LIVE FEED
HalluSquatting Exploits AI Hallucinations for Botnet RCE

HalluSquatting Exploits AI Hallucinations for Botnet RCE

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated a novel attack technique called 'HalluSquatting', which weaponises AI hallucinations by registering fake package names that LLMs fabricate, turning them into malware delivery vectors. When developers trust AI-recommended dependencies and install the squatted packages, attackers can achieve remote code execution and potentially recruit victim machines into botnets. The technique represents a significant escalation in the practical exploitation of LLM hallucinations beyond misinformation into active infrastructure compromise.

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A set of vulnerabilities dubbed 'DuneSlide' in the Cursor AI code editor allow attackers to conduct zero-click prompt injection attacks that escape the application's sandbox and execute arbitrary code at the operating system level. The flaws represent a critical escalation of AI-native attack surface risks, targeting developers who rely on AI-assisted coding environments. Because exploitation requires no user interaction, the attack chain is particularly dangerous in supply chain and watering-hole scenarios.

Anthropic Enhances AI Agent Skill Scanner Security

Anthropic Enhances AI Agent Skill Scanner Security

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Security firm AIR demonstrated that a malicious AI agent skill, disguised as a Google Stitch landing-page builder, passed every major skill scanner including Cisco's, NVIDIA's, and skills.sh integrations, reaching approximately 26,000 agents before its payload was activated. The attack exploits a structural gap: scanners evaluate a static package at submission time, while the external URL the skill instructs the agent to fetch can be silently swapped post-install to deliver arbitrary instructions. Defenders relying on marketplace reputation signals, GitHub star counts, or one-time scanner verdicts to gatekeep agent skills have no meaningful protection against this class of supply-chain attack.

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

AutoGen Studio RCE: AutoJack Exploit Chain Targets Developers

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers disclosed AutoJack, an exploit chain targeting AutoGen Studio's MCP WebSocket endpoint that allows a single malicious web page to execute arbitrary commands on a developer's host machine via an AI browsing agent. The attack chains three distinct weaknesses — localhost trust bypass, missing authentication on MCP paths, and unsanitised command execution — requiring no credentials or user interaction beyond the agent loading the attacker's URL. While the vulnerable handler was not included in stable PyPI releases, it shipped in two pre-release builds that remain unyanked, leaving anyone who installed those versions exposed.

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Palo Alto Unit 42

Palo Alto Unit 42 introduces Behavioral Integrity Verification (BIV), an audit method exposing widespread mismatches between what third-party AI agent skills claim to do and what they actually execute. Applied at registry scale, BIV identifies a dangerous subset of skills carrying multi-stage attack chains capable of credential theft, remote code execution, and silent data exfiltration. The research highlights that the AI agent skill ecosystem has grown rapidly without the supply-chain audit primitives that mobile and browser extension platforms eventually adopted after abuse.

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Check Point Research

Check Point Research disclosed three vulnerabilities in LangGraph's persistence layer, two of which chain together to achieve remote code execution: a SQL injection flaw in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization bug (CVE-2026-28277). A third parallel injection vulnerability (CVE-2026-27022) affects the Redis checkpointer. With over 50 million monthly downloads, self-hosted LangGraph deployments exposing user-controlled state history filters are directly at risk.

CVE-2026-5027: Langflow RCE Actively Exploited

CVE-2026-5027: Langflow RCE Actively Exploited

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical unpatched path traversal vulnerability (CVE-2026-5027, CVSS 8.8) in Langflow, a widely-used open-source AI application builder, is being actively exploited in the wild to achieve unauthenticated remote code execution. Because Langflow enables auto-login by default, attackers require no credentials to reach the vulnerable endpoint and can exploit it with a single HTTP request. With approximately 7,000 publicly exposed Langflow instances and nation-state actors already targeting related Langflow flaws, the risk to AI development infrastructure is severe.

Loopsy AI Agent Relay Enables Cross-Machine RCE

Loopsy AI Agent Relay Enables Cross-Machine RCE

ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.5 HN AI Security

Loopsy is an open-source tool enabling cross-machine communication between AI coding agents (Claude Code, Cursor, Codex) and mobile devices via a self-hosted Cloudflare Workers relay. While designed for legitimate developer productivity, the architecture introduces significant attack surface: a relay brokering shell access and AI agent commands across machines is a high-value target for interception, hijacking, or supply chain compromise. Security teams should assess exposure before deploying such tools in sensitive development environments.

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

Gemini CLI CVSS 10 RCE via Config Injection in CI/CD

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Google has patched a maximum-severity (CVSS 10.0) vulnerability in its Gemini CLI tooling that allowed unauthenticated attackers to achieve remote code execution by planting malicious configuration files in workspace directories automatically trusted by the agent in headless/CI mode. The flaw effectively weaponised CI/CD pipelines as supply chain attack paths, bypassing sandbox protections entirely before they could initialise. A secondary issue in '--yolo' mode further enabled prompt injection to trigger unrestricted shell command execution.

CVE-2026: Anthropic MCP SDK Remote Code Execution

CVE-2026: Anthropic MCP SDK Remote Code Execution

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A systemic 'by design' vulnerability in Anthropic's Model Context Protocol (MCP) SDK enables arbitrary remote code execution across all supported language implementations via unsafe STDIO transport defaults, affecting over 7,000 publicly accessible servers and 150 million downloads. The flaw has been independently confirmed across 10+ popular AI frameworks including LiteLLM, LangChain, and Flowise, with Anthropic declining to modify the protocol's architecture. This represents a significant AI supply chain risk with cascading exposure to sensitive data, API keys, and internal systems.

Cursor AI Prompt Injection Chains to Shell Access

Cursor AI Prompt Injection Chains to Shell Access

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.5 SecurityWeek

A chained vulnerability in Cursor AI—a widely-used AI-powered code editor—allowed attackers to combine indirect prompt injection with a sandbox escape and the application's built-in remote tunnel feature to achieve arbitrary shell access on developer machines. The attack chain is particularly significant because it weaponises Cursor's own legitimate remote-access infrastructure, meaning malicious commands could blend into normal developer workflows. Developers using Cursor's AI features against untrusted code or repositories are at elevated risk of full host compromise.

ComfyUI RCE Exploited in Cryptomining Botnet Campaign

ComfyUI RCE Exploited in Cryptomining Botnet Campaign

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 The Hacker News

Threat actors are actively exploiting internet-exposed ComfyUI instances — a popular AI image generation platform — by abusing its custom node execution feature to achieve unauthenticated remote code execution. Over 1,000 publicly accessible instances have been identified as targets, with compromised hosts enrolled in Monero and Conflux cryptomining operations and a Hysteria V2 proxy botnet. The attack highlights critical supply chain and insecure plugin design risks inherent in AI/ML tooling ecosystems.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.