LIVE FEED
Microsoft MDASH Brings AI-Powered Windows Vulnerability Discovery

Microsoft MDASH Brings AI-Powered Windows Vulnerability Discovery

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 BleepingComputer

Microsoft has deployed MDASH (Multi-model Agentic Scanning Harness), an AI-powered agentic system that autonomously scans Windows binaries for vulnerabilities and validates findings through multiple AI models before human engineer review. The accelerated discovery pipeline means defenders will see a higher volume of Patch Tuesday fixes, compressing patch deployment windows and increasing pressure on enterprise patch management processes. Simultaneously, the same AI-accelerated vulnerability discovery capability is available to adversaries, raising the risk that threat actors identify and weaponise flaws faster than Microsoft's pipeline can remediate them.

AI Agents Emerge as a New Identity Class Orgs Must Secure

AI Agents Emerge as a New Identity Class Orgs Must Secure

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

AI agents are being recognised as a distinct identity type that cannot be adequately governed using legacy service account or API token frameworks, requiring purpose-built identity and access management approaches. For defenders, this gap means agents operating today are likely over-privileged, under-monitored, and outside existing IAM policy scope. Security teams face an immediate challenge in extending least-privilege, auditability, and lifecycle management controls to autonomous agent identities before adversaries exploit the blind spot.

The Security Analyst's Claude Code Playbook

The Security Analyst's Claude Code Playbook

DEEP SIGNAL

A practitioner's guide to deploying Claude Code in security operations — threat intelligence automation, compliance gap analysis, token management, and enterprise hardening.

CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents

CVE-2026-12958: GhostApproval Symlink Attack on Coding Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.7 The Hacker News

Wiz researchers disclosed GhostApproval, a symlink-based attack affecting six AI coding assistants — Amazon Q Developer, Claude Code, Augment, Cursor, Google Antigravity, and Windsurf — that allows malicious repositories to write attacker-controlled content to sensitive files such as SSH authorized_keys or shell startup scripts. The core failure is an informed-consent bypass: the agent's approval dialog names a harmless file while the write targets a sensitive one, or in some tools the write completes before any prompt appears. Three vendors have patched, two have not, and Anthropic disputes the classification as a vulnerability.

Prompt Injection Attacks Claude Code and Codex Execution

Prompt Injection Attacks Claude Code and Codex Execution

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.2 The Hacker News

Researchers at the AI Now Institute have demonstrated a proof-of-concept attack dubbed 'Friendly Fire' that tricks AI coding agents — specifically Anthropic's Claude Code and OpenAI's Codex in autonomous mode — into executing malicious binaries while performing routine security reviews. The attack embeds a disguised payload inside an open-source library and uses a plain README.md instruction to direct the agent to run a malicious shell script, bypassing existing trust-prompt defences. Because the weakness is architectural rather than version-specific, no patch exists; mitigation requires workflow changes.

DPAPI Abuse in Claude Code and Cursor Triggers EDR

DPAPI Abuse in Claude Code and Cursor Triggers EDR

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

Sophos telemetry from June 2026 reveals that AI coding agents including Claude Code, Cursor, and OpenAI Codex are triggering endpoint detection rules designed to catch human attackers, performing actions such as DPAPI-based credential decryption, Windows Credential Manager enumeration, and persistence via startup folder writes. The behaviour is not malicious in intent, but the agents exhibit attacker-like pivot-when-blocked logic and abuse legitimate Windows utilities in ways indistinguishable from living-off-the-land intrusions. This blurring of the line between benign automation and attack tradecraft creates significant noise for defenders and may erode confidence in high-fidelity detection rules.

AWS Launches Multi-Turn RL for Amazon Nova

AWS Launches Multi-Turn RL for Amazon Nova

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 AWS Machine Learning Blog

AWS has released a production-grade, event-driven multi-turn reinforcement learning training infrastructure for Amazon Nova models on SageMaker HyperPod, enabling enterprises to train agents that learn tool orchestration, error recovery, and sequential decision-making at scale. This materially expands the attack surface by introducing complex reward-routing pipelines, ephemeral compute provisioning, and environment-facing reward workers as new targets for poisoning and manipulation. Defenders must scrutinise the trust boundaries between the Nova Forge SDK, ECS reward workers, and HyperPod training pods, as a compromised reward signal can silently shape model behaviour across entire interaction sequences.

OfficeCLI Brings Microsoft Office Automation to AI Agents

OfficeCLI Brings Microsoft Office Automation to AI Agents

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 HN AI Security

OfficeCLI is an open-source, single-binary tool that enables AI agents to programmatically read, write, and automate Microsoft Word, Excel, and PowerPoint files without requiring a local Office installation. This dramatically expands the file-system attack surface for agentic AI systems, enabling prompt injection via document content, automated exfiltration of sensitive Office files, and weaponisation of documents as a persistent injection vector. Defenders operating AI agent pipelines that touch file systems must now treat any Office document as a potential adversarial input channel.

Prompt Injection Attacks Manipulate AI Crypto Agents

Prompt Injection Attacks Manipulate AI Crypto Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers identified two active campaigns embedding indirect prompt injection payloads in malicious websites to manipulate autonomous AI agents into executing unauthorised cryptocurrency transactions. The attacks exploit the growing deployment of agentic AI systems that browse the web and take real-world actions with minimal human oversight. This represents a concrete, financially motivated escalation of prompt injection from data exfiltration to direct fund theft.

Langflow LLM Agents Exploited for Ransomware Delivery

Langflow LLM Agents Exploited for Ransomware Delivery

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A documented ransomware attack leveraged agentic AI infrastructure — specifically the Langflow LLM orchestration platform — to automate multi-stage intrusion chains combining known exploitation techniques with real-time LLM reasoning. This marks a significant escalation in threat actor capability, demonstrating that agentic AI can serve as an autonomous attack coordinator rather than merely an assistant. Security teams running self-hosted AI orchestration platforms now face an expanded attack surface where the AI layer itself can be both the entry point and the execution engine.

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers have demonstrated how attackers can embed hidden instructions inside MCP tool descriptions to covertly redirect AI agents into exfiltrating sensitive business data. Because each individual action the agent takes appears legitimate — using approved tools and the user's own permissions — default security controls generate no alerts. The attack exploits a fundamental design tension in MCP: tool descriptions simultaneously carry operational instructions and attacker-controlled data, collapsing a critical trust boundary.

Agentjacking: Prompt Injection via Malicious Bug Reports

Agentjacking: Prompt Injection via Malicious Bug Reports

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A technique dubbed 'agentjacking' exploits the inability of AI coding agents to distinguish between legitimate content and embedded instructions, allowing attackers to hijack agent behaviour through maliciously crafted bug reports. The attack represents a scalable, low-barrier prompt injection vector targeting developer workflows that rely on autonomous AI agents. As AI coding assistants gain broader adoption and elevated system permissions, this class of attack poses a significant risk to software supply chain integrity.

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A set of vulnerabilities dubbed 'DuneSlide' in the Cursor AI code editor allow attackers to conduct zero-click prompt injection attacks that escape the application's sandbox and execute arbitrary code at the operating system level. The flaws represent a critical escalation of AI-native attack surface risks, targeting developers who rely on AI-assisted coding environments. Because exploitation requires no user interaction, the attack chain is particularly dangerous in supply chain and watering-hole scenarios.

CVE-2026-50548: Cursor IDE Prompt Injection RCE

CVE-2026-50548: Cursor IDE Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI code editor allow prompt injection attacks delivered via MCP services or web search results to escape the editor's terminal sandbox and execute arbitrary commands on a developer's machine without any user interaction. Both flaws abuse the sandbox's write-permission logic — one through a misconfigured working directory parameter, the other through a symlink-resolution fallback — ultimately allowing overwrite of the sandbox helper binary itself. The attack surface is significant given Cursor's reported adoption across more than half of Fortune 500 companies; all versions prior to 3.0 remain vulnerable.

IGA Platforms Add AI Agent Governance and Access Control

IGA Platforms Add AI Agent Governance and Access Control

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 The Hacker News

A new analysis published via The Hacker News details how traditional Identity Governance and Administration (IGA) frameworks — built around HR-driven, human-centric lifecycle events — are fundamentally unequipped to govern AI agents acting as autonomous principals in enterprise environments. Security teams face a growing blind spot: AI agents acquire, retain, and exercise entitlements without triggering the joiner-mover-leaver workflows, manager attestations, or termination events that IGA tooling depends on. Defenders must now treat AI agent identities as a separate governance tier, requiring purpose-built provisioning, audit, and deprovisioning logic that existing platforms like Workday, SailPoint, and Azure AD connectors were never designed to provide.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.