LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
Anthropic Claude Code Prompt Injection Leaks Secrets

Anthropic Claude Code Prompt Injection Leaks Secrets

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Microsoft Threat Intelligence disclosed a vulnerability in Anthropic's Claude Code GitHub Action whereby prompt injection via untrusted GitHub content — issue bodies, PR descriptions, and comments — could cause the AI agent to read sensitive environment variables, including the ANTHROPIC_API_KEY, from /proc/self/environ. The flaw stemmed from inconsistent sandboxing: while subprocess execution paths like Bash were scrubbed of environment variables, the Read tool had no equivalent restriction. Anthropic patched the issue in Claude Code version 2.1.128 by blocking access to sensitive /proc filesystem paths.

Vercel Breach: Context.ai OAuth Token Hijack Exposes Credentials

Vercel Breach: Context.ai OAuth Token Hijack Exposes Credentials

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 The Hacker News

Vercel suffered a breach originating from a compromised third-party AI tool, Context.ai, where an employee's OAuth token was hijacked to access Vercel's Google Workspace and internal environment variables. The incident highlights the systemic risk of granting broad OAuth permissions to AI productivity tools, particularly when employees use enterprise credentials with 'Allow All' permission scopes. ShinyHunters has claimed responsibility and is reportedly selling the stolen data for $2 million.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.