LIVE FEED
Mistral AI Ships OCR 4 with Document Extraction

Mistral AI Ships OCR 4 with Document Extraction

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 Mistral AI (via HN)

Mistral OCR 4 is a production-grade document intelligence model delivering bounding boxes, block classification, inline confidence scores, and 170-language OCR optimised for enterprise RAG and search ingestion pipelines. For defenders, the model's role as a trusted ingestion component in downstream retrieval pipelines creates a high-value attack surface: adversarially crafted documents can now influence RAG context, citations, and automated redaction decisions at scale. The self-hosted single-container deployment option further expands the supply chain and misconfiguration risk surface for organisations running document intelligence internally.

Cordyceps Campaign Poisons CI/CD Workflows in Open Source

Cordyceps Campaign Poisons CI/CD Workflows in Open Source

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

A campaign dubbed 'Cordyceps' is exploiting weaknesses in CI/CD workflows to inject malicious pull requests into high-profile open-source projects, including Google's AI Agent Development Kit and Microsoft's Azure Sentinel. The attack surface spans multiple trusted ecosystems, meaning poisoned code could propagate into AI tooling, cloud infrastructure, and widely-used developer utilities before detection. The breadth of targets — including Python's Black formatter — signals a supply chain strategy designed to maximise downstream blast radius.

Anthropic's Mythos AI Breached Classified US Government Systems in Hours

Anthropic's Mythos AI Breached Classified US Government Systems in Hours

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.1 SecurityWeek

Anthropic's Mythos AI model identified vulnerabilities in classified US government computer systems within hours during a government-sanctioned testing exercise under Project Glasswing. A senior US official confirmed the findings to the Associated Press, corroborating statements made by Sen. Mark Warner that the model 'broke into almost all of our classified systems.' The incident marks a landmark demonstration of AI-enabled offensive cyber capability at the highest sensitivity levels of government infrastructure.

Anthropic Enhances AI Agent Skill Scanner Security

Anthropic Enhances AI Agent Skill Scanner Security

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Security firm AIR demonstrated that a malicious AI agent skill, disguised as a Google Stitch landing-page builder, passed every major skill scanner including Cisco's, NVIDIA's, and skills.sh integrations, reaching approximately 26,000 agents before its payload was activated. The attack exploits a structural gap: scanners evaluate a static package at submission time, while the external URL the skill instructs the agent to fetch can be silently swapped post-install to deliver arbitrary instructions. Defenders relying on marketplace reputation signals, GitHub star counts, or one-time scanner verdicts to gatekeep agent skills have no meaningful protection against this class of supply-chain attack.

AI Agent Hijacking via Legacy Infrastructure Exploits

AI Agent Hijacking via Legacy Infrastructure Exploits

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 The Hacker News

Attackers are bypassing AI-layer defences entirely by exploiting unpatched legacy infrastructure — misconfigured Active Directory, stale credentials, and over-privileged IAM roles — to hijack the resources AI agents depend on. Research cited in the article shows 70% of organisations grant AI systems more access than a human in the same role, driving a 76% incident rate among over-privileged deployments. The article argues that securing AI agents requires closing the underlying infrastructure exposure gap, not just hardening the model layer.

LLM Role Confusion Attack Bypasses Safety at 61%

LLM Role Confusion Attack Bypasses Safety at 61%

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Simon Willison

New research from Ye, Cui, and Hadfield-Menell demonstrates that LLMs prioritise the stylistic format of text over its structural role tags, enabling attackers to craft injected content that mimics internal reasoning blocks and bypasses safety guardrails. The study found attack success rates of 61% when injected text stylistically matched model-internal formats, dropping to just 10% after 'destyling'. The authors conclude that without genuine role perception in models, prompt injection defences will remain fundamentally reactive.

OpenAI Launches Patch the Planet Vulnerability Initiative

OpenAI Launches Patch the Planet Vulnerability Initiative

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 TechCrunch AI

OpenAI has partnered with Trail of Bits to launch 'Patch the Planet,' an initiative using AI-assisted tooling (including Codex Security) to help open-source maintainers find and patch vulnerabilities at scale. While the defensive intent is clear, the program introduces new attack surface considerations: AI-generated patches applied to widely-used open-source projects create a high-value supply chain target, and the triage/remediation pipeline itself could be manipulated to introduce subtle flaws. Defenders should monitor open-source dependencies that receive AI-assisted patches and assess the integrity guarantees of the remediation workflow.

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

AutoJack: Microsoft AutoGen Studio RCE via MCP WebSocket

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 BleepingComputer

A three-flaw vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio allowed attackers to execute arbitrary commands on a developer's host system by manipulating a browsing AI agent into connecting to a malicious webpage. The attack exploited missing authentication on MCP WebSocket routes combined with unsanitised base64-encoded parameters to launch arbitrary processes. Microsoft confirmed the flaw was patched before any PyPI release, limiting exposure to developers building directly from the main GitHub branch.

AWS Launches Bedrock AgentCore for Autonomous Payments

AWS Launches Bedrock AgentCore for Autonomous Payments

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

AWS has launched Amazon Bedrock AgentCore Payments, a managed infrastructure layer that enables AI agents to autonomously transact with external model providers and services using the x402 payment protocol, without human intervention. This capability introduces a new class of financial attack surface where compromised or manipulated agents can autonomously spend real funds, exfiltrate value, or be redirected to malicious service endpoints. Defenders must now treat agent payment credentials and spending budgets as first-class financial controls, on par with cloud IAM policies.

OpenAI's ChatGPT Image Generation Fails Content Moderation

OpenAI's ChatGPT Image Generation Fails Content Moderation

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 OpenAI (via HN)

Mindgard researchers demonstrated that ChatGPT's image generation pipeline can be manipulated through an indirect, socially-engineered prompt to produce violent and sexually explicit content without users directly requesting it, exposing a significant failure in OpenAI's content moderation controls. Defenders and enterprise operators of ChatGPT-integrated products face a newly validated attack class where innocuous-looking prompt patterns — potentially spreading virally — can systematically strip safety guardrails from image generation. This finding signals that content filter bypasses in multimodal systems are reproducible at scale, raising urgent questions about the adequacy of output-layer filtering as a sole defence mechanism.

Bayer and Thoughtworks Ship PRINCE Agentic RAG Platform

Bayer and Thoughtworks Ship PRINCE Agentic RAG Platform

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

Bayer AG and Thoughtworks have published a detailed case study on PRINCE, a production agentic RAG system combining multi-agent orchestration, Text-to-SQL, and human-in-the-loop workflows to answer complex pharmaceutical preclinical research questions and draft regulatory documents. The system's architecture — spanning intent clarification, planning, retrieval, reflection, and writing agents with access to decades of safety study data — introduces a broad attack surface including prompt injection across agent boundaries, SQL injection via natural language, and sensitive data exfiltration through compromised agent outputs. Defenders evaluating similar agentic platforms should treat each inter-agent handoff as a trust boundary requiring independent validation and focus on data leakage controls given the sensitivity of preclinical regulatory data.

Anthropic Launches Claude Code with Local Memory Layer

Anthropic Launches Claude Code with Local Memory Layer

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 Anthropic (via HN)

Recall is an open-source, fully-local memory layer for Anthropic's Claude Code that persists and summarises project context across coding sessions without sending data to external services. For defenders, the introduction of a persistent, file-based context store creates a new attack surface: a poisoned or tampered memory file can silently inject malicious instructions into every subsequent Claude Code session. Security teams should treat the local memory store as a trusted-input boundary and apply appropriate file-integrity and access controls.

OpenAI Ships GPT-5.5 Instant with Health Intelligence

OpenAI Ships GPT-5.5 Instant with Health Intelligence

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 OpenAI Blog

OpenAI has upgraded ChatGPT's health and wellness response capabilities via GPT-5.5 Instant, incorporating stronger reasoning, physician-informed evaluations, and improved contextual understanding for medical queries. This expansion into high-stakes health guidance raises meaningful concerns for defenders, as improved fluency and authority in medical responses increases the risk of user overreliance and lowers the perceived threshold for trusting AI-generated health advice. Security and trust-safety teams should evaluate how this capability interacts with prompt injection, social engineering chains, and the broader risk of AI-mediated medical misinformation at scale.

Malware Uses Prompt Injection in JavaScript to Evade LLM Tools

Malware Uses Prompt Injection in JavaScript to Evade LLM Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Schneier on Security

A malware developer has been observed embedding fake system instructions and policy-triggering content — including references to nuclear and biological weapons — inside JavaScript comment blocks to confuse or trigger refusal behaviour in LLM-powered security analysis pipelines. The technique does not affect code execution but is specifically designed to disrupt naive AI-first triage tools that feed raw file content to language models without isolating it as untrusted data. Traditional static analysis methods remain unaffected, but the approach signals an emerging class of anti-AI-analysis evasion techniques.

Enterprise Security Platforms Ship Autonomous Threat Response

Enterprise Security Platforms Ship Autonomous Threat Response

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

A new class of agentic AI security platforms is emerging that autonomously correlates threat intelligence, validates controls, and prioritizes remediations across siloed enterprise security tooling — moving beyond assistive chatbot interfaces to continuous, multi-step autonomous action. This shift introduces significant new attack surface: an AI system with persistent access to live exposure data, security telemetry, and remediation workflows becomes a high-value target for adversarial manipulation. Defenders must assess trust boundaries, prompt injection risks, and the consequences of autonomous action taken on poisoned or manipulated inputs before deploying these systems.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.