LIVE FEED
Claude Code OAuth Token Theft via npm Supply Chain

Claude Code OAuth Token Theft via npm Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 SecurityWeek

Mitiga Labs has disclosed a stealthy attack chain targeting Claude Code's MCP infrastructure, allowing adversaries to silently intercept OAuth tokens by redirecting MCP traffic through attacker-controlled infrastructure. The attack requires only the ability to install a malicious npm package, which modifies ~/.claude.json to insert a proxy and pre-sets trust flags to suppress security prompts. Because the OAuth token grants broad access to all connected SaaS tools, successful exploitation effectively hands attackers a persistent master key to the victim's integrated development environment.

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

Supply Chain Risk: Gradio MCP Server Exposes AI Agents

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 Hugging Face Blog

Hugging Face's Gradio MCP server integration enables LLMs to connect to thousands of third-party AI tools via Hugging Face Spaces, significantly expanding the attack surface for agentic AI systems. This architecture introduces supply chain risks, excessive agency concerns, and potential for malicious tool servers to manipulate LLM behaviour through crafted outputs. While presented as a productivity feature, the open, community-driven nature of the 'MCP App Store' raises serious vetting and trust boundary concerns.

Stash AI Memory Poisoning Exposes Agent Data Leakage

Stash AI Memory Poisoning Exposes Agent Data Leakage

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Stash is an open-source persistent memory layer for AI agents using PostgreSQL and pgvector, exposing a broad MCP tool surface (28 tools) that introduces significant attack vectors including memory poisoning, sensitive data leakage, and cross-namespace contamination. While marketed as a productivity enhancement, the architecture centralises long-term agent memory in a shared backend, creating a high-value target for adversarial manipulation. Security teams deploying autonomous agents should treat persistent memory stores as critical infrastructure requiring strict access controls and integrity validation.

CVE-2026: Anthropic MCP SDK Remote Code Execution

CVE-2026: Anthropic MCP SDK Remote Code Execution

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A systemic 'by design' vulnerability in Anthropic's Model Context Protocol (MCP) SDK enables arbitrary remote code execution across all supported language implementations via unsafe STDIO transport defaults, affecting over 7,000 publicly accessible servers and 150 million downloads. The flaw has been independently confirmed across 10+ popular AI frameworks including LiteLLM, LangChain, and Flowise, with Anthropic declining to modify the protocol's architecture. This represents a significant AI supply chain risk with cascading exposure to sensitive data, API keys, and internal systems.

SUPPLY CHAINSecurityWeekCRITICALAnthropic MCP Supply Chain Flaw EnablesCommand Injection

Anthropic MCP Supply Chain Flaw Enables Command Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.1 SecurityWeek

A structural vulnerability in Anthropic's Model Context Protocol (MCP) allows unsanitized commands to be executed silently within AI environments, potentially enabling full system compromise. Researchers classify the flaw as 'by design,' meaning it stems from architectural decisions rather than implementation bugs, making it particularly difficult to patch without protocol-level changes. The breadth of MCP adoption across agentic AI toolchains significantly amplifies the supply chain risk.

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A maximum-severity (CVSS 10.0) remote code execution vulnerability in Flowise, a widely-used open-source AI agent builder, is under active exploitation with over 12,000 internet-exposed instances at risk. The flaw, CVE-2025-59528, exists in the CustomMCP node and allows unauthenticated JavaScript execution with full Node.js runtime privileges via unsanitised MCP server configuration input. This marks the third Flowise vulnerability exploited in the wild, underscoring systemic security gaps in AI orchestration and agent-building platforms.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.