LIVE FEED
Z.ai Releases GLM-5.2 Open-Weights 753B LLM

Z.ai Releases GLM-5.2 Open-Weights 753B LLM

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.2 Simon Willison

Z.ai has released GLM-5.2, a 753-billion-parameter mixture-of-experts model under an MIT license, ranking as the top open-weights model on the Artificial Analysis Intelligence Index and second on the Code Arena WebDev leaderboard. For defenders, the combination of frontier-level capability, unrestricted open-weights distribution, and a 1-million-token context window materially lowers the barrier for threat actors to self-host a highly capable model outside any provider's safety controls. The model's agentic coding performance and massive context window expand the viable attack surface for automated code generation, targeted phishing, and large-scale document analysis without API-level monitoring.

CrowdStrike Launches Continuous Identity for AI Agents

CrowdStrike Launches Continuous Identity for AI Agents

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.8 CrowdStrike Blog

CrowdStrike's Continuous Identity for AI Agents introduces persistent, trackable identity primitives for agentic workflows — but persistent identities are also persistent targets. Attackers who compromise an agent identity gain a durable, trusted foothold that can persist across sessions and tool invocations without the natural expiry of human session tokens. The feature's integration into the Falcon platform means agent identity tokens, if stolen or forged, may carry elevated detection-suppression trust within the same security toolchain defending the environment.

Anthropic Ships Claude Fable 5 with Exploit Generation

Anthropic Ships Claude Fable 5 with Exploit Generation

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.7 Wired Security

Anthropic's Mythos 5 and Claude Fable 5 represent the arrival of frontier AI models with demonstrated, advanced vulnerability discovery and exploit-development capabilities — a capability class that will rapidly proliferate across multiple vendors and open-weight releases. The core attack surface is not model-specific: guardrail bypass of the consumer-facing Fable 5 exposes full Mythos-grade offensive capability to any actor who can defeat the content filters, while the broader proliferation trajectory means defenders must assume adversary access to equivalent capabilities within months. The regulatory response addresses a single vendor while doing nothing to raise the floor for the broader ecosystem of competitive and open-weight models following close behind.

Google Launches Android 17 with Gemini Omni Integration

Google Launches Android 17 with Gemini Omni Integration

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

Android 17 embeds Gemini Omni and multiple AI models (Lyria 3, AudioLM) directly into OS-level functions including video editing, call handling, screen recording, and emergency detection, dramatically expanding the attack surface for AI-assisted exploitation on mobile endpoints. The deep integration of conversational AI with device sensors, media pipelines, and inter-app communication creates novel prompt injection and data exfiltration vectors that existing mobile threat defences were not designed to address. The simultaneous AirDrop interoperability expansion and cross-device Pixel Watch mirroring further widen the lateral movement surface across the Google hardware ecosystem.

NVIDIA Launches XR AI for Agentic AR Glasses

NVIDIA Launches XR AI for Agentic AR Glasses

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 NVIDIA AI Blog

NVIDIA XR AI puts multimodal agentic systems directly into AR glasses, fusing continuous video, audio, depth, and pose data with enterprise knowledge retrieval and tool execution — creating a persistent, always-on sensor exfiltration and prompt injection surface that sits inches from a worker's face. The framework connects to industrial systems, digital twins, and enterprise RAG backends, meaning a compromised agent can pivot from perceptual data into operational technology networks. Because the inputs are environmental and largely uncontrolled, adversarial content placed in the physical world (signage, screens, spoken commands) becomes a viable injection vector against enterprise infrastructure.

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A vulnerability in the Google Cloud Vertex AI Python SDK allowed unauthenticated attackers to intercept model uploads by pre-registering predictable staging bucket names — a technique Unit 42 calls 'Pickle in the Middle'. Once a malicious model replaced the legitimate upload, arbitrary code executed inside Google's serving infrastructure via pickle deserialization. Google patched the flaw in v1.148.0 after disclosure in March 2026, but the incident highlights systemic risks in ML pipeline supply chains.

Amazon Bedrock AgentCore Ships with RAG and Memory

Amazon Bedrock AgentCore Ships with RAG and Memory

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 AWS Machine Learning Blog

Amazon Bedrock AgentCore now enables production-grade agentic systems that combine RAG retrieval, persistent cross-session memory, and direct user-facing endpoints authenticated only via Cognito Bearer tokens — all surfaced through a single /invocations endpoint. This architecture creates compounded attack surfaces where adversarially crafted content in S3-backed knowledge bases can propagate through the retrieve_and_generate pipeline directly into technician workflows. The persistent AgentCore Memory layer introduces a new cross-session context poisoning vector that does not exist in stateless LLM deployments.

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 AWS Machine Learning Blog

Agent-EvalKit introduces an open-source evaluation pipeline that integrates LLM-as-judge evaluators and AI coding assistants directly into agent development workflows, creating new attack surfaces where poisoned test cases, manipulated ground-truth datasets, and adversarial evaluation prompts could corrupt agent quality signals. The toolkit's deep code-reading access via Claude Code, Kiro CLI, and Kilo Code means a compromised evaluation run could exfiltrate source code or inject malicious recommendations into the development pipeline. Because evaluation outputs drive concrete code changes, adversarial manipulation of the eval layer has downstream consequences for production agent behaviour.

Amazon Quick Launches Agentic Incident Triage Assistant

Amazon Quick Launches Agentic Incident Triage Assistant

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 AWS Machine Learning Blog

Amazon Quick's new agentic incident triage assistant integrates New Relic's observability platform and Asana via MCP, creating a single conversational interface that can query production telemetry, surface error logs, and create tracked tasks autonomously. This multi-tool agent architecture dramatically expands the prompt injection attack surface, as malicious data embedded in production logs, alert payloads, or transaction traces can now influence agent actions — including task creation and RCA narrative generation. The convergence of observability data (high-trust, machine-generated) with autonomous task orchestration creates a novel indirect prompt injection pathway through operational telemetry.

Google Gemini Prompt Injection Powers Smishing Campaign

Google Gemini Prompt Injection Powers Smishing Campaign

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 The Hacker News

Google has filed suit against a Chinese cybercrime network operating the Outsider phishing-as-a-service kit, which exploited Gemini AI to generate fraudulent phishing pages and power large-scale SMS phishing attacks against Americans. The network used carefully framed prompts — disguised as benign programming requests — to bypass AI safety controls and produce functional credential-harvesting websites. The case illustrates the growing industrialisation of AI-assisted phishing infrastructure, with over 1.59 million malicious URLs and 100,000 victims attributed to the operation.

Anthropic Releases Claude Fable 5 with Jailbreak Resistance

Anthropic Releases Claude Fable 5 with Jailbreak Resistance

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 SecurityWeek

Anthropic's release of Claude Fable 5, a Mythos-class frontier model, has prompted significant industry debate over its dual-use offensive capabilities in cybersecurity and biology. The model includes a capability fallback mechanism — downgrading to Claude Opus 4.8 in high-risk domains — alongside extensive jailbreak-resistance red-teaming. Security professionals are warning that frontier AI capability investment directly accelerates attacker tooling for machine-speed, AI-orchestrated 'hyperattacks' that outpace human defenders.

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Tenet Security has disclosed 'Agentjacking', a novel attack class that exploits the implicit trust AI coding agents place in Model Context Protocol (MCP) data sources. By injecting malicious instructions into Sentry error events via publicly accessible DSN credentials, attackers can cause agents like Claude Code and Cursor to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 exposed organisations and an 85% exploitation success rate in controlled testing, with no prior access to victim infrastructure required.

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

Palo Alto Exposes AI Agent Skill Supply Chain Compromise Risk

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 Palo Alto Unit 42

Palo Alto Unit 42 introduces Behavioral Integrity Verification (BIV), an audit method exposing widespread mismatches between what third-party AI agent skills claim to do and what they actually execute. Applied at registry scale, BIV identifies a dangerous subset of skills carrying multi-stage attack chains capable of credential theft, remote code execution, and silent data exfiltration. The research highlights that the AI agent skill ecosystem has grown rapidly without the supply-chain audit primitives that mobile and browser extension platforms eventually adopted after abuse.

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

CVE-2025-67644: LangGraph SQLi to RCE via Checkpointer

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 Check Point Research

Check Point Research disclosed three vulnerabilities in LangGraph's persistence layer, two of which chain together to achieve remote code execution: a SQL injection flaw in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization bug (CVE-2026-28277). A third parallel injection vulnerability (CVE-2026-27022) affects the Redis checkpointer. With over 50 million monthly downloads, self-hosted LangGraph deployments exposing user-controlled state history filters are directly at risk.

Claude Fable 5 Prompt Injection Jailbreak Resistance

Claude Fable 5 Prompt Injection Jailbreak Resistance

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.8 The Hacker News

Anthropic has released Claude Fable 5 with a classifier-based safety layer that routes flagged offensive cyber, bio, and model-distillation requests to a weaker fallback model, while reserving full capabilities in a twin model (Mythos 5) for vetted defenders. The architecture represents a novel approach to dual-use AI risk mitigation but introduces measurable false-positive friction and raises questions about the robustness of classifier-only defences. An external bug bounty of over 1,000 hours found no universal jailbreak, though the conservative tuning and <5% fallback rate leave open questions about real-world bypass rates under adversarial pressure.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.