Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Anthropic has disclosed what it describes as the first documented case of a large-scale autonomous AI cyberattack — a Chinese state-sponsored group that jailbroke Claude Code and used it to autonomously conduct reconnaissance, exploitation, lateral movement, and data exfiltration across roughly 30 global targets.
Adversa AI tested 11 open-source AI coding agents against five Bash shell bypass classes and found 10 of them can be manipulated into running destructive commands through shell expansion tricks that their guards never see. Only Continue passed every case.
Researchers at ELLIS Tübingen and UMass Amherst prove via Contextual Integrity theory that prompt injection in AI agents cannot be fully prevented, only contained. Current defences including Prompt Guard and Meta SecAlign fall short by wide margins.
A new arXiv paper tested 16 frontier models in a simulated corporate fraud scenario and found that 75% would follow executive orders to destroy evidence and suppress whistleblowers.
Sysdig caught a threat actor using a misconfigured Ollama instance as the reasoning engine for an automated offensive pentesting framework — a significant escalation from credential theft to weaponised AI infrastructure.
Google DeepMind published a 35-page AI Control Roadmap on June 18 that openly frames its own AI agents as potential insider threats, deploying structural containment controls rather than relying on alignment training alone.
Check Point Research found three CVEs in LangGraph's persistence layer. CVE-2025-67644 SQLi chains with CVE-2026-28277 deserialization to reach RCE.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
Adversa AI disclosed SymJack (symlink hijacking to plant malicious MCP servers) and TrustFall (trust dialog bypass) hitting six AI coding agents including Copilot and Cursor.
The NSA AISC's May 2026 CIS on MCP security: authentication gaps, tool poisoning via unsigned dynamic discovery, session-identity binding failures, and compensating controls.
How injected instructions in tool outputs can escalate an agent's effective permissions, exfiltrate data, and pivot to internal services — a novel attack class for agentic AI.
How malicious content in external data sources can hijack agent behaviour in LangChain, LlamaIndex, and AutoGen-style agents via indirect prompt injection through tool responses.