LIVE FEED
FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 HN AI Security

FableCut is a zero-dependency, browser-based non-linear video editor that exposes its entire timeline as a JSON document and accepts live control from AI agents via MCP (Model Context Protocol) and REST APIs, enabling tools like Claude Code or Claude Desktop to autonomously edit video. This agent-accessible media pipeline introduces meaningful new attack surface: any AI agent granted MCP/REST access can read, overwrite, or poison the JSON timeline, and a compromised or prompt-injected agent could silently alter exported video content. Defenders managing AI agent workflows that touch media pipelines should treat this as an unsandboxed tool-use endpoint requiring strict authZ, input validation, and output integrity checks.

AI Agents Emerge as a New Identity Class Orgs Must Secure

AI Agents Emerge as a New Identity Class Orgs Must Secure

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

AI agents are being recognised as a distinct identity type that cannot be adequately governed using legacy service account or API token frameworks, requiring purpose-built identity and access management approaches. For defenders, this gap means agents operating today are likely over-privileged, under-monitored, and outside existing IAM policy scope. Security teams face an immediate challenge in extending least-privilege, auditability, and lifecycle management controls to autonomous agent identities before adversaries exploit the blind spot.

Prompt Injection Attacks Manipulate AI Crypto Agents

Prompt Injection Attacks Manipulate AI Crypto Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers identified two active campaigns embedding indirect prompt injection payloads in malicious websites to manipulate autonomous AI agents into executing unauthorised cryptocurrency transactions. The attacks exploit the growing deployment of agentic AI systems that browse the web and take real-world actions with minimal human oversight. This represents a concrete, financially motivated escalation of prompt injection from data exfiltration to direct fund theft.

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers have demonstrated how attackers can embed hidden instructions inside MCP tool descriptions to covertly redirect AI agents into exfiltrating sensitive business data. Because each individual action the agent takes appears legitimate — using approved tools and the user's own permissions — default security controls generate no alerts. The attack exploits a fundamental design tension in MCP: tool descriptions simultaneously carry operational instructions and attacker-controlled data, collapsing a critical trust boundary.

IGA Platforms Add AI Agent Governance and Access Control

IGA Platforms Add AI Agent Governance and Access Control

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 The Hacker News

A new analysis published via The Hacker News details how traditional Identity Governance and Administration (IGA) frameworks — built around HR-driven, human-centric lifecycle events — are fundamentally unequipped to govern AI agents acting as autonomous principals in enterprise environments. Security teams face a growing blind spot: AI agents acquire, retain, and exercise entitlements without triggering the joiner-mover-leaver workflows, manager attestations, or termination events that IGA tooling depends on. Defenders must now treat AI agent identities as a separate governance tier, requiring purpose-built provisioning, audit, and deprovisioning logic that existing platforms like Workday, SailPoint, and Azure AD connectors were never designed to provide.

Google DeepMind Releases AI Agent Attack Taxonomy

Google DeepMind Releases AI Agent Attack Taxonomy

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.7 SecurityWeek

Google DeepMind researchers have released a structured taxonomy categorising adversarial attacks against autonomous AI agents into six classes — content injection, semantic manipulation, cognitive state poisoning, behavioural control, systemic, and human-in-the-loop traps — formalising an emerging threat model for agentic AI systems. For defenders, this framework codifies attack paths that exploit the agent's inability to distinguish trusted instructions from attacker-controlled data ingested from web pages, emails, documents, and tool outputs. NIST evaluation data cited in the research shows malicious instruction injection succeeded in 57% of tested agent hijacking scenarios on average, underscoring that these are active, high-yield attack vectors rather than theoretical concerns.

MoEngage Deploys Autonomous AI Agents via Aampe Acquisition

MoEngage Deploys Autonomous AI Agents via Aampe Acquisition

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 TechCrunch AI

MoEngage has acquired Aampe to deploy individualized AI agents for every customer, enabling autonomous decisions on messaging targeting, timing, and content at enterprise scale across 1,350+ brands globally. This architecture introduces a large, distributed fleet of autonomous agents operating on sensitive behavioral and PII data, dramatically expanding the blast radius of any single compromise. Security teams at enterprises adopting this platform must now reason about agent-level trust boundaries, data inference risks, and the amplification potential of adversarial manipulation across millions of simultaneous decision-making agents.

AI Agent Hijacking via Legacy Infrastructure Exploits

AI Agent Hijacking via Legacy Infrastructure Exploits

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 The Hacker News

Attackers are bypassing AI-layer defences entirely by exploiting unpatched legacy infrastructure — misconfigured Active Directory, stale credentials, and over-privileged IAM roles — to hijack the resources AI agents depend on. Research cited in the article shows 70% of organisations grant AI systems more access than a human in the same role, driving a 76% incident rate among over-privileged deployments. The article argues that securing AI agents requires closing the underlying infrastructure exposure gap, not just hardening the model layer.

Orphaned AI Agents Bypass SailPoint Identity Controls

Orphaned AI Agents Bypass SailPoint Identity Controls

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

Enterprises deploying internal AI agents face a growing identity accountability gap: when the employee who created an autonomous agent leaves, the agent's access tokens and credentials often remain active and unmonitored. Traditional access management tools fail to detect this risk because they treat AI agents as static software rather than identity-bearing entities capable of exfiltrating sensitive data. The problem compounds at scale as shadow AI deployments proliferate across organizations without centralised visibility or ownership tracking.

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Palo Alto Unit 42

Palo Alto Unit 42 introduces Behavioral Integrity Verification (BIV), an audit method exposing widespread mismatches between what third-party AI agent skills claim to do and what they actually execute. Applied at registry scale, BIV identifies a dangerous subset of skills carrying multi-stage attack chains capable of credential theft, remote code execution, and silent data exfiltration. The research highlights that the AI agent skill ecosystem has grown rapidly without the supply-chain audit primitives that mobile and browser extension platforms eventually adopted after abuse.

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Check Point Research

Check Point Research disclosed three vulnerabilities in LangGraph's persistence layer, two of which chain together to achieve remote code execution: a SQL injection flaw in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization bug (CVE-2026-28277). A third parallel injection vulnerability (CVE-2026-27022) affects the Redis checkpointer. With over 50 million monthly downloads, self-hosted LangGraph deployments exposing user-controlled state history filters are directly at risk.

Claude Mythos Accelerates Automated Vulnerability Discovery

Claude Mythos Accelerates Automated Vulnerability Discovery

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Anthropic's Claude Mythos model is accelerating automated vulnerability discovery to a degree that may fundamentally disrupt the bug bounty and offensive security industries. As AI transitions from a force multiplier to a potential replacement for human security researchers, the economics and structure of vulnerability disclosure programs face significant pressure. The shift raises critical questions about the future of human-led offensive security and whether AI-generated findings will saturate or devalue traditional bounty programs.

Excessive Agency in AI Agents Enables Enterprise Breaches

Excessive Agency in AI Agents Enables Enterprise Breaches

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Dark Reading

Enterprises deploying AI agents with elevated permissions and minimal oversight face compounding security risks as agentic systems gain the ability to take real-world actions with limited human intervention. The attack surface expands dramatically when agents can access APIs, execute code, and chain decisions autonomously, making containment of a compromise significantly harder. Security teams must implement least-privilege principles and robust monitoring before agentic deployments scale beyond their ability to govern.

Adversa AI: 89% of AI Agents Fail Security Tests

Adversa AI: 89% of AI Agents Fail Security Tests

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Adversa AI's AI Risk Quadrant report evaluated 100 AI agents across ten categories, finding that only 11 qualify as both capable and well-defended. The research identifies a structural 'power-protection inversion' where the most capable agents also present the widest attack surface, driven by a 'lethal trifecta' of private data access, exposure to untrusted content, and outbound action capability. Computer and coding agents showed the most severe exposure, raising urgent concerns about autonomous agent deployment in enterprise environments.

CogCAPTCHA30 Fingerprints AI Agents via Behavioral Analysis

CogCAPTCHA30 Fingerprints AI Agents via Behavioral Analysis

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Researchers have developed CogCAPTCHA30, a 30-task cognitive battery demonstrating that AI agents (GPT, Claude, Gemini) solve CAPTCHAs with statistically distinguishable behavioural patterns despite matching human accuracy. The study introduces a 'Process Turing Test' concept, showing output equivalence and process equivalence are uncorrelated — meaning AI agents can be detected not by what they answer, but by how they answer. This has direct implications for bot detection, anti-automation defences, and the arms race between AI-driven agents and human-verification systems.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.