
AI Security News. Framework Analysis.
Structural Insight.

Every article scored, classified, and mapped to MITRE ATLAS and OWASP LLM Top 10 — so you always know what matters and why.

9 feed sources · 6.0+ relevance score · daily update cadence · 2 frameworks mapped · 127 articles published

May 09, 2026

ClaudeBleed Flaw Lets Rogue Chrome Extensions Hijack AI Agent

Severity: HIGH (Significant risk · Prioritise patching) · Score: 9.1 · Source: SecurityWeek · Mapped: ATLAS, OWASP

A vulnerability dubbed ClaudeBleed in Anthropic's Claude Chrome extension allows any browser extension to inject arbitrary prompts into the Claude AI agent by exploiting lax permission checks and improper trust validation. Attackers can bypass user confirmation protections via DOM manipulation and repeated message forging, enabling full agent takeover for information theft or unauthorized actions. The flaw effectively breaks Chrome's extension security model and exposes users running Claude's agentic capabilities to third-party extension compromise.

MITRE ATLAS: AML.T0051 - LLM Prompt Injection · AML.T0057 - LLM Data Leakage · AML.T0047 - ML-Enabled Product or Service · AML.T0043 - Craft Adversarial Data

May 08, 2026

Claude Mythos AI-Assisted Fuzzing Uncovers 423 Firefox Security Bugs in One Month

Severity: HIGH (Significant risk · Prioritise patching) · Score: 7.2 · Source: Simon Willison · Mapped: ATLAS, OWASP

Mozilla used early access to Anthropic's Claude Mythos model to systematically discover and patch hundreds of previously unknown vulnerabilities in Firefox, including bugs over 15–20 years old. The effort demonstrates a step-change in AI-assisted vulnerability research, with April 2026 seeing 423 security fixes compared to a monthly baseline of 20–30. The same capability that empowered Mozilla's defenders also signals that adversaries with similar model access could industrialise exploit discovery against open-source software at scale.

MITRE ATLAS: AML.T0040 - ML Model Inference API Access · AML.T0047 - ML-Enabled Product or Service · AML.T0043 - Craft Adversarial Data

Fake Claude AI Site Used to Distribute Beagle Backdoor and PlugX Malware

Severity: HIGH (Significant risk · Prioritise patching) · Score: 6.5 · Source: BleepingComputer · Mapped: ATLAS, OWASP

Threat actors created a convincing fake website impersonating Anthropic's Claude AI to trick developers into downloading a trojanized installer that deploys the new 'Beagle' backdoor alongside a PlugX malware chain. The campaign specifically targets Claude-Code developers by advertising a fraudulent 'high-performance relay service,' suggesting deliberate targeting of the AI developer community. The attack leverages DLL sideloading via a legitimate signed G Data executable to evade detection while establishing persistent remote access.

MITRE ATLAS: AML.T0047 - ML-Enabled Product or Service · AML.T0010 - ML Supply Chain Compromise

Malicious Repos Trigger Silent Code Execution in Claude, Cursor, Gemini CLIs

Severity: HIGH (Significant risk · Prioritise patching) · Score: 8.5 · Source: Dark Reading · Mapped: ATLAS, OWASP

A vulnerability class dubbed 'TrustFall' demonstrates that malicious code repositories can trigger arbitrary code execution in AI-assisted developer tools including Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI, with little to no user interaction required. The attack surface stems from inadequate or easily dismissed warning dialogs that fail to surface the risk of executing untrusted repository content. Developers cloning or opening adversarial repositories are exposed to full host-level compromise through the elevated trust these AI coding agents place in repository-supplied context.

MITRE ATLAS: AML.T0051 - LLM Prompt Injection · AML.T0010 - ML Supply Chain Compromise · AML.T0047 - ML-Enabled Product or Service · AML.T0043 - Craft Adversarial Data

Mitiga Labs: MCP Hijack Attack Steals Claude Code OAuth Tokens via Silent Man-in-the-Middle

Severity: HIGH (Significant risk · Prioritise patching) · Score: 9.1 · Source: SecurityWeek · Mapped: ATLAS, OWASP

Mitiga Labs has disclosed a stealthy attack chain targeting Claude Code's MCP infrastructure, allowing adversaries to silently intercept OAuth tokens by redirecting MCP traffic through attacker-controlled infrastructure. The attack requires only the ability to install a malicious npm package, which modifies ~/.claude.json to insert a proxy and pre-sets trust flags to suppress security prompts. Because the OAuth token grants broad access to all connected SaaS tools, successful exploitation effectively hands attackers a persistent master key to the victim's integrated development environment.

MITRE ATLAS: AML.T0010 - ML Supply Chain Compromise · AML.T0012 - Valid Accounts · AML.T0047 - ML-Enabled Product or Service · AML.T0057 - LLM Data Leakage

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

Severity: HIGH (Significant risk · Prioritise patching) · Score: 8.2 · Source: SecurityWeek · Mapped: ATLAS, OWASP

Cisco's AI Threat Intelligence team has demonstrated that bounded pixel-level perturbations can recover the attack effectiveness of degraded typographic images against vision-language models (VLMs), enabling hidden prompt injection that bypasses both human review and content filters. The technique works by optimising perturbations against open-source embedding models and transferring results to proprietary systems like GPT-4o and Claude, exposing a cross-model transferability risk. The attack allows adversaries to embed instructions—such as data exfiltration commands—inside images that appear as visual noise to human observers.

MITRE ATLAS: AML.T0043 - Craft Adversarial Data · AML.T0051 - LLM Prompt Injection · AML.T0015 - Evade ML Model · AML.T0040 - ML Model Inference API Access · AML.T0057 - LLM Data Leakage

Prompt Injection Achieves Remote Code Execution in Semantic Kernel Agent Framework

Severity: CRITICAL (Active exploitation · Immediate action required) · Score: 9.2 · Source: Microsoft Security Blog · Mapped: ATLAS, OWASP

Microsoft's Defender Security Research Team disclosed two CVEs in Semantic Kernel — a widely-used AI agent orchestration framework — demonstrating how prompt injection can escalate to remote code execution via compromised plugins. The vulnerabilities (CVE-2026-26030 and CVE-2026-25592) expose a systemic risk in the agentic AI layer: because frameworks like Semantic Kernel abstract tool orchestration, a single flaw in how LLM outputs are mapped to system tools can propagate across every application built on that foundation. This research signals a critical shift in AI threat modelling, where prompt injection is no longer a content risk but an execution risk.

MITRE ATLAS: AML.T0051 - LLM Prompt Injection · AML.T0047 - ML-Enabled Product or Service · AML.T0043 - Craft Adversarial Data · AML.T0057 - LLM Data Leakage

May 07, 2026

Unmanaged AI Agents Expose Enterprise Identity Perimeters to Silent Compromise

Severity: HIGH (Significant risk · Prioritise patching) · Score: 6.5 · Source: The Hacker News · Mapped: ATLAS, OWASP

Enterprises are deploying AI agents faster than governance frameworks can track them, creating a shadow identity layer that operates outside traditional IAM visibility. These agents run continuously, accumulate permissions opportunistically, and interact with sensitive data at machine speed — largely unmonitored. The structural gap between agent activity and IAM coverage represents a significant and growing attack surface for privilege abuse and data exfiltration.

MITRE ATLAS: AML.T0012 - Valid Accounts · AML.T0040 - ML Model Inference API Access · AML.T0047 - ML-Enabled Product or Service · AML.T0057 - LLM Data Leakage

May 06, 2026

Bleeding Llama Flaw Exposes 300,000 Ollama Servers to Unauthenticated Data Theft

Severity: CRITICAL (Active exploitation · Immediate action required) · Score: 9.2 · Source: SecurityWeek · Mapped: ATLAS, OWASP

A critical heap out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.3) in Ollama's GGUF model loader allows unauthenticated remote attackers to exfiltrate sensitive heap memory — including API keys, prompts, and PII — using just three API calls. With approximately 300,000 Ollama instances publicly exposed and no authentication required by default, the attack surface is immediately and broadly exploitable. The vulnerability has been patched in Ollama version 0.17.1, but unpatched internet-facing deployments remain at critical risk.

MITRE ATLAS: AML.T0040 - ML Model Inference API Access · AML.T0057 - LLM Data Leakage · AML.T0044 - Full ML Model Access · AML.T0043 - Craft Adversarial Data

CrowdStrike Researcher Details AI Jailbreaking and Data Poisoning Techniques

Severity: MEDIUM (Moderate risk · Monitor closely) · Score: 6.5 · Source: SecurityWeek · Mapped: ATLAS, OWASP

Joey Melo, Principal Security Researcher at CrowdStrike, outlines his methodology for AI red teaming, focusing on manipulating LLM guardrails through jailbreaking and data poisoning without altering underlying source code. His work, rooted in competitive AI hacking challenges, translates classical adversarial thinking into the emerging field of machine learning security. The profile highlights the growing professionalisation of AI red teaming as organisations seek to harden LLM deployments against real-world manipulation attacks.

MITRE ATLAS: AML.T0054 - LLM Jailbreak · AML.T0051 - LLM Prompt Injection · AML.T0020 - Poison Training Data · AML.T0043 - Craft Adversarial Data · AML.T0015 - Evade ML Model

Mass Scan Reveals Widespread Authentication Failures Across Exposed AI Infrastructure

Severity: HIGH (Significant risk · Prioritise patching) · Score: 8.5 · Source: The Hacker News · Mapped: ATLAS, OWASP

A scan of over one million exposed AI services found pervasive security failures including absent authentication, leaked API keys, and exposed business logic across self-hosted LLM deployments. Agent management platforms such as Flowise and n8n were discovered internet-exposed without access controls, revealing credential lists and internal workflows. The findings indicate systemic misconfiguration risk as enterprises race to self-host AI infrastructure without applying baseline security practices.

MITRE ATLAS: AML.T0040 - ML Model Inference API Access · AML.T0044 - Full ML Model Access · AML.T0054 - LLM Jailbreak · AML.T0057 - LLM Data Leakage · AML.T0012 - Valid Accounts · AML.T0047 - ML-Enabled Product or Service

May 05, 2026

Backdoored PyTorch Lightning Package Steals Cloud Credentials from AI Developers

Severity: HIGH (Significant risk · Prioritise patching) · Score: 8.5 · Source: BleepingComputer · Mapped: ATLAS, OWASP

A malicious version of PyTorch Lightning (v2.6.3) was published to PyPI, embedding a hidden execution chain that silently downloads a JavaScript runtime and executes a heavily obfuscated credential-stealing payload dubbed 'ShaiWorm'. The attack targeted AI/ML developers who use this popular deep learning framework, exposing cloud credentials, API keys, browser-stored secrets, and GitHub tokens. The package has since been reverted to a safe version, but any developer who imported the compromised version should rotate all secrets immediately.

MITRE ATLAS: AML.T0010 - ML Supply Chain Compromise · AML.T0018 - Backdoor ML Model · AML.T0012 - Valid Accounts

May 04, 2026

Pentagon Deploys Classified AI Across Seven Tech Giants for Warfighter Systems

Severity: HIGH (Significant risk · Prioritise patching) · Score: 6.5 · Source: SecurityWeek · Mapped: ATLAS, OWASP

The US Department of Defense has formalised agreements with seven major technology companies — including Google, Microsoft, OpenAI, and Amazon Web Services — to integrate AI into classified military networks for battlefield decision support. The move raises significant AI security concerns around human oversight, adversarial manipulation of high-stakes AI systems, and supply chain risks introduced by multiple commercial vendors operating within classified environments. Notably, Anthropic was excluded following a public dispute over AI safety and ethics in warfare.

MITRE ATLAS: AML.T0010 - ML Supply Chain Compromise · AML.T0047 - ML-Enabled Product or Service · AML.T0040 - ML Model Inference API Access · AML.T0043 - Craft Adversarial Data · AML.T0057 - LLM Data Leakage

May 03, 2026

Cross-Machine AI Agent Relay Tool Expands Attack Surface for Developer Environments

Severity: MEDIUM (Moderate risk · Monitor closely) · Score: 6.5 · Source: HN AI Security · Mapped: ATLAS, OWASP

Loopsy is an open-source tool enabling cross-machine communication between AI coding agents (Claude Code, Cursor, Codex) and mobile devices via a self-hosted Cloudflare Workers relay. While designed for legitimate developer productivity, the architecture introduces significant attack surface: a relay brokering shell access and AI agent commands across machines is a high-value target for interception, hijacking, or supply chain compromise. Security teams should assess exposure before deploying such tools in sensitive development environments.

MITRE ATLAS: AML.T0047 - ML-Enabled Product or Service · AML.T0010 - ML Supply Chain Compromise · AML.T0051 - LLM Prompt Injection · AML.T0040 - ML Model Inference API Access

Desktop Automation CLI Grants AI Agents Deep OS-Level Control

Severity: HIGH (Significant risk · Prioritise patching) · Score: 7.2 · Source: HN AI Security · Mapped: ATLAS, OWASP

agent-desktop is an open-source Rust CLI tool that exposes full OS accessibility trees to AI agents, enabling programmatic control of any desktop application without screenshots or browser sandboxing. This dramatically expands the attack surface for agentic AI systems, as a compromised or prompt-injected agent could silently manipulate native applications, exfiltrate data, or perform destructive actions across the host OS. The tool's deterministic element references and structured JSON output make it trivially scriptable, lowering the barrier for AI-driven desktop abuse.

MITRE ATLAS: AML.T0051 - LLM Prompt Injection · AML.T0047 - ML-Enabled Product or Service · AML.T0057 - LLM Data Leakage · AML.T0040 - ML Model Inference API Access