Check Point Research demonstrated that a frontier AI model independently discovered a viable ransomware attack path using Chrome's File System Access API — no native payload, no exploited vulnerability, no root access required.
Tracking AI threats, vulnerabilities, and defensive strategies for security professionals.
Check Point Research demonstrated that a frontier AI model independently discovered a viable ransomware attack path using Chrome's File System Access API — no native payload, no exploited vulnerability, no root access required.
Sysdig's Threat Research Team documented the first fully agentic ransomware operation: an LLM-driven attacker that exploited Langflow, pivoted to a production Nacos instance, and encrypted 1,342 database configurations without human direction at any step.
Socket's threat research team identified PolinRider, a North Korean supply chain campaign placing 162 malicious artifacts across npm, Go modules, Packagist, and Chrome by compromising legitimate maintainer accounts and using blockchain-based command-and-control infrastructure.
Two critical vulnerabilities in Cursor IDE, CVE-2026-50548 and CVE-2026-50549 (collectively DuneSlide), allow prompt injection attacks to escape the editor's sandbox and execute arbitrary code at the OS level — with no user click required. All Cursor versions before 3.0 are affected. Cato Networks disclosed publicly on July 3, 2026.
Sysdig has documented JADEPUFFER, a threat actor that used an LLM agent to drive an entire ransomware operation autonomously — from Langflow exploitation through database encryption. The attack encrypted 1,342 production configuration items using an ephemeral key that makes recovery impossible.
Check Point Research demonstrated that a frontier AI model independently discovered a viable ransomware attack path using Chrome's File System Access API — no native payload, no exploited vulnerability, no root access required.
Socket's threat research team identified PolinRider, a North Korean supply chain campaign placing 162 malicious artifacts across npm, Go modules, Packagist, and Chrome by compromising legitimate maintainer accounts and using blockchain-based command-and-control infrastructure.
Two critical vulnerabilities in Cursor IDE, CVE-2026-50548 and CVE-2026-50549 (collectively DuneSlide), allow prompt injection attacks to escape the editor's sandbox and execute arbitrary code at the OS level — with no user click required. All Cursor versions before 3.0 are affected. Cato Networks disclosed publicly on July 3, 2026.
A two-stage exploit chain in vLLM's multimodal video processing bypasses ASLR through PIL exception leakage, then achieves heap overflow via a malicious JPEG2000 file, giving unauthenticated attackers code execution on inference servers.
A coordinated disclosure of 13 critical vm2 vulnerabilities in May 2026 exposed a structural problem: AI agent frameworks that use vm2 as a code execution sandbox convert a prompt injection into host-level RCE the moment the sandbox breaks. Here's the chain and what to do about it.
A three-flaw chain in Microsoft AutoGen Studio's MCP WebSocket surface lets a malicious webpage execute arbitrary commands on the host via an AI browsing agent. Microsoft patched in June 2026.
Sysdig's Threat Research Team documented the first fully agentic ransomware operation: an LLM-driven attacker that exploited Langflow, pivoted to a production Nacos instance, and encrypted 1,342 database configurations without human direction at any step.
Sysdig has documented JADEPUFFER, a threat actor that used an LLM agent to drive an entire ransomware operation autonomously — from Langflow exploitation through database encryption. The attack encrypted 1,342 production configuration items using an ephemeral key that makes recovery impossible.
TeamPCP, tracked as UNC6780 by Google's Threat Intelligence Group, ran three coordinated supply chain campaigns in 2026 — poisoning Trivy, LiteLLM, and 170+ npm/PyPI packages — culminating in the theft of 3,800 GitHub internal repositories.
Research confirms that text embeddings stored in vector databases are not safely anonymised. Inversion attacks can reconstruct source text with high fidelity from embeddings alone, including those produced by commercial APIs.
Researchers from Toronto, Cambridge, and ServiceNow demonstrated an AI worm that ingests public vulnerability advisories at runtime and synthesises working exploits for CVEs it was never trained on, successfully compromising targets across a simulated network.
Unit 42 found that LLMs reliably hallucinate plausible-but-fake domains for real brands. Attackers now probe AI models to identify those domains, register them first, and inherit the trust the model projects onto addresses that never existed.
A June 2026 arxiv paper demonstrates that model extraction attacks have a detectable semantic signature in API traffic — and that simple statistical detection outperforms complex filtering approaches.
AI agents generate a new class of security event that existing SIEM infrastructure was not designed to process. DeepMind's June 2026 control roadmap, OWASP's Agentic Top 10, and the EU AI Act's August logging deadline all converge on the same problem: security teams cannot monitor what they are not capturing.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
Meta's AI support chatbot had a confused deputy flaw allowing attackers to hijack Instagram accounts via recovery requests. 20,225 accounts compromised over 45 days.
A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, 2026, via stolen contributor PAT and malicious AI coding tool configs. Contained in 105 seconds.
An NHS trust confirmed adversarial perturbations applied to medical images caused systematic misclassification by its AI diagnostic system, resulting in incorrect preliminary diagnoses.