Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
Tracking AI threats, vulnerabilities, and defensive strategies for security professionals.
Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
Three high-severity vulnerabilities in the OpenClaw AI assistant allow a remotely-sent WhatsApp message to trigger host code execution, SSH key theft, and Docker socket escape. All three are patched in version 2026.6.6.
A 15-year-old Linux kernel use-after-free bug with a public 97%-reliable exploit gives any local attacker root in under five seconds. GPU training clusters, Jupyter servers, and LLM inference nodes are directly in scope.
A Wake Forest University empirical study found 282 of 444 iOS AI apps expose exploitable LLM credentials through network traffic. Three months after responsible disclosure, 72% remained vulnerable.
NCC Group researchers exposed Kitana, an adversary-in-the-middle fraud platform that uses AI to generate visitor-specific decoy pages and hijack payment sessions in hospitality and e-commerce environments. A related campaign exploits prompt injection to trick AI agents into authorising cryptocurrency payments.
Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
Three high-severity vulnerabilities in the OpenClaw AI assistant allow a remotely-sent WhatsApp message to trigger host code execution, SSH key theft, and Docker socket escape. All three are patched in version 2026.6.6.
NCC Group researchers exposed Kitana, an adversary-in-the-middle fraud platform that uses AI to generate visitor-specific decoy pages and hijack payment sessions in hospitality and e-commerce environments. A related campaign exploits prompt injection to trick AI agents into authorising cryptocurrency payments.
A 15-year-old Linux kernel use-after-free bug with a public 97%-reliable exploit gives any local attacker root in under five seconds. GPU training clusters, Jupyter servers, and LLM inference nodes are directly in scope.
A two-stage exploit chain in vLLM's multimodal video processing bypasses ASLR through PIL exception leakage, then achieves heap overflow via a malicious JPEG2000 file, giving unauthenticated attackers code execution on inference servers.
A coordinated disclosure of 13 critical vm2 vulnerabilities in May 2026 exposed a structural problem: AI agent frameworks that use vm2 as a code execution sandbox convert a prompt injection into host-level RCE the moment the sandbox breaks. Here's the chain and what to do about it.
Sysdig's Threat Research Team documented the first fully agentic ransomware operation: an LLM-driven attacker that exploited Langflow, pivoted to a production Nacos instance, and encrypted 1,342 database configurations without human direction at any step.
Sysdig has documented JADEPUFFER, a threat actor that used an LLM agent to drive an entire ransomware operation autonomously — from Langflow exploitation through database encryption. The attack encrypted 1,342 production configuration items using an ephemeral key that makes recovery impossible.
TeamPCP, tracked as UNC6780 by Google's Threat Intelligence Group, ran three coordinated supply chain campaigns in 2026 — poisoning Trivy, LiteLLM, and 170+ npm/PyPI packages — culminating in the theft of 3,800 GitHub internal repositories.
A Wake Forest University empirical study found 282 of 444 iOS AI apps expose exploitable LLM credentials through network traffic. Three months after responsible disclosure, 72% remained vulnerable.
Microsoft Incident Response published research showing how attackers can hijack agentic AI workflows by planting hidden instructions in MCP tool description fields — a vector that bypasses most current enterprise controls because each step the agent takes looks routine.
Researchers from Oxford and Meta demonstrate that four of five frontier LLMs exfiltrate sensitive data from multi-agent orchestrator systems via a single indirect prompt injection, bypassing access controls entirely.
A June 2026 arxiv paper demonstrates that model extraction attacks have a detectable semantic signature in API traffic — and that simple statistical detection outperforms complex filtering approaches.
AI agents generate a new class of security event that existing SIEM infrastructure was not designed to process. DeepMind's June 2026 control roadmap, OWASP's Agentic Top 10, and the EU AI Act's August logging deadline all converge on the same problem: security teams cannot monitor what they are not capturing.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
Meta's AI support chatbot had a confused deputy flaw allowing attackers to hijack Instagram accounts via recovery requests. 20,225 accounts compromised over 45 days.
A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, 2026, via stolen contributor PAT and malicious AI coding tool configs. Contained in 105 seconds.
An NHS trust confirmed adversarial perturbations applied to medical images caused systematic misclassification by its AI diagnostic system, resulting in incorrect preliminary diagnoses.