Lead dispatch · top current threat
First reported 23 Jun 2026 · 3d ago
Security firm AIR built a fake AI agent skill and distributed it via a popular skill marketplace and an Instagram ad, reportedly reaching roughly 26,000 agents including some on corporate accounts. Every skill security scanner tested marked it safe, though the payload was harmless by design and only collected the user's email address.
supply-chain · malicious-agent-skill · data-exfiltration
ai-agents
The wire · latest
First reported 23 Jun 2026 · 4d ago
Snyk analyzed nearly 10,000 developer environments to examine risks introduced by AI coding agents as a new layer in the software supply chain, highlighting issues around tools, instructions, and permissions in agentic development.
Incident details →First reported 22 Jun 2026 · 4d ago
Research by Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell shows LLMs cannot reliably distinguish privileged system/assistant text from untrusted user input, and weigh writing style over content. Crafting injected text in the style of internal reasoning blocks ('role confusion') enabled jailbreaks, with attack success at 61% that dropped to 10% when text was 'destyled.'
Incident details →First reported 22 Jun 2026 · 4d ago
Researchers at Zafran Security disclosed four vulnerabilities, collectively codenamed DifyTap, in the open-source agentic workflow platform Dify that could allow unauthenticated attackers to stealthily read AI conversations from other customers' applications across tenants.
Incident details →First reported 19 Jun 2026 · 7d ago
Microsoft researchers detailed an exploit chain called AutoJack that hijacks an AI browsing agent to achieve host code execution. By steering the agent to load an attacker's web page, the page's JavaScript reaches a privileged local service and spawns a process on the host with no credentials or further user interaction.
Incident details →First reported 18 Jun 2026 · 8d ago
aicu is an open-source black-box security scanner for LLM applications that tests for prompt injection, safety bypass, and credential leakage. It ships with 173 payloads across seven test suites and a full-scan CLI command.
Incident details →First reported 16 Jun 2026 · 11d ago
deep-xpia is a benchmark of multi-hop cross-prompt injection (DXPIA) across delegated agent boundaries, with 300 live-measured cases and 8 attack patterns showing 69% land undefended and 12% even with all defenses. It highlights registry injection at tool-discovery (DXPIA-008) entering upstream of all 5 stacked defenses and maps patterns to documented Copilot incidents like EchoLeak.
Incident details →First reported 15 Jun 2026 · 11d ago
A black-box prompt injection susceptibility assessment of GPT-5 Nano using the IPI Taxonomy v0.13 across 201 analyzed test cases, reporting a 38.3% overall susceptibility rate. The model was fully resistant to surface-level attacks (CSS concealment, HTML cloaking, SEO phishing, RAG corpus poisoning) but highly vulnerable to recursive instruction framing (100%) and MCP tool description poisoning (80%).
Incident details →First reported 15 Jun 2026 · 11d ago
A PDF research paper hosted on GitHub titled 'On the Impossibility of Perfect Universal Guardians Against LLM Jailbreaks,' which argues about the theoretical limits of defending LLMs against jailbreak attacks. Only repository metadata is available; the actual technical content is not included in the provided text.
Incident details →First reported 15 Jun 2026 · 11d ago
A vendor blog catalogs ten basic prompt injection techniques including context ignoring, fake completion, payload splitting, token smuggling via Base64, few-shot poisoning, defined dictionary attacks, virtualization (grandma trick), DAN jailbreak personas, indirect injection through fetched content, and markdown-image data exfiltration. Each uses a harmless 'I am a sandwich' test string to demonstrate success.
Incident details →First reported 11 Jun 2026 · 15d ago
Trend Micro's TrendAI Research describes a new agentic-AI exploitation pattern they call return-to-tool (RTT) exploits, where embedded instructions in benign-looking untrusted input cause an AI agent to invoke its authorized tools to perform attacker-intended actions such as exfiltrating production database credentials. The research notes a vulnerable PostgreSQL MCP server image pulled over 100,000 times from Docker Hub as a realistic exposure vector.
Incident details →First reported 8 Jun 2026 · 18d ago
A technical write-up explaining how indirect prompt injection works in RAG agentic systems, where retrieved documents (Confluence pages, Jira tickets, HR docs) land in the model's context with no trust boundary, allowing a single poisoned document to manipulate agent behavior and exfiltrate sensitive data. Includes a demonstration repository and production mitigation discussion.
Incident details →First reported 4 Jun 2026 · 22d ago
A technical guide based on a Quito Lambda talk demonstrating how prompt injection (direct, indirect, and confused-deputy/exfiltration) can compromise LLM applications that generate SQL over a live Postgres database, using an example LLM-powered SQL analyst with a Streamlit frontend. It walks through layered defenses and what they stop or fail to stop.
Incident details →First reported 1 Jun 2026 · 25d ago
Origin researchers demonstrate how Claude Code's background sessions and undocumented supervisor daemon (introduced in recent versions) can be repurposed into a mostly invisible, persistent C2-like agent using only Markdown and JSON files after a one-time local code execution. They reverse-engineered the daemon's local IPC channel (named pipes on Windows, Unix sockets on macOS/Unix) that manages worker processes independently of the terminal lifecycle.
Incident details →First reported 1 Jun 2026 · 25d ago
An OWASP project repository, www-project-agent-memory-guard, focused on defending AI agent memory against poisoning/injection attacks, including a demo showing attack-then-block scenarios for agent memory.
Incident details →First reported 31 May 2026 · 26d ago
The author of Triagewall, a local LLM tool that classifies Suricata IDS alerts using Foundation-Sec-8B via Ollama, demonstrated an indirect prompt injection where attacker-controlled URL fields could dictate the model's verdict and confidence. A crafted URL embedding directives caused the model to return exactly the attacker-chosen classification (false_positive, 0.99), bypassing canary-token and schema-validation defenses.
Incident details →How the wire is made
Poll & cluster
Internet is crawled for AI security news and near-duplicate coverage is embedded and grouped into durable incidents.
Curate
AI Agent filters for agentic-AI relevance, tags threat-type & affected-tech, scores severity, and writes the summary.
Every item here is one machine-curated intelligence object, not a headline.
Read the wire for free. There is a small charge to ask the index questions.
The wire, open
The complete curated feed, no key required.
The vector desk
Query the index by meaning, not just keyword.