LIVE FEED
Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

Microsoft Copilot MCP Tool Poisoning Enables Data Exfiltration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 The Hacker News

Microsoft researchers have demonstrated how attackers can embed hidden instructions inside MCP tool descriptions to covertly redirect AI agents into exfiltrating sensitive business data. Because each individual action the agent takes appears legitimate — using approved tools and the user's own permissions — default security controls generate no alerts. The attack exploits a fundamental design tension in MCP: tool descriptions simultaneously carry operational instructions and attacker-controlled data, collapsing a critical trust boundary.

Agentjacking: Prompt Injection via Malicious Bug Reports

Agentjacking: Prompt Injection via Malicious Bug Reports

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

A technique dubbed 'agentjacking' exploits the inability of AI coding agents to distinguish between legitimate content and embedded instructions, allowing attackers to hijack agent behaviour through maliciously crafted bug reports. The attack represents a scalable, low-barrier prompt injection vector targeting developer workflows that rely on autonomous AI agents. As AI coding assistants gain broader adoption and elevated system permissions, this class of attack poses a significant risk to software supply chain integrity.

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

Cursor IDE DuneSlide Zero-Click Prompt Injection RCE

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A set of vulnerabilities dubbed 'DuneSlide' in the Cursor AI code editor allow attackers to conduct zero-click prompt injection attacks that escape the application's sandbox and execute arbitrary code at the operating system level. The flaws represent a critical escalation of AI-native attack surface risks, targeting developers who rely on AI-assisted coding environments. Because exploitation requires no user interaction, the attack chain is particularly dangerous in supply chain and watering-hole scenarios.

Current AI Launches Open Source AI Gap Map with 421 Projects

Current AI Launches Open Source AI Gap Map with 421 Projects

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.5 Simon Willison

Current AI has published the Open Source AI Gap Map v0.1, a structured, MIT-licensed index of 421 open-source AI products spanning models, datasets, software tools, and hardware, backed by 1,184 YAML files and tracking over 16,000 GitHub repositories. For defenders, this comprehensive public inventory creates a dual-use intelligence resource: while it aids supply chain visibility, it simultaneously provides adversaries with a curated, machine-readable attack surface map of the open-source AI ecosystem. Security teams should treat this dataset as threat-actor recon material and cross-reference their own AI dependencies against it immediately.

Browser Ransomware via File System Access API: DeepSeek

Browser Ransomware via File System Access API: DeepSeek

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Check Point Research

Check Point Research demonstrates how DeepSeek's lower refusal rates allowed researchers to transform an LLM-hallucinated malware concept into a practical browser-native ransomware technique targeting Android photo directories via the File System Access API. The attack requires no native payload, APK installation, or root access — only social engineering to obtain a legitimate browser permission prompt. This research highlights how frontier AI models with weaker safety controls can independently design novel attack paths not yet seen in real-world campaigns.

Anthropic Releases Claude-Real-Video for Local Video Analysis

Anthropic Releases Claude-Real-Video for Local Video Analysis

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 HN AI Security

claude-real-video is an open-source, MIT-licensed Python library that extracts scene-change frames, deduplicates images, and transcribes audio from any video URL or local file, then packages the result as a folder any LLM can consume — all processed locally without cloud upload. For defenders, this dramatically expands the multimodal prompt injection surface by enabling adversaries to embed malicious instructions inside video content that LLM pipelines will now ingest and act upon. Security teams building or deploying LLM agents with video-processing capabilities must treat video content as an untrusted, potentially adversarial input channel.

IGA Platforms Add AI Agent Governance and Access Control

IGA Platforms Add AI Agent Governance and Access Control

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 The Hacker News

A new analysis published via The Hacker News details how traditional Identity Governance and Administration (IGA) frameworks — built around HR-driven, human-centric lifecycle events — are fundamentally unequipped to govern AI agents acting as autonomous principals in enterprise environments. Security teams face a growing blind spot: AI agents acquire, retain, and exercise entitlements without triggering the joiner-mover-leaver workflows, manager attestations, or termination events that IGA tooling depends on. Defenders must now treat AI agent identities as a separate governance tier, requiring purpose-built provisioning, audit, and deprovisioning logic that existing platforms like Workday, SailPoint, and Azure AD connectors were never designed to provide.

Anthropic Ships Mythos for AI-Driven Bug Discovery

Anthropic Ships Mythos for AI-Driven Bug Discovery

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 Dark Reading

Anthropic's Mythos capability, combined with IBM and Red Hat's Project Lightwell service backed by 20,000 engineers and $5B, introduces an AI-driven pipeline for discovering and remediating bugs in open-source software at industrial scale. This creates a dual-edged attack surface: adversaries who can influence Mythos's findings, its training data, or the remediation pipeline gain a privileged position to inject subtle vulnerabilities into widely-deployed open-source components. Defenders must treat the AI vulnerability-finding and patch-generation pipeline itself as a high-value, high-risk supply chain asset requiring rigorous integrity controls.

AGENTIC AIThe Hacker NewsCRITICALCVE-2025-3248: Langflow RCE Enables AutonomousRansomware Attack

CVE-2025-3248: Langflow RCE Enables Autonomous Ransomware Attack

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.8 The Hacker News

Sysdig has documented what it claims is the first end-to-end ransomware attack orchestrated autonomously by an AI agent, attributed to a threat actor tracked as JADEPUFFER. The agent exploited a known remote code execution flaw in Langflow (CVE-2025-3248) to gain initial access, harvest credentials, pivot laterally, and ultimately encrypt and destroy a production database — all without human intervention at the keyboard. The incident demonstrates that AI agents can now lower the skill floor for complex, multi-stage attacks to near zero, representing a qualitative shift in the ransomware threat landscape.

Phantom Squatting: LLM Hallucinations Enable Domain Takeover

Phantom Squatting: LLM Hallucinations Enable Domain Takeover

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Dark Reading

Researchers have identified a novel attack vector dubbed 'Phantom Squatting', in which LLMs consistently hallucinate plausible but non-existent web domains for legitimate brands, which attackers can then register and weaponise. Unlike traditional typosquatting, these hallucinated domains carry implicit trust because they originate from AI-generated outputs that users and developers may act upon without verification. The technique is difficult to detect because the domains are not misspellings but plausible inventions, making automated defences less effective.

Google Launches Gemini Spark on Mac with File Access

Google Launches Gemini Spark on Mac with File Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 TechCrunch AI

Google has expanded Gemini Spark to macOS, giving the agentic assistant access to local files, third-party app integrations (including Dropbox, Canva, and Instacart), custom MCP connections, and real-time topic monitoring. This substantially widens the attack surface for enterprise defenders, as a compromised or manipulated Spark agent gains a foothold across local file systems, cloud workspaces, and external service APIs simultaneously. The addition of custom Model Context Protocol support is particularly concerning, as it allows arbitrary third-party tool connections with unclear trust boundaries and permission scoping.

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

AWS Brings NVIDIA Nemotron and OpenAI GPT to GovCloud

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 AWS Machine Learning Blog

AWS has expanded Amazon Bedrock in GovCloud (US) to include NVIDIA Nemotron and OpenAI's open-weight GPT OSS models, enabling U.S. government agencies and defense contractors to run frontier LLMs within FedRAMP High and DoD SRG compliance boundaries. This expansion introduces large, capable open-weight models into sensitive government mission workflows — including intelligence analysis, security log review, and contract automation — dramatically increasing the consequence of a successful prompt injection or jailbreak. Defenders must account for the elevated impact of model compromise in classified-adjacent environments, supply chain trust assumptions around open-weight model weights, and the risk of agentic workflows operating with privileged data access under reduced human oversight.

Phantom Squatting: LLM Hallucinations in Supply Chain

Phantom Squatting: LLM Hallucinations in Supply Chain

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Palo Alto Unit 42

Unit 42 researchers have documented 'phantom squatting', a novel attack vector where adversaries register domains that LLMs consistently hallucinate when responding to developer queries, intercepting traffic from AI-assisted workflows. Analysis of 913 brands across 685,339 URL queries uncovered 13,229 confirmed malicious URLs and approximately 250,000 unregistered hallucinated domains still available for adversarial pre-registration. A concrete case study reveals a fully operational phishing kit, Montana Empire, built with an AI coding assistant and deployed against a domain Unit 42 had flagged as high-risk 23 days prior.

Anthropic Releases Mythos and Fable Models with Global Access

Anthropic Releases Mythos and Fable Models with Global Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 TechCrunch AI

The US government has lifted export restrictions on Anthropic's Mythos and Fable models, restoring broad international access to what are described as the most capable AI models publicly available, with Mythos specifically noted for its advanced ability to identify and exploit software vulnerabilities. Defenders must now contend with a significantly wider pool of threat actors — including foreign nationals and nation-state-affiliated researchers — who can access a model with documented offensive security capabilities. The policy reversal also introduces regulatory uncertainty that complicates enterprise risk assessments, as organizations cannot rely on stable governance signals to calibrate their AI security postures.

Token Security Publishes Agentic AI Identity Risk Analysis

Token Security Publishes Agentic AI Identity Risk Analysis

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 BleepingComputer

Token Security has published a detailed analysis of the identity and access management failures emerging as agentic AI systems proliferate across enterprise environments, highlighting how AI agents authenticate, hold credentials, and act autonomously across production systems without adequate oversight. Unlike traditional machine identities, AI agents combine human-like goal-directed behaviour with machine-speed execution, creating credential sprawl that existing IAM programs were never designed to govern. Security teams face a compounding risk: agents are being provisioned with overprivileged OAuth grants, API tokens, and cloud roles that remain unreviewed and unrevoked long after the original use case has expired.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.