LIVE FEED
FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FableCut Ships AI-Drivable Browser Video Editor via MCP and REST

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 HN AI Security

FableCut is a zero-dependency, browser-based non-linear video editor that exposes its entire timeline as a JSON document and accepts live control from AI agents via MCP (Model Context Protocol) and REST APIs, enabling tools like Claude Code or Claude Desktop to autonomously edit video. This agent-accessible media pipeline introduces meaningful new attack surface: any AI agent granted MCP/REST access can read, overwrite, or poison the JSON timeline, and a compromised or prompt-injected agent could silently alter exported video content. Defenders managing AI agent workflows that touch media pipelines should treat this as an unsandboxed tool-use endpoint requiring strict authZ, input validation, and output integrity checks.

The Security Analyst's Claude Code Playbook

The Security Analyst's Claude Code Playbook

DEEP SIGNAL

A practitioner's guide to deploying Claude Code in security operations — threat intelligence automation, compliance gap analysis, token management, and enterprise hardening.

Amazon Q Extension Credential Theft via MCP Injection

Amazon Q Extension Credential Theft via MCP Injection

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Dark Reading

A vulnerability in the Amazon Q Visual Studio Code extension allows adversaries to plant malicious repositories that execute arbitrary code and exfiltrate cloud credentials. The flaw highlights escalating risks associated with Model Context Protocol (MCP) integrations embedded within AI-powered developer tools. This attack vector represents a growing threat surface as AI coding assistants gain privileged access to developer environments and cloud infrastructure.

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers have demonstrated how attackers can embed hidden instructions inside MCP tool descriptions to covertly redirect AI agents into exfiltrating sensitive business data. Because each individual action the agent takes appears legitimate — using approved tools and the user's own permissions — default security controls generate no alerts. The attack exploits a fundamental design tension in MCP: tool descriptions simultaneously carry operational instructions and attacker-controlled data, collapsing a critical trust boundary.

CVE-2026-50548: Cursor IDE Prompt Injection RCE

CVE-2026-50548: Cursor IDE Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549) in the Cursor AI code editor allow prompt injection attacks delivered via MCP services or web search results to escape the editor's terminal sandbox and execute arbitrary commands on a developer's machine without any user interaction. Both flaws abuse the sandbox's write-permission logic — one through a misconfigured working directory parameter, the other through a symlink-resolution fallback — ultimately allowing overwrite of the sandbox helper binary itself. The attack surface is significant given Cursor's reported adoption across more than half of Fortune 500 companies; all versions prior to 3.0 remain vulnerable.

Google Launches Gemini Spark on Mac with File Access

Google Launches Gemini Spark on Mac with File Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 TechCrunch AI

Google has expanded Gemini Spark to macOS, giving the agentic assistant access to local files, third-party app integrations (including Dropbox, Canva, and Instacart), custom MCP connections, and real-time topic monitoring. This substantially widens the attack surface for enterprise defenders, as a compromised or manipulated Spark agent gains a foothold across local file systems, cloud workspaces, and external service APIs simultaneously. The addition of custom Model Context Protocol support is particularly concerning, as it allows arbitrary third-party tool connections with unclear trust boundaries and permission scoping.

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers disclosed AutoJack, an exploit chain targeting AutoGen Studio's MCP WebSocket endpoint that allows a single malicious web page to execute arbitrary commands on a developer's host machine via an AI browsing agent. The attack chains three distinct weaknesses — localhost trust bypass, missing authentication on MCP paths, and unsanitised command execution — requiring no credentials or user interaction beyond the agent loading the attacker's URL. While the vulnerable handler was not included in stable PyPI releases, it shipped in two pre-release builds that remain unyanked, leaving anyone who installed those versions exposed.

AWS Launches Amazon Bedrock AgentCore Harness

AWS Launches Amazon Bedrock AgentCore Harness

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 AWS Machine Learning Blog

AWS has made Amazon Bedrock AgentCore Harness generally available, providing a managed abstraction layer that reduces agent deployment to two API calls while bundling sandboxed compute, persistent memory, tool gateway, browser access, identity management, and observability. For defenders, this dramatically lowers the barrier to deploying autonomous agents with filesystem access, shell execution, web browsing, and multi-provider model switching — compressing what was a weeks-long infrastructure project into minutes. Security teams face an expanded attack surface where prompt injection, tool abuse, cross-session memory poisoning, and supply chain risks through AWS-curated skill catalogs now arrive as a single, tightly integrated managed service rather than individually reviewable components.

Microsoft AutoGen Studio RCE via MCP Bypass

Microsoft AutoGen Studio RCE via MCP Bypass

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Researchers at Microsoft identified a three-stage exploit chain in AutoGen Studio that allows a malicious web page visited by a browsing AI agent to reach the host's local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes. The chain exploits a bypassable origin allowlist, authentication middleware that excluded MCP endpoints, and unsanitised URL-derived command parameters. Although the vulnerable surface was never shipped in a PyPI release, the finding exposes a systemic architectural risk in any agent framework that combines untrusted browsing with privileged localhost services.

Amazon Quick Launches Agentic Incident Triage Assistant

Amazon Quick Launches Agentic Incident Triage Assistant

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

Amazon Quick's new agentic incident triage assistant integrates New Relic's observability platform and Asana via MCP, creating a single conversational interface that can query production telemetry, surface error logs, and create tracked tasks autonomously. This multi-tool agent architecture dramatically expands the prompt injection attack surface, as malicious data embedded in production logs, alert payloads, or transaction traces can now influence agent actions — including task creation and RCA narrative generation. The convergence of observability data (high-trust, machine-generated) with autonomous task orchestration creates a novel indirect prompt injection pathway through operational telemetry.

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Tenet Security has disclosed 'Agentjacking', a novel attack class that exploits the implicit trust AI coding agents place in Model Context Protocol (MCP) data sources. By injecting malicious instructions into Sentry error events via publicly accessible DSN credentials, attackers can cause agents like Claude Code and Cursor to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 exposed organisations and an 85% exploitation success rate in controlled testing, with no prior access to victim infrastructure required.

Microsoft Scout Agent Vulnerable to Prompt Injection

Microsoft Scout Agent Vulnerable to Prompt Injection

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Microsoft has launched Scout, an always-on autonomous AI agent built on the OpenClaw framework that operates across Microsoft 365 apps including Teams, Outlook, OneDrive, and SharePoint with its own Entra identity. The agent's persistent, unsupervised access to email, calendar, chat, and external systems via MCP creates a broad new attack surface for prompt injection, privilege abuse, and data exfiltration. As an experimental release with limited deployment controls, security teams should treat Scout as a high-risk agentic surface requiring careful governance before broad adoption.

Robinhood Prompt Injection Enables Autonomous Trade Attacks

Robinhood Prompt Injection Enables Autonomous Trade Attacks

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

Robinhood has launched agentic trading and a virtual credit card that allow third-party AI agents to autonomously execute stock trades and payments on behalf of users via a Model Context Protocol (MCP) integration. This architecture introduces significant attack surface through prompt injection, excessive agency, and insecure plugin design risks inherent to LLM-driven autonomous financial action. The delegation of real financial authority to AI agents with limited human-in-the-loop controls represents a systemic risk to retail investors if agent pipelines are compromised or manipulated.

FuzzingBrain V2 Discovers 29 Zero-Day Vulnerabilities

FuzzingBrain V2 Discovers 29 Zero-Day Vulnerabilities

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 HN AI Security

Researchers have developed FuzzingBrain V2, a multi-agent LLM system capable of autonomously discovering and reproducing software vulnerabilities with a 90% detection rate on a competitive benchmark dataset. The system discovered 29 zero-day vulnerabilities across 12 open-source projects, all confirmed by maintainers, raising both defensive and dual-use concerns for the security community. While positioned as a defensive research tool, the automation of end-to-end vulnerability discovery at this scale represents a meaningful shift in the offensive capability landscape.

CVE-2026-44112: OpenClaw Sandbox Escape and RCE

CVE-2026-44112: OpenClaw Sandbox Escape and RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.9 The Hacker News

Researchers at Cyera disclosed four vulnerabilities in OpenClaw, an AI agent runtime platform, that can be chained to achieve credential theft, privilege escalation, and persistent backdoor access. The attack chain, dubbed 'Claw Chain', exploits sandbox escapes, allowlist bypasses, and a spoofable ownership flag in the MCP loopback runtime to weaponise the agent's own privileges against the host environment. All four CVEs have been patched in OpenClaw version 2026.4.22 and users should update immediately.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.