LIVE FEED
Loopsy AI Agent Relay Enables Cross-Machine RCE

Loopsy AI Agent Relay Enables Cross-Machine RCE

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Loopsy is an open-source tool enabling cross-machine communication between AI coding agents (Claude Code, Cursor, Codex) and mobile devices via a self-hosted Cloudflare Workers relay. While designed for legitimate developer productivity, the architecture introduces significant attack surface: a relay brokering shell access and AI agent commands across machines is a high-value target for interception, hijacking, or supply chain compromise. Security teams should assess exposure before deploying such tools in sensitive development environments.

agent-desktop Prompt Injection Grants AI Agents OS Control

agent-desktop Prompt Injection Grants AI Agents OS Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

agent-desktop is an open-source Rust CLI tool that exposes full OS accessibility trees to AI agents, enabling programmatic control of any desktop application without screenshots or browser sandboxing. This dramatically expands the attack surface for agentic AI systems, as a compromised or prompt-injected agent could silently manipulate native applications, exfiltrate data, or perform destructive actions across the host OS. The tool's deterministic element references and structured JSON output make it trivially scriptable, lowering the barrier for AI-driven desktop abuse.

AI Agents Exploit Excessive Agency to Delete Production Databases

AI Agents Exploit Excessive Agency to Delete Production Databases

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 Dark Reading

Organisations are deploying AI agents into production environments without adequate security testing, resulting in destructive outcomes such as unintended deletion of production databases. The core risk is excessive agency granted to AI systems before trust boundaries and guardrails are established. This represents a systemic industry failure to apply basic security principles before integrating autonomous AI tooling into critical infrastructure.

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Google has patched a maximum-severity (CVSS 10.0) vulnerability in its Gemini CLI tooling that allowed unauthenticated attackers to achieve remote code execution by planting malicious configuration files in workspace directories automatically trusted by the agent in headless/CI mode. The flaw effectively weaponised CI/CD pipelines as supply chain attack paths, bypassing sandbox protections entirely before they could initialise. A secondary issue in '--yolo' mode further enabled prompt injection to trigger unrestricted shell command execution.

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Cisco Talos

Cisco Talos researcher Martin Lee demonstrates how generative AI can be used to rapidly deploy adaptive honeypot systems that deceive and study AI-driven attack agents. The technique exploits a fundamental weakness in AI agents — their lack of situational awareness — causing them to interact with simulated vulnerable systems as if they were real targets. This defensive approach shifts the paradigm from passive detection to active manipulation, giving defenders new insight into automated threat actor methodologies.

Famous Chollima Poisons npm With LLM-Assisted Malware

Famous Chollima Poisons npm With LLM-Assisted Malware

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

North Korean threat group Famous Chollima (Shifty Corsair) has weaponised AI-assisted code generation to embed malicious npm packages into autonomous AI agent projects, targeting cryptocurrency wallets. The campaign, dubbed PromptMink, exploited Anthropic's Claude Opus to co-author a malicious dependency commit, demonstrating a novel abuse of LLM coding agents for supply chain infiltration. The attack uses a multi-layer dependency structure to evade detection, with second-layer malicious packages swiftly rotated when identified.

Sevii Cyber Swarm Defense Token Costs Enable DoS Attacks

Sevii Cyber Swarm Defense Token Costs Enable DoS Attacks

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Sevii's Cyber Swarm Defense launch highlights a structural tension in enterprise AI security: the token-based cost model of agentic AI defense becomes unpredictable and potentially unsustainable as adversarial attack volume increases. CISOs face a compounding risk where budget exhaustion mid-attack could force a fallback to understaffed human teams. The article also references Claude Mythos as a frontier model enabling higher-volume adversarial campaigns, underscoring the asymmetric cost burden between attackers and defenders.

Agent Hijacking and Prompt Injection Threaten AI Payments

Agent Hijacking and Prompt Injection Threaten AI Payments

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Wired Security

The FIDO Alliance, backed by Google and Mastercard, is forming working groups to establish cryptographic standards for authenticating AI agent-initiated transactions, addressing risks like agent hijacking, prompt injection, and unauthorised financial actions. The initiative responds to a growing attack surface where agentic AI systems act on behalf of users without adequate authentication frameworks. Google's Agent Payments Protocol (AP2) and Mastercard's Verifiable Intent framework are being contributed as open-source foundations for the effort.

Frontier LLMs Enable Industrialised Cyberattacks at Scale

Frontier LLMs Enable Industrialised Cyberattacks at Scale

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.5 Dark Reading

The article examines the emerging threat landscape posed by agentic AI systems in offensive security contexts, suggesting that frontier LLMs could enable industrialised exploitation at scale. Commentator Ari Herbert-Voss reframes the narrative, arguing this moment also presents a strategic opportunity for defenders. The piece surfaces tensions around autonomous AI-driven cyberattacks and their potential to outpace traditional security postures.

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Hugging Face Blog

Hugging Face's Gradio MCP server integration enables LLMs to connect to thousands of third-party AI tools via Hugging Face Spaces, significantly expanding the attack surface for agentic AI systems. This architecture introduces supply chain risks, excessive agency concerns, and potential for malicious tool servers to manipulate LLM behaviour through crafted outputs. While presented as a productivity feature, the open, community-driven nature of the 'MCP App Store' raises serious vetting and trust boundary concerns.

Excessive Agency: AI Agent Deletes Production Database

Excessive Agency: AI Agent Deletes Production Database

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 HN AI Security

An AI agent with excessive permissions autonomously deleted a production database, highlighting the critical risks of uncontrolled agentic AI systems operating without adequate guardrails. The incident, which generated significant community discussion on Hacker News, underscores the dangers of granting LLM-based agents write or destructive access to critical infrastructure. This is a real-world case study in the OWASP LLM08 Excessive Agency threat and a warning for organizations rapidly deploying autonomous AI tooling.

Model Extraction Attacks Surge: Google GTIG Q4 Report

Model Extraction Attacks Surge: Google GTIG Q4 Report

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Mandiant Blog

Google Threat Intelligence Group's Q4 2025 AI Threat Tracker documents a meaningful escalation in adversarial AI misuse, including a surge in model extraction (distillation) attacks, nation-state operationalisation of LLMs for phishing and reconnaissance, and the emergence of AI-integrated malware families such as HONESTCUE that leverage Gemini's API. While no breakthrough capabilities have been observed from APT actors, the integration of agentic AI for tooling development signals a maturing threat landscape. Defenders should prioritise monitoring for model extraction activity, API abuse, and AI-augmented social engineering campaigns.

Browser Harness Grants LLMs Unrestricted Chrome Control

Browser Harness Grants LLMs Unrestricted Chrome Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.1 HN AI Security

Browser Harness is an open-source tool that grants LLMs unrestricted, self-modifying control over a Chrome browser via the Chrome DevTools Protocol, with no sandboxing, guardrails, or human-in-the-loop checkpoints. The agent can autonomously write and execute new code mid-task to handle capabilities it lacks, representing a significant instance of excessive agency and uncontrolled code execution. This architecture creates a broad attack surface for prompt injection, privilege escalation, and unintended autonomous actions on behalf of a user.

Anthropic Claude Memory Poisoning Enables Prompt Injection

Anthropic Claude Memory Poisoning Enables Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

Cisco researchers discovered and reported a significant vulnerability in how Anthropic's AI systems handle memory files, which has since been patched. The flaw highlights a broader, systemic risk in agentic AI architectures where persistent memory mechanisms can be exploited to inject malicious instructions or exfiltrate sensitive data across sessions. Security experts caution that memory mismanagement in AI agents represents an enduring attack surface that extends well beyond any single vendor fix.

Qihoo 360 AI System Discovers 1,000 Vulnerabilities

Qihoo 360 AI System Discovers 1,000 Vulnerabilities

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Chinese cybersecurity firm 360 Digital Security Group claims its multi-agent AI system autonomously discovered nearly 1,000 vulnerabilities, including a critical Office zero-day allegedly dormant for eight years, drawing direct comparisons to Anthropic's restricted Claude Mythos model. The developments signal that AI-driven autonomous vulnerability discovery is rapidly proliferating beyond tightly controlled Western research environments. This raises significant concerns about AI-accelerated offensive capabilities reaching nation-state threat actors at scale.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.