{
  "items": [
    {
      "id": "faeb812120f76b3608c51216323440b34cfa4b8e",
      "incidentId": "2ca010e31e735c09c149dc848cbccb42618b3e56",
      "title": "What happened after 2,000 people tried to hack my AI assistant",
      "summary": "Fernando Irarrázaval ran a public challenge at hackmyclaw.com inviting people to leak secrets from his OpenClaw test instance via email-based prompt injection. After roughly 6,000 attempts by ~2,000 people, nobody succeeded in extracting the secret, with the instance protected by anti-prompt-injection system rules on the underlying model.",
      "whyItMatters": "It offers real-world evidence that frontier-model injection defenses are improving, while underscoring that no number of failed attempts guarantees safety for production agents handling untrusted input.",
      "threatTypeTags": ["prompt-injection", "data-exfiltration"],
      "affectedTechTags": ["llm", "ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.92,
      "severityScore": 0.3,
      "sources": [
        {
          "sourceId": "simonwillison",
          "title": "What happened after 2,000 people tried to hack my AI assistant",
          "link": "https://simonwillison.net/2026/Jun/26/hack-my-ai-assistant/#atom-everything"
        }
      ],
      "sourceItemIds": ["4b95f76493606f79a9d62cfea8862f9946df5799"],
      "publishedAt": "2026-06-26T18:33:14.000Z",
      "firstReportedAt": "2026-06-26T18:33:14.000Z",
      "curatedAt": "2026-06-27T04:05:30.045Z",
      "itemType": "analysis"
    },
    {
      "id": "c58554a110e52329926999d43dae552d79c1db21",
      "incidentId": "18a55cf866543de3ed12261731615f8a0d3d3c03",
      "title": "Cybersecurity firms targeted by fraudulent OpenAI organization invites",
      "summary": "Threat actors are creating OpenAI tenants impersonating legitimate companies and inviting employees to join them, aiming to trick targets into submitting sensitive company information through chats and projects. Cybersecurity firms have been among those targeted.",
      "whyItMatters": "Attackers are abusing legitimate AI platform features like organization invites to harvest sensitive corporate data, turning enterprise LLM adoption into a new social-engineering vector.",
      "threatTypeTags": ["social-engineering", "data-exfiltration", "impersonation"],
      "affectedTechTags": ["llm", "openai"],
      "threatActor": null,
      "relevanceScore": 0.55,
      "severityScore": 0.45,
      "sources": [
        {
          "sourceId": "bleepingcomputer",
          "title": "Cybersecurity firms targeted by fraudulent OpenAI organization invites",
          "link": "https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/"
        }
      ],
      "sourceItemIds": ["93d6e0bae50de9a00bf6440a8655adda7f7485da"],
      "publishedAt": "2026-06-26T17:49:07.000Z",
      "firstReportedAt": "2026-06-26T17:49:07.000Z",
      "curatedAt": "2026-06-27T04:05:20.546Z",
      "itemType": "incident"
    },
    {
      "id": "e87037741c7a26d61b64c9983300ef6386e3c0f7",
      "incidentId": "9a64c1576b6e73d36607c31d47e9e549c60c0ca0",
      "title": "Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs",
      "summary": "A high-severity flaw (CVE-2026-12957, CVSS 8.5) in Amazon Q Developer's handling of Model Context Protocol (MCP) servers allowed a malicious repository to run commands and steal a developer's cloud credentials once the workspace was trusted. Amazon has patched the bug.",
      "whyItMatters": "AI coding assistants that auto-load MCP configs from untrusted repos can be turned into a credential-stealing and code-execution vector against developers.",
      "threatTypeTags": ["tool-abuse", "supply-chain", "data-exfiltration"],
      "affectedTechTags": ["mcp", "copilot", "ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.9,
      "severityScore": 0.75,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs",
          "link": "https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html"
        }
      ],
      "sourceItemIds": ["37e4789db39d621f0d5df7b3edd2ed44136dc4a5"],
      "publishedAt": "2026-06-26T13:53:00.000Z",
      "firstReportedAt": "2026-06-26T13:53:00.000Z",
      "curatedAt": "2026-06-27T04:06:02.447Z",
      "itemType": "incident"
    },
    {
      "id": "d4a6a241c6804ae389e002d19bdc92276da73e5f",
      "incidentId": "8eae9800b96d06ccc13e614ad0a79165902000ba",
      "title": "New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis",
      "summary": "A Rust-based macOS implant and information stealer dubbed Gaslight embeds prompt injection strings and fake debugging/error data within its executable to trick AI-assisted malware analysis tools into aborting or refusing analysis of the artifact.",
      "whyItMatters": "Malware now actively weaponizes prompt injection against AI-powered analysis pipelines, undermining the reliability of automated reverse-engineering and triage tools.",
      "threatTypeTags": ["prompt-injection", "anti-analysis"],
      "affectedTechTags": ["llm", "ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.9,
      "severityScore": 0.6,
      "sources": [
        {
          "sourceId": "bleepingcomputer",
          "title": "New macOS malware embeds fake errors to confuse AI analysis tools",
          "link": "https://www.bleepingcomputer.com/news/security/new-macos-malware-embeds-fake-errors-to-confuse-ai-analysis-tools/"
        },
        {
          "sourceId": "thehackernews",
          "title": "New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis",
          "link": "https://thehackernews.com/2026/06/new-gaslight-macos-malware-uses-prompt.html"
        }
      ],
      "sourceItemIds": ["d98e7cad402931425d5e6e905d48e14182779639", "704a35b102da11f6273521e4a7a081f8b0ca82e8"],
      "publishedAt": "2026-06-25T16:23:19.000Z",
      "firstReportedAt": "2026-06-25T09:23:03.000Z",
      "curatedAt": "2026-06-27T03:00:43.103Z",
      "itemType": "incident"
    },
    {
      "id": "036a4fa85a156dafae44676159d6b6ebd852f5c1",
      "incidentId": "776962509c74e3888244aca26c94615440c3a772",
      "title": "More Malicious OpenClaw Skills Threaten AI Supply Chain",
      "summary": "OpenClaw reportedly removed five malicious packages from its ClawHub skills marketplace that bypassed security checks while containing infostealers and other threats, posing an AI agent supply-chain risk.",
      "whyItMatters": "Malicious skills distributed through an AI agent marketplace can deliver infostealers and compromise downstream users, highlighting the AI supply-chain attack surface.",
      "threatTypeTags": ["supply-chain", "malicious-agent", "data-exfiltration"],
      "affectedTechTags": ["ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.85,
      "severityScore": 0.6,
      "sources": [
        {
          "sourceId": "darkreading",
          "title": "More Malicious OpenClaw Skills Threaten AI Supply Chain",
          "link": "https://www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain"
        }
      ],
      "sourceItemIds": ["c53dd907a9018e2cd30f9b5afa7d0dff36373e1f"],
      "publishedAt": "2026-06-24T16:56:49.000Z",
      "firstReportedAt": "2026-06-24T16:56:49.000Z",
      "curatedAt": "2026-06-27T04:07:30.545Z",
      "itemType": "incident"
    },
    {
      "id": "167b83504ce06ad28afe3e008cdbf2b19a8497f4",
      "incidentId": "0bf0d76d78b5b550969a4c7a94d55f8560174f12",
      "title": "Dawn of the Apex Agentic Adversary",
      "summary": "An analysis piece arguing that autonomous, agentic AI adversaries are compressing the timeline of cyberattacks beyond human-speed defenses, ending the era of human-paced threat cycles. The available text is introductory commentary without specific technical proof-of-concept details.",
      "whyItMatters": "Defenders should anticipate AI-driven adversaries that operate faster than traditional patch and response cycles can accommodate.",
      "threatTypeTags": ["autonomous-attack-framework"],
      "affectedTechTags": ["ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.6,
      "severityScore": 0.3,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Dawn of the Apex Agentic Adversary",
          "link": "https://thehackernews.com/2026/06/dawn-of-apex-agentic-adversary.html"
        }
      ],
      "sourceItemIds": ["25a954e0ee1d0b882f0b2f84c8b7dff9c279d236"],
      "publishedAt": "2026-06-24T11:30:00.000Z",
      "firstReportedAt": "2026-06-24T11:30:00.000Z",
      "curatedAt": "2026-06-27T03:03:08.329Z",
      "itemType": "analysis"
    },
    {
      "id": "5b6bb87d3a0d0b07a66b64b4c55fcc35c409074d",
      "incidentId": "2c0227abba848fcf277649e6f98b421b48e9f4f4",
      "title": "Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents",
      "summary": "Security firm AIR built a fake AI agent skill and distributed it via a popular skill marketplace and an Instagram ad, reportedly reaching roughly 26,000 agents including some on corporate accounts. Every skill security scanner tested marked it safe, though the payload was harmless by design and only collected the user's email address.",
      "whyItMatters": "It demonstrates that malicious AI agent skills can pass existing security scans and spread widely through marketplaces, posing a real supply-chain risk to enterprise agent deployments.",
      "threatTypeTags": ["supply-chain", "malicious-agent-skill", "data-exfiltration"],
      "affectedTechTags": ["ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.92,
      "severityScore": 0.62,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents",
          "link": "https://thehackernews.com/2026/06/fake-ai-agent-skill-passed-security.html"
        }
      ],
      "sourceItemIds": ["3c80850eb8a7d95c3566a03ef873a34cf01ea2b7"],
      "publishedAt": "2026-06-23T15:16:43.000Z",
      "firstReportedAt": "2026-06-23T15:16:43.000Z",
      "curatedAt": "2026-06-27T03:03:16.892Z",
      "itemType": "research"
    },
    {
      "id": "fe5a47dc32e6e37ae332a7667a144e58d4e05595",
      "incidentId": "1f9598ee21beec3563faf72666cb71c0f14118ce",
      "title": "Agentic AI: The Weapon That No Longer Needs a Warrior",
      "summary": "An opinion/commentary piece reflecting on how agentic AI removes the human from the targeting loop, drawing analogies to the historical evolution of weapons that distanced warriors from their victims.",
      "whyItMatters": "It frames the conceptual risk of autonomous AI agents acting without human decision-making, but offers no concrete technical threat detail.",
      "threatTypeTags": ["autonomous-attack"],
      "affectedTechTags": ["ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.55,
      "severityScore": 0.2,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Agentic AI: The Weapon That No Longer Needs a Warrior",
          "link": "https://thehackernews.com/2026/06/agentic-ai-weapon-that-no-longer-needs.html"
        }
      ],
      "sourceItemIds": ["d1ebe4e0f30872fe2d3261bd2833839df8c3c602"],
      "publishedAt": "2026-06-23T11:30:00.000Z",
      "firstReportedAt": "2026-06-23T11:30:00.000Z",
      "curatedAt": "2026-06-27T03:03:58.058Z",
      "itemType": "analysis"
    },
    {
      "id": "a86bc2a38d8b12e6f3a9247b5756c38bf04c168f",
      "incidentId": "b4698ced9e269d0c4e7caf7bcabd0445ee4145e9",
      "title": "What nearly 10,000 developer environments reveal about agentic development risk",
      "summary": "Snyk analyzed nearly 10,000 developer environments to examine risks introduced by AI coding agents as a new layer in the software supply chain, highlighting issues around tools, instructions, and permissions in agentic development.",
      "whyItMatters": "AI coding agents expand the software supply-chain attack surface, and defenders need visibility into the tools and permissions these agents wield.",
      "threatTypeTags": ["supply-chain", "tool-abuse"],
      "affectedTechTags": ["ai-agents", "copilot", "mcp"],
      "threatActor": null,
      "relevanceScore": 0.75,
      "severityScore": 0.4,
      "sources": [
        {
          "sourceId": "snyk",
          "title": "What nearly 10,000 developer environments reveal about agentic development risk",
          "link": "https://snyk.io/blog/agentic-development-security-ai-coding-risk/"
        }
      ],
      "sourceItemIds": ["3d0f866f7c4c152ad7993b22886bc55e23662d21"],
      "publishedAt": "2026-06-23T04:00:00.000Z",
      "firstReportedAt": "2026-06-23T04:00:00.000Z",
      "curatedAt": "2026-06-27T03:30:55.156Z",
      "itemType": "research"
    },
    {
      "id": "d4faec733d6e763f40900109cd8321dbdcf67738",
      "incidentId": "e85366420e573823aed59474d22f9bf78bcc74b6",
      "title": "Prompt Injection as Role Confusion",
      "summary": "Research by Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell shows LLMs cannot reliably distinguish privileged system/assistant text from untrusted user input, and weigh writing style over content. Crafting injected text in the style of internal reasoning blocks ('role confusion') enabled jailbreaks, with attack success at 61% that dropped to 10% when text was 'destyled.'",
      "whyItMatters": "It demonstrates a fundamental, style-based weakness in role separation that makes prompt injection defenses a perpetual whack-a-mole, affecting any LLM relying on role tags.",
      "threatTypeTags": ["prompt-injection", "jailbreak"],
      "affectedTechTags": ["llm"],
      "threatActor": null,
      "relevanceScore": 0.95,
      "severityScore": 0.6,
      "sources": [
        {
          "sourceId": "simonwillison",
          "title": "Prompt Injection as Role Confusion",
          "link": "https://simonwillison.net/2026/Jun/22/prompt-injection-as-role-confusion/#atom-everything"
        }
      ],
      "sourceItemIds": ["e683af0f8ecce8d69a8e2712fa97e0d1c9f4fbcf"],
      "publishedAt": "2026-06-22T23:59:53.000Z",
      "firstReportedAt": "2026-06-22T23:59:53.000Z",
      "curatedAt": "2026-06-27T03:00:51.059Z",
      "itemType": "research"
    },
    {
      "id": "cf7c0fa6ee88ef24289d624d985367654bcba57e",
      "incidentId": "0154735ba5c68b92124ba95e2dcc420cb0a507c0",
      "title": "DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories",
      "summary": "Four vulnerabilities dubbed 'DifyTap' in Dify, a platform for building and managing AI applications, allow attackers to silently access and exfiltrate sensitive data, including AI chat histories.",
      "whyItMatters": "Flaws in AI application platforms can expose sensitive chat data and enable covert exfiltration, putting organizations that rely on these tools at risk.",
      "threatTypeTags": ["data-exfiltration", "supply-chain"],
      "affectedTechTags": ["llm", "ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.8,
      "severityScore": 0.7,
      "sources": [
        {
          "sourceId": "darkreading",
          "title": "DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories",
          "link": "https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories"
        }
      ],
      "sourceItemIds": ["27d04c16bbe5e62556964fd40a25002f47c5c75a"],
      "publishedAt": "2026-06-22T21:14:11.000Z",
      "firstReportedAt": "2026-06-22T21:14:11.000Z",
      "curatedAt": "2026-06-27T04:00:07.220Z",
      "itemType": "advisory"
    },
    {
      "id": "5caf2071c720ee0f56e83f8a32c8a43d26d97b82",
      "incidentId": "ed856ce28770c85695207ba4d892cdbd4eebd59c",
      "title": "Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants",
      "summary": "Researchers at Zafran Security disclosed four vulnerabilities, collectively codenamed DifyTap, in the open-source agentic workflow platform Dify that could allow unauthenticated attackers to stealthily read AI conversations from other customers' applications across tenants.",
      "whyItMatters": "Cross-tenant exposure of AI chats in a widely used agentic workflow platform could leak sensitive data from any organization relying on Dify.",
      "threatTypeTags": ["data-exfiltration", "cross-tenant-leak", "vulnerability"],
      "affectedTechTags": ["ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.85,
      "severityScore": 0.7,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants",
          "link": "https://thehackernews.com/2026/06/researchers-detail-difytap-flaws-in.html"
        }
      ],
      "sourceItemIds": ["4d9f27c337398c4d8ba1058317fa7bf584e2dac2"],
      "publishedAt": "2026-06-22T16:13:28.000Z",
      "firstReportedAt": "2026-06-22T16:13:28.000Z",
      "curatedAt": "2026-06-27T04:06:29.047Z",
      "itemType": "research"
    },
    {
      "id": "96b98625babd53e1012bf264272b3c973989cd58",
      "incidentId": "f63e659d68d8a356fa2c7a31223d76283ad36bff",
      "title": "Stop Your Legacy Infrastructure from Hijacking Your AI Agents",
      "summary": "A conference talk recap discussing how attackers may use legacy infrastructure to circumvent AI security programs and hijack AI agents, noting rapid AI agent adoption outpacing security controls.",
      "whyItMatters": "Highlights a potential blind spot where legacy infrastructure could be leveraged to compromise deployed AI agents, though the piece is largely commentary.",
      "threatTypeTags": ["agent-hijacking"],
      "affectedTechTags": ["ai-agents"],
      "threatActor": null,
      "relevanceScore": 0.6,
      "severityScore": 0.3,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Stop Your Legacy Infrastructure from Hijacking Your AI Agents",
          "link": "https://thehackernews.com/2026/06/stop-your-legacy-infrastructure-from.html"
        }
      ],
      "sourceItemIds": ["a3b53a1c854cca16985131c87af1501df4688635"],
      "publishedAt": "2026-06-22T11:58:00.000Z",
      "firstReportedAt": "2026-06-22T11:58:00.000Z",
      "curatedAt": "2026-06-27T03:30:31.066Z",
      "itemType": "analysis"
    },
    {
      "id": "8173a375291757ec1f21848aefd6e1a381557eee",
      "incidentId": "2e602e09caac3001d364b55f1f6217a32abbccac",
      "title": "AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution",
      "summary": "Microsoft researchers detailed an exploit chain called AutoJack that hijacks an AI browsing agent to achieve host code execution. By steering the agent to load an attacker's web page, the page's JavaScript reaches a privileged local service and spawns a process on the host with no credentials or further user interaction.",
      "whyItMatters": "It shows that AI browsing agents can be weaponized into a path for remote code execution on the host, turning a single malicious web page into a full system compromise vector.",
      "threatTypeTags": ["prompt-injection", "tool-abuse", "remote-code-execution"],
      "affectedTechTags": ["browser-agent", "ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.95,
      "severityScore": 0.85,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution",
          "link": "https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html"
        }
      ],
      "sourceItemIds": ["161b031cb6a03ffba9266d8c691c5b75691358d7"],
      "publishedAt": "2026-06-19T15:30:47.000Z",
      "firstReportedAt": "2026-06-19T15:30:47.000Z",
      "curatedAt": "2026-06-27T04:06:09.774Z",
      "itemType": "research"
    },
    {
      "id": "0a9304a90257e8c82469fabf53bc829f3ccdc6c8",
      "incidentId": "6298f7ce666cc6e531c12436515b403e2b00e4b0",
      "title": "Forget Data Leakage: Shadow AI's Real Threat Is Access Control",
      "summary": "The article argues that shadow AI in enterprises has evolved from a data leakage concern into an access control problem, where the risk lies in autonomous AI tools and agents having unmanaged access permissions rather than just employees pasting sensitive data.",
      "whyItMatters": "Defenders should rethink shadow AI governance to focus on identity and access controls for AI agents, not just data loss prevention.",
      "threatTypeTags": ["shadow-ai", "access-control"],
      "affectedTechTags": ["ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.6,
      "severityScore": 0.3,
      "sources": [
        {
          "sourceId": "thehackernews",
          "title": "Forget Data Leakage: Shadow AI's Real Threat Is Access Control",
          "link": "https://thehackernews.com/2026/06/forget-data-leakage-shadow-ais-real.html"
        }
      ],
      "sourceItemIds": ["350da01ce1719dddbb39644db4967a91be7ee4be"],
      "publishedAt": "2026-06-19T10:30:00.000Z",
      "firstReportedAt": "2026-06-19T10:30:00.000Z",
      "curatedAt": "2026-06-27T03:30:45.312Z",
      "itemType": "analysis"
    },
    {
      "id": "494a5ffaa540e78d466e89bb59b957b6469f6e26",
      "incidentId": "b493580bfabe0492c411b71f5bfbf4b0034db13a",
      "title": "GitHub - Jake-Schoellkopf/aicu: Black-box security scanner for LLM applications — prompt injection, safety bypass, credential leakage · GitHub",
      "summary": "aicu is an open-source black-box security scanner for LLM applications that tests for prompt injection, safety bypass, and credential leakage. It ships with 173 payloads across seven test suites and a full-scan CLI command.",
      "whyItMatters": "Defensive tooling like this helps teams probe deployed LLM apps for prompt injection and data-leakage weaknesses before attackers do.",
      "threatTypeTags": ["prompt-injection", "jailbreak", "data-exfiltration"],
      "affectedTechTags": ["llm"],
      "threatActor": null,
      "relevanceScore": 0.75,
      "severityScore": 0.3,
      "sources": [
        {
          "sourceId": "hn-search",
          "title": "GitHub - Jake-Schoellkopf/aicu: Black-box security scanner for LLM applications — prompt injection, safety bypass, credential leakage · GitHub",
          "link": "https://github.com/Jake-Schoellkopf/aicu"
        }
      ],
      "sourceItemIds": ["5dbd433b02aeb8412cdf9d6838b060bdf8685c5c"],
      "publishedAt": "2026-06-18T18:06:36.000Z",
      "firstReportedAt": "2026-06-18T18:06:36.000Z",
      "curatedAt": "2026-06-27T04:33:20.539Z",
      "itemType": "research"
    },
    {
      "id": "f5a74400d5eb08d70c8ecadd8747a81ca5f1775c",
      "incidentId": "a2ad48fa0d9086eebb69f1720eb948a064c824ad",
      "title": "MCP Supply Chain Attacks: Why Better Models Make It Worse",
      "summary": "An analysis arguing that the Model Context Protocol (MCP) is following the insecure early-API trajectory by leaving authentication, authorization, input validation, and sandboxing to implementers. It highlights that compromising the AI/MCP layer can cause broader, harder-to-trace damage than a compromised API because LLM-driven agents autonomously select tools and can be manipulated via upstream data or prompts.",
      "whyItMatters": "MCP server tampering or weak security delegation could let attackers manipulate the most privileged component of agentic AI systems without touching traditional endpoints.",
      "threatTypeTags": ["supply-chain", "tool-abuse", "prompt-injection"],
      "affectedTechTags": ["mcp", "ai-agents", "llm"],
      "threatActor": null,
      "relevanceScore": 0.82,
      "severityScore": 0.4,
      "sources": [
        {
          "sourceId": "hn-search",
          "title": "MCP security tracks API's playbook — we know how that ends | RL Blog",
          "link": "https://www.reversinglabs.com/blog/mcp-security-tracks-api-playbook"
        },
        {
          "sourceId": "hn-search",
          "title": "MCP Supply Chain Attacks: Why Better Models Make It Worse",
          "link": "https://manveerc.substack.com/p/mcp-supply-chain-attack-vector"
        }
      ],
      "sourceItemIds": ["0b8b9cf090e8f449e8ce2574a2b4fc8b740892a5", "4eed0345cc5fe219778ad542a6518e89a2ca80a6"],
      "publishedAt": "2026-06-16T04:52:26.000Z",
      "firstReportedAt": "2026-06-12T01:48:25.000Z",
      "curatedAt": "2026-06-27T04:31:26.657Z",
      "itemType": "analysis"
    },
    {
      "id": "ca4136871eb14d5065874aa38431981f1896d318",
      "incidentId": "216cd41d95266212f2e95569950c737d46966eab",
      "title": "Quoting Matteo Wong, The Atlantic",
      "summary": "An Atlantic piece quotes cybersecurity expert Katie Moussouris discussing a White House report on a Claude jailbreak, where the model refused to 'review code for security issues' but complied when asked to 'fix this code.' Moussouris characterized this as the model working as intended for cyberdefense rather than a genuine exploit.",
      "whyItMatters": "It illustrates how phrasing can bypass an AI model's safety guardrails, a consideration for defenders relying on LLM refusal behaviors.",
      "threatTypeTags": ["jailbreak"],
      "affectedTechTags": ["llm"],
      "threatActor": null,
      "relevanceScore": 0.55,
      "severityScore": 0.2,
      "sources": [
        {
          "sourceId": "simonwillison",
          "title": "Quoting Matteo Wong, The Atlantic",
          "link": "https://simonwillison.net/2026/Jun/16/matteo-wong-the-atlantic/#atom-everything"
        }
      ],
      "sourceItemIds": ["ebaeab20b2425572a07c9e47e92f42ffdc6b7382"],
      "publishedAt": "2026-06-16T03:07:54.000Z",
      "firstReportedAt": "2026-06-16T03:07:54.000Z",
      "curatedAt": "2026-06-27T03:02:11.683Z",
      "itemType": "analysis"
    },
    {
      "id": "1345d092c602f60e6c7f20228652d02caa16c2fe",
      "incidentId": "36e780993240a7a13bb6f4e8b9401df4b6151d0a",
      "title": "deep-xpia - multi-hop cross-prompt injection benchmark",
      "summary": "deep-xpia is a benchmark of multi-hop cross-prompt injection (DXPIA) across delegated agent boundaries, with 300 live-measured cases and 8 attack patterns showing 69% land undefended and 12% even with all defenses. It highlights registry injection at tool-discovery (DXPIA-008) entering upstream of all 5 stacked defenses and maps patterns to documented Copilot incidents like EchoLeak.",
      "whyItMatters": "It demonstrates that injection crossing agent trust boundaries evades existing defenses and that the blind spot is the delegation/tool-discovery layer, which defenders of multi-agent systems must guard.",
      "threatTypeTags": ["prompt-injection", "cross-prompt-injection", "memory-injection", "tool-abuse", "supply-chain", "data-exfiltration"],
      "affectedTechTags": ["ai-agents", "llm", "mcp", "copilot"],
      "threatActor": null,
      "relevanceScore": 0.98,
      "severityScore": 0.7,
      "sources": [
        {
          "sourceId": "hn-search",
          "title": "deep-xpia - multi-hop cross-prompt injection benchmark",
          "link": "https://freyzo.github.io/deep-xpia/"
        }
      ],
      "sourceItemIds": ["467fb0683b0fe1480b5597b83c362a0c62849114"],
      "publishedAt": "2026-06-16T01:40:07.000Z",
      "firstReportedAt": "2026-06-16T01:40:07.000Z",
      "curatedAt": "2026-06-27T04:32:22.640Z",
      "itemType": "research"
    },
    {
      "id": "331bf8f9fc72d7822a1d60296687b16cccdbe132",
      "incidentId": "57cf8a72288fb3f382ae14be00275cd79a0d6952",
      "title": "Copilot 'SearchLeak' Attack Allows 1-Click Data Theft",
      "summary": "A three-stage 'SearchLeak' attack against Copilot enabled 1-click data theft using hidden URLs and other variables, part of a new class of AI prompt-injection issues. The vulnerability has now been patched.",
      "whyItMatters": "It demonstrates how prompt injection with hidden URLs can exfiltrate data from AI assistants like Copilot, a direct risk to enterprise users.",
      "threatTypeTags": ["prompt-injection", "data-exfiltration"],
      "affectedTechTags": ["copilot", "llm"],
      "threatActor": null,
      "relevanceScore": 0.92,
      "severityScore": 0.7,
      "sources": [
        {
          "sourceId": "darkreading",
          "title": "Copilot 'SearchLeak' Attack Allows 1-Click Data Theft",
          "link": "https://www.darkreading.com/application-security/copilot-searchleak-attack-1-click-data-theft"
        }
      ],
      "sourceItemIds": ["285a02ca88334e2573224bba8ccbea97178c83ca"],
      "publishedAt": "2026-06-15T19:27:48.000Z",
      "firstReportedAt": "2026-06-15T19:27:48.000Z",
      "curatedAt": "2026-06-27T04:01:16.394Z",
      "itemType": "incident"
    }
  ],
  "total": 45,
  "limit": 20,
  "offset": 0
}