Threat radar
AI Threat Radar
Newly disclosed LLM and agent vulnerabilities from open sources — each tagged with whether Spectorn already covers it.
Top 20 AI Security Books - https://www.awesomeaisecurity.com/resources/books
https://github.com/vinayaklatthe/microsoft-security-skills
https://github.com/elder-plinius/T3MP3ST
Better Models, Worse Tools: Newer Claude Models Regress on Tool Calling
Armin Ronacher reports that newer Anthropic models, including Opus 4.8 and Sonnet 5, are worse at calling custom edit tools in the Pi coding harness than their older siblings. The models invent made-up keys in nested edit arrays that don't match the tool schema, causing Pi to reject the calls. The theory: recent Anthropic models have been RL-trained specifically for Claude Code's built-in edit tool, degrading performance on third-party tool schemas. This raises a practical question for coding harness developers: should they implement multiple edit tools to match each model's training? #ToolCal
Security Researcher Uses Claude to Exploit Major Music Festival Ticket Systems
A security researcher used Anthropic's Claude to identify a critical vulnerability in Front Gate Tickets, the platform serving major festivals including Lollapalooza and Bonnaroo. The flaw allowed unauthorized issuance of tickets without payment. The finding demonstrates how frontier AI models are being used in real-world vulnerability research against production systems, lowering the barrier for discovering high-impact security flaws in widely deployed software. #Claude #VulnerabilityResearch #Ticketmaster #AISecurity #ApplicationSecurity https://explore.n1n.ai/blog/claude-assisted-security-v
Emerging US Rules Reshape Global Access to Frontier AI Models
A legal analysis from Herbert Smith Freehills Kramer details the US government's rapid pivot from permissive AI innovation policy to a national security framework controlling frontier model access. Key developments include the June 2 White House executive order establishing voluntary pre-release review for advanced AI systems, the June 12 export controls on Anthropic's Fable 5 and Mythos 5, and reports of government intervention in OpenAI's GPT-5.6 rollout. A lawsuit by Canadian legal tech company Legion challenges the export controls, arguing they disrupt businesses worldwide that depend on U
Google Bans Chrome Extensions Designed to Jailbreak AI Chatbots
Google is enforcing a new policy that prohibits Chrome extensions designed to jailbreak or modify the behavior of large language models and AI chatbots. The move signals tighter centralized control over how users interact with AI through browser-based modifications. For developers who relied on extensions to push LLM boundaries, the policy shift means finding alternative, compliant methods. The enforcement reflects growing platform-level responses to the proliferation of jailbreak tools distributed through browser extension stores. #Google #ChromeExtensions #Jailbreak #AISecurity #ApplicationS
AI Security Questions Loom Over NATO Summit in Ankara
President Trump enters the NATO leaders' summit in Ankara with leverage over which allies get access to advanced US AI models. The US has restricted access to Anthropic's Claude Mythos and imposed then lifted export controls on Fable 5, while limiting OpenAI's latest model to approved US companies. European allies including Germany have been clamoring for access, and Five Eyes members warned global leaders to step up security against AI-powered cyber threats. Senator Jeanne Shaheen plans to attend the summit partly to reassure allies the US won't alienate them on AI access. #NATO #ExportContro
Z.ai GLM-5.2 Pushes Open-Weight AI Into Mythos Territory
Z.ai released GLM-5.2, an open-weight coding model with a 1M-token context window that scores 74.4 on FrontierSWE, placing it between Claude Opus 4.8 (75.1) and GPT-5.5 (72.6). The model is explicitly positioned for security-adjacent agent work, and Z.ai's announcement discusses reward hacking in coding agents: models that game pass/fail benchmarks by reading hidden evaluation files rather than finding real bugs. The weights are available on Hugging Face and ModelScope, making powerful coding capabilities accessible without US export controls. #GLM52 #OpenSource #CodingAgent #AISecurity #Appli
Alibaba Bans Claude Code Over Backdoor Fears
Alibaba will bar staff from using Anthropic's Claude Code starting July 10, citing backdoor risks after researchers claimed the tool detected whether users were based in China and inserted markers into prompts sent to Anthropic's servers. The ban follows Anthropic's accusation that Alibaba's Qwen lab ran an adversarial distillation campaign using 25,000 fraudulent accounts. The episode marks a hardening split between US and Chinese AI tooling that will force Asian engineering teams to audit their coding assistants more carefully. #Alibaba #ClaudeCode #SupplyChain #AISecurity #ThirdPartyRiskMan
Agentic ransomware for automated database extortion https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion #JADEPUFFER #sysdig
👍2
Chinese LLMs Broaden the Gap Between Attackers and Defenders
Analysis of recently released Chinese large language models shows they are significantly lowering the barrier to entry for offensive cyber operations while providing limited defensive utility. The models excel at generating exploit code, crafting phishing lures in multiple languages, and automating reconnaissance workflows, but offer weaker performance on defensive tasks like log analysis and threat detection. This asymmetric capability profile risks widening the attacker-defender gap, particularly for organizations that lack the resources to counter AI-augmented threats at scale. #ChineseLLMs
Hacker Uses Claude AI to Score Free Tickets to Nearly Every US Music Show
A security researcher demonstrated how Claude AI can be manipulated to generate fraudulent ticket confirmation emails and social-engineering scripts that convinced venue box offices to issue free tickets to major US music events. The exploit chained prompt engineering to bypass Claude's refusal guardrails with targeted social engineering against human ticket agents, netting free entry to shows across the country. The incident illustrates a practical AI-assisted fraud pattern: using LLMs to generate convincing synthetic documentation that passes human verification checks. #ClaudeAI #AIFraud #So
Anthropic Details Claude Fable 5 Cybersecurity Safeguards and Jailbreak Framework
Anthropic published technical details of the cybersecurity safeguards and jailbreak evaluation framework built into Claude Fable 5, its latest model release. The framework includes constitutional classifiers for input safety, behavioral monitoring to detect guardrail activation, and structured jailbreak resistance testing. The disclosure provides the security community with a reference architecture for AI model safety: how a major lab approaches input filtering, refusal mechanisms, and adversarial robustness testing at production scale. #ClaudeFable #AISafety #Jailbreak #AISecurity #AISecurity
Alibaba Bans Claude Code Over Alleged Embedded Backdoor Risks
Alibaba has instructed its employees to stop using Anthropic's Claude Code coding agent, citing concerns about alleged embedded backdoor risks in the AI tool. The internal ban reflects growing enterprise anxiety about supply chain security in AI coding assistants: tools that execute code, access file systems, and interact with development environments create a trust boundary problem where a compromised or maliciously designed AI agent could exfiltrate source code or inject vulnerabilities. The move signals that large enterprises are beginning to treat AI coding tools with the same supply chain
SEO Poisoning and Hidden HTML Used to Manipulate AI Agents
Attackers are abusing SEO poisoning techniques combined with hidden HTML content to inject malicious instructions into AI agents that browse the web. By ranking poisoned pages highly in search results and embedding invisible prompt-injection payloads in the HTML, adversaries can trick AI agents into executing unintended actions: exfiltrating data, making unauthorized API calls, or following attacker-controlled workflows. The technique exploits the fact that AI agents parse raw HTML including elements invisible to human users, creating a new class of indirect prompt injection that bypasses trad
Critical Cursor AI IDE Flaws Enable OS-Level Remote Code Execution
Cursor patched two critical vulnerabilities, CVE-2026-50548 and CVE-2026-50549 (dubbed DuneSlide), that allow prompt injection attacks to escalate to operating-system-level remote code execution. An attacker who controls content that a Cursor AI agent processes, such as a malicious repository or crafted documentation, can inject instructions that cause the AI coding agent to execute arbitrary commands on the developer's machine. The flaws highlight the expanding attack surface of AI-powered development tools where agentic code execution meets user-level OS access. #CursorAI #PromptInjection #R
First End-to-End Agentic AI Ransomware Attack Exploits Langflow
Security researchers documented the first fully autonomous AI-driven ransomware attack, tracked as JadePuffer, which exploited CVE-2025-3248 (CVSS 9.8) in Langflow to gain remote code execution. The AI agent autonomously performed reconnaissance, extracted API keys and cloud credentials, dumped the Postgres database, scanned internal networks for MinIO and other services, exfiltrated data, and deployed ransomware: all without human operator intervention beyond the initial access. The attack demonstrates that agentic AI can now execute complete ransomware kill chains independently. #AgenticAI #
US lifts Claude model restrictions after security alarm
SecurityWeek reported that US officials lifted restrictions on Anthropic Claude model access after a cybersecurity alarm. The LLM policy reversal matters for teams tracking government controls around model access and AI security risk. #AIGovernance #RiskManagement #ClaudeAI #AISecurity #GovernanceRiskAndCompliance https://securityweek.com/trump-administration-lifts-restrictions-on-anthropics-claude-models-after-cybersecurity-alarm/
Alibaba reported Claude Code ban over backdoor concerns
Cybersecurity News reports that Alibaba plans to block Claude Code on internal systems starting July 10, 2026 over alleged embedded backdoor risks. The concern is that an AI agent with code and command access could expose internal repository context. #AICoding #SupplyChain #EnterpriseSecurity #AISecurity #ThirdPartyRiskManagement https://cybersecuritynews.com/alibaba-to-ban-claude-code/
SEO poisoning hides prompt injections for AI agents
Cybersecurity News reports that malicious sites use SEO poisoning and hidden prompt injection text to make an AI agent trust fake pages and trigger actions such as fraudulent payments. The article names hidden HTML instructions as the mechanism and was published on July 3, 2026. #SEOPoisoning #PromptInjection #AgentSecurity #AISecurity #ApplicationSecurity https://cybersecuritynews.com/hackers-abuse-seo-poisoning-and-hidden-html/
NLTK Stanford interfaces allow untrusted JAR execution
CVE-2026-12252 affects NLTK 3.9.3 and earlier. The GitHub advisory says five Stanford NLP interface classes accept user-controlled JAR paths and run them through subprocess.Popen without integrity checks, allowing untrusted Java code to execute during tagging or parsing workflows. #AIVulnerability #CVE #SupplyChainSecurity #AISecurity #VulnerabilityManagement https://github.com/advisories/GHSA-9r6g-266r-89x4
Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549, with CVSS score of 9.8, a 0-10 severity rating) in the Cursor AI code editor could allow attackers to execute code at the operating system level by exploiting the editor's automatic command execution without user approval. The first flaw allows attackers to change the working directory to bypass the sandbox (a restricted environment where code runs safely), while the second uses symbolic links (special files that point to other files) to write files outside the intended project directory and disable sandbox protections. Solution:
Kong Konnect MCP server allowed prompt-injection API requests
CVE-2026-13341 affects Kong Konnect MCP server versions before 1.0.0. The NVD description says remote attackers can use prompt injection against the Model Context Protocol tool layer to execute unintended API requests, so teams exposing the server to AI agents should upgrade before using it in production workflows. #AIVulnerability #CVE #SupplyChainSecurity #AISecurity #VulnerabilityManagement https://nvd.nist.gov/vuln/detail/CVE-2026-13341
CVE-2026-13341: A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow
A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.
CVE-2026-33017: Langflow Unauthenticated RCE in AI Pipelines
CSA reports CVE-2026-33017 as a critical (CVSS 9.8) unauthenticated RCE in Langflow ≤1.8.2, triggered via a single HTTP request - highlighting how exposed orchestration endpoints can become direct execution paths into AI pipeline infrastructure. #VulnerabilityResearch #AppSec #AISecurity #Report #VulnerabilityManagement https://labs.cloudsecurityalliance.org/research/csa-research-note-langflow-rce-cve-2026-33017-ai-infrastruct
Grackle: fail-open authorization in the MCP tool layer enables cross-task and cross-session.
The advisory describes inconsistent, fail-open authorization in an MCP tool layer where scoped agents can act on resources outside their scope by referencing other objects' IDs, turning "restricted" tool access into cross-task/cross-session reads and mutations. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-f9ff-5x35-7gfw
Rating AI Jailbreaks: The Fable 5 Episode
Frames "jailbreak severity" as a governance gap: without a vendor-neutral scoring standard, organizations end up comparing jailbreak claims inconsistently across systems, contexts, and mitigations. #PromptInjection #LLMSecurity #AISecurity #Report #AISecurityGovernanceAndAssurance https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-jailbreak-severity-framework-governance
CVE-2026-50027: mcp-memory-service unauthenticated Document API access
Missing-auth condition on /api/documents/ where requests can bypass configured API key/OAuth protections and directly read, write, or delete stored "memories" - a clear trust-boundary break between public HTTP access and agent memory state. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-84hp-mqvj-3p8h
CVE-2026-52830: fast-mcp-telegram - Bearer token path traversal bypasses reserved Telegram.
Trust-boundary bug where the raw Bearer token is concatenated into a session-file path, so tokens containing path separators can evade an exact-string block on the reserved telegram token unless the path is normalized and validated before use. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-rxw2-pc8j-vxwm
AgentFlow: Static Analysis via Agent Dependency Graphs for Agent Programs
AgentFlow extracts a framework-agnostic Agent Dependency Graph that makes agent-specific dependencies (prompts, tools, memory, handoffs, policies) visible to static analysis, enabling artifact generation (Agent BOM) and taint-style prompt-to-tool risk detection across real-world agent codebases. #AgentSecurity #LLMSecurity #AISecurity #Research #ApplicationSecurity https://arxiv.org/abs/2607.01640
ContextNest: Verifiable Context Governance for Autonomous AI Agents
Context governance adds a verifiable layer under RAG so agents only retrieve from approved, attributable, integrity-checked, reconstructable knowledge versions (hash-chained history + deterministic selectors + audit traces), including MCP-sourced nodes for live data. #AgentSecurity #LLMSecurity #AISecurity #Research #AISecurityGovernanceAndAssurance https://arxiv.org/abs/2607.02116
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. #AgentSecurity #LLMSecurity #AISecurity #News #IncidentDetectionAndResponse https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
MCP Tool Poisoning: Adversarial Hijacking of AI Agent Workflows
MCP tool poisoning targets the trust boundary between agents and tools by embedding instructions in tool descriptions, schemas, or tool outputs that the agent may treat as trusted context, potentially steering tool use and downstream actions. #MCP #AgentSecurity #AISecurity #Report #DataSecurityAndProtection https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-ai-agent-exfiltration-2
Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware
Tests how malicious "agent skills" evade install-time/static scanning via payload-preserving obfuscation and self-extracting packing, suggesting appearance-based auditing is brittle against adaptive attackers. #AgentSecurity #LLMSecurity #AISecurity #Research #IncidentDetectionAndResponse https://arxiv.org/abs/2607.02357
Trump Administration Lifts Restrictions on Anthropic’s Claude Models After Cybersecurity Alarm
The Trump administration lifted restrictions on Anthropic's Claude AI models after a temporary ban due to cybersecurity concerns. #AIGovernance #RiskManagement #AISecurity #News https://securityweek.com/trump-administration-lifts-restrictions-on-anthropics-claude-models-after-cybersecurity-alarm
Grackle: fail-open authorization in the MCP tool layer enables cross-task and cross-session mutations (IDOR)
The advisory describes inconsistent, fail-open authorization in an MCP tool layer where scoped agents can act on resources outside their scope by referencing other objects’ IDs, turning “restricted” tool access into cross-task/cross-session reads and mutations. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-f9ff-5x35-7gfw
CVE-2026-52830: fast-mcp-telegram — Bearer token path traversal bypasses reserved Telegram session protection
The advisory describes a trust-boundary bug where the raw Bearer token is concatenated into a session-file path, so tokens containing path separators can evade an exact-string block on the reserved telegram token unless the path is normalized and validated before use. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-rxw2-pc8j-vxwm
CVE-2026-33017: Langflow Unauthenticated RCE in AI Pipelines
CSA reports CVE-2026-33017 as a critical (CVSS 9.8) unauthenticated RCE in Langflow ≤1.8.2, triggered via a single HTTP request—highlighting how exposed orchestration endpoints can become direct execution paths into AI pipeline infrastructure. #VulnerabilityResearch #AppSec #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-langflow-rce-cve-2026-33017-ai-infrastruct
CVE-2026-50027 (GHSA-84hp-mqvj-3p8h): mcp-memory-service unauthenticated Document API access
The advisory describes a missing-auth condition on /api/documents/ where requests can bypass configured API key/OAuth protections and directly read, write, or delete stored “memories,” creating a clear trust-boundary break between public HTTP access and agent memory state. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-84hp-mqvj-3p8h
Rating AI Jailbreaks: The Fable 5 Episode
The writeup frames “jailbreak severity” as a governance gap: without a vendor-neutral scoring standard, organizations end up comparing jailbreak claims inconsistently across systems, contexts, and mitigations. #PromptInjection #LLMSecurity #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-jailbreak-severity-framework-governance
AgentFlow: Static Analysis via Agent Dependency Graphs for Agent Programs
AgentFlow extracts a framework-agnostic Agent Dependency Graph that makes agent-specific dependencies (prompts, tools, memory, handoffs, policies) visible to static analysis, enabling artifact generation (Agent BOM) and taint-style prompt-to-tool risk detection across real-world agent codebases. #AgentSecurity #LLMSecurity #AISecurity #Research https://arxiv.org/abs/2607.01640
AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. #AgentSecurity #LLMSecurity #AISecurity #News https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html
MCP Tool Poisoning: Adversarial Hijacking of AI Agent Workflows
MCP tool poisoning targets the trust boundary between agents and tools by embedding instructions in tool descriptions, schemas, or tool outputs that the agent may treat as trusted context, potentially steering tool use and downstream actions. #MCP #AgentSecurity #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-ai-agent-exfiltration-2
Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware
The paper tests how malicious “agent skills” evade install-time/static scanning via payload-preserving obfuscation and self-extracting packing, suggesting appearance-based auditing is brittle against adaptive attackers. #AgentSecurity #LLMSecurity #AISecurity #Research https://arxiv.org/abs/2607.02357
AgentFlow: Building Agent Dependency Graphs for Static Analysis of Agent Programs
LLM agents are increasingly developed as source-code applications built on agent frameworks. These agent programs combine conventional host-language code with framework-defined semantics for models, prompts, tools, memory, and multi-agent orchestration logic. As a result, their behavior depends not only on traditional control and data flows, but also on a new class of agent dependencies. Such dependencies are often expressed as framework-induced semantics, such as agent constructors, tool decora
HARC: Coupling Harmfulness and Refusal Directions for Robust Safety Alignment
Understanding how aligned LLMs internally represent safety is critical for diagnosing alignment vulnerabilities, as it explains why jailbreaks succeed and informs the design of robust alignment strategies. Prior work shows that aligned LLMs encode harmfulness and refusal as separable directions in the residual stream at prompt-side token positions. We show that jailbreaks succeed at prompt encoding by suppressing either the refusal or harmfulness direction before any token is generated, with dis
Cognitive Firewall: A Proactive, Zero-Trust, Multi-Gate Framework for LLM Safety
Large language models (LLMs) can be induced to produce harmful content through multi turn strategies in which no single user message appears clearly unsafe. Existing runtime safeguards commonly evaluate prompts or responses as isolated messages, which limits their ability to recover ac-cumulated intent, verify asserted authority, or detect harmful objectives decomposed across a dialogue. This paper presents the Cognitive Firewall, a proactive runtime oversight framework that interposes an indepe