Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
CVE-2026-21858 gives unauthenticated attackers full code execution on n8n workflow servers. Langflow's new IDOR vulnerability has been added to CISA KEV. GitHub Copilot's MCP integration carries a prompt-injection-to-RCE chain. AI automation infrastructure is becoming a primary attack surface.
LLMs suggest non-existent package names in 20-30% of coding responses. Attackers register these hallucinated names with malicious payloads — slopsquatting as a supply chain attack.
Adversa AI disclosed SymJack (symlink hijacking to plant malicious MCP servers) and TrustFall (trust dialog bypass) hitting six AI coding agents including Copilot and Cursor.