Noma Security's GitLost research shows that a public GitHub issue can trick GitHub Agentic Workflows into exfiltrating private repository contents. The attack requires no credentials — just a crafted issue on any public repo the agent can see.
Noma Security's GitLost research shows that a public GitHub issue can trick GitHub Agentic Workflows into exfiltrating private repository contents. The attack requires no credentials — just a crafted issue on any public repo the agent can see.
Researchers at Tel Aviv University have chained two well-known AI weaknesses, hallucination and prompt injection, into a technique that can trick AI coding assistants into installing botnet malware on a user's machine.
NCC Group researchers exposed Kitana, an adversary-in-the-middle fraud platform that uses AI to generate visitor-specific decoy pages and hijack payment sessions in hospitality and e-commerce environments. A related campaign exploits prompt injection to trick AI agents into authorising cryptocurrency payments.
CVE-2026-21858 gives unauthenticated attackers full code execution on n8n workflow servers. Langflow's new IDOR vulnerability has been added to CISA KEV. GitHub Copilot's MCP integration carries a prompt-injection-to-RCE chain. AI automation infrastructure is becoming a primary attack surface.
Researchers from Oxford and Meta demonstrate that four of five frontier LLMs exfiltrate sensitive data from multi-agent orchestrator systems via a single indirect prompt injection, bypassing access controls entirely.
Two critical vulnerabilities in Cursor IDE, CVE-2026-50548 and CVE-2026-50549 (collectively DuneSlide), allow prompt injection attacks to escape the editor's sandbox and execute arbitrary code at the OS level — with no user click required. All Cursor versions before 3.0 are affected. Cato Networks disclosed publicly on July 3, 2026.
A coordinated disclosure of 13 critical vm2 vulnerabilities in May 2026 exposed a structural problem: AI agent frameworks that use vm2 as a code execution sandbox convert a prompt injection into host-level RCE the moment the sandbox breaks. Here's the chain and what to do about it.
A sandbox bypass in Cursor's agentic mode lets attackers poison shell environment variables through implicitly trusted built-ins, converting approved commands like git branch or python3 into arbitrary code execution.
Researchers at ELLIS Tübingen and UMass Amherst prove via Contextual Integrity theory that prompt injection in AI agents cannot be fully prevented, only contained. Current defences including Prompt Guard and Meta SecAlign fall short by wide margins.
A vulnerability in Discourse's AI content triage feature lets a malicious user craft a post that prompt-injects the LLM into returning JavaScript, which is then rendered unescaped in the admin review queue. Patch available.
SentinelLabs discovered a Rust-based macOS backdoor attributed to North Korea that embeds 38 fake system messages designed to trick AI-assisted malware triage into aborting or refusing analysis.
Johann Rehberger's DEF CON Singapore research demonstrates how indirect prompt injection chains into Microsoft Copilot's memory feature to plant a persistent backdoor — one that survives across every future session, not just the compromised one.
Tenet Security's Threat Labs published research on June 17 demonstrating how a single fake Sentry error event can hijack AI coding agents like Claude Code and Cursor into executing arbitrary code on developer machines — no phishing, no infrastructure access, 85% success rate across 100+ tested organisations.
Varonis Threat Labs chained three bugs in Microsoft 365 Copilot Enterprise Search to build a one-click exfiltration path that pulls emails, files, and live MFA codes without any OAuth prompt or user consent beyond clicking a Microsoft-domain URL.
Two critical CVEs in Microsoft Semantic Kernel let attackers chain prompt injection into arbitrary file writes and code execution. Patch to .NET SDK 1.71.0 and Python SDK 1.39.4 immediately.
AI prompt injection attack vectors — direct injection, indirect via tool outputs, multi-turn manipulation — with observed real-world attacks and a layered defensive stack.
The OWASP Top 10 for LLM Applications (v2.0): each vulnerability class, real-world observed attacks, and defensive controls for enterprise AI teams.
A flawed permission check in Anthropic's Claude Code GitHub Action allowed attackers to use prompt injection via a crafted issue to steal CI/CD secrets. Patched in v1.0.94.
SafeBreach Labs documented a prompt injection attack hiding malicious commands inside WhatsApp, Slack, or SMS notifications. Gemini treats hostile text as trusted. Patched Nov 2025.
RAG pipelines introduce document poisoning, indirect prompt injection via retrieved content, and semantic access control gaps that most security teams have not assessed.
Threat actors embed prompt injection payloads in third-party LLM plugins and data sources to hijack AI agent actions, exfiltrate data, and pivot within enterprise environments.
A practical framework for implementing prompt injection detection at the API gateway layer: input sanitisation, context isolation, output filtering, and anomaly detection.
Design patterns for a prompt injection and jailbreak detection layer: rule-based filters, semantic classifiers, canary tokens, and output validation for production LLMs.
How injected instructions in tool outputs can escalate an agent's effective permissions, exfiltrate data, and pivot to internal services — a novel attack class for agentic AI.
A structured methodology for red teaming LLM applications: attack taxonomy, scoping, tooling (Garak, PyRIT, PromptBench), and translating findings into actionable security controls.