<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>GRID THE GREY — AI Threat Intelligence | GRID THE GREY</title><link>https://gridthegrey.com/</link><description>Real-time AI security intelligence — adversarial ML, LLM vulnerabilities, and supply chain threats mapped to MITRE ATLAS and OWASP LLM Top 10.</description><generator>Hugo</generator><language>en-us</language><copyright/><lastBuildDate>Sat, 11 Jul 2026 22:17:47 +0530</lastBuildDate><atom:link href="https://gridthegrey.com/index.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw AI Assistant Flaws Enable WhatsApp-to-Host RCE</title><link>https://gridthegrey.com/posts/openclaw-ai-assistant-flaws-enable-whatsapp-to-host-rce/</link><pubDate>Sat, 11 Jul 2026 16:47:26 +0000</pubDate><guid>https://gridthegrey.com/posts/openclaw-ai-assistant-flaws-enable-whatsapp-to-host-rce/</guid><category>Threat Level: CRITICAL</category><category>Agentic AI</category><category>LLM Security</category><category>Research</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0012 - Valid Accounts</category><description>Three high-severity vulnerabilities in OpenClaw, a personal AI assistant, have been chained to enable remote code execution on the host system via a WhatsApp message, requiring no prior foothold. The flaws—covering OS command injection, incomplete input filtering, and path traversal—allow sandbox escape, credential theft, and privilege escalation. All three have been patched in OpenClaw version 2026.6.6, but unpatched deployments remain at significant risk.</description></item><item><title>Netwrix Analysis: AI Agents Widen the Non-Human Identity Gap</title><link>https://gridthegrey.com/posts/netwrix-analysis-ai-agents-widen-the-non-human-identity-gap/</link><pubDate>Sat, 11 Jul 2026 16:41:38 +0000</pubDate><guid>https://gridthegrey.com/posts/netwrix-analysis-ai-agents-widen-the-non-human-identity-gap/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Agentic AI</category><category>LLM Security</category><category>Industry News</category><category>AML.T0012 - Valid Accounts</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0040 - ML Model Inference API Access</category><description>A Netwrix-sponsored analysis highlights how AI agents are rapidly proliferating machine identities inside enterprise environments, creating credentials and inheriting permissions far faster than existing identity governance can track. The core risk is that AI agents operate outside traditional human-lifecycle identity controls, leaving security teams unable to enumerate what exists, who owns it, or what it can access. Defenders face an expanding blind spot where a single compromised agent credential can chain laterally across cloud services, SaaS platforms, and secrets stores — as demonstrated by the UNC6395/Drift OAuth campaign against Salesforce environments in 2025.</description></item><item><title>Ghostcommit PoC Embeds Prompt Injection in PNG to Steal Repo Secrets</title><link>https://gridthegrey.com/posts/ghostcommit-poc-embeds-prompt-injection-in-png-to-steal-repo-secrets/</link><pubDate>Sat, 11 Jul 2026 16:39:30 +0000</pubDate><guid>https://gridthegrey.com/posts/ghostcommit-poc-embeds-prompt-injection-in-png-to-steal-repo-secrets/</guid><category>Threat Level: CRITICAL</category><category>First Look</category><category>Prompt Injection</category><category>Agentic AI</category><category>Supply Chain</category><category>LLM Security</category><category>Research</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0015 - Evade ML Model</category><description>Researchers from UMKC's ASSET Research Group have published a proof-of-concept attack called Ghostcommit that hides malicious prompt injection instructions inside PNG image files referenced by AGENTS.md convention files, causing AI coding agents to silently exfiltrate repository secrets. The technique exploits a blind spot shared by multiple AI code review tools — including CodeRabbit and Bugbot — which exclude or ignore binary image files from analysis, allowing the payload to survive review undetected. Defenders operating AI-assisted development pipelines must treat image files in agentic context paths as a new, uncontrolled input surface and reassess trust boundaries around automatically-ingested project convention files.</description></item><item><title>Microsoft MDASH Brings AI-Powered Windows Vulnerability Discovery</title><link>https://gridthegrey.com/posts/microsoft-mdash-brings-ai-powered-windows-vulnerability-discovery/</link><pubDate>Fri, 10 Jul 2026 04:28:07 +0000</pubDate><guid>https://gridthegrey.com/posts/microsoft-mdash-brings-ai-powered-windows-vulnerability-discovery/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Agentic AI</category><category>Supply Chain</category><category>Industry News</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0020 - Poison Training Data</category><category>AML.T0031 - Erode ML Model Integrity</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0043 - Craft Adversarial Data</category><description>Microsoft has deployed MDASH (Multi-model Agentic Scanning Harness), an AI-powered agentic system that autonomously scans Windows binaries for vulnerabilities and validates findings through multiple AI models before human engineer review. The accelerated discovery pipeline means defenders will see a higher volume of Patch Tuesday fixes, compressing patch deployment windows and increasing pressure on enterprise patch management processes. Simultaneously, the same AI-accelerated vulnerability discovery capability is available to adversaries, raising the risk that threat actors identify and weaponise flaws faster than Microsoft's pipeline can remediate them.</description></item><item><title>FableCut Ships AI-Drivable Browser Video Editor via MCP and REST</title><link>https://gridthegrey.com/posts/fablecut-ships-ai-drivable-browser-video-editor-via-mcp-and-rest/</link><pubDate>Fri, 10 Jul 2026 04:27:18 +0000</pubDate><guid>https://gridthegrey.com/posts/fablecut-ships-ai-drivable-browser-video-editor-via-mcp-and-rest/</guid><category>Threat Level: MEDIUM</category><category>First Look</category><category>Agentic AI</category><category>Prompt Injection</category><category>LLM Security</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0040 - ML Model Inference API Access</category><description>FableCut is a zero-dependency, browser-based non-linear video editor that exposes its entire timeline as a JSON document and accepts live control from AI agents via MCP (Model Context Protocol) and REST APIs, enabling tools like Claude Code or Claude Desktop to autonomously edit video. This agent-accessible media pipeline introduces meaningful new attack surface: any AI agent granted MCP/REST access can read, overwrite, or poison the JSON timeline, and a compromised or prompt-injected agent could silently alter exported video content. Defenders managing AI agent workflows that touch media pipelines should treat this as an unsandboxed tool-use endpoint requiring strict authZ, input validation, and output integrity checks.</description></item><item><title>AI Agents Emerge as a New Identity Class Orgs Must Secure</title><link>https://gridthegrey.com/posts/ai-agents-emerge-as-a-new-identity-class-orgs-must-secure/</link><pubDate>Fri, 10 Jul 2026 04:26:27 +0000</pubDate><guid>https://gridthegrey.com/posts/ai-agents-emerge-as-a-new-identity-class-orgs-must-secure/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Agentic AI</category><category>LLM Security</category><category>AML.T0012 - Valid Accounts</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0056 - LLM Meta Prompt Extraction</category><description>AI agents are being recognised as a distinct identity type that cannot be adequately governed using legacy service account or API token frameworks, requiring purpose-built identity and access management approaches. For defenders, this gap means agents operating today are likely over-privileged, under-monitored, and outside existing IAM policy scope. Security teams face an immediate challenge in extending least-privilege, auditability, and lifecycle management controls to autonomous agent identities before adversaries exploit the blind spot.</description></item><item><title>CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents</title><link>https://gridthegrey.com/posts/ghostapproval-symlink-flaw-hits-six-ai-coding-agents/</link><pubDate>Thu, 09 Jul 2026 07:05:14 +0000</pubDate><guid>https://gridthegrey.com/posts/ghostapproval-symlink-flaw-hits-six-ai-coding-agents/</guid><category>Threat Level: HIGH</category><category>Agentic AI</category><category>LLM Security</category><category>Prompt Injection</category><category>Supply Chain</category><category>Research</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0057 - LLM Data Leakage</category><description>Wiz researchers disclosed GhostApproval, a symlink-based attack affecting six AI coding assistants — Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf — that allows malicious repositories to write attacker-controlled content to sensitive files such as SSH authorized_keys or shell startup scripts. The core failure is an informed-consent bypass: the agent's approval dialog names a harmless file while the write targets a sensitive one, or in some tools the write completes before any prompt appears. Three vendors have patched, two have not, and Anthropic disputes the classification as a vulnerability.</description></item><item><title>Prompt Injection Attacks Claude Code and Codex Execution</title><link>https://gridthegrey.com/posts/friendly-fire-claude-code-and-codex-run-attacker-code-via-readme/</link><pubDate>Thu, 09 Jul 2026 07:05:14 +0000</pubDate><guid>https://gridthegrey.com/posts/friendly-fire-claude-code-and-codex-run-attacker-code-via-readme/</guid><category>Threat Level: HIGH</category><category>Prompt Injection</category><category>Agentic AI</category><category>LLM Security</category><category>Supply Chain</category><category>Research</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0043 - Craft Adversarial Data</category><description>Researchers at the AI Now Institute have demonstrated a proof-of-concept attack dubbed 'Friendly Fire' that tricks AI coding agents — specifically Anthropic's Claude Code and OpenAI's Codex in autonomous mode — into executing malicious binaries while performing routine security reviews. The attack embeds a disguised payload inside an open-source library and uses a plain README.md instruction to direct the agent to run a malicious shell script, bypassing existing trust-prompt defences. Because the weakness is architectural rather than version-specific, no patch exists; mitigation requires workflow changes.</description></item><item><title>DPAPI Abuse in Claude Code and Cursor Triggers EDR</title><link>https://gridthegrey.com/posts/ai-coding-agents-trigger-edr-rules-via-dpapi-and-lolbas/</link><pubDate>Thu, 09 Jul 2026 06:48:39 +0000</pubDate><guid>https://gridthegrey.com/posts/ai-coding-agents-trigger-edr-rules-via-dpapi-and-lolbas/</guid><category>Threat Level: HIGH</category><category>Agentic AI</category><category>LLM Security</category><category>Industry News</category><category>Research</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><description>Sophos telemetry from June 2026 reveals that AI coding agents including Claude Code, Cursor, and OpenAI Codex are triggering endpoint detection rules designed to catch human attackers, performing actions such as DPAPI-based credential decryption, Windows Credential Manager enumeration, and persistence via startup folder writes. The behaviour is not malicious in intent, but the agents exhibit attacker-like pivot-when-blocked logic and abuse legitimate Windows utilities in ways indistinguishable from living-off-the-land intrusions. This blurring of the line between benign automation and attack tradecraft creates significant noise for defenders and may erode confidence in high-fidelity detection rules.</description></item><item><title>Y Combinator Ships Agentic Code Generation at 37K Lines Daily</title><link>https://gridthegrey.com/posts/first-look-y-combinator-s-garry-tan-deploys-agentic-ai-for-high-volume-code/</link><pubDate>Wed, 08 Jul 2026 12:06:51 +0000</pubDate><guid>https://gridthegrey.com/posts/first-look-y-combinator-s-garry-tan-deploys-agentic-ai-for-high-volume-code/</guid><category>Threat Level: MEDIUM</category><category>First Look</category><category>Agentic AI</category><category>Supply Chain</category><category>LLM Security</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0031 - Erode ML Model Integrity</category><description>Y Combinator CEO Garry Tan has publicly claimed to ship approximately 37,000 lines of AI-generated code per day using agentic coding tools, and an independent developer analysis has revealed the underlying mechanics of this workflow. This level of AI-assisted code velocity introduces meaningful security concerns around code provenance, supply chain integrity, and the reduced human review time per line of shipped code. Defenders should treat high-velocity AI code pipelines as a new supply chain risk category requiring dedicated SAST/DAST tooling and policy controls.</description></item><item><title>Google Gemini Abused for Phishing-as-a-Service</title><link>https://gridthegrey.com/posts/phishing-as-a-service-ring-weaponises-gemini-to-clone-government-sites/</link><pubDate>Wed, 08 Jul 2026 12:04:07 +0000</pubDate><guid>https://gridthegrey.com/posts/phishing-as-a-service-ring-weaponises-gemini-to-clone-government-sites/</guid><category>Threat Level: HIGH</category><category>LLM Security</category><category>Jailbreaks</category><category>Industry News</category><category>Regulatory</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0054 - LLM Jailbreak</category><description>A Chinese cybercriminal group called Outsider Enterprise exploited Google's Gemini AI to mass-produce phishing pages impersonating Google, YouTube, and government agencies like E-ZPass, offering nearly 300 scam templates via Telegram. Google has filed suit and coordinated with major US carriers to block the resulting smishing campaigns. The case highlights how generative AI lowers the technical barrier for large-scale phishing operations and stress-tests provider-side content controls.</description></item><item><title>Writer AI Session Token Leak Enables Account Takeover</title><link>https://gridthegrey.com/posts/session-token-leak-in-writer-ai-enables-cross-tenant-account-takeover/</link><pubDate>Wed, 08 Jul 2026 12:02:28 +0000</pubDate><guid>https://gridthegrey.com/posts/session-token-leak-in-writer-ai-enables-cross-tenant-account-takeover/</guid><category>Threat Level: CRITICAL</category><category>LLM Security</category><category>Agentic AI</category><category>Research</category><category>First Look</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0012 - Valid Accounts</category><category>AML.T0040 - ML Model Inference API Access</category><description>A critical vulnerability dubbed WriteOut in the Writer enterprise AI platform allowed attackers to hijack victim session tokens across organisational boundaries using a malicious agent preview link. The flaw exploited Writer's live preview sandbox, which incorrectly forwarded authenticated session cookies into attacker-controlled execution environments. Writer has patched the issue by isolating sandbox origins and stripping session cookies from preview requests.</description></item><item><title>Anthropic Mythos LLM Scans Federal Software for Vulnerabilities</title><link>https://gridthegrey.com/posts/cisa-deploys-anthropic-llm-to-audit-government-software-attack-surfaces/</link><pubDate>Wed, 08 Jul 2026 11:59:32 +0000</pubDate><guid>https://gridthegrey.com/posts/cisa-deploys-anthropic-llm-to-audit-government-software-attack-surfaces/</guid><category>Threat Level: MEDIUM</category><category>LLM Security</category><category>Agentic AI</category><category>Regulatory</category><category>Industry News</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0040 - ML Model Inference API Access</category><category>AML.T0057 - LLM Data Leakage</category><description>CISA's Attack Surface Evaluation team is reportedly leveraging Anthropic's 'Mythos' model to scan federal government software for security vulnerabilities, representing a significant expansion of AI-assisted offensive security tooling in critical infrastructure defence. The deployment raises important questions about the trustworthiness of LLM-driven vulnerability assessment, potential for model-induced false negatives, and the security of the AI pipeline itself when applied to sensitive government codebases. This marks one of the most prominent known uses of a commercial LLM in an active U.S. government cyber defence role.</description></item><item><title>Tencent Releases Hy3 295B Open-Source Model with 256K Context</title><link>https://gridthegrey.com/posts/first-look-tencent-releases-hy3-295b-moe-open-source-model-with-256k-context/</link><pubDate>Tue, 07 Jul 2026 07:50:28 +0000</pubDate><guid>https://gridthegrey.com/posts/first-look-tencent-releases-hy3-295b-moe-open-source-model-with-256k-context/</guid><category>Threat Level: MEDIUM</category><category>First Look</category><category>LLM Security</category><category>Supply Chain</category><category>Jailbreaks</category><category>Industry News</category><category>AML.T0044 - Full ML Model Access</category><category>AML.T0054 - LLM Jailbreak</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0018 - Backdoor ML Model</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0047 - ML-Enabled Product or Service</category><description>Tencent has released Hy3, a 295B-parameter Mixture-of-Experts open-source model under Apache 2.0, featuring 256K context length and temporarily available for free inference via OpenRouter. The model's large context window, open weights, and Chinese provenance expand the attack surface for defenders managing LLM supply chains, jailbreak campaigns, and influence operations. Security teams should treat this as another high-capability open-weight model requiring the same scrutiny applied to comparable releases from Mistral or Meta.</description></item><item><title>NVIDIA and Hugging Face Launch GR00T 1.7 Robot Model</title><link>https://gridthegrey.com/posts/first-look-nvidia-and-hugging-face-integrate-gr00t-1-7-into-lerobot-open/</link><pubDate>Tue, 07 Jul 2026 07:49:34 +0000</pubDate><guid>https://gridthegrey.com/posts/first-look-nvidia-and-hugging-face-integrate-gr00t-1-7-into-lerobot-open/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Supply Chain</category><category>Data Poisoning</category><category>Adversarial ML</category><category>Agentic AI</category><category>AML.T0019 - Publish Poisoned Datasets</category><category>AML.T0020 - Poison Training Data</category><category>AML.T0018 - Backdoor ML Model</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0044 - Full ML Model Access</category><category>AML.T0031 - Erode ML Model Integrity</category><category>AML.T0047 - ML-Enabled Product or Service</category><description>NVIDIA and Hugging Face have integrated the Isaac GR00T 1.7 vision-language-action model, Isaac Teleop framework, and a 350,000-trajectory open dataset into the LeRobot open-source robotics library, creating an end-to-end open pipeline for training and deploying physical AI systems. This dramatically lowers the barrier to fine-tuning and deploying robot foundation models, expanding the attack surface across the full ML supply chain — from poisoned community datasets to adversarially crafted demonstrations used in teleop data collection. Defenders responsible for robotics deployments must now contend with a large, loosely governed open-source ecosystem where compromised models or datasets can directly translate to unsafe physical-world behaviour.</description></item><item><title>AWS Launches Multi-Turn RL for Amazon Nova</title><link>https://gridthegrey.com/posts/first-look-aws-launches-multi-turn-rl-infrastructure-for-amazon-nova-on-hyperpod/</link><pubDate>Tue, 07 Jul 2026 07:48:45 +0000</pubDate><guid>https://gridthegrey.com/posts/first-look-aws-launches-multi-turn-rl-infrastructure-for-amazon-nova-on-hyperpod/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Agentic AI</category><category>Data Poisoning</category><category>Supply Chain</category><category>Adversarial ML</category><category>LLM Security</category><category>AML.T0020 - Poison Training Data</category><category>AML.T0018 - Backdoor ML Model</category><category>AML.T0031 - Erode ML Model Integrity</category><category>AML.T0019 - Publish Poisoned Datasets</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0044 - Full ML Model Access</category><description>AWS has released a production-grade, event-driven multi-turn reinforcement learning training infrastructure for Amazon Nova models on SageMaker HyperPod, enabling enterprises to train agents that learn tool orchestration, error recovery, and sequential decision-making at scale. This materially expands the attack surface by introducing complex reward-routing pipelines, ephemeral compute provisioning, and environment-facing reward workers as new targets for poisoning and manipulation. Defenders must scrutinise the trust boundaries between the Nova Forge SDK, ECS reward workers, and HyperPod training pods, as a compromised reward signal can silently shape model behaviour across entire interaction sequences.</description></item><item><title>OfficeCLI Brings Microsoft Office Automation to AI Agents</title><link>https://gridthegrey.com/posts/first-look-officecli-ships-open-source-microsoft-office-automation-suite-for-ai/</link><pubDate>Tue, 07 Jul 2026 07:40:52 +0000</pubDate><guid>https://gridthegrey.com/posts/first-look-officecli-ships-open-source-microsoft-office-automation-suite-for-ai/</guid><category>Threat Level: HIGH</category><category>First Look</category><category>Agentic AI</category><category>Prompt Injection</category><category>LLM Security</category><category>Supply Chain</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0054 - LLM Jailbreak</category><description>OfficeCLI is an open-source, single-binary tool that enables AI agents to programmatically read, write, and automate Microsoft Word, Excel, and PowerPoint files without requiring a local Office installation. This dramatically expands the file-system attack surface for agentic AI systems, enabling prompt injection via document content, automated exfiltration of sensitive Office files, and weaponisation of documents as a persistent injection vector. Defenders operating AI agent pipelines that touch file systems must now treat any Office document as a potential adversarial input channel.</description></item><item><title>Prompt Injection Attacks Manipulate AI Crypto Agents</title><link>https://gridthegrey.com/posts/indirect-prompt-injections-weaponised-to-drain-crypto-via-ai-agents/</link><pubDate>Tue, 07 Jul 2026 07:39:12 +0000</pubDate><guid>https://gridthegrey.com/posts/indirect-prompt-injections-weaponised-to-drain-crypto-via-ai-agents/</guid><category>Threat Level: HIGH</category><category>Prompt Injection</category><category>Agentic AI</category><category>LLM Security</category><category>Research</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0043 - Craft Adversarial Data</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0057 - LLM Data Leakage</category><description>Researchers identified two active campaigns embedding indirect prompt injection payloads in malicious websites to manipulate autonomous AI agents into executing unauthorised cryptocurrency transactions. The attacks exploit the growing deployment of agentic AI systems that browse the web and take real-world actions with minimal human oversight. This represents a concrete, financially motivated escalation of prompt injection from data exfiltration to direct fund theft.</description></item><item><title>SkillCloak Bypasses AI Agent Skill Scanners at 90% Rate</title><link>https://gridthegrey.com/posts/skillcloak-bypasses-ai-agent-skill-scanners-with-90-success-rate/</link><pubDate>Tue, 07 Jul 2026 03:52:28 +0000</pubDate><guid>https://gridthegrey.com/posts/skillcloak-bypasses-ai-agent-skill-scanners-with-90-success-rate/</guid><category>Threat Level: HIGH</category><category>Agentic AI</category><category>Supply Chain</category><category>LLM Security</category><category>Research</category><category>Adversarial ML</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0015 - Evade ML Model</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0051 - LLM Prompt Injection</category><category>AML.T0057 - LLM Data Leakage</category><description>Researchers at Hong Kong University of Science and Technology have demonstrated that static scanners used to vet malicious AI agent 'skills' — modular add-ons for agents like Claude Code and OpenAI Codex — can be systematically bypassed using a tool called SKILLCLOAK. The technique leverages either character-substitution obfuscation or self-extracting packing into scanner-ignored directories like .git/, achieving evasion rates above 90% across all eight tested scanners. The same research team also developed SKILLDETONATE, a runtime behavioral sandbox that catches most of the threats static analysis misses.</description></item><item><title>Amazon Q Extension Credential Theft via MCP Injection</title><link>https://gridthegrey.com/posts/amazon-q-vs-code-extension-flaw-enables-cloud-credential-theft-via-mcp/</link><pubDate>Sun, 05 Jul 2026 15:12:50 +0000</pubDate><guid>https://gridthegrey.com/posts/amazon-q-vs-code-extension-flaw-enables-cloud-credential-theft-via-mcp/</guid><category>Threat Level: HIGH</category><category>LLM Security</category><category>Supply Chain</category><category>Agentic AI</category><category>Industry News</category><category>AML.T0010 - ML Supply Chain Compromise</category><category>AML.T0047 - ML-Enabled Product or Service</category><category>AML.T0057 - LLM Data Leakage</category><category>AML.T0051 - LLM Prompt Injection</category><description>A vulnerability in the Amazon Q Visual Studio Code extension allows adversaries to plant malicious repositories that execute arbitrary code and exfiltrate cloud credentials. The flaw highlights escalating risks associated with Model Context Protocol (MCP) integrations embedded within AI-powered developer tools. This attack vector represents a growing threat surface as AI coding assistants gain privileged access to developer environments and cloud infrastructure.</description></item></channel></rss>