LIVE FEED
Gemini Spark Prompt Injection Exposes Enterprise Gmail Data

Gemini Spark Prompt Injection Exposes Enterprise Gmail Data

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 Simon Willison

Google's newly announced Gemini Spark personal AI agent, integrated with Gmail, Drive, Calendar, and other sensitive Google services, presents a significant prompt injection attack surface as it processes user data at scale. The article highlights that Google's published security mitigations — ephemeral VMs, Agent Gateway, and DLP policies — address infrastructure isolation but do not directly address the prompt injection vector inherent to LLM-powered agents processing untrusted content. Additionally, the transition from open-source Gemini CLI to a closed-source Antigravity CLI raises supply chain transparency concerns.

Microsoft RAMPART Tests AI Agents for Prompt Injection

Microsoft RAMPART Tests AI Agents for Prompt Injection

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 The Hacker News

Microsoft has released two open-source tools, RAMPART and Clarity, aimed at embedding security testing into AI agent development workflows. RAMPART extends the existing PyRIT framework with a Pytest-native harness for running adversarial and safety tests against AI agents, explicitly covering cross-prompt injection, data exfiltration, and behavioural regression scenarios. Clarity operates as a pre-code design analysis tool, helping teams surface and challenge unsafe assumptions before an agentic system is built.

Claude Chrome Extension Prompt Injection Enables Agent Takeover

Claude Chrome Extension Prompt Injection Enables Agent Takeover

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 SecurityWeek

A vulnerability dubbed ClaudeBleed in Anthropic's Claude Chrome extension allows any browser extension to inject arbitrary prompts into the Claude AI agent by exploiting lax permission checks and improper trust validation. Attackers can bypass user confirmation protections via DOM manipulation and repeated message forging, enabling full agent takeover for information theft or unauthorized actions. The flaw effectively breaks Chrome's extension security model and exposes users running Claude's agentic capabilities to third-party extension compromise.

TrustFall: Repository Poisoning RCE in AI Coding Tools

TrustFall: Repository Poisoning RCE in AI Coding Tools

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Dark Reading

A vulnerability class dubbed 'TrustFall' demonstrates that malicious code repositories can trigger arbitrary code execution in AI-assisted developer tools including Claude Code, Cursor CLI, Gemini CLI, and GitHub Copilot CLI, with little to no user interaction required. The attack surface stems from inadequate or easily dismissed warning dialogs that fail to surface the risk of executing untrusted repository content. Developers cloning or opening adversarial repositories are exposed to full host-level compromise through the elevated trust these AI coding agents place in repository-supplied context.

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 SecurityWeek

Cisco's AI Threat Intelligence team has demonstrated that bounded pixel-level perturbations can recover the attack effectiveness of degraded typographic images against vision-language models (VLMs), enabling hidden prompt injection that bypasses both human review and content filters. The technique works by optimising perturbations against open-source embedding models and transferring results to proprietary systems like GPT-4o and Claude, exposing a cross-model transferability risk. The attack allows adversaries to embed instructions—such as data exfiltration commands—inside images that appear as visual noise to human observers.

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

CVE-2026-26030: Semantic Kernel RCE via Prompt Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Microsoft Security Blog

Microsoft's Defender Security Research Team disclosed two CVEs in Semantic Kernel — a widely-used AI agent orchestration framework — demonstrating how prompt injection can escalate to remote code execution via compromised plugins. The vulnerabilities (CVE-2026-26030 and CVE-2026-25592) expose a systemic risk in the agentic AI layer: because frameworks like Semantic Kernel abstract tool orchestration, a single flaw in how LLM outputs are mapped to system tools can propagate across every application built on that foundation. This research signals a critical shift in AI threat modelling, where prompt injection is no longer a content risk but an execution risk.

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

CrowdStrike Red Teaming: LLM Jailbreak and Data Poisoning

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 SecurityWeek

Joey Melo, Principal Security Researcher at CrowdStrike, outlines his methodology for AI red teaming, focusing on manipulating LLM guardrails through jailbreaking and data poisoning without altering underlying source code. His work, rooted in competitive AI hacking challenges, translates classical adversarial thinking into the emerging field of machine learning security. The profile highlights the growing professionalisation of AI red teaming as organisations seek to harden LLM deployments against real-world manipulation attacks.

agent-desktop Prompt Injection Grants AI Agents OS Control

agent-desktop Prompt Injection Grants AI Agents OS Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 HN AI Security

agent-desktop is an open-source Rust CLI tool that exposes full OS accessibility trees to AI agents, enabling programmatic control of any desktop application without screenshots or browser sandboxing. This dramatically expands the attack surface for agentic AI systems, as a compromised or prompt-injected agent could silently manipulate native applications, exfiltrate data, or perform destructive actions across the host OS. The tool's deterministic element references and structured JSON output make it trivially scriptable, lowering the barrier for AI-driven desktop abuse.

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Google has patched a maximum-severity (CVSS 10.0) vulnerability in its Gemini CLI tooling that allowed unauthenticated attackers to achieve remote code execution by planting malicious configuration files in workspace directories automatically trusted by the agent in headless/CI mode. The flaw effectively weaponised CI/CD pipelines as supply chain attack paths, bypassing sandbox protections entirely before they could initialise. A secondary issue in '--yolo' mode further enabled prompt injection to trigger unrestricted shell command execution.

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

Cisco AI Agents Vulnerable to Prompt Injection Honeypots

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 7.2 Cisco Talos

Cisco Talos researcher Martin Lee demonstrates how generative AI can be used to rapidly deploy adaptive honeypot systems that deceive and study AI-driven attack agents. The technique exploits a fundamental weakness in AI agents — their lack of situational awareness — causing them to interact with simulated vulnerable systems as if they were real targets. This defensive approach shifts the paradigm from passive detection to active manipulation, giving defenders new insight into automated threat actor methodologies.

Agent Hijacking and Prompt Injection Threaten AI Payments

Agent Hijacking and Prompt Injection Threaten AI Payments

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Wired Security

The FIDO Alliance, backed by Google and Mastercard, is forming working groups to establish cryptographic standards for authenticating AI agent-initiated transactions, addressing risks like agent hijacking, prompt injection, and unauthorised financial actions. The initiative responds to a growing attack surface where agentic AI systems act on behalf of users without adequate authentication frameworks. Google's Agent Payments Protocol (AP2) and Mastercard's Verifiable Intent framework are being contributed as open-source foundations for the effort.

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

Llama Guard 4 Jailbreak Detection Vulnerable to Prompt Injection

ATLAS OWASP LOW Limited impact · Standard review ▲ 7.2 Hugging Face Blog

Meta has released Llama Guard 4, a 12B multimodal safety classifier designed to detect and filter unsafe content in both image and text inputs/outputs for production LLM deployments. The model addresses jailbreak attempts and harmful content generation across 14 hazard categories defined by the MLCommons taxonomy. Alongside it, two lightweight Llama Prompt Guard 2 classifiers (86M and 22M parameters) target prompt injection and prompt attack detection.

Browser Harness Grants LLMs Unrestricted Chrome Control

Browser Harness Grants LLMs Unrestricted Chrome Control

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.1 HN AI Security

Browser Harness is an open-source tool that grants LLMs unrestricted, self-modifying control over a Chrome browser via the Chrome DevTools Protocol, with no sandboxing, guardrails, or human-in-the-loop checkpoints. The agent can autonomously write and execute new code mid-task to handle capabilities it lacks, representing a significant instance of excessive agency and uncontrolled code execution. This architecture creates a broad attack surface for prompt injection, privilege escalation, and unintended autonomous actions on behalf of a user.

ChatGPT Code Runtime Exfiltrates Data via Prompt Injection

ChatGPT Code Runtime Exfiltrates Data via Prompt Injection

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Check Point Research

Check Point Research disclosed a critical vulnerability in ChatGPT's code execution runtime that allows a single malicious prompt to establish a covert outbound exfiltration channel, bypassing OpenAI's stated network isolation safeguards. Sensitive user data — including uploaded files, conversation content, and personal documents — could be silently transmitted to attacker-controlled servers without user knowledge or consent. The same channel was also found capable of enabling remote shell access within the Linux execution environment.

Moltbook Exposes 1.5M Tokens via Cross-App OAuth Risk

Moltbook Exposes 1.5M Tokens via Cross-App OAuth Risk

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

The article examines 'toxic combinations' — a compounding risk pattern where AI agents and OAuth integrations bridge multiple SaaS applications, creating attack surfaces that no single application owner reviews. A real-world case involving Moltbook exposed 1.5 million agent API tokens and plaintext third-party credentials, illustrating how agentic AI identities create cross-app trust relationships invisible to conventional access controls. The threat is structural: non-human identities now outnumber human ones in most SaaS environments, and single-app access reviews are architecturally blind to inter-application permission stacking.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.