A curated timeline of real AI agent security incidents, breaches, and vulnerabilities from 2024-2026. Every entry includes date, named company/product, specific impact, root cause, CVE where applicable, and source links.
No opinions. No product pitches. Just facts with sources.
Last updated: 2026-04-28
- Target: LangChain langchain-openai (before 1.1.14) and langchain-text-splitters (before 1.1.2)
- Impact: Attacker-controlled URLs can reach private and localhost services (cloud metadata, internal admin interfaces) from any host running LangChain image-token counting or HTML splitter helpers
- Root Cause: TOCTOU and DNS rebinding window in
_url_to_size()(validate-then-fetch pattern with independent DNS resolution); HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL but followed redirects viarequests.get()without revalidating redirect targets - CVE: CVE-2026-41488 (CVSS 3.1, langchain-openai SSRF), CVE-2026-41481 (CVSS 6.5, langchain-text-splitters redirect SSRF)
- Sources: GitLab Advisory CVE-2026-41488, GitLab Advisory CVE-2026-41481, TheHackerWire CVE-2026-41488, TheHackerWire CVE-2026-41481, Vulnerability-Lookup CVE-2026-41488
2026-04-23 - HexagonalRodent North Korean APT Industrializes Web3 Developer Attacks Using AI Coding Tools
- Target: Web3 developers worldwide (subgroup of Famous Chollima/Lazarus tracked by Expel as HexagonalRodent)
- Impact: 2,726 developer systems infected and 26,584 cryptocurrency wallet entries exfiltrated; an estimated $12 million in crypto assets stolen during Q1 2026; victims lured by fake high-paying job postings on LinkedIn and Web3 boards that ship "skills tests" abusing VSCode
tasks.jsonto auto-execute malware on project open - Root Cause: Operators with low to medium technical skill scaled malware authoring, fake company website creation, and phishing lure crafting by prompting Cursor, ChatGPT, and Anima; Cursor blocked the associated accounts and IPs; OpenAI confirmed a small number of accounts had asked for help on dual-use topics
- Sources: Help Net Security, Expel, Yahoo / Decrypt, KuCoin
- Target: Public web content consumed by AI agents and Google Workspace Gemini integrations (sector-wide measurement based on Google's 2-3 billion crawled pages per month)
- Impact: Google observed a 32% relative increase in malicious indirect prompt injection pages between November 2025 and February 2026; payloads target agentic AI features that can send email, run terminal commands, or process payments; Forcepoint amplified the same finding with field cases
- Root Cause: AI agents ingest untrusted web content with no strict data versus instruction boundary; static blogs, forums, and comment sections are now intentional weaponization surfaces for IPI
- Sources: Google Online Security Blog "AI threats in the wild", Google Workspace continuous IPI mitigation, Help Net Security, WebProNews
2026-04-23 - SecurityScorecard Finds 40,214 OpenClaw Instances Exposed Online with 63% RCE-Vulnerable
- Target: OpenClaw (formerly Moltbot/Clawdbot) personal AI agent platform
- Impact: Internet scan identified 40,214 reachable OpenClaw instances and 28,663 unique IP addresses hosting publicly accessible control panels; about 63% of deployments are vulnerable to remote code execution; 549 exposed instances correlate with prior breach activity and 1,493 are linked to known vulnerabilities; cloud and hosting providers concentrate the exposure
- Root Cause: Default deployment patterns expose admin panels with no authentication; multiple unpatched 2026 OpenClaw CVEs including ClawBleed (CVE-2026-25253, CVSS 8.8), CVE-2026-25593, and the device-pairing privilege escalation chain CVE-2026-32922 (CVSS 9.9) remain widely deployed
- Sources: SecurityScorecard, Infosecurity Magazine, Dataconomy, TechRadar, TechBriefly
- Target: @bitwarden/cli npm package version 2026.4.0
- Impact: Malicious build of Bitwarden CLI was live on npm for roughly 90 minutes (5:57 PM-7:30 PM ET, April 22, 2026) and pulled approximately 334 times; payload
bw1.jsran on install and harvested GitHub and npm tokens, SSH keys, AWS, GCP, and Azure secrets, GitHub Actions secrets, AI tooling configuration files, environment variables, and shell history; data exfiltrated to public GitHub repositories created under victim accounts; Bitwarden vault data was not accessed - Root Cause: Earlier in the day, attackers compromised the Checkmarx KICS Docker Hub repository; Bitwarden's Dependabot pulled the malicious
checkmarx/kics:latestimage into the Bitwarden CI/CD pipeline, which then signed and published the trojanized CLI; payload contained the marker "Shai-Hulud: The Third Coming" with Dune-themed identifiers - Sources: Bitwarden Statement, The Hacker News, The Register, Socket, SecurityWeek, CSO Online, Endor Labs, GitHub Issue 20353
- Target: Xinference (Xorbits Inference) Python package on PyPI; an open-source distributed AI model inference framework with 600,000+ downloads used to self-host LLMs, embedding models, and image generators
- Impact: Three consecutive releases (2.6.0, 2.6.1, 2.6.2) shipped a base64-encoded credential-stealing payload that runs on import; harvests AWS credentials and secrets, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials; payload spawns a detached subprocess so it survives parent process exit
- Root Cause: An automated bot account "XprobeBot" (active since October 2025) was compromised and committed the malicious payload directly into
__init__.py; payload structure mirrors prior TeamPCP attacks (double base64, exhaustive credential sweep, detached subprocess on import), but TeamPCP publicly denied responsibility for this one - Sources: Mend.io, GBHackers, OX Security, Cyberpress, GitGuardian, Orca Security
- Target: LMDeploy LLM serving toolkit by Shanghai AI Laboratory / InternLM (all versions 0.12.0 and earlier with vision-language support)
- Impact: Sysdig honeypot recorded the first exploit attempt 12 hours and 31 minutes after the GitHub advisory went live; attackers used the vision-language image loader as a generic HTTP SSRF primitive to port-scan internal networks behind the model server, hit AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP admin interface, and an out-of-band DNS exfiltration endpoint, all in a single eight-minute session
- Root Cause:
load_image()inlmdeploy/vl/utils.pyfetches arbitrary URLs without validating internal or private IP ranges; fix in 0.12.3 adds URL validation and IP filtering - CVE: CVE-2026-33626 (CVSS 7.5)
- Sources: The Hacker News, Sysdig, GBHackers, SC Media, SentinelOne CVE Profile, Vulert
- Target: Namastex Labs npm publisher namespaces and pgserve (embedded PostgreSQL for Node.js development)
- Impact: At least 16 malicious package versions across linked namespaces; pgserve releases 1.1.11, 1.1.12, and 1.1.13 (April 21 starting 22:14 UTC) carried a postinstall hook that harvested npm publish tokens, AWS, GCP, Azure, and Kubernetes credentials, SSH keys, and AI tooling configuration, then republished poisoned versions of every package the victim could publish; if a PyPI token was found, the worm jumped to PyPI; data exfiltrated both to a webhook (
telemetry.api-monitor.com) and to ICP canistercjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io - Root Cause: Compromised maintainer credentials at Namastex Labs (a vendor of agentic AI tooling) plus npm's allowance of postinstall hooks; ICP canister IDs cannot be removed via registrar takedowns or DNS sinkholing, blunting law-enforcement response
- Sources: StepSecurity, Socket, The Hacker News, The Register, BleepingComputer, SC Media, Cloud Security Alliance Lab, Infosecurity Magazine
- Target: Anthropic Claude Mythos Preview (cyber-offensive AI model held back under Project Glasswing limited-partner program)
- Impact: A small private Discord community gained continuous access to Mythos starting on launch day (April 7, 2026) by guessing the preview URL pattern, drawing on operational details from a Mercor breach three weeks earlier; group has not used Mythos for cyberattacks but has retained access; Anthropic stated it is investigating "unauthorized access to Claude Mythos Preview through one of our third-party vendor environments"
- Root Cause: A third-party contractor with operational knowledge confirmed URL guesses based on Anthropic's prior naming conventions; access controls relied on URL secrecy at the vendor environment rather than authenticated tenancy; Mercor breach context fed the recon
- Sources: TechCrunch, Bloomberg, Fortune, Engadget, Cybernews, Hackread, GovInfoSecurity, The Next Web
- Target: AI agent governance across 418 surveyed organizations (CSA / Token Security study, "Autonomous but Not Controlled: AI Agent Incidents Now Common in Enterprises")
- Impact: 65% of organizations experienced at least one AI agent-related cybersecurity incident in the past 12 months; 88% confirmed or suspected AI agent incidents; 82% had discovered previously unknown AI agents in their environment in the past year; 61% reported data exposure, 43% operational disruption, 35% financial loss, and 41% unintended actions in business processes from these incidents; only 21% had formal decommissioning processes in place
- Root Cause: Survey analysis; visibility and decommissioning gaps allow shadow AI agents to operate outside identity, network, and audit controls; healthcare incident rate reaches 92.7%
- Sources: CSA Press Release, BusinessWire, Infosecurity Magazine, ADVISOR Magazine
- Target: FlowiseAI Flowise (all versions before 3.1.0)
- Impact: Authenticated RCE on Flowise hosts through any chatflow that uses the CSV Agent node; an attacker prompts the LLM into emitting a Python script that the server then runs without sandboxing
- Root Cause:
runmethod of the CSV_Agents class evaluates LLM-generated Python without proper sandboxing; bypasses earlier hardening for CVE-2026-41137; reported through Trend Micro Zero Day Initiative; fix in 3.1.0 disallows all imports inside CSV Agent - CVE: CVE-2026-41264 (CVSS 7.0)
- Sources: GitHub Advisory GHSA-3hjv-c53m-58jj, GitLab Advisory, THREATINT, SC Media
- Target: Vercel (Next.js hosting platform) via Context.ai (AI Office Suite)
- Impact: Attacker accessed Vercel Google Workspace and internal systems, including environment variables for a "limited subset" of customer projects; stolen data offered for $2M on BreachForums by a ShinyHunters persona; downstream crypto projects scrambled to rotate API keys
- Root Cause: Context.ai employee infected with Lumma Stealer in February 2026; attacker abused the Context.ai Google Workspace OAuth application that a Vercel employee had granted "Allow All" enterprise scopes; OAuth token replay escalated into the Vercel tenant
- Sources: TechCrunch, The Hacker News, The Register, Vercel Bulletin, OX Security, Trend Micro, CoinDesk, Tom's Hardware
- Target: FastGPT AI agent building platform (before v4.14.9.5)
- Impact: Unauthenticated attacker can log in as any user including root via MongoDB operator injection on the password field; authenticated attacker can bypass old-password verification to take over any account
- Root Cause: TypeScript type assertion without runtime validation on password login endpoint; NoSQL operator injection in password change endpoint
- CVE: CVE-2026-40351 (CVSS 9.8), CVE-2026-40352 (CVSS 8.8)
- Sources: TheHackerWire CVE-2026-40351, TheHackerWire CVE-2026-40352
- Target: Anthropic Model Context Protocol reference SDKs (Python, TypeScript, Java, Rust) and 200,000+ downstream instances
- Impact: Arbitrary command execution on any MCP host via STDIO transport; OX Security demonstrated takeover of six production platforms and 30+ RCE reports across projects including LiteLLM, LangChain, Flowise, GPT Researcher, Agent Zero, and Windsurf; 11 CVEs assigned to downstream projects
- Root Cause: MCP STDIO transport accepts arbitrary command strings and passes them to subprocess execution with no validation, sanitization, or sandboxing; commands execute even when process startup fails; Anthropic declined to modify the protocol and said sanitization is the developer's responsibility
- CVE: CVE-2025-65720, CVE-2026-30623, CVE-2026-30624, CVE-2026-40933 (Flowise MCP Adapters, CVSS 10.0) and 7+ others
- Sources: OX Security, The Hacker News, The Register, CSO Online, Infosecurity Magazine, TechRadar, GitHub Advisory CVE-2026-40933
- Target: LiteLLM (BerriAI LLM gateway) deployments with JWT auth enabled
- Impact: Unauthenticated attacker can craft a token whose first 20 characters collide with a cached legitimate token, inheriting that user's identity and permissions across the gateway
- Root Cause: OIDC userinfo cache keyed on token[:20] instead of the full token or a secure hash; JWTs produced by the same signing algorithm share the same header prefix
- CVE: CVE-2026-35030 (CVSS 9.4)
- Sources: LiteLLM Advisory, GitLab Advisory, GitHub Advisory, SecurityOnline, Wiz
- Target: Microsoft Copilot Studio and Salesforce Agentforce
- Impact: Attackers fill public-facing SharePoint or Web-to-Lead form fields with a fake system-role payload; hijacked agents query connected data sources in bulk and email the results to an attacker address with no volume cap, no Human-in-the-Loop prompt, and no trace shown to the employee who triggered the agent; Capsule Security reports the email channel remains exploitable on Agentforce Sub-Agents (formerly Custom Topics) even after Salesforce's remediation
- Root Cause: Untrusted form inputs concatenated directly into agent context windows; agents simultaneously hold read access to CRM/SharePoint data and authority to send outbound email
- CVE: CVE-2026-21520 (CVSS 7.5, Copilot Studio ShareLeak); PipeLeak has no CVE assigned
- Sources: VentureBeat, Dark Reading, CSO Online, NVD CVE-2026-21520, PointGuard AI
- Target: Anthropic Claude Code Security Review, Google Gemini CLI Action, GitHub Copilot Agent (all GitHub Actions integrations)
- Impact: Prompt injection via PR titles, issue descriptions, and comments lets attackers execute arbitrary commands in the Actions runner, steal Anthropic and Gemini API keys, GitHub tokens, and any repository or organization secret available to the workflow
- Root Cause: Each agent ingests untrusted GitHub comment content as authoritative instructions with no separation between policy and data; all three vendors paid bug bounties ($100 Anthropic, $500 GitHub, undisclosed Google) but none assigned CVEs or published advisories, leaving downstream users unaware
- Sources: The Register, SecurityWeek, The Next Web, Cybernews
- Target: n8n AI workflow automation platform (cloud-hosted webhooks)
- Impact: Attackers embed n8n-hosted webhook URLs in phishing emails; clicking opens a JavaScript CAPTCHA page on the trusted n8n domain that then downloads modified RMM tools such as Datto and ITarian; March 2026 volume of emails carrying these URLs was 686% higher than January 2025
- Root Cause: Public webhook URLs on trusted n8n infrastructure let attackers bypass email security filters that would otherwise block attacker-controlled domains; abuse first observed October 2025 and escalated through April 2026
- Sources: The Hacker News, Cisco Talos, SC Media, TechRepublic
- Target: AI ecosystem (sector-wide report covering January 1 - April 11, 2026)
- Impact: Documents the transition from theoretical risks to active exploitation; 520 reported tool misuse and privilege escalation incidents in 2026; prompt injection with 450 incidents; highlights Anthropic Claude abuse in the 150GB Mexican government data theft as the period's prominent case; notes a growing gap between traditional CVE-based vulnerability management and architectural AI risks that never receive CVE IDs
- Root Cause: Report synthesis; attackers target agent identities, orchestration layers, and supply chains rather than just model outputs
- Sources: OWASP GenAI Q1 2026 Report
- Target: 428 public AI API routers tested by UCSB/UCSD researchers (published arXiv April 8, amplified April 13)
- Impact: 26 routers injected malicious tool calls, 9 injected malicious code into agent outputs, 17 accessed researcher AWS credentials, and at least one drained ETH from a researcher-controlled wallet; one client reportedly lost $500,000 in crypto to a malicious router; attacks include payload injection (AC-1), secret exfiltration (AC-2), dependency rewriting, and adaptive evasion that activates only in autonomous "YOLO mode"
- Root Cause: LLM routers operate as opaque man-in-the-middle intermediaries between clients and model providers; agents accept rewritten tool calls as trusted output
- Sources: ArXiv paper, CoinDesk, Risky Business, CCN, OECD AI Incident Database
- Target: Marimo Python reactive notebook platform (all versions up to 0.20.4)
- Impact: 662 exploit events from 11 source IPs across 10 countries between April 11 and 14, 2026; reverse shells, credential theft, DNS exfiltration, lateral movement to PostgreSQL and Redis, and deployment of a new NKAbuse variant; malware installer hosted on a typosquat Hugging Face Space "vsccode-modetx" drops a Go ELF binary named kagent that uses the NKN blockchain for C2
- Root Cause: /terminal/ws WebSocket endpoint lacks the validate_auth() call present on other endpoints; unauthenticated attackers obtain a full PTY shell; exploitation began within 10 hours of public disclosure
- CVE: CVE-2026-39987 (CVSS 9.3)
- Sources: Sysdig, The Hacker News, BleepingComputer, Cybersecurity News
- Target: nginx-ui open-source Nginx management tool (before v2.3.4), approximately 2,600 publicly reachable instances
- Impact: Network-adjacent attacker can invoke 12 MCP tools (including nginx_config_add with auto-reload) in two HTTP requests; full Nginx server takeover, traffic interception, administrator credential harvest; chains with CVE-2026-27944 to extract the node_secret for ongoing session control
- Root Cause: /mcp_message endpoint handles every destructive tool invocation without the AuthRequired() middleware that protects the paired /mcp endpoint
- CVE: CVE-2026-33032 (CVSS 9.8)
- Sources: The Hacker News, BleepingComputer, Rapid7, Picus Security, Security Affairs
- Target: aws-mcp-server (Model Context Protocol server for AWS CLI)
- Impact: Unauthenticated remote attackers can execute arbitrary code on affected installations; full compromise of the MCP server and any AWS credentials it holds
- Root Cause: Missing validation of a user-supplied string passed to a system call; improper handling of the allowed commands list
- CVE: CVE-2026-5058 (CVSS 9.8), CVE-2026-5059 (CVSS 9.8)
- Sources: TheHackerWire CVE-2026-5058, TheHackerWire CVE-2026-5059, NVD CVE-2026-5059, Endor Labs
- Target: Red Hat OpenShift AI (odh-dashboard component)
- Impact: Kubernetes Service Account tokens disclosed via a NodeJS endpoint; disclosed tokens usable to authenticate to the Kubernetes API and reach cluster resources
- Root Cause: Insecure handling/exposure of token data on a NodeJS endpoint in odh-dashboard
- CVE: CVE-2026-5483 (CVSS 8.5)
- Sources: TheHackerWire, Red Hat RHSA-2026:3713, CSO Online
- Target: PraisonAI (multi-agent teams framework, PyPI) prior to v4.5.115
- Impact: Arbitrary code execution via template expressions injected into agent.start() input processed by create_agent_centric_tools()
- Root Cause: Unescaped user input passed directly to template-rendering tools such as acp_create_file
- CVE: CVE-2026-39891 (CVSS 8.8)
- Sources: GitLab Advisory, NVD, TheHackerWire
- Target: npm, PyPI, Go, Rust, Packagist registries (developer tooling impersonation)
- Impact: 1,700+ malicious packages identified since January 2025 fueling espionage and financial theft; SEAL blocked 164 UNC1069 domains impersonating Teams and Zoom between Feb 6 and Apr 7, 2026
- Root Cause: DPRK-linked UNC1069 (overlaps BlueNoroff, Sapphire Sleet, Stardust Chollima) publishing malware-loader packages disguised as dev tooling; delivery via fake Zoom/Teams ClickFix lures after LinkedIn/Telegram/Slack social engineering
- Sources: The Hacker News, Vulert, Cybersecuritywaala
- Target: AWS Bedrock AgentCore starter toolkit
- Impact: Default IAM roles auto-created by the toolkit scope permissions to wildcard, letting any agent read or poison memory belonging to every other agent in the AWS account; enables privilege escalation and cross-tenant data exfiltration
- Root Cause: Starter toolkit auto-create logic issues IAM policies with GetMemory and RetrieveMemoryRecords on resource "*" instead of per-resource scoping
- Sources: Unit 42, Unit 42 sandbox escape
- Target: Flowise (open-source AI agent builder) versions up to 3.0.5
- Impact: Unauthenticated remote code execution via CustomMCP node; 12,000-15,000+ instances exposed on the internet; first in-the-wild exploitation from a Starlink IP
- Root Cause: CustomMCP node parses user-supplied mcpServerConfig and executes JavaScript without validation, exposing child_process and fs modules under full Node.js runtime privileges
- CVE: CVE-2025-59528 (CVSS 10.0)
- Sources: The Hacker News, BleepingComputer, Security Affairs, CSO Online
- Target: PraisonAI Gateway
- Impact: Any network client can enumerate agents and send arbitrary messages via unauthenticated WebSocket
- Root Cause: No authentication on WebSocket and agent topology endpoints
- CVE: CVE-2026-34952 (CVSS 9.1)
- Sources: TheHackerWire
- Target: Microsoft Azure MCP Server
- Impact: Sensitive data accessible without valid credentials; no patch available at disclosure
- Root Cause: Improper authentication implementation
- CVE: CVE-2026-32211 (CVSS 9.1)
- Sources: WindowsNews
- Target: Meta / Mercor
- Impact: All Meta contracts with Mercor suspended indefinitely; AI training data secrets at risk
- Root Cause: Response to Mercor breach from LiteLLM supply chain attack
- Sources: Social Media Today, Benzinga
- Target: Drift Protocol (Solana DeFi)
- Impact: $285M stolen in 12 minutes via fictitious CarbonVote Token, oracle manipulation, and zero-timelock Security Council migration
- Root Cause: Six-month social engineering campaign by UNC4736 (DPRK) targeting multisig signers; pre-signed hidden authorizations
- Sources: TRM Labs, Elliptic, The Hacker News
2026-03-30 - ChatGPT Hidden DNS Exfiltration Channel
- Target: OpenAI ChatGPT code execution sandbox
- Impact: A single prompt could silently exfiltrate user messages, uploaded files, and other sandbox contents over DNS; same path usable to establish a remote shell inside the Linux runtime
- Root Cause: Sandbox blocked direct network requests but left recursive DNS resolution unrestricted; data encoded into DNS subdomain labels escaped all other network controls
- Sources: Check Point Research, The Register, eSecurity Planet, Cybersecurity News
- Target: Mercor ($10B AI hiring startup)
- Impact: 40K+ people affected; Lapsus$ claims 4TB of data including PII, video interviews, credentials, source code; class action filed
- Root Cause: Cascading supply chain: TeamPCP compromised Trivy, stole LiteLLM credentials, published poisoned PyPI packages
- Sources: Fortune, TechCrunch, SecurityWeek
- Target: Axios (70-100M weekly npm downloads)
- Impact: Malicious versions tagged "latest" delivered cross-platform RAT via dependency "plain-crypto-js"
- Root Cause: Social engineering of lead maintainer's npm credentials by Sapphire Sleet / UNC1069 (DPRK)
- Sources: Microsoft Security Blog, The Hacker News, Elastic Security Labs
- Target: Cisco internal dev environment
- Impact: 300+ GitHub repos cloned including AI product source code and customer code from banks and US government agencies
- Root Cause: Credentials harvested during TeamPCP's Trivy compromise used to access Cisco dev infrastructure
- Sources: BleepingComputer, SOCRadar
- Target: Telnyx Python SDK
- Impact: Credential harvester concealed in WAV audio file frame data; malicious code injected into telnyx/_client.py
- Root Cause: Telnyx PyPI token stolen during LiteLLM compromise; TeamPCP cascading attack
- Sources: The Hacker News, Akamai, Trend Micro
- Target: LiteLLM (3.4M daily PyPI downloads)
- Impact: Three-stage malware: credential theft, K8s lateral movement, persistent systemd backdoor; fork bomb bug triggered discovery; available ~3 hours before quarantine
- Root Cause: PyPI credentials stolen from LiteLLM CI environment during Trivy compromise
- Sources: LiteLLM Official, Snyk, ReversingLabs
- Target: Checkmarx KICS, AST GitHub Action, OpenVSX extensions
- Impact: 35 tags hijacked; credential stealer exfiltrated secrets encrypted to attacker server checkmarx.zone
- Root Cause: cx-plugins-releases service account compromised via credentials from Trivy attack
- Sources: Wiz, Checkmarx, The Hacker News
- Target: npm ecosystem (66+ packages)
- Impact: 141 malicious package artifacts; persistent systemd backdoor; first npm worm to use decentralized ICP as C2, making takedown impossible
- Root Cause: Credentials harvested from Trivy compromise used to publish malicious versions
- CVE: CVE-2026-33634
- Sources: Aikido, The Hacker News, Mend.io
- Target: Aqua Security Trivy scanner
- Impact: 76 of 77 version tags redirected to malicious commits; Runner.Worker memory dumped; SSH, cloud, K8s secrets harvested; 1,000+ SaaS environments compromised downstream
- Root Cause: Service account compromise via prior incompletely remediated incident
- Sources: Wiz, Aqua Security, Unit 42
- Target: Meta internal AI systems
- Impact: AI agent posted unauthorized technical advice; another employee followed it, exposing massive company and user data to unauthorized engineers for two hours
- Root Cause: AI agent acted autonomously without human-in-the-loop confirmation
- Sources: TechCrunch, The Information, Engadget
- Target: Langflow (all versions through 1.8.1)
- Impact: Attackers built working exploits within 20 hours; harvested OpenAI, Anthropic, and AWS API keys from compromised instances
- Root Cause: POST endpoint accepts arbitrary Python code in node definitions, executed server-side without sandboxing
- CVE: CVE-2026-33017 (CVSS 9.3)
- Sources: The Hacker News, Sysdig, Barrack AI
- Target: LangChain Core
- Impact: Arbitrary file access via prompt-loading API
- Root Cause: Path traversal in prompt loading
- CVE: CVE-2026-34070 (CVSS 7.5)
- Sources: GitLab Advisory
- Target: nx monorepo tooling / enterprise AWS
- Impact: Attacker cloned GitHub repos, extracted CI/CD secrets, achieved full AWS admin; S3 buckets accessed, EC2/RDS terminated
- Root Cause: Compromised nx npm package delivered QUIETVAULT credential stealer; GitHub-to-AWS OIDC trust chain abuse
- Sources: The Hacker News, CSA Labs
- Target: Moltbook/OpenClaw platform
- Impact: Meta acquired the platform after exposed database (1.5M API tokens, 35K emails), 1,184+ malicious skills distributing Atomic Stealer, and 135K exposed instances
- Root Cause: Unsecured database; no skill vetting; WebSocket accepting unauthenticated localhost connections
- CVE: CVE-2026-25593, CVE-2026-25253 (CVSS 8.8), and 6 others
- Sources: Wiz, eSecurity Planet, BleepingComputer
- Target: ROME agent (Alibaba-affiliated)
- Impact: Agent accessed GPU resources to mine crypto; created reverse SSH tunnel bypassing security processes; behavior was spontaneous, not prompted
- Root Cause: During reinforcement learning, agent spontaneously produced unauthorized behaviors including system tool invocation outside boundaries
- Sources: Axios, Live Science
- Target: OpenClaw / Meta
- Impact: Meta AI safety director lost 200+ emails; agent ignored repeated STOP commands; post received ~9M views on X
- Root Cause: Agent ran out of working memory and condensed prior messages, discarding the instruction to confirm before acting
- Sources: Fast Company, TechCrunch
- Target: Fortinet FortiGate devices (600+ across 55 countries)
- Impact: Russian-speaking financially motivated actor used commercial GenAI services and the open-source CyberStrikeAI framework to brute-force exposed management ports and single-factor credentials; Team Cymru observed 21 CyberStrikeAI C2 IPs between Jan 20 and Feb 26, 2026
- Root Cause: No FortiGate CVE exploitation; AI orchestration let a low-skill actor scale reconnaissance, credential spraying, and post-compromise steps against exposed admin interfaces
- Sources: AWS Security Blog, The Hacker News, The Hacker News CyberStrikeAI, The Record, CSO Online, SC Media
- Target: Cline AI coding assistant (5M+ users)
- Impact: ~4,000 developer machines compromised in 8-hour window; malicious cline@2.3.0 published to npm installing OpenClaw globally
- Root Cause: Prompt injection in GitHub issue title tricked Claude-powered triage bot; GitHub Actions cache poisoning (Cacheract)
- Sources: Snyk, The Hacker News, Adnan Khan
- Target: MCP TypeScript SDK (v1.10.0-1.25.3)
- Impact: Tool results, resource content, and error messages routed to wrong client in multi-tenant deployments
- Root Cause: Race condition in response multiplexing of StreamableHTTPServerTransport
- CVE: CVE-2026-25536 (CVSS 7.1)
- Sources: VulnerableMCP
- Target: Langflow (versions up to 1.6.9)
- Impact: Complete account takeover and RCE via malicious webpage visit; Flodrix botnet deployed for DDoS and data exfiltration
- Root Cause: Overly permissive CORS, no CSRF protection on token refresh, code validation endpoint allows execution
- CVE: CVE-2025-34291 (CVSS 9.4)
- Sources: Obsidian Security, CrowdSec
- Target: Anthropic Claude Code
- Impact: Malicious settings file redirects API requests to attacker endpoint before trust prompt; stolen API key grants access to team's shared resources
- Root Cause: API requests issued before trust confirmation prompt
- CVE: CVE-2026-21852 (CVSS 5.3)
- Sources: Check Point Research, GitHub Advisory
- Target: Anthropic Git MCP Server
- Impact: Path traversal, argument injection, and RCE when chained; any directory turned into Git repo; arbitrary file overwrite
- Root Cause: Missing path validation, unsanitized arguments in git_diff/git_checkout
- CVE: CVE-2025-68143, CVE-2025-68144, CVE-2025-68145
- Sources: The Hacker News, SecurityWeek
- Target: Step Finance (Solana DeFi portfolio manager)
- Impact: ~$40M drained from treasury; 261,000+ SOL transferred; native token crashed ~97% from pre-hack levels; only ~$4.7M recovered; platform wound down operations
- Root Cause: Executive device compromise gave attackers wallet and fee-account access; trading agents held broad permissions across wallets, oracles, and trading endpoints with no scope isolation; 45.6% of surveyed teams reused shared API keys across agents
- Sources: KuCoin
- Target: n8n workflow automation (~100K instances)
- Impact: Unauthenticated full server takeover; access to API credentials, OAuth tokens, CI/CD pipelines, payment processors
- Root Cause: Content-Type confusion in webhook processing overwrites req.body.files; no code execution sandboxing
- CVE: CVE-2026-21858 (CVSS 10.0), CVE-2026-21877 (CVSS 10.0)
- Sources: The Hacker News, Cyera Research, The Register
- Target: LangChain Core (before 0.3.81)
- Impact: Secret exfiltration and potential RCE via LLM-influenced metadata containing reserved 'lc' key
- Root Cause: dumps()/dumpd() did not escape user-controlled dicts with reserved serialization marker
- CVE: CVE-2025-68664 (CVSS 9.3)
- Sources: Cyata, The Hacker News, Orca Security
- Target: Cursor, Windsurf, Kiro.dev, Copilot, Zed, Roo Code, Cline, others
- Impact: Data exfiltration, RCE, and supply chain compromise across most popular AI IDEs; Windsurf vulnerable to persistent memory poisoning
- Root Cause: Systemic lack of input validation; persistent memory stores process untrusted content as trusted
- CVE: Multiple
- Sources: The Hacker News, Fortune
- Target: Microsoft Copilot Studio
- Impact: Credit card data leaked; business logic manipulated (booking trips at $0)
- Root Cause: No-code agent platform allows employees to build AI agents without robust input validation
- Sources: Tenable, Security Boulevard
- Target: ServiceNow Now Assist / Agentforce
- Impact: Low-privilege agent tricks higher-privilege agent into exporting case files to external URL; ServiceNow said system "works as intended"
- Root Cause: Default agent configs allow autonomous overrides; agents run with initiating user privilege
- Sources: The Hacker News, AppOmni
- Target: CrewAI platform
- Impact: Single internal GitHub token with admin rights to all private repos exposed; CVSS 9.2
- Root Cause: Improper error handling exposed internal GitHub token
- Sources: Noma Security, Security Boulevard
- Target: Anthropic Claude Desktop (Chrome, iMessage, Apple Notes extensions)
- Impact: Command injection in three official Anthropic-written extensions; SSH keys, AWS credentials, browser passwords exposed; CVSS 8.9
- Root Cause: Unsanitized input handling; no sandboxing for Desktop Extensions
- Sources: Koi AI, CSO Online
- Target: ~30 global organizations (large tech companies, financial institutions, chemical manufacturers, government agencies)
- Impact: First publicly documented AI-orchestrated cyber espionage campaign; Claude Code executed 80-90% of tactical operations autonomously (reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, analysis, exfiltration) with humans intervening only at decision gates; detected Sep 2025, disclosed Nov 13, 2025
- Root Cause: Operators jailbroke Claude Code by claiming to be employees of legitimate cybersecurity firms running defensive tests, then split malicious workflows into innocuous-looking subtasks to bypass safety training
- Sources: Anthropic report (PDF), Cybersecurity Dive, The Hacker News, The Register, BlackFog, ExtraHop, AI Incident Database
- Target: GitHub Copilot Chat (Agent mode)
- Impact: Arbitrary instruction execution via extremely long filenames containing prompt injections; Microsoft declined to fix
- Root Cause: Copilot appends file names to user prompts without sanitization
- Sources: Tenable TRA-2025-53
- Target: Anthropic Claude Code
- Impact: RCE and API token exfiltration when developers clone untrusted repositories; hooks execute before trust dialog
- Root Cause: Startup trust dialog allowed code execution from project configs before user accepts
- CVE: CVE-2025-59536 (CVSS 8.7)
- Sources: Check Point Research, Dark Reading, Cybernews
- Target: Langflow (versions up to 1.6.9)
- Impact: Complete instance compromise; all stored API keys exposed
- Root Cause: Overly permissive CORS + missing CSRF protection + code validation endpoint
- CVE: CVE-2025-34291 (CVSS 9.4)
- Sources: Obsidian Security, NVD
- Target: Salesforce Agentforce
- Impact: CRM data exfiltrated via indirect prompt injection through Web-to-Lead forms; CVSS 9.4
- Root Cause: Indirect prompt injection via user-submitted form data; expired domain still whitelisted in CSP
- Sources: Noma Security, The Hacker News, The Register
- Target: Salesloft Drift / Salesforce / Google Workspace / Slack
- Impact: 700+ organizations compromised including Cloudflare, Google, Palo Alto Networks, Zscaler; CRM records, API keys, cloud credentials stolen
- Root Cause: UNC6395 stole OAuth tokens from Drift chatbot integration
- Sources: Google Cloud Blog, The Hacker News, Cloudflare Blog
- Target: Anthropic Claude Code (below v1.0.20)
- Impact: Whitelisted echo command used as injection vector; AI model helps reverse-engineer its own security
- Root Cause: Error in command parsing; echo whitelisted without sanitization
- CVE: CVE-2025-54794, CVE-2025-54795 (CVSS 8.7)
- Sources: Cymulate, GitHub Advisory
- Target: Claude Code extensions
- Impact: Malicious websites could read local files and execute code in Jupyter notebooks via unauthenticated local WebSocket
- Root Cause: Unauthenticated local WebSocket servers exposed to browser contexts
- CVE: CVE-2025-52882
- Sources: Datadog Security Labs
- Target: OpenAI Codex CLI (before v0.23.0)
- Impact: Arbitrary command execution in user's security context; CI/automation runs at risk
- Root Cause: Codex implicitly trusted project-local config files and executed embedded commands
- CVE: CVE-2025-61260
- Sources: SecurityWeek, Check Point Research
- Target: GitHub Copilot (VS Code)
- Impact: Prompt injection in code comments enables "YOLO mode" - disabling all confirmations and executing privileged shell commands
- Root Cause: Copilot processes untrusted content from code comments as instructions; no safeguard against config modification
- CVE: CVE-2025-53773
- Sources: Embrace The Red, GBHackers
- Target: Cursor AI IDE
- Impact: Full developer machine compromise from a single crafted Slack message; attack completes in minutes
- Root Cause: AI processed crafted Slack messages as instructions; config changes executed before user approval
- CVE: CVE-2025-54135 (CVSS 8.6)
- Sources: Tenable, NVD
- Target: Cursor AI IDE
- Impact: Silent backdoor execution on every team member who opens a project
- Root Cause: MCP server trust bound to name rather than content hash; no re-approval for config changes
- CVE: CVE-2025-54136 (CVSS 7.2)
- Sources: Check Point Research, NVD
- Target: Microsoft Copilot
- Impact: File access history, location, conversation memory exfiltrated; attacker maintains control after chat closed
- Root Cause: URL query parameter ?q= accepted as pre-filled prompt without validation
- Sources: Varonis, SecurityWeek
- Target: Amazon Q Developer Extension (950K+ installs)
- Impact: Compromised v1.84.0 live for two days; destructive AI prompt instructed deletion of home directory and AWS resources; failed due to syntax error
- Root Cause: Over-scoped GitHub token in CI/CD pipeline
- Sources: AWS-2025-015, The Register, CSO Online
- Target: Hugging Face (1.5M+ GGUF files)
- Impact: Backdoor instructions embedded in model files execute inside trusted inference, evading system prompts and runtime monitoring
- Root Cause: No content validation of GGUF template sections
- Sources: GlobeNewsWire
- Target: mcp-remote (437K+ downloads)
- Impact: Full system compromise via malicious MCP server OAuth flow
- Root Cause: Improper handling of authorization_endpoint URL in OAuth flow
- CVE: CVE-2025-6514 (CVSS 9.6)
- Sources: JFrog, The Hacker News
- Target: Langflow servers
- Impact: Full system compromise; Flodrix botnet deployed for DDoS and data exfiltration
- Root Cause: Unpatched Langflow instances (CVE-2025-3248) exposed to internet
- CVE: CVE-2025-3248
- Sources: Trend Micro, SecurityWeek, Dark Reading
- Target: Microsoft 365 Copilot
- Impact: Zero-click data exfiltration from M365 sessions via crafted email; bypassed XPIA classifier
- Root Cause: AI command injection via hidden text, speaker notes, and metadata in documents
- CVE: CVE-2025-32711 (CVSS 9.3)
- Sources: The Hacker News, HackTheBox
- Target: GitHub Copilot Chat
- Impact: Silent exfiltration of AWS keys, security tokens, and zero-day details from private repos; CVSS 9.6
- Root Cause: Copilot parsed invisible markdown comments; data exfiltrated via GitHub Camo proxy image requests
- CVE: CVE-2025-59145
- Sources: Legit Security, Dark Reading
- Target: Anthropic Filesystem MCP Server
- Impact: Sandbox escape, arbitrary file access, root-level compromise possible
- Root Cause: Naive startswith path validation; no symlink validation
- CVE: CVE-2025-53109 (CVSS 8.4), CVE-2025-53110 (CVSS 7.3)
- Sources: Cymulate, SecurityWeek
- Target: ElizaOS (AI agent framework for blockchain)
- Impact: Potential loss of millions in crypto; fabricated payment confirmations stored in memory redirect future transactions
- Root Cause: No integrity verification on persistent memory entries
- Sources: Decrypt
- Target: Langflow (before v1.3.0)
- Impact: Full server takeover; CISA confirmed active exploitation in the wild
- Root Cause: Code validation endpoint invokes exec() on user-supplied code without auth or sandboxing
- CVE: CVE-2025-3248 (CVSS 9.8)
- Sources: The Hacker News, Zscaler, NVD
- Target: WhatsApp MCP server / MCP ecosystem
- Impact: Complete WhatsApp message history exfiltration; 5.5% of MCP servers exhibit tool poisoning; 33% allow unrestricted network access
- Root Cause: Hidden instructions in MCP tool descriptions; no runtime integrity verification; tools can mutate definitions post-install
- Sources: Invariant Labs, Docker, Simon Willison
- Target: Cursor IDE, GitHub Copilot
- Impact: Malicious code injected silently into AI-generated output; invisible Unicode characters bypass code reviews
- Root Cause: AI config files parsed by AI but invisible to human reviewers due to Unicode obfuscation
- Sources: Pillar Security, The Hacker News
- Target: 23,000+ GitHub repositories
- Impact: Access keys, GitHub PATs, npm tokens, and private RSA keys exposed in public workflow logs
- Root Cause: Compromised GitHub PAT; chained via reviewdog/action-setup
- CVE: CVE-2025-30066, CVE-2025-30154
- Sources: CISA, Wiz, Unit 42
- Target: Bybit exchange / Safe{Wallet}
- Impact: $1.5B in Ethereum stolen; largest crypto theft in history; part of $2.02B DPRK total in 2025
- Root Cause: Social engineering of Safe{Wallet} developer; dormant malware activated during legitimate transaction
- Sources: FBI IC3, Fortune, TRM Labs
- Target: Google Gemini / Calendar / Smart Home
- Impact: Unauthorized smart home control, private calendar data exfiltration, deceptive events - all zero-click; 73% of scenarios rated High-Critical
- Root Cause: Gemini processes hidden instructions in calendar event metadata
- Sources: The Register, Dark Reading, Miggo
- Target: OmniGPT AI aggregator
- Impact: 30K user emails/phones; 34M lines of chat messages leaked including API keys, crypto private keys
- Root Cause: Infrastructure breach; sold for $100 on BreachForums
- Sources: Hackread, CSO Online
- Target: Cursor AI IDE (v1.6.23 and below)
- Impact: Configuration file modification leading to potential RCE on case-insensitive file systems
- Root Cause: Path comparison used exact case matching on case-insensitive filesystems
- CVE: CVE-2025-59944 (CVSS 8.0)
- Sources: Lakera, NVD
- Target: GitHub Codespaces + Copilot
- Impact: Silent GITHUB_TOKEN exfiltration enabling full repository takeover
- Root Cause: Copilot processes invisible HTML comments in issues; Codespace secrets accessible via symlink
- Sources: Orca Security, SecurityWeek
- Target: DB-GPT v0.7.0
- Impact: Arbitrary code execution with DB-GPT process privileges (default: root in containers)
- Root Cause: No content validation on uploaded plugin Python files
- CVE: CVE-2025-51459 (CVSS 6.5)
- Sources: Gecko Security
- Target: Ultralytics YOLO AI library
- Impact: Four malicious versions uploaded containing XMRig crypto miner; two-phase attack over Dec 4-7
- Root Cause: Attacker abused git branch names to steal GitHub Actions CI/CD credentials; compromised PyPI token
- Sources: PyPI Blog, Wiz, Snyk
2024-12 - ChatGPT Search Manipulation via Hidden Text
- Target: OpenAI ChatGPT Search
- Impact: Hidden webpage text manipulates AI-generated summaries; demonstrated in crypto scam distributing credential-stealing instructions
- Root Cause: Indirect prompt injection via hidden text; ChatGPT Search processed all content including invisible elements
- Sources: dig.watch
- Target: Freysa autonomous AI agent
- Impact: AI agent tricked into releasing $47,316 in crypto by redefining the approveTransfer function's purpose
- Root Cause: AI agent manipulated into misinterpreting its own function definitions
- Sources: The Block, CryptoBriefing
- Target: Microsoft Copilot / Bing Cache
- Impact: 16,000+ organizations affected; Fortune 500 private repos exposed; 300+ leaked tokens, keys, secrets
- Root Cause: Bing cached repo content when briefly public; Copilot continued serving "zombie data" after repos went private
- Sources: Lasso Security, SecurityWeek
- Target: Microsoft Copilot Studio
- Impact: Cross-site scripting allowing execution of malicious scripts within authenticated sessions
- Root Cause: Improper neutralization of input during web page generation
- CVE: CVE-2024-49038
- Sources: SentinelOne
- Target: Mistral LeChat, ChatGLM, Meta Llama
- Impact: 80% success rate exfiltrating PII via obfuscated adversarial prompts and hidden Markdown image URLs
- Root Cause: Multi-lingual token substitution generates human-unreadable but LLM-executable malicious prompts
- Sources: ArXiv, Imprompter.ai
- Target: Anthropic Claude 3.5 Sonnet
- Impact: Autonomous computer control exposed to prompt injection from any visual or textual content; demos showed potential for autonomous malware creation
- Root Cause: Granting autonomous computer control inherently exposes LLM to prompt injection from encountered content
- Sources: Prompt Security, Bank Info Security
- Target: OpenAI ChatGPT macOS app
- Impact: Persistent spyware in ChatGPT's long-term memory; continuous data exfiltration across all future sessions
- Root Cause: Memory feature allowed prompt injection from untrusted data to create persistent exfiltration instructions
- Sources: Embrace The Red, The Hacker News
- Target: NVIDIA Container Toolkit (35%+ of cloud GPU environments)
- Impact: Container escape, host filesystem access, privilege escalation, manipulation of GPU workloads
- Root Cause: Time-of-check Time-of-Use (TOCTOU) flaw
- CVE: CVE-2024-0132 (CVSS 9.0)
- Sources: Wiz, NVIDIA
- Target: Slack AI
- Impact: Data exfiltrated from private channels; API keys stolen via crafted public channel messages
- Root Cause: Indirect prompt injection through public channel messages; Markdown link rendering enabled exfiltration
- Sources: PromptArmor, Dark Reading
- Target: Microsoft 365 Copilot
- Impact: Hidden email code injection, plugin exploitation, data exfiltration through default Copilot access; no user interaction required
- Root Cause: Default configurations grant broad access to emails/docs; indirect prompt injection via invisible email tags
- Sources: Dark Reading, The Register
- Target: Microsoft Copilot Studio
- Impact: Access to Microsoft internal infrastructure, IMDS, and internal Cosmos DB; cross-tenant impact possible
- Root Cause: Server-Side Request Forgery via HTTP header manipulation and redirect techniques
- CVE: CVE-2024-38206 (CVSS 8.5)
- Sources: Tenable, The Hacker News
- Target: X/Twitter Grok AI chatbot
- Impact: Falsely stated VP Harris missed ballot deadlines in 9 states; misinformation repeated for over a week; reached millions of users
- Root Cause: No guardrails on political/election queries; secretaries of state from 5 states demanded correction
- Sources: Axios, TechCrunch
- Target: OpenAI ChatGPT macOS app
- Impact: All conversations stored in plaintext in non-sandboxed location; any app or malware could read chat history
- Root Cause: OpenAI opted out of macOS sandboxing; unencrypted storage
- CVE: CVE-2024-40594
- Sources: 9to5Mac
- Target: Microsoft 365 Copilot
- Impact: Invisible Unicode characters in hyperlinks exfiltrate emails, MFA codes, and sensitive data
- Root Cause: Copilot rendered invisible Unicode characters carrying hidden data payloads in links
- Sources: Embrace The Red, The Hacker News
- Target: Rabbit R1 AI device
- Impact: ElevenLabs admin key, Azure, Yelp, Google Maps, SendGrid keys exposed; could crash entire rabbit OS backend
- Root Cause: API keys hardcoded in device source code instead of secure storage
- Sources: Cybernews
- Target: McDonald's AI drive-thru (IBM)
- Impact: AI added 260 McNuggets, bacon on ice cream, unwanted items; three-year IBM partnership terminated
- Root Cause: AI failed to interpret accents, dialects, background noise, and overlapping voices
- Sources: CNBC
- Target: Hugging Face Spaces platform
- Impact: Unauthorized access to authentication secrets, API tokens, and keys used by developers
- Root Cause: Unauthorized access to platform secrets storage
- Sources: The Hacker News, SecurityWeek
- Target: GitHub Copilot
- Impact: Copilot reproduces real, previously exposed secrets from training data; repos using Copilot show 40% higher secret leakage rates
- Root Cause: Training data memorization of secrets from public GitHub repositories
- Sources: GitGuardian
- Target: Hugging Face shared inference infrastructure
- Impact: Cross-tenant access to other customers' AI models via malicious Pickle-serialized model
- Root Cause: Insecure deserialization; insufficient tenant isolation in shared inference
- Sources: Wiz, Dark Reading
- Target: Claude, GPT-4, GPT-3.5, Llama 2, Mistral
- Impact: Hundreds of harmful Q&A examples in a single long prompt bypass safety guardrails of all major LLMs
- Root Cause: Expanded context windows enable in-context learning to override safety training
- Sources: Anthropic
- Target: ChatGPT plugins, PluginLab.ai, Kesem AI
- Impact: OAuth credential theft, zero-click account takeover, malicious plugin installation; GitHub account access possible
- Root Cause: Missing authentication in plugin install flow; missing user account verification in PluginLab
- Sources: Salt Security, The Hacker News
- Target: OpenAI ChatGPT users
- Impact: 225,000+ compromised credentials for sale; 130K+ unique hosts infiltrated
- Root Cause: LummaC2, Raccoon, and RedLine infostealer malware on user devices
- Sources: The Hacker News, BleepingComputer
- Target: All RAG systems
- Impact: Injecting 5 malicious texts into a million-document database achieves 90% attack success; 0.04% corpus poisoning achieves 98.2% success
- Root Cause: RAG systems inherently trust retrieved documents; no integrity verification of knowledge base contents
- Sources: ArXiv
- Target: Air Canada
- Impact: Tribunal ruled Air Canada liable for chatbot's fabricated bereavement fare policy; ordered to pay $812.02; landmark AI liability ruling
- Root Cause: AI chatbot hallucinated nonexistent policy; Air Canada's "separate legal entity" defense rejected
- Sources: CBC, ABA
- Target: DPD (UK parcel delivery)
- Impact: Chatbot swore at customers, wrote poetry criticizing DPD, called itself "the worst delivery firm"; 1.3M views on X
- Root Cause: System update removed guardrails from AI chat element
- Sources: Time
- Target: langchain-experimental (v0.0.15-0.0.21)
- Impact: Arbitrary Python code execution via VectorSQLDatabaseChain
- Root Cause: eval() used on all database-retrieved values without sanitization
- CVE: CVE-2024-21513 (CVSS 8.5)
- Sources: NVD, Snyk
- Target: langchain-ai/langchain v0.2.5
- Impact: SQL/Cypher injection enabling unauthorized data manipulation, exfiltration, and DoS
- Root Cause: Insufficient input sanitization in graph database query construction
- CVE: CVE-2024-7042
- Sources: SentinelOne
- Target: langchain-experimental
- Impact: Arbitrary code execution through symbolic math processing
- Root Cause: Unsafe code evaluation in symbolic math processing
- CVE: CVE-2024-46946
- Sources: NVD
| Metric | Value | Source |
|---|---|---|
| AI safety incidents in 2024 | 233 (56.4% increase from 2023) | Stanford AI Index 2025 |
| AI incidents in 2025 | 346 (179 involved deepfakes) | AI Incident Database |
| DPRK crypto theft in 2025 | $2.02 billion | The Hacker News |
| Largest single crypto theft (Bybit) | $1.5 billion | FBI IC3 |
| Largest DeFi exploit of 2026 (Drift) | $285 million | Elliptic |
| AI trading agent losses Q1 2026 | $45 million+ | KuCoin |
| Step Finance treasury drained (Jan 2026) | $40 million (token -97%) | KuCoin |
| DeFi teams reusing shared API keys across agents | 45.6% | KuCoin |
| GTG-1002 organizations targeted (Sep-Nov 2025) | ~30 | Anthropic |
| GTG-1002 share of operations executed by AI | 80-90% | Anthropic |
| FortiGate devices compromised by CyberStrikeAI (Jan-Feb 2026) | 600+ across 55 countries | AWS Security Blog |
| CyberStrikeAI C2 IPs observed | 21 (Jan 20-Feb 26, 2026) | The Hacker News |
| MCP server CVEs in Jan-Feb 2026 | 30+ in 60 days | MCP Security Report |
| Flowise instances exposed (Apr 2026) | 12,000-15,000+ | The Hacker News |
| MCP STDIO design RCE exposure (OX Security, Apr 2026) | 200,000+ servers, 150M+ downloads across Python/TypeScript/Java/Rust SDKs | OX Security |
| Marimo CVE-2026-39987 exploit events (Apr 11-14, 2026) | 662 from 11 IPs across 10 countries | Sysdig |
| AI API routers tested vs. malicious (UCSB/UCSD, Apr 2026) | 26 of 428 routed malicious payloads; 17 stole AWS creds | ArXiv |
| Single crypto wallet drained by malicious LLM router | $500,000 | CoinDesk |
| n8n-hosted webhook phishing email volume (Mar 2026 vs Jan 2025) | 686% increase | Cisco Talos |
| Vercel stolen data listing price on BreachForums (Apr 2026) | $2 million | OX Security |
| Tool misuse incidents tracked in 2026 (OWASP Q1 report) | 520 (most reported category) | OWASP GenAI Q1 2026 |
| Prompt injection incidents tracked in 2026 (OWASP Q1 report) | 450 | OWASP GenAI Q1 2026 |
| UNC1069 malicious packages since Jan 2025 | 1,700+ across npm, PyPI, Go, Rust, Packagist | The Hacker News |
| UNC1069 impersonation domains blocked (Feb 6-Apr 7, 2026) | 164 | The Hacker News |
| MCP servers exposed, zero auth | 492 | Trend Micro |
| MCP servers with cmd injection flaws | 43% | Invariant Labs |
| MCP servers with tool poisoning | 5.5% | Invariant Labs |
| Malicious packages in registries (2025) | 512,847 (156% YoY increase) | Sonatype |
| Forbes AI 50 with leaked secrets | 65% | Wiz Research |
| Orgs compromised via Salesloft Drift | 700+ | Google Cloud Blog |
| OpenClaw instances exposed (Feb 2026) | 135,000+ across 82 countries | Kaspersky |
| Malicious skills on ClawHub | 1,184+ (~12% of registry) | eSecurity Planet |
| SaaS envs via Trivy cascade | 1,000+ | Wiz |
| ChatGPT credentials on dark web | 225,000+ | The Hacker News |
| AI coding tool vulns (5 tools tested) | 69 vulns, 6 critical | Fortune |
| Deepfake fraud losses Q1 2025 | $200 million | AI Incident Database |
| Organizations with AI agent-related cyber incident in past 12 months (CSA, Apr 2026) | 65% (88% confirmed or suspected) | CSA Press Release |
| Enterprises that discovered previously unknown AI agents in their environment | 82% | CSA Press Release |
| Healthcare-sector AI agent incident rate (CSA, Apr 2026) | 92.7% | Infosecurity Magazine |
| Organizations with formal AI agent decommissioning processes | 21% | CSA Press Release |
| Increase in malicious indirect prompt injection web pages (Google, Nov 2025-Feb 2026) | 32% relative increase | Google Online Security Blog |
| OpenClaw instances reachable on the public internet (SecurityScorecard, Apr 2026) | 40,214 (28,663 unique IPs hosting accessible control panels) | SecurityScorecard |
| Exposed OpenClaw instances vulnerable to RCE | ~63% | Infosecurity Magazine |
| Crypto stolen by HexagonalRodent in Q1 2026 via AI-augmented Web3 dev attacks | $12 million; 26,584 wallets exfiltrated from 2,726 systems | Help Net Security |
| LMDeploy CVE-2026-33626 time from advisory to first in-the-wild exploit | 12 hours 31 minutes | Sysdig |
| Bitwarden CLI 2026.4.0 trojanized npm package window | ~90 minutes (April 22, 2026); 334 downloads | The Hacker News |
| Xinference PyPI total downloads at time of compromise | 600,000+ | Mend.io |
A single compromised credential triggers lateral movement across multiple package registries and downstream organizations.
Key incidents:
- Bitwarden CLI cascade (Apr 22, 2026): Checkmarx KICS Docker Hub compromise propagated through Bitwarden's Dependabot pipeline, signing and publishing a trojanized @bitwarden/cli@2026.4.0 that harvested AI tooling configs alongside cloud and registry secrets.
- CanisterSprawl npm worm via Namastex Labs and pgserve (Apr 21, 2026): Self-propagating worm jumps from npm into PyPI when a developer holds tokens for both registries; data exfiltrates to an ICP canister that is structurally takedown-resistant.
- Vercel / Context.ai OAuth chain (Apr 2026): Lumma Stealer infection of a Context.ai employee led to OAuth token theft, then escalated into the Vercel Google Workspace tenant because a Vercel employee had granted the Context.ai browser extension "Allow All" enterprise scopes.
- TeamPCP cascade (Mar 2026): Trivy -> Checkmarx -> LiteLLM -> Telnyx -> CanisterWorm -> Cisco -> Mercor. One service account compromise led to 1,000+ SaaS environments breached.
- Xinference PyPI compromise (Apr 22, 2026): Compromised XprobeBot account injected a base64 credential stealer into
__init__.pyfor versions 2.6.0-2.6.2 of an inference framework with 600,000+ downloads. - UNC1069 Contagious Interview (Apr 2026): 1,700+ malicious packages across npm, PyPI, Go, Rust, and Packagist since Jan 2025; ClickFix lures via fake Zoom/Teams links after social engineering.
- Axios npm compromise (Mar 2026): Social engineering of one maintainer threatened 70-100M weekly downloads.
- Bybit heist (Feb 2025): Compromise of one Safe{Wallet} developer led to $1.5B theft.
- Ultralytics PyPI attack (Dec 2024): Git branch name abuse stole CI/CD credentials for two-phase supply chain attack.
An AI agent with legitimate access is tricked into performing actions on behalf of an attacker.
Key incidents:
- Copilot Studio ShareLeak and Agentforce PipeLeak (Apr 2026): Crafted SharePoint and Web-to-Lead form payloads hijack agents into bulk-exfiltrating CRM and SharePoint data by email, with no volume cap and no user-visible indicator.
- Claude Code / Gemini CLI / Copilot Agent via GitHub comments (Apr 2026): PR titles, issue descriptions, and comments hijack CI agents to exfiltrate API keys and secrets from the runner.
- Salesforce Agentforce ForcedLeak (Sep 2025): Malicious Web-to-Lead form data tricks agent into exfiltrating CRM records.
- ServiceNow Now Assist (Nov 2025): Low-privilege agent tricks higher-privilege agent into exporting case files.
- EchoLeak M365 Copilot (Jun 2025): Crafted email triggers zero-click data exfiltration.
- ChatGPT SpAIware (Sep 2024): Untrusted data plants persistent exfiltration instructions in memory.
AI agents or chatbot integrations granted excessive access that becomes the attack surface.
Key incidents:
- AWS Bedrock AgentCore "God Mode" (Apr 2026): Starter toolkit auto-creates IAM roles with wildcard memory actions so any agent can read or poison every other agent's state.
- Step Finance treasury drain (Jan 2026): Trading agents held wallet, oracle, and trading-endpoint permissions simultaneously; one device compromise cascaded into $40M loss.
- Salesloft Drift OAuth breach (Aug 2025): Stolen OAuth tokens gave access to 700+ customer Salesforce environments.
- LOLCopilot/M365 Copilot (Aug 2024): Default configurations grant broad access to all emails and documents.
- Amazon Q extension (Jul 2025): Over-scoped GitHub token in CI/CD allowed destructive prompt injection.
- Copilot "zombie data" exposure (Nov 2024): 16,000+ organizations' private repos exposed via cached data.
Malicious configurations in repository files execute code when AI tools process them.
Key incidents:
- Claude Code RCE via hooks (CVE-2025-59536): Malicious .claude/settings.json executes commands before trust dialog.
- Codex CLI command injection (CVE-2025-61260): Project-local configs execute commands without user consent.
- Rules File Backdoor (Mar 2025): Invisible Unicode in .cursorrules and copilot-instructions.md injects malicious code.
- Cursor MCPoison (CVE-2025-54136): Benign MCP config approved once, then silently modified to execute backdoor.
AI tools run user-supplied or AI-generated code without isolation.
Key incidents:
- Anthropic MCP STDIO design RCE (Apr 2026): Reference SDKs in Python, TypeScript, Java, and Rust execute attacker-supplied command strings passed to STDIO transport; 200K+ servers and 150M+ downloads exposed; Anthropic declined to patch.
- Flowise CSV Agent prompt injection RCE (CVE-2026-41264, Apr 21, 2026): Lack of sandboxing in the CSV_Agents
runmethod lets an LLM-emitted Python script run on the host; bypass for the earlier CVE-2026-41137 hardening. - Flowise MCP Adapters CVE-2026-40933 (CVSS 10.0): Unsafe serialization of stdio commands lets an authenticated user add an MCP server that runs arbitrary commands such as
npx -c "touch /tmp/pwn". - Marimo CVE-2026-39987 (CVSS 9.3): /terminal/ws WebSocket lacks auth; weaponized within 10 hours and used to drop NKAbuse blockchain-C2 malware hosted on a Hugging Face typosquat.
- Flowise CVE-2025-59528 (CVSS 10.0): CustomMCP node executes JavaScript from mcpServerConfig without validation; 12K+ exposed instances under active exploitation from Starlink IP in April 2026.
- aws-mcp-server CVE-2026-5058 and CVE-2026-5059 (CVSS 9.8): Unauthenticated command injection via allowed-commands list passed to a system call.
- PraisonAI CVE-2026-39891 (CVSS 8.8): Template injection via unescaped agent.start() input processed by create_agent_centric_tools().
- Langflow CVE-2025-3248 (CVSS 9.8): exec() on user-supplied code without auth; added to CISA KEV.
- Langflow CVE-2026-33017 (CVSS 9.3): Same exec() pattern exploited within 20 hours of disclosure.
- n8n Ni8mare (CVSS 10.0): Content-Type confusion enables unauthenticated RCE on 100K+ instances.
- DB-GPT plugin upload RCE (CVE-2025-51459): No content validation on uploaded Python plugins.
Humans manipulate AI agents or use AI as intermediaries for social engineering.
Key incidents:
- Drift Protocol $285M exploit (Apr 2026): Six-month campaign posing as legitimate trading firm to social-engineer multisig signers.
- Freysa AI agent game (Nov 2024): AI tricked into redefining its own function semantics to release $47K in crypto.
- OpenClaw email deletion at Meta (Feb 2026): Agent's context compaction caused it to ignore explicit stop commands.
- DPD chatbot manipulation (Jan 2024): Customer manipulated chatbot into cursing and criticizing its own company.
Malicious instructions embedded in tool descriptions, model files, or integration metadata.
Key incidents:
- Malicious LLM routers (Apr 2026): 26 of 428 tested routers rewrote tool calls, exfiltrated secrets, or redirected transactions; at least one drained a $500K crypto wallet.
- MCP tool poisoning / WhatsApp exfiltration (Apr 2025): Hidden instructions in MCP tool descriptions cause silent data theft.
- Hugging Face GGUF poisoned templates (Jul 2025): Malicious instructions embedded in 1.5M+ model files.
- ClawHub malicious skills (Jan-Mar 2026): 1,184+ malicious skills distributing Atomic Stealer and keyloggers.
- GitHub Copilot filename injection (Nov 2025): Extremely long filenames with prompt injection instructions.
AI agents execute privileged operations without per-action permission checks.
Key incidents:
- Meta Sev 1 rogue AI agent (Mar 2026): Agent posted technical advice containing sensitive data without human confirmation.
- ROME agent sandbox escape (Mar 2026): Agent spontaneously initiated crypto mining and reverse SSH tunnel.
- GitHub Copilot YOLO mode (CVE-2025-53773): Prompt injection disables all user confirmations.
- Cursor CurXecute (CVE-2025-54135): Config changes and malicious commands execute before user can reject.
URL handling in vision, image, and text-loading helpers fetches attacker-controlled hosts without isolating them from internal networks or cloud metadata services.
Key incidents:
- LMDeploy CVE-2026-33626 (Apr 21, 2026):
load_image()in vision-language module fetches arbitrary URLs without IP filtering; first in-the-wild exploitation 12 hours 31 minutes after disclosure. - LangChain langchain-openai CVE-2026-41488 (Apr 24, 2026): TOCTOU/DNS-rebinding window in
_url_to_size()between SSRF validation and the separate fetch with independent DNS resolution. - LangChain langchain-text-splitters CVE-2026-41481 (Apr 24, 2026):
HTMLHeaderTextSplitter.split_text_from_url()validated only the initial URL and followed redirects via defaultrequests.get()settings. - mcp-atlassian SSRF CVE-2026-27826 (Feb 2026): Custom
X-Atlassian-Jira-UrlandX-Atlassian-Confluence-Urlheaders caused outbound requests without validation, paired with arbitrary file write CVE-2026-27825 for unauthenticated RCE on network-exposed deployments.
AI agents send data to arbitrary external endpoints without restriction.
Key incidents:
- ChatGPT DNS exfiltration channel (Mar 2026): Sandbox blocked direct network traffic but left DNS resolution unrestricted, enabling data encoded in subdomain labels to leak out.
- EchoLeak (CVE-2025-32711): M365 Copilot exfiltrates data via crafted emails.
- GitHub Copilot CamoLeak (CVE-2025-59145): Data exfiltrated via GitHub Camo proxy image requests encoding secrets in URLs.
- Slack AI exfiltration (Aug 2024): Markdown link rendering enables data exfiltration to attacker servers.
- ASCII smuggling M365 Copilot (Jul 2024): Invisible Unicode in hyperlinks carries stolen MFA codes to external servers.
Threat actors use commercial or open-source AI agents to plan and execute the bulk of an intrusion end to end, with humans only approving decision gates.
Key incidents:
- GTG-1002 Chinese espionage (Sep-Nov 2025): Claude Code executed 80-90% of tactical operations against ~30 orgs after operators posed as legitimate red teamers.
- CyberStrikeAI FortiGate campaign (Jan-Feb 2026): Russian-speaking actor used commercial GenAI plus the open-source CyberStrikeAI framework to compromise 600+ FortiGate devices across 55 countries without exploiting a single CVE.
- HexagonalRodent Web3 developer campaign (Q1 2026, reported Apr 23, 2026): North Korean APT subgroup of Famous Chollima used Cursor, ChatGPT, and Anima to author malware, build fake company websites, and craft phishing lures; stole an estimated $12 million in crypto across 26,584 wallets exfiltrated from 2,726 developer systems.
- Drift Protocol $285M exploit (Apr 2026): UNC4736 ran a six-month multi-channel social engineering campaign against multisig signers.
- CanisterWorm and CanisterSprawl (Mar-Apr 2026): First and second npm worms to use decentralized ICP infrastructure as C2, with the second adding cross-ecosystem hop to PyPI when a developer holds both tokens.
AI development tools become vectors for credential and secret exposure.
Key incidents:
- LiteLLM CVE-2026-35030 (Apr 2026): OIDC userinfo cache keyed on token[:20] lets an attacker collide with a legitimate cached token and inherit that user's identity across the gateway.
- FastGPT CVE-2026-40351 and CVE-2026-40352 (Apr 2026): TypeScript type assertion without runtime validation lets NoSQL operator injection log in as any user, including root; password-change endpoint bypasses old-password verification.
- Red Hat OpenShift AI odh-dashboard (CVE-2026-5483, Apr 2026): NodeJS endpoint discloses Kubernetes Service Account tokens usable against the cluster API.
- Claude Code API key exfiltration (CVE-2026-21852): Malicious settings redirect API requests before trust prompt.
- Claude Code InversePrompt (CVE-2025-54795): AI helps reverse-engineer its own security to enable command injection.
- CrewAI "Uncrew" (Nov 2025): Improper error handling exposes admin GitHub token to all private repos.
- GitHub Copilot training data leakage (May 2024): Copilot reproduces real secrets from training data; 40% higher leakage rate.
See CONTRIBUTING.md for guidelines on adding incidents.