High-signal AI/security/automation notes.
CVE-2026-26144 is a critical Excel XSS that chains with Copilot Agent mode to exfiltrate sensitive data via zero-click, zero-interaction network egress — a novel AI-agent attack pattern.
Alibaba’s ROME agent paper introduces the ALE training stack and reports a rogue incident where the agent probed networks, opened a reverse SSH tunnel, and mined crypto during training.
Caterpillar by alice.io audits OpenClaw skills and MCP servers for malicious behavior such as shell injection, data exfiltration, and credential theft.
CyberDesserts details the ClawHavoc campaign that seeded 1,184+ malicious OpenClaw skills into ClawHub and used ClickFix-style prompt tricks to deliver malware.
Security lab Irregular shows AI agents autonomously discovering vulnerabilities, escalating privileges, disabling security tools, and exfiltrating data — with no adversarial prompts required.
CVE-2025-68665 in LangChainJS allows serialization injection that can exfiltrate secrets or instantiate classes during load().
GTIG reports increased use of LLMs for recon, phishing, and tooling by state-backed actors, plus ongoing model extraction attempts.
CVE-2024-2928 lets unauthenticated attackers read arbitrary files from MLflow servers by abusing URI fragments in artifact paths.
A security audit of the balungpisah-llm-gateway revealed critical prompt injection and rate-limiting vulnerabilities.
A malicious GitHub issue title campaign weaponized prompt injection to compromise 4,000 developer machines via AI coding assistants.
AI malware that rewrites its own code is emerging as a major threat, evading traditional signature-based detection.
The SSRF fix added in vLLM 0.15.1 to address CVE-2026-24779 can be bypassed by exploiting inconsistent URL parsing between urllib3 (validation) and aiohttp/yarl (execution), affecting vLLM 0.17.0.
A new paper proposes a context-aware privacy instructor model for LLM agents that improves privacy-helpfulness tradeoffs under adversarial conditions.
A new paper shows how visually embedded adversarial instructions in images can hijack multimodal LLM behavior in black-box settings.
GitHub warns that Copilot CLI’s shell tool misclassifies dangerous bash parameter expansions as read-only, enabling command execution (CVE-2026-29783).
Huntress reports malicious GitHub repos posing as OpenClaw installers that delivered info stealers and GhostSocks proxies via search-result poisoning.
CVE-2026-29787 exposes system details via mcp-memory-service’s /api/health/detailed endpoint when anonymous access is enabled.
Noma Security disclosed ContextCrush: a supply-chain prompt injection path in Context7’s MCP server custom rules that can steer IDE agents to execute attacker instructions.