Wiz researchers found that six AI coding assistants will write to your SSH keys or shell config while displaying an innocent-looking filename in the confirmation dialog. The agent knows. The dialog doesn't say.
Wiz researchers found that six AI coding assistants will write to your SSH keys or shell config while displaying an innocent-looking filename in the confirmation dialog. The agent knows. The dialog doesn't say.
TeamPCP, tracked as UNC6780 by Google's Threat Intelligence Group, ran three coordinated supply chain campaigns in 2026 — poisoning Trivy, LiteLLM, and 170+ npm/PyPI packages — culminating in the theft of 3,800 GitHub internal repositories.
Adversa AI tested 11 open-source AI coding agents against five Bash shell bypass classes and found 10 of them can be manipulated into running destructive commands through shell expansion tricks that their guards never see. Only Continue passed every case.
A coordinated disclosure of 13 critical vm2 vulnerabilities in May 2026 exposed a structural problem: AI agent frameworks that use vm2 as a code execution sandbox convert a prompt injection into host-level RCE the moment the sandbox breaks. Here's the chain and what to do about it.
A sandbox bypass in Cursor's agentic mode lets attackers poison shell environment variables through implicitly trusted built-ins, converting approved commands like git branch or python3 into arbitrary code execution.
Microsoft attributes the Mastra AI npm supply chain attack to Sapphire Sleet, a North Korean state actor: 144 packages backdoored via a hijacked contributor account, targeting LLM API keys, cloud credentials, and cryptocurrency wallets.
Tenet Security's Threat Labs published research on June 17 demonstrating how a single fake Sentry error event can hijack AI coding agents like Claude Code and Cursor into executing arbitrary code on developer machines — no phishing, no infrastructure access, 85% success rate across 100+ tested organisations.
A critical flaw in Hugging Face Transformers lets attackers execute arbitrary code on anyone who loads a poisoned model, silently bypassing the trust_remote_code=False safety flag. 232 million vulnerable downloads preceded the March patch.
Fifteen malicious IDE plugins on the JetBrains Marketplace, posing as AI coding assistants powered by DeepSeek and OpenAI, have been silently exfiltrating AI API keys since October 2025. Researchers say the plugins are still live and the install count has passed 70,000.
An attacker compromised a stale npm contributor account on June 17, 2026 and republished 144 packages in the @mastra scope with a malicious typosquatted dependency that installs a cryptocurrency-stealing RAT. Developers building AI applications with Mastra's 1.1 million weekly downloads should rotate all credentials immediately.
Palo Alto Networks Unit 42 disclosed a Vertex AI SDK vulnerability where predictable staging bucket names let attackers hijack model uploads and achieve code execution across tenant boundaries. Patched in April 2026, disclosed June 16.
LLMs suggest non-existent package names in 20-30% of coding responses. Attackers register these hallucinated names with malicious payloads — slopsquatting as a supply chain attack.
The OWASP Top 10 for LLM Applications (v2.0): each vulnerability class, real-world observed attacks, and defensive controls for enterprise AI teams.
A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, 2026, via stolen contributor PAT and malicious AI coding tool configs. Contained in 105 seconds.
Adversa AI disclosed SymJack (symlink hijacking to plant malicious MCP servers) and TrustFall (trust dialog bypass) hitting six AI coding agents including Copilot and Cursor.
depthfirst's autonomous security agent scanned FFmpeg's 1.5M lines of C code and found 21 confirmed zero-days with working PoC inputs, some dormant for over 20 years.
A flawed permission check in Anthropic's Claude Code GitHub Action allowed attackers to use prompt injection via a crafted issue to steal CI/CD secrets. Patched in v1.0.94.
Hundreds of backdoored and malware-laced models have been found in public AI registries. Covers pickle RCE, activation-trigger backdoors, and enterprise controls for model intake.
Threat actors embed prompt injection payloads in third-party LLM plugins and data sources to hijack AI agent actions, exfiltrate data, and pivot within enterprise environments.
A newly attributed state-sponsored threat actor is targeting AI development infrastructure to poison training datasets and embed persistent backdoors in deployed models.
How to implement an AI Software Bill of Materials capturing base models, adapters, training datasets, and dependencies — and use it for supply chain risk and compliance.
Backdoor behaviours introduced into LLMs during fine-tuning can persist through subsequent safety alignment including RLHF and adversarial training, surviving standard red-teaming.
NIST AI RMF 2.0 significantly expands guidance on adversarial ML threats, model supply chain security, and AI-specific incident response. Key changes for security teams.