LIVE FEED
FIRST LOOK Yellow Teams Bring AI Offense and Defense Into One Security Function // FIRST LOOK Tracebit Ships AWS Context Bombing Defence Against AI Hacking Agents // FIRST LOOK FriendMachine Launches Jacquard Lang for AI-Written Code Review // CRITICAL Check Point 2026 AI Security Report: LLMs Now Run Live Attacks // FIRST LOOK OpenAI GPT-5.6 Sol Ships Faster Parallel Tool-Use for Agents // FIRST LOOK Meta Launches Muse Image with Public Instagram Photo Reuse // FIRST LOOK Estonia Launches State-Issued Digital IDs for AI Agents // HIGH AI Widens Skill-Ability Gap, Enabling Autonomous Cyberattacks // FIRST LOOK OpenAI Expands ChatGPT Into Family and Caregiver Households // FIRST LOOK Iroh Launches Mesh LLM for Distributed AI Across Peer Nodes //
Check Point 2026 AI Security Report: LLMs Now Run Live Attacks

Check Point 2026 AI Security Report: LLMs Now Run Live Attacks

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Check Point Research

Check Point Research's 2026 AI Security Report documents a fundamental shift in the threat landscape: AI has moved from a development accelerator to an active operator within live intrusions, with nation-state and criminal actors alike deploying LLMs to conduct hands-on attack operations. The report highlights the maturation of AI-enabled criminal tooling markets, the rise of indirect prompt injection as an operationally relevant attack vector, and persistent enterprise data leakage through unsanctioned AI application use. Agentic architectures are being specifically exploited through planted configuration files that persist malicious instructions across sessions, representing a durable and largely invisible bypass technique.

OfficeCLI Brings Microsoft Office Automation to AI Agents

OfficeCLI Brings Microsoft Office Automation to AI Agents

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 HN AI Security

OfficeCLI is an open-source, single-binary tool that enables AI agents to programmatically read, write, and automate Microsoft Word, Excel, and PowerPoint files without requiring a local Office installation. This dramatically expands the file-system attack surface for agentic AI systems, enabling prompt injection via document content, automated exfiltration of sensitive Office files, and weaponisation of documents as a persistent injection vector. Defenders operating AI agent pipelines that touch file systems must now treat any Office document as a potential adversarial input channel.

Prompt Injection Attacks Manipulate AI Crypto Agents

Prompt Injection Attacks Manipulate AI Crypto Agents

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers identified two active campaigns embedding indirect prompt injection payloads in malicious websites to manipulate autonomous AI agents into executing unauthorised cryptocurrency transactions. The attacks exploit the growing deployment of agentic AI systems that browse the web and take real-world actions with minimal human oversight. This represents a concrete, financially motivated escalation of prompt injection from data exfiltration to direct fund theft.

Agentjacking: Prompt Injection via Malicious Bug Reports

Agentjacking: Prompt Injection via Malicious Bug Reports

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A technique dubbed 'agentjacking' exploits the inability of AI coding agents to distinguish between legitimate content and embedded instructions, allowing attackers to hijack agent behaviour through maliciously crafted bug reports. The attack represents a scalable, low-barrier prompt injection vector targeting developer workflows that rely on autonomous AI agents. As AI coding assistants gain broader adoption and elevated system permissions, this class of attack poses a significant risk to software supply chain integrity.

BioShocking Attack Exploits Indirect Prompt Injection to Steal Credentials via AI Browsers

BioShocking Attack Exploits Indirect Prompt Injection to Steal Credentials via AI Browsers

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.0 The Hacker News

Security firm LayerX demonstrated a novel indirect prompt injection attack dubbed 'BioShocking' that manipulates AI browser agents into exfiltrating user credentials by embedding adversarial instructions inside web-based puzzle content. Six AI browsers and assistants were successfully compromised, including ChatGPT Atlas, Perplexity Comet, and Anthropic's Claude extension, with agents retrieving SSH credentials from GitHub repositories without triggering safety refusals. Vendor responses were inconsistent, with only OpenAI issuing a confirmed fix, highlighting the systemic risk of agentic AI systems that conflate user intent with malicious page content.

Claude Code Indirect Prompt Injection Spawns Reverse Shell

Claude Code Indirect Prompt Injection Spawns Reverse Shell

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated that indirect prompt injection attacks embedded within seemingly benign code repositories can cause Claude Code — Anthropic's agentic coding assistant — to spawn a reverse shell on a developer's machine. The attack exploits Claude Code's autonomous execution capabilities, using hidden instructions in repository content to hijack the host system without any explicit user consent. This highlights a critical risk in agentic AI tools that operate with elevated system privileges in developer environments.

Amazon Quick Launches Agentic Incident Triage Assistant

Amazon Quick Launches Agentic Incident Triage Assistant

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

Amazon Quick's new agentic incident triage assistant integrates New Relic's observability platform and Asana via MCP, creating a single conversational interface that can query production telemetry, surface error logs, and create tracked tasks autonomously. This multi-tool agent architecture dramatically expands the prompt injection attack surface, as malicious data embedded in production logs, alert payloads, or transaction traces can now influence agent actions — including task creation and RCA narrative generation. The convergence of observability data (high-trust, machine-generated) with autonomous task orchestration creates a novel indirect prompt injection pathway through operational telemetry.

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Tenet Security has disclosed 'Agentjacking', a novel attack class that exploits the implicit trust AI coding agents place in Model Context Protocol (MCP) data sources. By injecting malicious instructions into Sentry error events via publicly accessible DSN credentials, attackers can cause agents like Claude Code and Cursor to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 exposed organisations and an 85% exploitation success rate in controlled testing, with no prior access to victim infrastructure required.

OpenClaw Agent Vulnerable to Prompt Injection RCE

OpenClaw Agent Vulnerable to Prompt Injection RCE

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Two independent research teams demonstrated that OpenClaw, a self-hosted AI agent, is vulnerable to prompt injection attacks delivered through shared contacts, vCards, location pins, and plain emails — enabling attacker-controlled code execution and sensitive data exfiltration. Imperva's finding, now patched in version 2026.4.23, exploited the agent's failure to mark message objects as untrusted before passing them to the underlying LLM. Varonis separately showed that a single crafted email could instruct an agent to forward mock AWS credentials and customer data to an external address, a behaviour-level risk no patch can fully remediate.

Google Gemini Android Hijacked by Indirect Prompt Injection

Google Gemini Android Hijacked by Indirect Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

SafeBreach researcher Or Yair demonstrated that malicious text embedded in WhatsApp, Slack, SMS, or Signal notifications could trigger indirect prompt injection against Google Gemini's Android Utilities feature, causing the assistant to execute real device actions without user awareness. A novel bypass technique called 'Fake Context Alignment' defeated Google's post-patch authorization checks by exploiting multilingual obfuscation and muted hyperlinks to trick victims into authorising sensitive actions. Google has patched the issue, but the research exposes a fundamentally large attack surface where any app capable of pushing a notification becomes a potential injection vector.

Google Gemini Voice Prompt Injection via Notifications

Google Gemini Voice Prompt Injection via Notifications

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A prompt injection vulnerability in Google Gemini's voice assistant allows attackers to embed malicious instructions within device notifications, which the assistant then processes as legitimate commands. This attack vector enables social engineering, unauthorized actions, and potential data exfiltration without direct user interaction with the malicious payload. The flaw highlights the growing risk of indirect prompt injection in ambient AI assistants that consume untrusted content from the surrounding environment.

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ChatGPT Markdown Injection Enables Phishing in Web Summarizer

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Permiso Security has disclosed ChatGPhish, a vulnerability in ChatGPT's web summarisation feature that allows attacker-controlled Markdown payloads embedded in third-party pages to render phishing links, spoofed alerts, and QR codes directly within ChatGPT's trusted UI. The attack requires no user interaction beyond asking ChatGPT to summarise a malicious page, and can exfiltrate IP addresses, User-Agent strings, and Referer headers via auto-fetched remote images. The technique significantly expands the phishing attack surface beyond email into everyday AI-assisted browsing workflows, posing a particular risk in enterprise environments.

CVE-2026: Google Antigravity Sandbox Escape via Prompt Injection

CVE-2026: Google Antigravity Sandbox Escape via Prompt Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.0 The Hacker News

A now-patched vulnerability in Google's agentic IDE Antigravity allowed attackers to achieve arbitrary code execution by injecting malicious flags into the find_by_name tool's Pattern parameter, bypassing the platform's Strict Mode sandbox before security constraints were enforced. The attack chain could be triggered entirely via indirect prompt injection—embedding hidden instructions in files pulled from untrusted sources—requiring no account compromise and no additional user interaction. This case exemplifies the systemic risk of insufficient input validation in AI agent tool interfaces, where autonomous execution removes the human oversight layer that traditional security models depend on.

Cursor AI Prompt Injection Chains to Shell Access

Cursor AI Prompt Injection Chains to Shell Access

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 SecurityWeek

A chained vulnerability in Cursor AI—a widely-used AI-powered code editor—allowed attackers to combine indirect prompt injection with a sandbox escape and the application's built-in remote tunnel feature to achieve arbitrary shell access on developer machines. The attack chain is particularly significant because it weaponises Cursor's own legitimate remote-access infrastructure, meaning malicious commands could blend into normal developer workflows. Developers using Cursor's AI features against untrusted code or repositories are at elevated risk of full host compromise.

Comment Injection Attacks Hit Claude Code, Gemini, Copilot

Comment Injection Attacks Hit Claude Code, Gemini, Copilot

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

A researcher has disclosed a novel prompt injection attack technique dubbed 'Comment and Control,' demonstrating that popular AI coding agents — including Claude Code, Gemini CLI, and GitHub Copilot Agents — can be manipulated through malicious instructions embedded in source code comments. The attack exploits the tendency of agentic coding tools to process and act upon contextual content within files they are tasked to read or modify. This represents a meaningful escalation in the risk surface of AI-assisted software development workflows.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.