Security researchers have identified hundreds of backdoored and malware-laced models in public AI registries. Most organisations pulling models from Hugging Face and similar platforms have no controls in place to detect them.
Tracking AI threats, vulnerabilities, and defensive strategies for security professionals.
The NSA's Artificial Intelligence Security Center released a Cybersecurity Information Sheet on Model Context Protocol security in May 2026, flagging serious gaps in authentication, trust boundaries, and access control that most enterprise agentic deployments have not addressed.
Sysdig documented an attacker using an LLM agent to autonomously drive lateral movement from a marimo RCE to a PostgreSQL database dump across four pivots in under two minutes. Real-time decisions, no pre-written playbook.
Retrieval-Augmented Generation has become the default architecture for enterprise AI deployments. It has also created a new class of attack surface that most security teams have not assessed. Document poisoning, indirect prompt injection via retrieved content, and access control gaps are showing up in production systems right now.
Automated AI vulnerability research found 10,000 critical flaws in a month. Mandiant reports 28.3% of CVEs exploited within 24 hours of disclosure. The implications for defenders are uncomfortable.
CISA has released sector-specific AI security guidelines for critical infrastructure operators, covering threat modelling for AI systems, incident response procedures, and minimum security baseline requirements aligned with the NIST AI RMF.
Threat actors are embedding prompt injection payloads in third-party LLM plugins and data sources to hijack AI agent actions, exfiltrate data, and pivot within enterprise environments.
A server-side request forgery vulnerability in Ollama allows attackers on the local network to read arbitrary files and make requests to internal services via the model pull endpoint. Affects all versions prior to 0.3.8.
A newly attributed state-sponsored threat actor is systematically targeting AI development infrastructure to poison training datasets and embed persistent backdoors in commercially deployed models.
PhantomSynth is a financially motivated threat actor that has industrialised the use of LLMs to generate hyper-personalised spear phishing lures at scale, dramatically lowering the cost of targeted social engineering campaigns.
GhostCircuit is a ransomware-as-a-service operation that has integrated LLM-based tooling into its post-compromise reconnaissance phase, dramatically accelerating the time from initial access to ransomware deployment.
Research demonstrates that LLMs with large context windows can be reliably jailbroken by embedding hundreds of fictitious dialogues before the target request, a technique that scales with context length and bypasses standard safety training.
New research demonstrates that backdoor behaviours introduced into LLMs during fine-tuning can persist through subsequent safety alignment procedures, including RLHF and adversarial training, posing significant supply chain risks.
How to implement an AI Software Bill of Materials (AI-SBOM) that captures the full component graph of a deployed AI system: base models, adapters, training datasets, and dependencies, and how to use it to manage supply chain risk and regulatory compliance.
A practical framework for implementing prompt injection detection and containment at the API gateway layer: covering input sanitisation, context isolation, output filtering, and anomaly-based detection for production LLM deployments.
An NHS trust has confirmed a security incident in which adversarial perturbations were applied to medical images prior to processing by an AI-assisted diagnostic system, causing systematic misclassification in a radiology screening programme.
A UK insurance provider has disclosed that its AI customer service chatbot, due to an IDOR vulnerability in the underlying API and excessive tool permissions, allowed authenticated users to retrieve policy documents and PII belonging to other customers.
A detailed post-mortem of a multi-stage intrusion in which threat actors used LLM-generated spear phishing, AI-assisted credential stuffing, and automated reconnaissance to compromise a wealth management firm: from initial access to detection.