pull requests into high-profile open-source projects, including Google's AI Agent Development Kit and Microsoft's Azure Sentinel. The attack surface spans multiple trusted ecosystems, meaning poisoned code could propagate into AI tooling, cloud infrastructure, and widely-used developer utilities before detection. The breadth of targets — including Python's Black formatter — signals a supply chain strategy designed to maximise downstream blast radius.

Anthropic Enhances AI Agent Skill Scanner Security

Anthropic Enhances AI Agent Skill Scanner Security

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Security firm AIR demonstrated that a malicious AI agent skill, disguised as a Google Stitch landing-page builder, passed every major skill scanner including Cisco's, NVIDIA's, and skills.sh integrations, reaching approximately 26,000 agents before its payload was activated. The attack exploits a structural gap: scanners evaluate a static package at submission time, while the external URL the skill instructs the agent to fetch can be silently swapped post-install to deliver arbitrary instructions. Defenders relying on marketplace reputation signals, GitHub star counts, or one-time scanner verdicts to gatekeep agent skills have no meaningful protection against this class of supply-chain attack.

AI Agent Hijacking via Legacy Infrastructure Exploits

AI Agent Hijacking via Legacy Infrastructure Exploits

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 The Hacker News

Attackers are bypassing AI-layer defences entirely by exploiting unpatched legacy infrastructure — misconfigured Active Directory, stale credentials, and over-privileged IAM roles — to hijack the resources AI agents depend on. Research cited in the article shows 70% of organisations grant AI systems more access than a human in the same role, driving a 76% incident rate among over-privileged deployments. The article argues that securing AI agents requires closing the underlying infrastructure exposure gap, not just hardening the model layer.

OpenAI Launches Patch the Planet Vulnerability Initiative

OpenAI Launches Patch the Planet Vulnerability Initiative

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 TechCrunch AI

OpenAI has partnered with Trail of Bits to launch 'Patch the Planet,' an initiative using AI-assisted tooling (including Codex Security) to help open-source maintainers find and patch vulnerabilities at scale. While the defensive intent is clear, the program introduces new attack surface considerations: AI-generated patches applied to widely-used open-source projects create a high-value supply chain target, and the triage/remediation pipeline itself could be manipulated to introduce subtle flaws. Defenders should monitor open-source dependencies that receive AI-assisted patches and assess the integrity guarantees of the remediation workflow.

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 BleepingComputer

A three-flaw vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio allowed attackers to execute arbitrary commands on a developer's host system by manipulating a browsing AI agent into connecting to a malicious webpage. The attack exploited missing authentication on MCP WebSocket routes combined with unsanitised base64-encoded parameters to launch arbitrary processes. Microsoft confirmed the flaw was patched before any PyPI release, limiting exposure to developers building directly from the main GitHub branch.

AWS Launches Bedrock AgentCore for Autonomous Payments

AWS Launches Bedrock AgentCore for Autonomous Payments

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

AWS has launched Amazon Bedrock AgentCore Payments, a managed infrastructure layer that enables AI agents to autonomously transact with external model providers and services using the x402 payment protocol, without human intervention. This capability introduces a new class of financial attack surface where compromised or manipulated agents can autonomously spend real funds, exfiltrate value, or be redirected to malicious service endpoints. Defenders must now treat agent payment credentials and spending budgets as first-class financial controls, on par with cloud IAM policies.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.