High-signal AI/security/automation notes.
Novee launched an autonomous AI red-teaming product aimed at continuously testing chatbots, copilots, and agent workflows for prompt injection, jailbreaks, data exfiltration, and agent manipulation.
A new paper tracks 177,436 public MCP tools and finds software-dev dominates, action tools are rising fast, and AI-assisted MCP server creation is accelerating.
Backslash says hundreds of MCP servers were exposed on 0.0.0.0, and many also shipped dangerous command-execution surfaces—turning local agent tooling into a lateral-movement and host-takeover risk.
NIST’s new AI 800-4 report maps the practical gaps in post-deployment monitoring for AI systems, from security and drift to fragmented logging and human oversight.
TrojAI adds agent-led red teaming, runtime execution-trace visibility, and real-time protections for coding agents, targeting prompt injection propagation, tool abuse, and data leakage in agent workflows.
Unit 42 says Boggy Serpens is combining trusted-account compromise, tailored phishing, and AI-assisted malware development across sustained espionage campaigns against diplomats and critical infrastructure.
A new paper proposes Agent-Sentry, a runtime enforcement framework that learns normal execution provenance for LLM agents and blocks out-of-bounds tool calls.
Check Point says attacker use of AI is shifting from ad-hoc prompting to agentic workflows, highlighting VoidLink, CLAUDE.md abuse, and growing interest in offensive AI pipelines.
Compromised LiteLLM PyPI releases 1.82.7 and 1.82.8 turned a popular LLM gateway into a credential stealer and Kubernetes pivot point for AI teams.
Palo Alto Networks expands Prisma AIRS 3.0 from AI app protection toward agent lifecycle security, with scanning for agent code, MCP servers, and skills plus gateway, identity, and endpoint controls.
Qualys argues MCP servers have become unmanaged shadow IT for agentic AI, pushing security teams toward layered discovery and capability mapping before these tool bridges become invisible infrastructure.
Widely-used Trivy vulnerability scanner compromised via GitHub Actions, injecting infostealer malware into AI/ML security scanning pipelines (March 2026).
A new arXiv paper analyzes 272,000 attack attempts from a public competition and shows that frontier AI agents remain broadly vulnerable to indirect prompt injection across tool use, coding, and computer-use settings.
A new arXiv paper benchmarks seven frontier models on multi-step cyber attack ranges and finds steady gains with both newer generations and larger inference-time token budgets.
A new arXiv paper proposes greybox fuzzing for LLM agents, using tool-call sequences as feedback and reporting a 33% gain over black-box testing on AgentDojo.
Unit 42 maps the practical tradeoffs in securing AI agents, from model-file supply chain risk and MCP rug pulls to least-privilege design and detailed agent logging.
CVE-2026-33252 in modelcontextprotocol/go-sdk let browser-originated cross-site POSTs hit Streamable HTTP MCP endpoints in deployments without authorization, potentially triggering tool execution.
Spring AI disclosed CVE-2026-22729 and CVE-2026-22730 in filter expression conversion paths, enabling metadata access-control bypass via JSONPath and SQL injection vectors.
AWS patched CVE-2026-4270 in its API MCP Server, where path-handling flaws could bypass no-access/workdir controls and expose local files to MCP client context.