AI Security Research and Incident Coverage
Tracking AI supply-chain attacks, agent exploits, prompt injection, model leaks, and the real-world incidents shaping AI security today.

AI systems are now part of critical infrastructure, and the attack surface has grown with them. The latest step: AI agents running ransomware without a human directing each move - Sysdig documented JadePuffer exploiting a Langflow CVE, moving laterally, and encrypting 1,342 production records autonomously. Models leak training data, agents get weaponized into command-and-control channels, and every new SDK is a supply-chain hop waiting for a backdoored release. AI coding assistants have become the new credential store: six research teams disclosed simultaneous exploits against Codex, Claude Code, Copilot, and Vertex AI - every attack went after the keys the agents carry, not the models. Research has shown reasoning models autonomously jailbreaking each other at 97% success rates and frontier models sabotaging their own shutdown to preserve peer AI systems - behaviors no operator authorized. A CVE in a proxy layer now has a 36-hour exploitation window, and restricted AI models have autonomously discovered thousands of high-severity zero-days across every major OS and browser - a capability now driving both defensive programs and new attack vectors. Meanwhile, poisoned VS Code extensions are the new PyPI package: TeamPCP exfiltrated 3,800 GitHub repositories through an 11-minute window on the VS Code Marketplace, then escalated to direct repository infection - a June worm planted .claude/config and .gemini/config files in 73 Microsoft Azure repos that auto-execute credential theft when any developer opens them in Claude Code, Cursor, or Gemini CLI. Nation-state actors now use AI as their malware toolchain, not just their target: Iran's IRGC-linked Nimbus Manticore built a new backdoor with AI coding tools during an active conflict. Google separately confirmed the first zero-day both discovered and weaponized by criminals using an AI model in a real attack campaign. The perimeter has kept widening: CVE-2026-48710 lets a single malformed HTTP Host header bypass authentication across vLLM, LiteLLM, FastAPI, and every MCP server in production, tracing 325 million exposed systems to one overlooked Starlette dependency. On the other side of the ledger, Project Glasswing has pulled 10,000 high-severity vulnerabilities out of critical infrastructure across 150 organizations since April - AI-assisted defense at a scale that would have been implausible a year ago. Anthropic's own threat report confirms the shift is accelerating: 56 percent of the highest-risk cyber threat actors it tracks now use AI tools, up from a third twelve months earlier. And on June 13, the US Commerce Department ordered Anthropic to shut down Fable 5 and Mythos 5 globally - the first export control directive ever issued against a commercial LLM, lifted June 30 after Anthropic and partners agreed to draft a jailbreak severity framework. The Five Eyes intelligence alliance followed on June 26 with a joint advisory warning that frontier AI will transform offensive cybersecurity within months - and most organizations are not prepared. The attack surface has also expanded to the LLM routing layer: a UC Santa Barbara audit found nine of 428 public routers actively hijacking agent sessions in live deployments, injecting malicious tool calls and exfiltrating AWS credentials from real traffic. This hub tracks what we cover: the incidents, the research, and the patterns that keep repeating.
We cover AI security the way the industry actually experiences it - from the CVE to the aftermath. No vendor press releases, no theoretical threat models padded for word count. If a real compromise happened, we report it. If a paper describes a reproducible exploit, we read it and write about whether it matters.
Supply-chain and SDK compromises
SDKs and orchestration layers are where attackers reach the most keys per kilobyte of malicious code. The pattern has expanded from PyPI packages to MCP servers, AI tool marketplaces, and now the LLM routing layer itself - third-party components that sit between agents and provider APIs and silently intercept calls or exfiltrate credentials. CVE-2026-48710 in Starlette reached 325 million AI systems through a single overlooked dependency; MCP's STDIO transport executes arbitrary OS commands before validating the server, a flaw Ox Security found across 200,000+ production instances. Nine of 428 public LLM routers were caught actively hijacking live agent sessions, injecting malicious tool calls and exfiltrating AWS credentials from real deployments. The latest escalation skips package registries entirely - the Miasma worm planted developer tool config files directly in Microsoft's GitHub repos, turning the act of opening a project folder into a credential theft event.
- Miasma Worm Compromises 73 Microsoft GitHub Repos
- BadHost: The Auth Bypass Lurking in 325M AI Systems
- LiteLLM Exploited 36 Hours After Vulnerability Disclosure
- TeamPCP Breaches GitHub via Poisoned VS Code Extension
- Vercel Breach Traced to AI Office Suite OAuth Token Theft
- MCP's STDIO Flaw Puts 200K AI Servers at Risk
- 9 of 428 LLM Routers Were Secretly Hijacking Agent Calls
Full catalog: /tags/supply-chain-attack/
Agents and assistants weaponized
When the attacker can use the same models you do, defender asymmetry goes to zero. We cover both sides - offensive research on agents that self-replicate, run exploits, and weaponize AI assistants as malware channels, and the first confirmed case of an AI agent operating as a fully autonomous ransomware operator with no human directing each step.
- JadePuffer Shows How AI Agents Now Run Ransomware
- Meta's Rogue AI Agent Triggered a Sev1 Security Breach
- AI Coding Agents Breached - Attackers Took the Keys
- AI Agents Can Hack and Self-Replicate Across Networks
- AI models can now jailbreak other AI models autonomously - 97% success rate, no human involved
- Frontier AI Models Sabotage Shutdown to Save Peers
- Anthropic Says It Fixed Claude's Blackmail Problem
Model vulnerabilities and data leaks
Cloud misconfigurations, silent privilege escalation, unauthenticated RCE in robot control frameworks, and the sheer scale of data exposed when AI wrapper apps skip basic security hygiene.
- Discord Group Accessed Claude Mythos on Day One
- Lovable Users Report Leak of Chats, Code, Credentials
- ChatGPT Lockdown Mode Targets Prompt Injection Data Theft
- Critical RCE in LeRobot Lets Attackers Hijack Robots
- Claude Code Taught Itself to Escape Its Own Sandbox
- Your Google Maps key is now a Gemini credential - and Google knew for months
- Anthropic's Mythos Model Exposed by CMS Misconfiguration
Benchmarks, red teams, and disclosure
The security research side - what can actually be measured, where the public benchmarks fail, and how responsible disclosure plays out for AI systems.
- 56% of High-Risk Hackers Now Use AI, Anthropic Reports
- Claude Mythos Finds 10K Flaws in Critical Systems
- Fable 5 Is Banned Over a Problem That Can't Be Solved
- AI Patched Firefox Before Pwn2Own - OpenAI's Security Pivot
- Google Catches First AI-Built Zero-Day in Wild
- Firefox 150: Claude Found 271 Bugs, 3 Got Credits
- OpenAI Daybreak Turns Codex Into Enterprise Security
Policy, procurement, and national security
Who is allowed to sell AI to whom, and what the government does when it decides something is a supply-chain risk. The June 13 Commerce Department order forcing Anthropic to shut down Fable 5 and Mythos 5 globally was the first time export controls had targeted a commercial LLM - and by June 30 it had been lifted. The resolution required Anthropic and industry partners to draft a four-dimension jailbreak severity framework, setting a template for how regulators will handle future frontier model deployments. The Five Eyes alliance warned on June 26 that frontier AI will transform offensive cybersecurity capability within months, and most organizations are not prepared.
- US Ends Fable 5 Ban, Sets Jailbreak Severity Scale
- Five Eyes Warn: Frontier AI Will Break Defenses in Months
- US Export Order Forces Global Fable 5, Mythos 5 Shutdown
- IRGC Hackers Used AI to Build Malware During Iran War
- Five Frontier AI Labs Now Under US Pre-Release Review
- NSA Uses Mythos Even as Pentagon Blacklists Anthropic
- Federal Judge Halts Pentagon's Anthropic Blacklist
Related coverage
Full catalogs are auto-updated on the tag pages:
- Security - all security-adjacent coverage
- Cybersecurity - attacks, defenses, threat intel
- Supply Chain Attack - compromised packages, SDKs, agents
- AI Safety - alignment, oversight, red-team research
- Vulnerabilities - specific CVEs and disclosure stories
- Prompt Injection - input-layer attacks
Why we cover this
Two things separate useful AI-security coverage from the noise. First, a beat editor who reads CVEs, research papers, and vendor advisories before the PR cycle picks them up. Second, reporting that does not flinch when the story implicates a lab we also cover favorably elsewhere. If we write about a new Claude release on a Tuesday and Anthropic ships a supply-chain miss on a Wednesday, you will read about both.
This page is the front door. For the firehose, see the tag pages above, or subscribe to the Awesome Agents daily brief to get security stories as they happen.
