Noma Security's GitLost research shows that a public GitHub issue can trick GitHub Agentic Workflows into exfiltrating private repository contents. The attack requires no credentials — just a crafted issue on any public repo the agent can see.
Tracking AI threats, vulnerabilities, and defensive strategies for security professionals.
Noma Security's GitLost research shows that a public GitHub issue can trick GitHub Agentic Workflows into exfiltrating private repository contents. The attack requires no credentials — just a crafted issue on any public repo the agent can see.
Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on July 7, 2026, after confirming active exploitation of an insecure direct object reference in Langflow that let authenticated users execute workflows belonging to other tenants.
Researchers at ICML 2026 introduce OTora, a red-teaming framework for Reasoning-Level Denial-of-Service attacks on LLM agents. The attack inflates reasoning token consumption by up to 10x and causes order-of-magnitude latency spikes while keeping task outputs correct -- making it invisible to standard error monitoring.
Sophos X-Ops telemetry analysis shows Claude Code, Cursor, and OpenAI Codex triggering behavioral EDR detection rules built to catch human attackers. Credential access patterns account for 56.2% of blocked activity -- agents using the same Windows DPAPI technique as Redline stealer.
Noma Security's GitLost research shows that a public GitHub issue can trick GitHub Agentic Workflows into exfiltrating private repository contents. The attack requires no credentials — just a crafted issue on any public repo the agent can see.
Sysdig's Threat Research Team published research in July 2026 documenting JADEPUFFER, the first ransomware operation fully executed by an LLM agent — no human operator required at any step after initial access.
Sophos X-Ops telemetry analysis shows Claude Code, Cursor, and OpenAI Codex triggering behavioral EDR detection rules built to catch human attackers. Credential access patterns account for 56.2% of blocked activity -- agents using the same Windows DPAPI technique as Redline stealer.
CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on July 7, 2026, after confirming active exploitation of an insecure direct object reference in Langflow that let authenticated users execute workflows belonging to other tenants.
A 15-year-old Linux kernel use-after-free bug with a public 97%-reliable exploit gives any local attacker root in under five seconds. GPU training clusters, Jupyter servers, and LLM inference nodes are directly in scope.
A two-stage exploit chain in vLLM's multimodal video processing bypasses ASLR through PIL exception leakage, then achieves heap overflow via a malicious JPEG2000 file, giving unauthenticated attackers code execution on inference servers.
Sysdig's Threat Research Team documented the first fully agentic ransomware operation: an LLM-driven attacker that exploited Langflow, pivoted to a production Nacos instance, and encrypted 1,342 database configurations without human direction at any step.
Sysdig has documented JADEPUFFER, a threat actor that used an LLM agent to drive an entire ransomware operation autonomously — from Langflow exploitation through database encryption. The attack encrypted 1,342 production configuration items using an ephemeral key that makes recovery impossible.
TeamPCP, tracked as UNC6780 by Google's Threat Intelligence Group, ran three coordinated supply chain campaigns in 2026 — poisoning Trivy, LiteLLM, and 170+ npm/PyPI packages — culminating in the theft of 3,800 GitHub internal repositories.
Researchers at ICML 2026 introduce OTora, a red-teaming framework for Reasoning-Level Denial-of-Service attacks on LLM agents. The attack inflates reasoning token consumption by up to 10x and causes order-of-magnitude latency spikes while keeping task outputs correct -- making it invisible to standard error monitoring.
A Wake Forest University empirical study found 282 of 444 iOS AI apps expose exploitable LLM credentials through network traffic. Three months after responsible disclosure, 72% remained vulnerable.
Microsoft Incident Response published research showing how attackers can hijack agentic AI workflows by planting hidden instructions in MCP tool description fields — a vector that bypasses most current enterprise controls because each step the agent takes looks routine.
A June 2026 arxiv paper demonstrates that model extraction attacks have a detectable semantic signature in API traffic — and that simple statistical detection outperforms complex filtering approaches.
AI agents generate a new class of security event that existing SIEM infrastructure was not designed to process. DeepMind's June 2026 control roadmap, OWASP's Agentic Top 10, and the EU AI Act's August logging deadline all converge on the same problem: security teams cannot monitor what they are not capturing.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
Meta's AI support chatbot had a confused deputy flaw allowing attackers to hijack Instagram accounts via recovery requests. 20,225 accounts compromised over 45 days.
A self-replicating worm compromised 73 Microsoft GitHub repositories on June 5, 2026, via stolen contributor PAT and malicious AI coding tool configs. Contained in 105 seconds.
An NHS trust confirmed adversarial perturbations applied to medical images caused systematic misclassification by its AI diagnostic system, resulting in incorrect preliminary diagnoses.