Microsoft attributes the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state actor: 144 packages backdoored via a hijacked contributor account, targeting LLM API keys, cloud credentials, and cryptocurrency wallets.
Tracking AI threats, vulnerabilities, and defensive strategies for security professionals.
Johann Rehberger's DEF CON Singapore research demonstrates how indirect prompt injection chains into Microsoft Copilot's memory feature to plant a persistent backdoor — one that survives across every future session, not just the compromised one.
CVE-2026-47729 (Squidbleed) is a heap buffer overread in Squid Proxy's FTP parser, present since 1997, discovered by Anthropic's Claude Mythos Preview: it leaks users' HTTP credentials and session tokens in corporate and shared proxy environments.
Sysdig caught a threat actor using a misconfigured Ollama instance as the reasoning engine for an automated offensive pentesting framework — a significant escalation from credential theft to weaponised AI infrastructure.
Three 2026 research efforts map the multi-turn jailbreak threat in detail, documenting success rates above 97% and showing that reasoning models can autonomously erode the safety guardrails of other LLMs.
Tenet Security's Threat Labs published research on June 17 demonstrating how a single fake Sentry error event can hijack AI coding agents like Claude Code and Cursor into executing arbitrary code on developer machines — no phishing, no infrastructure access, 85% success rate across 100+ tested organisations.
A critical flaw in Hugging Face Transformers lets attackers execute arbitrary code on anyone who loads a poisoned model, silently bypassing the trust_remote_code=False safety flag. 232 million vulnerable downloads preceded the March patch.
North Korea's FAMOUS CHOLLIMA operation has expanded beyond revenue generation into systematic AI intellectual property theft, placing fake engineers inside foundation model developers, GPU cloud providers, and AI safety organisations. CrowdStrike, Microsoft, and the DOJ have documented the mechanism. The AI industry has not caught up.
A newly attributed state-sponsored threat actor is targeting AI development infrastructure to poison training datasets and embed persistent backdoors in deployed models.
PhantomSynth is a financially motivated threat actor that has industrialised LLM-generated spear phishing, dramatically reducing the cost of targeted social engineering at scale.
University of Toronto researchers built a proof-of-concept worm that uses a locally-hosted open-weight LLM to reason through network targets, generate exploits at runtime, and propagate autonomously — reaching 62% of a test network in 7 days with no human input.
NeuralTrust researchers published details of a new image generation jailbreak called Semantic Chaining that breaks safety filters in Grok 4, Gemini Nano, and other multimodal models by exploiting how each editing step is evaluated in isolation.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
The OWASP Top 10 for LLM Applications (v2.0): each vulnerability class, real-world observed attacks, and defensive controls for enterprise AI teams.
The NSA AISC's May 2026 CIS on MCP security: authentication gaps, tool poisoning via unsigned dynamic discovery, session-identity binding failures, and compensating controls.
Meta's AI support chatbot had a confused deputy flaw allowing attackers to hijack Instagram accounts via recovery requests. 20,225 accounts compromised over 45 days.
A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, 2026, via stolen contributor PAT and malicious AI coding tool configs. Contained in 105 seconds.
An NHS trust confirmed adversarial perturbations applied to medical images caused systematic misclassification by its AI diagnostic system, resulting in incorrect preliminary diagnoses.