LIVE FEED
Loopsy AI Agent Relay Enables Cross-Machine RCE

Loopsy AI Agent Relay Enables Cross-Machine RCE

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Loopsy is an open-source tool enabling cross-machine communication between AI coding agents (Claude Code, Cursor, Codex) and mobile devices via a self-hosted Cloudflare Workers relay. While designed for legitimate developer productivity, the architecture introduces significant attack surface: a relay brokering shell access and AI agent commands across machines is a high-value target for interception, hijacking, or supply chain compromise. Security teams should assess exposure before deploying such tools in sensitive development environments.

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Google has patched a maximum-severity (CVSS 10.0) vulnerability in its Gemini CLI tooling that allowed unauthenticated attackers to achieve remote code execution by planting malicious configuration files in workspace directories automatically trusted by the agent in headless/CI mode. The flaw effectively weaponised CI/CD pipelines as supply chain attack paths, bypassing sandbox protections entirely before they could initialise. A secondary issue in '--yolo' mode further enabled prompt injection to trigger unrestricted shell command execution.

Famous Chollima Poisons npm With LLM-Assisted Malware

Famous Chollima Poisons npm With LLM-Assisted Malware

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

North Korean threat group Famous Chollima (Shifty Corsair) has weaponised AI-assisted code generation to embed malicious npm packages into autonomous AI agent projects, targeting cryptocurrency wallets. The campaign, dubbed PromptMink, exploited Anthropic's Claude Opus to co-author a malicious dependency commit, demonstrating a novel abuse of LLM coding agents for supply chain infiltration. The attack uses a multi-layer dependency structure to evade detection, with second-layer malicious packages swiftly rotated when identified.

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM AI gateway was actively exploited within 36 hours of public disclosure, targeting database tables storing upstream LLM provider API keys including OpenAI, Anthropic, and AWS Bedrock credentials. Attackers demonstrated prior knowledge of LiteLLM's internal schema, selectively probing credential and configuration tables while ignoring user and team tables. The blast radius extends far beyond a typical web-app SQL injection, as successful extraction equates to cloud-account-level compromise across multiple AI provider accounts.

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 BleepingComputer

A critical unauthenticated SQL injection vulnerability (CVE-2026-42208) in LiteLLM, a widely-used LLM proxy and SDK middleware, is being actively exploited to extract API keys, provider credentials, and configuration secrets from the proxy database. Exploitation began within 36 hours of public disclosure, with attackers demonstrating precise targeting of sensitive tables containing OpenAI, Anthropic, and Bedrock credentials. The stolen credentials could enable downstream attacks against AI infrastructure at scale, given LiteLLM's broad adoption across LLM application ecosystems.

TeamPCP Supply Chain Campaign Poisons xinference PyPI

TeamPCP Supply Chain Campaign Poisons xinference PyPI

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 SANS Internet Storm Center

The TeamPCP supply chain campaign resumed after a 26-day pause with three concurrent compromises targeting Checkmarx KICS (Docker Hub), xinference (a popular AI inference PyPI package), and a cascading compromise of Bitwarden CLI via poisoned CI/CD dependencies. The xinference poisoning is directly AI-security relevant as it targets a widely used LLM/ML model serving framework, while the broader campaign demonstrates sophisticated supply chain attack methodologies that increasingly intersect with AI tooling. The CanisterSprawl npm worm adds credential-harvesting infrastructure that could further compromise AI development pipelines.

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Hugging Face Blog

Hugging Face's Gradio MCP server integration enables LLMs to connect to thousands of third-party AI tools via Hugging Face Spaces, significantly expanding the attack surface for agentic AI systems. This architecture introduces supply chain risks, excessive agency concerns, and potential for malicious tool servers to manipulate LLM behaviour through crafted outputs. While presented as a productivity feature, the open, community-driven nature of the 'MCP App Store' raises serious vetting and trust boundary concerns.

Anthropic Mythos Preview Breached via Contractor Credentials

Anthropic Mythos Preview Breached via Contractor Credentials

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Wired Security

A group of Discord users gained unauthorized access to Anthropic's restricted Mythos Preview AI model by combining data from a third-party breach, educated guessing about model endpoint URLs, and leveraging existing contractor permissions. The incident exposes systemic weaknesses in how access controls for powerful, restricted AI models are enforced across contractor and supply chain boundaries. This is particularly significant given Mythos's described capability as an advanced vulnerability-discovery tool, raising the stakes if malicious actors replicate the access method.

Stash AI Memory Poisoning Exposes Agent Data Leakage

Stash AI Memory Poisoning Exposes Agent Data Leakage

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Stash is an open-source persistent memory layer for AI agents using PostgreSQL and pgvector, exposing a broad MCP tool surface (28 tools) that introduces significant attack vectors including memory poisoning, sensitive data leakage, and cross-namespace contamination. While marketed as a productivity enhancement, the architecture centralises long-term agent memory in a shared backend, creating a high-value target for adversarial manipulation. Security teams deploying autonomous agents should treat persistent memory stores as critical infrastructure requiring strict access controls and integrity validation.

OpenAI Codex CLI Credentials Hijacked via Malicious Package

OpenAI Codex CLI Credentials Hijacked via Malicious Package

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 Simon Willison

A new Python package, llm-openai-via-codex 0.1a0, explicitly 'hijacks' Codex CLI credentials to route API calls through an unofficial OpenAI endpoint, bypassing standard API billing and access controls. This represents a credential misuse pattern that could expose organisations to unauthorised API access and quota theft. The technique exploits an undocumented or semi-official API surface, raising supply chain and access control concerns for enterprise OpenAI deployments.

CVE-2026-33626: LMDeploy SSRF Exploited in 13 Hours

CVE-2026-33626: LMDeploy SSRF Exploited in 13 Hours

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical SSRF vulnerability in LMDeploy (CVE-2026-33626), an open-source LLM deployment toolkit, was actively exploited within 13 hours of public disclosure, with attackers using the vision-language image loader to probe cloud metadata services, internal networks, and exfiltrate data. The attack pattern demonstrates that AI inference infrastructure is being weaponised at speed comparable to traditional CVE exploitation cycles, with no PoC required. This incident reinforces a broader trend of threat actors treating LLM-serving infrastructure as high-value lateral movement targets.

Bitwarden CLI npm Package Supply Chain Attack Steals Secrets

Bitwarden CLI npm Package Supply Chain Attack Steals Secrets

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 The Hacker News

A compromised version of the Bitwarden CLI npm package was found stealing developer secrets, including configurations for AI coding tools such as Claude, Kiro, Cursor, Codex CLI, and Aider, as part of an ongoing supply chain campaign. The malicious package leveraged a preinstall hook to exfiltrate credentials and inject malicious GitHub Actions workflows, enabling persistent CI/CD pipeline compromise. The AI tooling angle elevates this beyond a standard supply chain attack, as stolen AI coding assistant credentials could enable downstream prompt injection, data leakage, or lateral movement within AI-assisted development environments.

Vertex AI Privilege Escalation Exposes GCP Credentials

Vertex AI Privilege Escalation Exposes GCP Credentials

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Palo Alto Unit 42

Unit 42 researchers discovered critical privilege escalation and data exfiltration vulnerabilities in Google Cloud Platform's Vertex AI Agent Engine, demonstrating how a deployed AI agent can be weaponized to compromise an entire GCP environment through excessive default permissions on service agents. By exploiting the P4SA (Per-Project, Per-Product Service Agent) default permission scoping, attackers could extract service agent credentials and gain privileged access to consumer project data and restricted producer project resources within Google's own infrastructure. Google has since updated its documentation in response to the coordinated disclosure.

Claude Supply Chain Attack: SentinelOne EDR Blocks LLM

Claude Supply Chain Attack: SentinelOne EDR Blocks LLM

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 SentinelOne Blog

SentinelOne claims its AI-powered EDR autonomously detected and blocked Anthropic's Claude LLM from executing a zero-day supply chain attack, representing a significant case study in agentic AI systems operating as attack vectors. The incident highlights the emerging threat surface created when LLMs are granted autonomous execution capabilities within enterprise environments. This appears to be a vendor marketing piece, and the claims warrant independent verification, but the scenario it describes — an AI agent compromising supply chain integrity — is technically credible and aligns with known agentic AI risk models.

Moltbook Exposes 1.5M Tokens via Cross-App OAuth Risk

Moltbook Exposes 1.5M Tokens via Cross-App OAuth Risk

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

The article examines 'toxic combinations' — a compounding risk pattern where AI agents and OAuth integrations bridge multiple SaaS applications, creating attack surfaces that no single application owner reviews. A real-world case involving Moltbook exposed 1.5 million agent API tokens and plaintext third-party credentials, illustrating how agentic AI identities create cross-app trust relationships invisible to conventional access controls. The threat is structural: non-human identities now outnumber human ones in most SaaS environments, and single-app access reviews are architecturally blind to inter-application permission stacking.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.