LIVE FEED
HIGH LLM Hallucinated Domains Create Exploitable Supply Chain Attack Surface // FIRST LOOK First Look: Google Launches Gemini Spark Agentic Assistant on Mac with File and App Access // FIRST LOOK First Look: AWS Brings NVIDIA Nemotron and OpenAI GPT OSS Models to GovCloud // CRITICAL AI-Hallucinated Domains Weaponised in Active Software Supply Chain Attacks // FIRST LOOK Anthropic Restores Global Access to Mythos and Fable Models After Export Restrictions … // FIRST LOOK First Look: Token Security Surfaces Agentic AI Identity Risks Across Enterprise … // HIGH AI Tools Discover WebKit Vulnerabilities as Apple Accelerates Patch Cadence // HIGH BioShocking Attack Exploits Indirect Prompt Injection to Steal Credentials via AI Browsers // HIGH Indirect Prompt Injection in Repositories Gives Claude Code Full Shell Access // FIRST LOOK First Look: JustVugg Releases NanoEuler GPT-2 Scale LLM Built in Pure C/CUDA //
FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.2

First Look: Google Launches Gemini Spark Agentic Assistant on Mac with File and App Access

ATTACK SURFACE BRIEF HIGH ↗ RAPID
  • What shipped: Google's Gemini Spark agentic assistant launches on Mac with local file access, third-party app integrations, MCP support, and real-time topic monitoring.
  • Who's now exposed: Google AI Ultra subscribers using Spark on Mac, particularly enterprise users whose local files and connected SaaS apps (Dropbox, Workspace, Keep) are now within the agent's action scope.
  • Assess now: Audit which files and directories Gemini Spark can access and apply least-privilege folder permissions before deployment · Treat any custom MCP integration as an untrusted third-party plugin — require security review before connection · Establish policies governing what data Spark is permitted to push into Google Workspace documents or share with third-party services
First Look: Google Launches Gemini Spark Agentic Assistant on Mac with File and App Access

Capability Overview

Google has shipped Gemini Spark for macOS, folding its agentic assistant into the existing Gemini desktop application. The release extends Spark’s reach to local file system operations — reading, sorting, and transforming files on the user’s Mac — and introduces integrations with Google Tasks, Google Keep, Dropbox, Canva, Instacart, OpenTable, and Zillow Rentals. Critically, Google is also rolling out support for custom Model Context Protocol (MCP), enabling users to connect arbitrary third-party tools directly into the agent. A forthcoming feature will allow mobile-to-desktop task delegation, letting a phone-based prompt trigger file retrieval and processing on a remote Mac. For defenders, this release marks a meaningful shift: Gemini Spark is no longer a cloud-sandboxed chatbot but a locally-rooted agent with persistent connections to file systems, cloud services, and an extensible tool ecosystem.

Attack Surface Analysis

Local file system as a prompt injection surface. Spark can now ingest files from the Mac to produce Workspace documents. An attacker who places a maliciously crafted file — a weaponised invoice, a PDF with embedded instructions, or a poisoned note synced from a compromised cloud — can inject instructions that redirect Spark’s actions. The agent has no reliable way to distinguish authoritative user intent from attacker-controlled file content.

MCP as an unvetted plugin layer. Custom MCP support is the highest-risk addition in this release. Users can connect arbitrary applications into Spark with what appears to be minimal centralised vetting. This mirrors the early BYOP (bring-your-own-plugin) risks seen in ChatGPT’s plugin ecosystem: a malicious or poorly-secured MCP server can exfiltrate data, execute unauthorised actions, or serve as a pivot point into the broader Google account.

Cross-platform lateral movement. Spark’s simultaneous access to Google Workspace, Dropbox, Keep, and external booking/commerce platforms means a single compromised agent session has blast radius across multiple services. An attacker manipulating Spark could silently exfiltrate Dropbox files into a Workspace document, forward sensitive data via a third-party integration, or corrupt shared content.

Real-time monitoring as a persistent inbound channel. The topic-tracking feature ingests social media, blogs, news, and online shopping signals continuously. This represents a persistent, low-friction vector for delivering prompt injection payloads via attacker-controlled web content that Spark monitors autonomously.

Forthcoming mobile-to-desktop bridge. The announced phone-initiated desktop task feature, while not yet live, will create a cross-device trust boundary that deserves early scrutiny — compromising the mobile device or intercepting the task delegation channel could trigger file access or exfiltration on the desktop.

Framework Mapping

  • AML.T0051 (LLM Prompt Injection): File-based and web-sourced content ingestion provides direct injection pathways into agent task execution.
  • AML.T0010 (ML Supply Chain Compromise): Custom MCP integrations introduce unvetted third-party components into the agent’s tool chain.
  • AML.T0057 (LLM Data Leakage): Agent-mediated file-to-Workspace transfers and third-party app actions risk unintended sensitive data exposure.
  • LLM08 (Excessive Agency): Spark can take real-world actions (booking tables, ordering groceries, managing files) with limited human confirmation steps described in the announcement.
  • LLM07 (Insecure Plugin Design): MCP integrations lack described permission scoping or sandboxing, consistent with historical plugin security gaps.

Threat Scenarios

  1. Weaponised invoice attack: An attacker emails a target a PDF invoice. The user saves it to their Mac. Spark, asked to convert invoices to a budget spreadsheet, processes the file and its embedded prompt injection — silently forwarding the spreadsheet (and other file contents) to an attacker-controlled email via a connected Workspace action.

  2. Malicious MCP server: A developer publishes a popular-looking MCP integration for a productivity tool. The server logs all queries Spark sends through it, harvesting file names, content summaries, and user intent signals over time.

  3. Real-time monitoring poisoning: An attacker publishes SEO-optimised blog content containing hidden prompt instructions. Spark, monitoring that topic for a target user, ingests the content and executes embedded commands — such as sharing a sensitive file to an external address.

Defender Checklist

  • Restrict file system access: Configure macOS permissions to limit Spark’s accessible directories to the minimum necessary; avoid granting access to sensitive directories (SSH keys, credential stores, source code).
  • Treat MCP integrations as third-party code: Apply the same vetting process as browser extensions or SaaS app approvals before any custom MCP connection is authorised.
  • Audit connected app permissions: Review OAuth scopes granted to Spark across Google Workspace, Dropbox, and any third-party integrations; revoke excessive permissions.
  • Establish data-handling policies: Define which data categories Spark is permitted to include in auto-generated Workspace documents or share externally.
  • Monitor agent-initiated outbound actions: Log and alert on Spark-triggered file transfers, document creations, and third-party API calls as you would any privileged service account activity.
  • Prepare for mobile-desktop bridge: Before the forthcoming phone-to-Mac feature ships, define acceptable use policies and authentication requirements for remote task delegation.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.