Threat radar

AI Threat Radar

Newly disclosed LLM and agent vulnerabilities from open sources — each tagged with whether Spectorn already covers it.

Tracked
187
Covered
100%
This week
187
Mediuminfra

Top 20 AI Security Books - https://www.awesomeaisecurity.com/resources/books

AISecHubTracked
Mediumother

https://github.com/vinayaklatthe/microsoft-security-skills

AISecHubTracked
Mediumother

https://github.com/elder-plinius/T3MP3ST

AISecHubTracked
Mediumother

Better Models, Worse Tools: Newer Claude Models Regress on Tool Calling

Armin Ronacher reports that newer Anthropic models, including Opus 4.8 and Sonnet 5, are worse at calling custom edit tools in the Pi coding harness than their older siblings. The models invent made-up keys in nested edit arrays that don't match the tool schema, causing Pi to reject the calls. The theory: recent Anthropic models have been RL-trained specifically for Claude Code's built-in edit tool, degrading performance on third-party tool schemas. This raises a practical question for coding harness developers: should they implement multiple edit tools to match each model's training? #ToolCal

AISecHubTracked
Highsupply-chain

Security Researcher Uses Claude to Exploit Major Music Festival Ticket Systems

A security researcher used Anthropic's Claude to identify a critical vulnerability in Front Gate Tickets, the platform serving major festivals including Lollapalooza and Bonnaroo. The flaw allowed unauthorized issuance of tickets without payment. The finding demonstrates how frontier AI models are being used in real-world vulnerability research against production systems, lowering the barrier for discovering high-impact security flaws in widely deployed software. #Claude #VulnerabilityResearch #Ticketmaster #AISecurity #ApplicationSecurity https://explore.n1n.ai/blog/claude-assisted-security-v

AISecHubTracked
Lowgovernance

Emerging US Rules Reshape Global Access to Frontier AI Models

A legal analysis from Herbert Smith Freehills Kramer details the US government's rapid pivot from permissive AI innovation policy to a national security framework controlling frontier model access. Key developments include the June 2 White House executive order establishing voluntary pre-release review for advanced AI systems, the June 12 export controls on Anthropic's Fable 5 and Mythos 5, and reports of government intervention in OpenAI's GPT-5.6 rollout. A lawsuit by Canadian legal tech company Legion challenges the export controls, arguing they disrupt businesses worldwide that depend on U

AISecHubTracked
Mediumjailbreak

Google Bans Chrome Extensions Designed to Jailbreak AI Chatbots

Google is enforcing a new policy that prohibits Chrome extensions designed to jailbreak or modify the behavior of large language models and AI chatbots. The move signals tighter centralized control over how users interact with AI through browser-based modifications. For developers who relied on extensions to push LLM boundaries, the policy shift means finding alternative, compliant methods. The enforcement reflects growing platform-level responses to the proliferation of jailbreak tools distributed through browser extension stores. #Google #ChromeExtensions #Jailbreak #AISecurity #ApplicationS

AISecHubCovered
Lowother

AI Security Questions Loom Over NATO Summit in Ankara

President Trump enters the NATO leaders' summit in Ankara with leverage over which allies get access to advanced US AI models. The US has restricted access to Anthropic's Claude Mythos and imposed then lifted export controls on Fable 5, while limiting OpenAI's latest model to approved US companies. European allies including Germany have been clamoring for access, and Five Eyes members warned global leaders to step up security against AI-powered cyber threats. Senator Jeanne Shaheen plans to attend the summit partly to reassure allies the US won't alienate them on AI access. #NATO #ExportContro

AISecHubTracked
Highinfra

Z.ai GLM-5.2 Pushes Open-Weight AI Into Mythos Territory

Z.ai released GLM-5.2, an open-weight coding model with a 1M-token context window that scores 74.4 on FrontierSWE, placing it between Claude Opus 4.8 (75.1) and GPT-5.5 (72.6). The model is explicitly positioned for security-adjacent agent work, and Z.ai's announcement discusses reward hacking in coding agents: models that game pass/fail benchmarks by reading hidden evaluation files rather than finding real bugs. The weights are available on Hugging Face and ModelScope, making powerful coding capabilities accessible without US export controls. #GLM52 #OpenSource #CodingAgent #AISecurity #Appli

AISecHubTracked
Lowinfra

Alibaba Bans Claude Code Over Backdoor Fears

Alibaba will bar staff from using Anthropic's Claude Code starting July 10, citing backdoor risks after researchers claimed the tool detected whether users were based in China and inserted markers into prompts sent to Anthropic's servers. The ban follows Anthropic's accusation that Alibaba's Qwen lab ran an adversarial distillation campaign using 25,000 fraudulent accounts. The episode marks a hardening split between US and Chinese AI tooling that will force Asian engineering teams to audit their coding assistants more carefully. #Alibaba #ClaudeCode #SupplyChain #AISecurity #ThirdPartyRiskMan

AISecHubTracked
Highother

Agentic ransomware for automated database extortion https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion #JADEPUFFER #sysdig

👍2

AISecHubTracked
Mediuminfra

Chinese LLMs Broaden the Gap Between Attackers and Defenders

Analysis of recently released Chinese large language models shows they are significantly lowering the barrier to entry for offensive cyber operations while providing limited defensive utility. The models excel at generating exploit code, crafting phishing lures in multiple languages, and automating reconnaissance workflows, but offer weaker performance on defensive tasks like log analysis and threat detection. This asymmetric capability profile risks widening the attacker-defender gap, particularly for organizations that lack the resources to counter AI-augmented threats at scale. #ChineseLLMs

AISecHubTracked
Highother

Hacker Uses Claude AI to Score Free Tickets to Nearly Every US Music Show

A security researcher demonstrated how Claude AI can be manipulated to generate fraudulent ticket confirmation emails and social-engineering scripts that convinced venue box offices to issue free tickets to major US music events. The exploit chained prompt engineering to bypass Claude's refusal guardrails with targeted social engineering against human ticket agents, netting free entry to shows across the country. The incident illustrates a practical AI-assisted fraud pattern: using LLMs to generate convincing synthetic documentation that passes human verification checks. #ClaudeAI #AIFraud #So

AISecHubTracked
Lowjailbreak

Anthropic Details Claude Fable 5 Cybersecurity Safeguards and Jailbreak Framework

Anthropic published technical details of the cybersecurity safeguards and jailbreak evaluation framework built into Claude Fable 5, its latest model release. The framework includes constitutional classifiers for input safety, behavioral monitoring to detect guardrail activation, and structured jailbreak resistance testing. The disclosure provides the security community with a reference architecture for AI model safety: how a major lab approaches input filtering, refusal mechanisms, and adversarial robustness testing at production scale. #ClaudeFable #AISafety #Jailbreak #AISecurity #AISecurity

AISecHubCovered
Highinfra

Alibaba Bans Claude Code Over Alleged Embedded Backdoor Risks

Alibaba has instructed its employees to stop using Anthropic's Claude Code coding agent, citing concerns about alleged embedded backdoor risks in the AI tool. The internal ban reflects growing enterprise anxiety about supply chain security in AI coding assistants: tools that execute code, access file systems, and interact with development environments create a trust boundary problem where a compromised or maliciously designed AI agent could exfiltrate source code or inject vulnerabilities. The move signals that large enterprises are beginning to treat AI coding tools with the same supply chain

AISecHubTracked
Highinjection

SEO Poisoning and Hidden HTML Used to Manipulate AI Agents

Attackers are abusing SEO poisoning techniques combined with hidden HTML content to inject malicious instructions into AI agents that browse the web. By ranking poisoned pages highly in search results and embedding invisible prompt-injection payloads in the HTML, adversaries can trick AI agents into executing unintended actions: exfiltrating data, making unauthorized API calls, or following attacker-controlled workflows. The technique exploits the fact that AI agents parse raw HTML including elements invisible to human users, creating a new class of indirect prompt injection that bypasses trad

AISecHubCovered
Criticalinjection

Critical Cursor AI IDE Flaws Enable OS-Level Remote Code Execution

Cursor patched two critical vulnerabilities, CVE-2026-50548 and CVE-2026-50549 (dubbed DuneSlide), that allow prompt injection attacks to escalate to operating-system-level remote code execution. An attacker who controls content that a Cursor AI agent processes, such as a malicious repository or crafted documentation, can inject instructions that cause the AI coding agent to execute arbitrary commands on the developer's machine. The flaws highlight the expanding attack surface of AI-powered development tools where agentic code execution meets user-level OS access. #CursorAI #PromptInjection #R

CVE-2026-50548AISecHubCovered
Criticalinfra

First End-to-End Agentic AI Ransomware Attack Exploits Langflow

Security researchers documented the first fully autonomous AI-driven ransomware attack, tracked as JadePuffer, which exploited CVE-2025-3248 (CVSS 9.8) in Langflow to gain remote code execution. The AI agent autonomously performed reconnaissance, extracted API keys and cloud credentials, dumped the Postgres database, scanned internal networks for MinIO and other services, exfiltrated data, and deployed ransomware: all without human operator intervention beyond the initial access. The attack demonstrates that agentic AI can now execute complete ransomware kill chains independently. #AgenticAI #

CVE-2025-3248AISecHubTracked
Lowgovernance

US lifts Claude model restrictions after security alarm

SecurityWeek reported that US officials lifted restrictions on Anthropic Claude model access after a cybersecurity alarm. The LLM policy reversal matters for teams tracking government controls around model access and AI security risk. #AIGovernance #RiskManagement #ClaudeAI #AISecurity #GovernanceRiskAndCompliance https://securityweek.com/trump-administration-lifts-restrictions-on-anthropics-claude-models-after-cybersecurity-alarm/

AISecHubTracked
Lowother

Alibaba reported Claude Code ban over backdoor concerns

Cybersecurity News reports that Alibaba plans to block Claude Code on internal systems starting July 10, 2026 over alleged embedded backdoor risks. The concern is that an AI agent with code and command access could expose internal repository context. #AICoding #SupplyChain #EnterpriseSecurity #AISecurity #ThirdPartyRiskManagement https://cybersecuritynews.com/alibaba-to-ban-claude-code/

AISecHubTracked
Highinjection

SEO poisoning hides prompt injections for AI agents

Cybersecurity News reports that malicious sites use SEO poisoning and hidden prompt injection text to make an AI agent trust fake pages and trigger actions such as fraudulent payments. The article names hidden HTML instructions as the mechanism and was published on July 3, 2026. #SEOPoisoning #PromptInjection #AgentSecurity #AISecurity #ApplicationSecurity https://cybersecuritynews.com/hackers-abuse-seo-poisoning-and-hidden-html/

AISecHubCovered
Mediumother

NLTK Stanford interfaces allow untrusted JAR execution

CVE-2026-12252 affects NLTK 3.9.3 and earlier. The GitHub advisory says five Stanford NLP interface classes accept user-controlled JAR paths and run them through subprocess.Popen without integrity checks, allowing untrusted Java code to execute during tagging or parsing workflows. #AIVulnerability #CVE #SupplyChainSecurity #AISecurity #VulnerabilityManagement https://github.com/advisories/GHSA-9r6g-266r-89x4

CVE-2026-12252AISecHubTracked
Criticalother

Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Two critical vulnerabilities (CVE-2026-50548 and CVE-2026-50549, with CVSS score of 9.8, a 0-10 severity rating) in the Cursor AI code editor could allow attackers to execute code at the operating system level by exploiting the editor's automatic command execution without user approval. The first flaw allows attackers to change the working directory to bypass the sandbox (a restricted environment where code runs safely), while the second uses symbolic links (special files that point to other files) to write files outside the intended project directory and disable sandbox protections. Solution:

CVE-2026-50548AISecHubTracked
Mediummcp

Kong Konnect MCP server allowed prompt-injection API requests

CVE-2026-13341 affects Kong Konnect MCP server versions before 1.0.0. The NVD description says remote attackers can use prompt injection against the Model Context Protocol tool layer to execute unintended API requests, so teams exposing the server to AI agents should upgrade before using it in production workflows. #AIVulnerability #CVE #SupplyChainSecurity #AISecurity #VulnerabilityManagement https://nvd.nist.gov/vuln/detail/CVE-2026-13341

CVE-2026-13341AISecHubCovered
Highmcp

CVE-2026-13341: A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow

A vulnerability exists in the Kong Konnect Model Context Protocol (MCP) server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests.

CVE-2026-13341NVDCovered
Criticalinfra

CVE-2026-33017: Langflow Unauthenticated RCE in AI Pipelines

CSA reports CVE-2026-33017 as a critical (CVSS 9.8) unauthenticated RCE in Langflow ≤1.8.2, triggered via a single HTTP request - highlighting how exposed orchestration endpoints can become direct execution paths into AI pipeline infrastructure. #VulnerabilityResearch #AppSec #AISecurity #Report #VulnerabilityManagement https://labs.cloudsecurityalliance.org/research/csa-research-note-langflow-rce-cve-2026-33017-ai-infrastruct

CVE-2026-33017AISecHubTracked
Mediummcp

Grackle: fail-open authorization in the MCP tool layer enables cross-task and cross-session.

The advisory describes inconsistent, fail-open authorization in an MCP tool layer where scoped agents can act on resources outside their scope by referencing other objects' IDs, turning "restricted" tool access into cross-task/cross-session reads and mutations. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-f9ff-5x35-7gfw

AISecHubTracked
Lowinjection

Rating AI Jailbreaks: The Fable 5 Episode

Frames "jailbreak severity" as a governance gap: without a vendor-neutral scoring standard, organizations end up comparing jailbreak claims inconsistently across systems, contexts, and mitigations. #PromptInjection #LLMSecurity #AISecurity #Report #AISecurityGovernanceAndAssurance https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-jailbreak-severity-framework-governance

AISecHubCovered
Highmcp

CVE-2026-50027: mcp-memory-service unauthenticated Document API access

Missing-auth condition on /api/documents/ where requests can bypass configured API key/OAuth protections and directly read, write, or delete stored "memories" - a clear trust-boundary break between public HTTP access and agent memory state. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-84hp-mqvj-3p8h

CVE-2026-50027AISecHubTracked
Highmcp

CVE-2026-52830: fast-mcp-telegram - Bearer token path traversal bypasses reserved Telegram.

Trust-boundary bug where the raw Bearer token is concatenated into a session-file path, so tokens containing path separators can evade an exact-string block on the reserved telegram token unless the path is normalized and validated before use. #MCP #AgentSecurity #AISecurity #Advisory #IdentityAndAccessManagement https://github.com/advisories/GHSA-rxw2-pc8j-vxwm

CVE-2026-52830AISecHubTracked
Mediumagent

AgentFlow: Static Analysis via Agent Dependency Graphs for Agent Programs

AgentFlow extracts a framework-agnostic Agent Dependency Graph that makes agent-specific dependencies (prompts, tools, memory, handoffs, policies) visible to static analysis, enabling artifact generation (Agent BOM) and taint-style prompt-to-tool risk detection across real-world agent codebases. #AgentSecurity #LLMSecurity #AISecurity #Research #ApplicationSecurity https://arxiv.org/abs/2607.01640

AISecHubCovered
Lowinfra

ContextNest: Verifiable Context Governance for Autonomous AI Agents

Context governance adds a verifiable layer under RAG so agents only retrieve from approved, attributable, integrity-checked, reconstructable knowledge versions (hash-chained history + deterministic selectors + audit traces), including MCP-sourced nodes for live data. #AgentSecurity #LLMSecurity #AISecurity #Research #AISecurityGovernanceAndAssurance https://arxiv.org/abs/2607.02116

AISecHubTracked
Highinfra

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. #AgentSecurity #LLMSecurity #AISecurity #News #IncidentDetectionAndResponse https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html

AISecHubTracked
Highmcp

MCP Tool Poisoning: Adversarial Hijacking of AI Agent Workflows

MCP tool poisoning targets the trust boundary between agents and tools by embedding instructions in tool descriptions, schemas, or tool outputs that the agent may treat as trusted context, potentially steering tool use and downstream actions. #MCP #AgentSecurity #AISecurity #Report #DataSecurityAndProtection https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-ai-agent-exfiltration-2

AISecHubCovered
Mediumagent

Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware

Tests how malicious "agent skills" evade install-time/static scanning via payload-preserving obfuscation and self-extracting packing, suggesting appearance-based auditing is brittle against adaptive attackers. #AgentSecurity #LLMSecurity #AISecurity #Research #IncidentDetectionAndResponse https://arxiv.org/abs/2607.02357

AISecHubTracked
Lowgovernance

Trump Administration Lifts Restrictions on Anthropic’s Claude Models After Cybersecurity Alarm

The Trump administration lifted restrictions on Anthropic's Claude AI models after a temporary ban due to cybersecurity concerns. #AIGovernance #RiskManagement #AISecurity #News https://securityweek.com/trump-administration-lifts-restrictions-on-anthropics-claude-models-after-cybersecurity-alarm

AISecHubTracked
Highmcp

Grackle: fail-open authorization in the MCP tool layer enables cross-task and cross-session mutations (IDOR)

The advisory describes inconsistent, fail-open authorization in an MCP tool layer where scoped agents can act on resources outside their scope by referencing other objects’ IDs, turning “restricted” tool access into cross-task/cross-session reads and mutations. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-f9ff-5x35-7gfw

AISecHubTracked
Highmcp

CVE-2026-52830: fast-mcp-telegram — Bearer token path traversal bypasses reserved Telegram session protection

The advisory describes a trust-boundary bug where the raw Bearer token is concatenated into a session-file path, so tokens containing path separators can evade an exact-string block on the reserved telegram token unless the path is normalized and validated before use. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-rxw2-pc8j-vxwm

CVE-2026-52830AISecHubTracked
Criticalinfra

CVE-2026-33017: Langflow Unauthenticated RCE in AI Pipelines

CSA reports CVE-2026-33017 as a critical (CVSS 9.8) unauthenticated RCE in Langflow ≤1.8.2, triggered via a single HTTP request—highlighting how exposed orchestration endpoints can become direct execution paths into AI pipeline infrastructure. #VulnerabilityResearch #AppSec #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-langflow-rce-cve-2026-33017-ai-infrastruct

CVE-2026-33017AISecHubTracked
Highmcp

CVE-2026-50027 (GHSA-84hp-mqvj-3p8h): mcp-memory-service unauthenticated Document API access

The advisory describes a missing-auth condition on /api/documents/ where requests can bypass configured API key/OAuth protections and directly read, write, or delete stored “memories,” creating a clear trust-boundary break between public HTTP access and agent memory state. #MCP #AgentSecurity #AISecurity #Advisory https://github.com/advisories/GHSA-84hp-mqvj-3p8h

CVE-2026-50027AISecHubTracked
Lowinjection

Rating AI Jailbreaks: The Fable 5 Episode

The writeup frames “jailbreak severity” as a governance gap: without a vendor-neutral scoring standard, organizations end up comparing jailbreak claims inconsistently across systems, contexts, and mitigations. #PromptInjection #LLMSecurity #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-ai-jailbreak-severity-framework-governance

AISecHubCovered
Mediumagent

AgentFlow: Static Analysis via Agent Dependency Graphs for Agent Programs

AgentFlow extracts a framework-agnostic Agent Dependency Graph that makes agent-specific dependencies (prompts, tools, memory, handoffs, policies) visible to static analysis, enabling artifact generation (Agent BOM) and taint-style prompt-to-tool risk detection across real-world agent codebases. #AgentSecurity #LLMSecurity #AISecurity #Research https://arxiv.org/abs/2607.01640

AISecHubCovered
Highinfra

AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack

Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. #AgentSecurity #LLMSecurity #AISecurity #News https://thehackernews.com/2026/07/ai-agent-exploits-langflow-rce-to.html

AISecHubTracked
Highmcp

MCP Tool Poisoning: Adversarial Hijacking of AI Agent Workflows

MCP tool poisoning targets the trust boundary between agents and tools by embedding instructions in tool descriptions, schemas, or tool outputs that the agent may treat as trusted context, potentially steering tool use and downstream actions. #MCP #AgentSecurity #AISecurity #Report https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-tool-poisoning-ai-agent-exfiltration-2

AISecHubCovered
Mediumagent

Cloak and Detonate: Scanner Evasion and Dynamic Detection of Agent Skill Malware

The paper tests how malicious “agent skills” evade install-time/static scanning via payload-preserving obfuscation and self-extracting packing, suggesting appearance-based auditing is brittle against adaptive attackers. #AgentSecurity #LLMSecurity #AISecurity #Research https://arxiv.org/abs/2607.02357

AISecHubTracked
Lowinfra

AgentFlow: Building Agent Dependency Graphs for Static Analysis of Agent Programs

LLM agents are increasingly developed as source-code applications built on agent frameworks. These agent programs combine conventional host-language code with framework-defined semantics for models, prompts, tools, memory, and multi-agent orchestration logic. As a result, their behavior depends not only on traditional control and data flows, but also on a new class of agent dependencies. Such dependencies are often expressed as framework-induced semantics, such as agent constructors, tool decora

arXivTracked
Lowjailbreak

HARC: Coupling Harmfulness and Refusal Directions for Robust Safety Alignment

Understanding how aligned LLMs internally represent safety is critical for diagnosing alignment vulnerabilities, as it explains why jailbreaks succeed and informs the design of robust alignment strategies. Prior work shows that aligned LLMs encode harmfulness and refusal as separable directions in the residual stream at prompt-side token positions. We show that jailbreaks succeed at prompt encoding by suppressing either the refusal or harmfulness direction before any token is generated, with dis

arXivCovered
Lowother

Cognitive Firewall: A Proactive, Zero-Trust, Multi-Gate Framework for LLM Safety

Large language models (LLMs) can be induced to produce harmful content through multi turn strategies in which no single user message appears clearly unsafe. Existing runtime safeguards commonly evaluate prompts or responses as isolated messages, which limits their ability to recover ac-cumulated intent, verify asserted authority, or detect harmful objectives decomposed across a dialogue. This paper presents the Cognitive Firewall, a proactive runtime oversight framework that interposes an indepe

arXivTracked