LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
HalluSquatting Exploits AI Hallucinations for Botnet RCE

HalluSquatting Exploits AI Hallucinations for Botnet RCE

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated a novel attack technique called 'HalluSquatting', which weaponises AI hallucinations by registering fake package names that LLMs fabricate, turning them into malware delivery vectors. When developers trust AI-recommended dependencies and install the squatted packages, attackers can achieve remote code execution and potentially recruit victim machines into botnets. The technique represents a significant escalation in the practical exploitation of LLM hallucinations beyond misinformation into active infrastructure compromise.

Y Combinator Ships Agentic Code Generation at 37K Lines Daily

Y Combinator Ships Agentic Code Generation at 37K Lines Daily

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 HN AI Security

Y Combinator CEO Garry Tan has publicly claimed to ship approximately 37,000 lines of AI-generated code per day using agentic coding tools, and an independent developer analysis has revealed the underlying mechanics of this workflow. This level of AI-assisted code velocity introduces meaningful security concerns around code provenance, supply chain integrity, and the reduced human review time per line of shipped code. Defenders should treat high-velocity AI code pipelines as a new supply chain risk category requiring dedicated SAST/DAST tooling and policy controls.

Anthropic Launches Claude Code with Local Memory Layer

Anthropic Launches Claude Code with Local Memory Layer

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 Anthropic (via HN)

Recall is an open-source, fully-local memory layer for Anthropic's Claude Code that persists and summarises project context across coding sessions without sending data to external services. For defenders, the introduction of a persistent, file-based context store creates a new attack surface: a poisoned or tampered memory file can silently inject malicious instructions into every subsequent Claude Code session. Security teams should treat the local memory store as a trusted-input boundary and apply appropriate file-integrity and access controls.

TanStack Supply Chain Attack Exposes OpenAI Keys

TanStack Supply Chain Attack Exposes OpenAI Keys

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A supply chain attack targeting TanStack via the Mini Shai-Hulud malware compromised two OpenAI employee devices, exposing internal source code repositories and code-signing certificates for macOS, iOS, and Windows apps. While no user data or production systems were breached, OpenAI was forced to revoke and reissue signing certificates, requiring macOS users to update ChatGPT Desktop, Codex, and Atlas apps before June 12, 2026. The incident marks OpenAI's second certificate rotation in two months and is part of a broader campaign by threat actor TeamPCP targeting major AI and open-source ecosystems.

Cursor AI Prompt Injection Chains to Shell Access

Cursor AI Prompt Injection Chains to Shell Access

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 SecurityWeek

A chained vulnerability in Cursor AI—a widely-used AI-powered code editor—allowed attackers to combine indirect prompt injection with a sandbox escape and the application's built-in remote tunnel feature to achieve arbitrary shell access on developer machines. The attack chain is particularly significant because it weaponises Cursor's own legitimate remote-access infrastructure, meaning malicious commands could blend into normal developer workflows. Developers using Cursor's AI features against untrusted code or repositories are at elevated risk of full host compromise.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.