LIVE FEED
Claude Code Indirect Prompt Injection Spawns Reverse Shell

Claude Code Indirect Prompt Injection Spawns Reverse Shell

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 SecurityWeek

Researchers have demonstrated that indirect prompt injection attacks embedded within seemingly benign code repositories can cause Claude Code — Anthropic's agentic coding assistant — to spawn a reverse shell on a developer's machine. The attack exploits Claude Code's autonomous execution capabilities, using hidden instructions in repository content to hijack the host system without any explicit user consent. This highlights a critical risk in agentic AI tools that operate with elevated system privileges in developer environments.

NanoEuler Launches GPT-2 LLM Built from Scratch in C/CUDA

NanoEuler Launches GPT-2 LLM Built from Scratch in C/CUDA

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 Cohere AI (via HN)

NanoEuler is an open-source GPT-2-class language model (~116M parameters) built entirely from scratch in C/CUDA, including hand-written backpropagation, a BPE tokenizer, FlashAttention, pretraining, and supervised fine-tuning — with RLHF/DPO planned. For defenders, the significance lies in the democratisation of low-level, dependency-free LLM training infrastructure: adversaries gain a highly portable, auditable, and modifiable training stack that bypasses standard ML framework telemetry and supply chain controls. Security teams should treat this class of 'from-scratch' open-source LLM tooling as a potential foundation for covert fine-tuning pipelines, backdoor insertion, and evasion of model-level safety controls.

Zhipu AI Releases GLM-5.2 Open-Weight Model

Zhipu AI Releases GLM-5.2 Open-Weight Model

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Verge AI

Zhipu AI (Z.ai) has released GLM-5.2, an open-weight model that researchers report matches Anthropic's Mythos in bug-finding and cybersecurity-related tasks, while remaining freely downloadable and runnable on commodity hardware. The open-weight distribution removes access controls and usage monitoring that restrict frontier closed models, enabling unconstrained offensive security use by any actor. Defenders face a materially elevated threat from nation-state and cybercriminal actors who can now fine-tune, deploy, and weaponise a frontier-class vulnerability-discovery model without API gatekeeping or usage telemetry.

Anthropic CEO: Open-Source AI Models Pose Systemic Safety Risk

Anthropic CEO: Open-Source AI Models Pose Systemic Safety Risk

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.2 Meta AI (via HN)

Anthropic CEO Dario Amodei testified to lawmakers that open-source AI models present a systemic safety risk because once released, developers lose the ability to monitor misuse, revoke access, or patch safety guardrails. For defenders, this formalises a long-standing asymmetry: closed-source safety controls (rate-limiting, usage monitoring, kill-switches) become irrelevant once capable weights are publicly distributed. Security teams building on or competing against open-weight models must now treat every downloaded model artifact as a potentially unpatched, unmonitored endpoint that can be fine-tuned to remove safety constraints entirely.

Claude Code Prompt Injection via GitHub Supply Chain

Claude Code Prompt Injection via GitHub Supply Chain

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 BleepingComputer

Mozilla 0DIN researchers demonstrated a novel attack chain in which a seemingly clean GitHub repository tricks AI coding agents like Claude Code into executing a reverse shell payload — with no malicious code ever present in the repo itself. The attack leverages three innocuous components: a Python package that deliberately errors on first run, an error message that instructs the agent to run an init command, and a shell script that fetches and executes a payload stored in an attacker-controlled DNS TXT record. The technique exploits the autonomous error-recovery behaviour of agentic AI tools, effectively turning a safety feature into an attack vector.

Meta Releases AgentKits with 60 Production-Ready Agent Blueprints

Meta Releases AgentKits with 60 Production-Ready Agent Blueprints

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 Meta AI (via HN)

AgentKits ships 60 open, free AI agent blueprints covering 30 operational categories — from incident response and access provisioning to HR screening and fraud detection — complete with copyable system prompts, tool definitions, and workflow architectures targeting Claude, OpenAI, LangGraph, and n8n. The free, no-login distribution model dramatically lowers the barrier for adversaries to study, clone, or weaponise production-grade agent architectures, including sensitive categories like SecOps triage, access provisioning, and compliance monitoring. Defenders must treat these blueprints as publicly documented attack playbooks and audit any internally deployed instances against their documented worst-case actions and trust levels.

OpenAI Releases GPT-5.6 Sol for Vulnerability Research

OpenAI Releases GPT-5.6 Sol for Vulnerability Research

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

OpenAI has released a limited preview of GPT-5.6 Sol, Terra, and Luna to select partners, positioning Sol as its most capable model for vulnerability research and exploit chain development, benchmarked against real-world hardened targets via an internal framework called VulnLMP. The model's demonstrated ability to produce credible memory safety leads and automate substantial portions of vulnerability research pipelines materially lowers the barrier for both defenders and adversaries. Security teams should expect accelerated attacker timelines for exploit development and increased pressure on detection and patch-deployment cadences.

Sakana AI and 360 Launch Fugu and Tulongfeng Models

Sakana AI and 360 Launch Fugu and Tulongfeng Models

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 Cohere AI (via HN)

Sakana AI's Fugu and Chinese firm 360's Tulongfeng are frontier AI models positioned as functional alternatives to Anthropic's export-restricted Mythos and Fable 5, with Fugu explicitly designed for agentic orchestration across third-party model APIs. For defenders, the proliferation of cybersecurity-focused frontier models outside US regulatory reach removes a key friction point that previously slowed adversary access to high-capability AI offensive tooling. The agentic, multi-model orchestration design of Fugu in particular introduces compounded supply-chain and prompt-injection risk for any enterprise connecting these models to existing tool ecosystems.

OpenAI Workspace Phishing via Fraudulent Tenant Registration

OpenAI Workspace Phishing via Fraudulent Tenant Registration

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 BleepingComputer

Threat actors are registering fraudulent OpenAI tenants impersonating legitimate companies and inviting employees to join them, in a campaign dubbed 'Poisoned Tenant' by Push Security. The attack exploits OpenAI's legitimate invitation infrastructure, making phishing emails appear authentic as they pass all email authentication checks. The goal appears to be tricking employees into submitting sensitive corporate information via ChatGPT chats and projects within the attacker-controlled workspace.

OpenAI Launches GPT-5.6 with Enhanced Agentic Capabilities

OpenAI Launches GPT-5.6 with Enhanced Agentic Capabilities

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

OpenAI has released GPT-5.6 in a restricted preview to government-vetted partners, featuring three models (Sol, Terra, Luna) with significantly upgraded agentic capabilities in coding, biology, and cybersecurity, including a coordinated multi-subagent 'ultra' mode. The cybersecurity-specific enhancements and agentic orchestration introduce meaningful new attack surface: adversaries gaining access to Sol's coordinated subagent architecture could automate sophisticated multi-stage intrusions at scale previously requiring significant human expertise. The restricted rollout itself creates a novel supply chain and access-control risk, as the 'trusted partner' gating model concentrates high-capability model access among a small set of privileged accounts, making partner credential compromise a high-value target.

Anthropic Releases Claude Mythos 5 Under U.S. Export Controls

Anthropic Releases Claude Mythos 5 Under U.S. Export Controls

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 Anthropic (via HN)

The U.S. Commerce Department has lifted export controls on Anthropic's Claude Mythos 5, permitting access to over 100 vetted U.S. institutions and government agencies under a nascent federal AI licensing regime. For defenders, this tiered-release model introduces a new class of risk: the 'trusted partner' designation becomes a high-value target, as compromise of any listed entity grants implicit legitimacy to interact with a model previously deemed too dangerous for general release. Security teams at approved organizations should treat Mythos 5 access credentials and API endpoints as critical assets, and assume adversaries will probe the boundary between licensed and unlicensed access patterns.

OpenAI Releases GPT-5.6 Under Controlled Access

OpenAI Releases GPT-5.6 Under Controlled Access

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

OpenAI's GPT-5.6, a frontier model with advanced cyber capabilities, is being released exclusively to vetted partners under a White House-directed limited-access programme coordinated with the Office of the National Cyber Director and OSTP. This controlled rollout signals that the model's offensive cyber potential — including autonomous vulnerability identification and exploitation — is significant enough to warrant government-gated distribution, mirroring Anthropic's Project Glasswing model for Claude Mythos. For defenders, the emergence of a government-approved, partner-tier distribution model creates new supply chain trust questions and raises the stakes around who gains early access and how that access is verified, monitored, and potentially abused.

GitHub Releases Copilot Agentic Harness Evaluation

GitHub Releases Copilot Agentic Harness Evaluation

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 GitHub Blog

GitHub has published an evaluation of its Copilot agentic harness, detailing how the orchestration layer performs across multiple underlying models and coding tasks — effectively documenting the architecture of an autonomous, multi-step code generation and execution system. For defenders, this transparency reveals an orchestration surface where prompt injection, supply chain manipulation, and model-switching logic can be targeted across a broader set of model backends than previously understood. Security teams should treat the harness itself as a critical trust boundary, since compromising task routing or model selection logic could silently redirect agentic workflows to less-safe or adversary-controlled model endpoints.

Anthropic Launches Claude Cowork Mobile with Remote Control

Anthropic Launches Claude Cowork Mobile with Remote Control

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 BleepingComputer

Anthropic is expanding its Claude Cowork agentic desktop feature to mobile, enabling users to remotely initiate, monitor, and steer long-running AI tasks on their PC from a smartphone — with background task execution persisting even after the mobile app is closed. This cross-device architecture introduces a new attack surface: a mobile application acting as a command-and-control interface for an agent with local filesystem access, expanding the blast radius of device compromise, session hijacking, and prompt injection attacks. Defenders must now account for a persistent, background-running agentic process on employee endpoints that can be triggered or manipulated via a separate, potentially less-secured mobile channel.

Prompt Injection Malware Evades LLM Security Scanners

Prompt Injection Malware Evades LLM Security Scanners

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 Schneier on Security

A malware developer has embedded nuclear and biological weapons-related text inside JavaScript comment blocks within spyware payloads, specifically to trigger refusal behaviour or context confusion in LLM-powered security analysis pipelines. The technique exploits the architectural gap between how interpreters (which skip comments) and language models (which ingest the full file as input) process the same file. While ineffective against traditional static analysis tooling, the tactic represents a practical adversarial countermeasure targeting AI-first triage workflows and analyst copilots.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.