LIVE FEED
AWS SageMaker Ships 100+ Inference Metrics to CloudWatch

AWS SageMaker Ships 100+ Inference Metrics to CloudWatch

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 AWS Machine Learning Blog

AWS has released a deep observability layer for SageMaker AI inference endpoints, emitting over 100 metrics covering GPU health, KV cache pressure, token-level latency, and traffic distribution into a native CloudWatch Insights dashboard with PromQL-compatible export. For defenders, this centralised telemetry surface introduces new reconnaissance and exfiltration vectors: an adversary with read access to CloudWatch or connected third-party tools (Grafana, Datadog) can infer model architecture, request patterns, and capacity limits without touching the model itself. The richness of these signals also raises insider-threat risk, as operational staff now have granular visibility into inference behaviour that can be leveraged to reverse-engineer model characteristics or plan targeted denial-of-service campaigns.

AWS Launches Amazon Bedrock AgentCore Harness

AWS Launches Amazon Bedrock AgentCore Harness

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 AWS Machine Learning Blog

AWS has made Amazon Bedrock AgentCore Harness generally available, providing a managed abstraction layer that reduces agent deployment to two API calls while bundling sandboxed compute, persistent memory, tool gateway, browser access, identity management, and observability. For defenders, this dramatically lowers the barrier to deploying autonomous agents with filesystem access, shell execution, web browsing, and multi-provider model switching — compressing what was a weeks-long infrastructure project into minutes. Security teams face an expanded attack surface where prompt injection, tool abuse, cross-session memory poisoning, and supply chain risks through AWS-curated skill catalogs now arrive as a single, tightly integrated managed service rather than individually reviewable components.

Microsoft AutoGen Studio RCE via MCP Bypass

Microsoft AutoGen Studio RCE via MCP Bypass

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 9.1 Microsoft Security Blog

Researchers at Microsoft identified a three-stage exploit chain in AutoGen Studio that allows a malicious web page visited by a browsing AI agent to reach the host's local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes. The chain exploits a bypassable origin allowlist, authentication middleware that excluded MCP endpoints, and unsanitised URL-derived command parameters. Although the vulnerable surface was never shipped in a PyPI release, the finding exposes a systemic architectural risk in any agent framework that combines untrusted browsing with privileged localhost services.

Midjourney Medical Releases Full-Body AI Ultrasound Scanner

Midjourney Medical Releases Full-Body AI Ultrasound Scanner

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 The Verge AI

Midjourney Medical has announced a full-body ultrasound scanner that uses a ring of sensors and AI processing to generate MRI-comparable internal body imagery, representing a significant pivot from image generation into AI-assisted medical diagnostics hardware. The convergence of AI inference pipelines with sensitive biometric and anatomical data creates new attack surfaces around health data exfiltration, model output manipulation, and diagnostic integrity. Defenders in healthcare and enterprise wellness programmes should treat this class of device as a high-sensitivity AI-enabled medical endpoint requiring strict data governance and supply chain vetting.

Odyssey Launches Physical World Model Platform Backed by Amazon

Odyssey Launches Physical World Model Platform Backed by Amazon

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.2 TechCrunch AI

Odyssey has raised a $310M Series B to scale its world model platform, which ingests real-world physical environment data to generate interactive simulations, video, and training environments for robotics and gaming. The platform's reliance on large-scale physical data collection, multi-tenant simulation outputs, and deep AWS infrastructure integration introduces supply chain, data poisoning, and adversarial simulation risks defenders should assess. Organizations consuming Odyssey-generated synthetic environments for robotics training or game content pipelines are newly exposed to integrity attacks targeting the underlying world model.

OpenAI Launches ChatGPT for Science with Institutional Access

OpenAI Launches ChatGPT for Science with Institutional Access

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 5.8 BleepingComputer

OpenAI is internally testing a specialised 'ChatGPT for Science' subscription tier, likely restricted to verified universities and research institutions, building on capabilities from GPT-Rosalind — a purpose-built life sciences model already deployed under a trusted-access structure with select pharma partners. The gated, domain-specific nature of this offering creates novel identity and access verification attack surfaces, as threat actors will likely probe credential and institutional verification mechanisms to gain privileged access to specialised scientific knowledge. Defenders at academic and research institutions should anticipate increased phishing campaigns targeting institutional credentials and prepare governance frameworks for AI use in sensitive research environments.

Z.ai Releases GLM-5.2 Open-Weights 753B LLM

Z.ai Releases GLM-5.2 Open-Weights 753B LLM

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 6.2 Simon Willison

Z.ai has released GLM-5.2, a 753-billion-parameter mixture-of-experts model under an MIT license, ranking as the top open-weights model on the Artificial Analysis Intelligence Index and second on the Code Arena WebDev leaderboard. For defenders, the combination of frontier-level capability, unrestricted open-weights distribution, and a 1-million-token context window materially lowers the barrier for threat actors to self-host a highly capable model outside any provider's safety controls. The model's agentic coding performance and massive context window expand the viable attack surface for automated code generation, targeted phishing, and large-scale document analysis without API-level monitoring.

Anthropic Ships Claude Fable 5 with Exploit Generation

Anthropic Ships Claude Fable 5 with Exploit Generation

FIRST LOOK ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 8.7 Wired Security

Anthropic's Mythos 5 and Claude Fable 5 represent the arrival of frontier AI models with demonstrated, advanced vulnerability discovery and exploit-development capabilities — a capability class that will rapidly proliferate across multiple vendors and open-weight releases. The core attack surface is not model-specific: guardrail bypass of the consumer-facing Fable 5 exposes full Mythos-grade offensive capability to any actor who can defeat the content filters, while the broader proliferation trajectory means defenders must assume adversary access to equivalent capabilities within months. The regulatory response addresses a single vendor while doing nothing to raise the floor for the broader ecosystem of competitive and open-weight models following close behind.

Google Launches Android 17 with Gemini Omni Integration

Google Launches Android 17 with Gemini Omni Integration

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.2 TechCrunch AI

Android 17 embeds Gemini Omni and multiple AI models (Lyria 3, AudioLM) directly into OS-level functions including video editing, call handling, screen recording, and emergency detection, dramatically expanding the attack surface for AI-assisted exploitation on mobile endpoints. The deep integration of conversational AI with device sensors, media pipelines, and inter-app communication creates novel prompt injection and data exfiltration vectors that existing mobile threat defences were not designed to address. The simultaneous AirDrop interoperability expansion and cross-device Pixel Watch mirroring further widen the lateral movement surface across the Google hardware ecosystem.

NVIDIA Launches XR AI for Agentic AR Glasses

NVIDIA Launches XR AI for Agentic AR Glasses

FIRST LOOK ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.2 NVIDIA AI Blog

NVIDIA XR AI puts multimodal agentic systems directly into AR glasses, fusing continuous video, audio, depth, and pose data with enterprise knowledge retrieval and tool execution — creating a persistent, always-on sensor exfiltration and prompt injection surface that sits inches from a worker's face. The framework connects to industrial systems, digital twins, and enterprise RAG backends, meaning a compromised agent can pivot from perceptual data into operational technology networks. Because the inputs are environmental and largely uncontrolled, adversarial content placed in the physical world (signage, screens, spoken commands) becomes a viable injection vector against enterprise infrastructure.

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

Vertex AI SDK Bucket Squatting Flaw Enables Model Hijack

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

A vulnerability in the Google Cloud Vertex AI Python SDK allowed unauthenticated attackers to intercept model uploads by pre-registering predictable staging bucket names — a technique Unit 42 calls 'Pickle in the Middle'. Once a malicious model replaced the legitimate upload, arbitrary code executed inside Google's serving infrastructure via pickle deserialization. Google patched the flaw in v1.148.0 after disclosure in March 2026, but the incident highlights systemic risks in ML pipeline supply chains.

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

AWS Launches Agent-EvalKit for LLM-Powered Agent Evaluation

FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely ▲ 6.8 AWS Machine Learning Blog

Agent-EvalKit introduces an open-source evaluation pipeline that integrates LLM-as-judge evaluators and AI coding assistants directly into agent development workflows, creating new attack surfaces where poisoned test cases, manipulated ground-truth datasets, and adversarial evaluation prompts could corrupt agent quality signals. The toolkit's deep code-reading access via Claude Code, Kiro CLI, and Kilo Code means a compromised evaluation run could exfiltrate source code or inject malicious recommendations into the development pipeline. Because evaluation outputs drive concrete code changes, adversarial manipulation of the eval layer has downstream consequences for production agent behaviour.

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

Agentjacking Attack Achieves 85% Success Rate Against AI Coding Agents via Sentry MCP

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

Tenet Security has disclosed 'Agentjacking', a novel attack class that exploits the implicit trust AI coding agents place in Model Context Protocol (MCP) data sources. By injecting malicious instructions into Sentry error events via publicly accessible DSN credentials, attackers can cause agents like Claude Code and Cursor to execute arbitrary code with full developer privileges. Researchers confirmed 2,388 exposed organisations and an 85% exploitation success rate in controlled testing, with no prior access to victim infrastructure required.

OpenClaw Agent Vulnerable to Prompt Injection RCE

OpenClaw Agent Vulnerable to Prompt Injection RCE

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 8.5 The Hacker News

Two independent research teams demonstrated that OpenClaw, a self-hosted AI agent, is vulnerable to prompt injection attacks delivered through shared contacts, vCards, location pins, and plain emails — enabling attacker-controlled code execution and sensitive data exfiltration. Imperva's finding, now patched in version 2026.4.23, exploited the agent's failure to mark message objects as untrusted before passing them to the underlying LLM. Varonis separately showed that a single crafted email could instruct an agent to forward mock AWS credentials and customer data to an external address, a behaviour-level risk no patch can fully remediate.

Claude Fable 5 Jailbreak Extracts System Prompts

Claude Fable 5 Jailbreak Extracts System Prompts

ATLAS OWASP HIGH Significant risk · Prioritise patching ▲ 7.5 SecurityWeek

Security researcher Pliny the Liberator claimed a prompt-based jailbreak of Anthropic's newly launched Claude Fable 5 model, allegedly extracting the internal system prompt and eliciting responses on high-risk topics including bioweapons and cyberattacks. Anthropic disputed the claim, arguing the technique merely coaxes conversational continuation rather than bypassing core safety classifiers. The incident highlights ongoing tension between AI safety assurances at launch and real-world adversarial probing, particularly for Mythos-class models with elevated capability ceilings.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.