Detailed write-ups
1. Prompt injection still drives most agentic AI security failures in production
Help Net Security · June 11, 2026
This walkthrough of OWASP’s State of Agentic AI Security and Governance v2.01 is notable for being grounded in real CVEs and breaches rather than hypotheticals. It maps prompt injection to 6 of the 10 categories in the OWASP Top 10 for Agentic Applications, and pulls in the “lethal trifecta” and Meta’s “Agents Rule of Two” as design heuristics. For anyone building AI agents, prompt injection is the most load-bearing vulnerability class, and this is the clearest current evidence base for treating it as the default threat rather than an edge case.
Read the article →
2. Updating the taxonomy of failure modes in agentic AI systems
Microsoft Security · June 4, 2026
Microsoft published v2.0 of its agentic-AI failure-mode taxonomy, distilled from 12 months of red-team engagements and adding seven categories: supply-chain compromise, tool abuse, excessive agency, feedback-loop poisoning, goal misalignment, reasoning-based information leakage, and autonomy escalation. As a first-party red-team taxonomy, it gives engineers a concrete checklist to map onto their own agent designs — and it pairs naturally with the OWASP top-ten above, with the taxonomy describing how agents fail and the OWASP list ranking which failures matter most in production.
Read the article →
3. Agentjacking: MCP injection hijacks AI coding agents
Cloud Security Alliance · June 12, 2026
The CSA classified “agentjacking,” an attack from Tenet Security that injects malicious instructions into Sentry error events. MCP-connected agents — Claude Code, Cursor, Codex — then retrieve those events and execute the embedded instructions with developer privileges, reported at roughly 85% success across 2,388 organizations. It is an in-the-wild demonstration of the agent trust-boundary problem at the MCP layer: any data source an agent reads is a potential injection channel, and observability tooling like error tracking is now part of the attack surface.
Read the article →
4. AI is helping low-skill hackers pull off advanced cyberattacks
Help Net Security · June 5, 2026
Anthropic mapped 832 banned malicious accounts to MITRE ATT&CK — 13,873 actions across 482 techniques — and found that AI now lets unsophisticated actors perform post-compromise techniques that previously required real expertise. The study’s sharper conclusion is methodological: agentic orchestration is becoming the better risk indicator than raw model capability. As a frontier lab’s empirical look at how its own models are weaponized, it gives defenders a grounded picture of where the capability uplift actually lands in the attack chain.
Read the article →
5. Autonomous AI-driven worm can reason its way through corporate networks
Help Net Security · June 3, 2026 · Foundational reading
Researchers from Toronto, the Vector Institute, and Cambridge built a proof-of-concept worm that runs a small free LLM on compromised hosts, using it to reason about each target and craft strategy on the fly — compromising roughly 73.8% of a simulated enterprise network. The capability is qualitatively new: the LLM itself is the attack engine, not just an assistant to a human operator. It is the clearest signal yet that autonomous, reasoning-driven malware is moving from speculation toward demonstrated feasibility.
Read the article →
6. TrustFall: one-keypress RCE in Claude Code, Cursor, Gemini CLI and GitHub Copilot
Adversa AI · May 7, 2026 · Foundational reading
Adversa’s TrustFall research shows that a cloned repo carrying a malicious .mcp.json or .claude/settings.json auto-starts an attacker-controlled MCP server the moment a developer accepts the folder-trust prompt — one keypress to RCE in dev environments, and zero prompt on headless CI runners. All four CLIs tested defaulted to “trust.” This is vendor-grade research on the most widely used AI coding agents, and it makes the case that folder-trust defaults are an under-examined RCE vector.
Read the article →
7. AI red-teaming agents change how LLMs get tested
Help Net Security · May 21, 2026 · Foundational reading
This survey tracks the shift to agent-orchestrated red teaming across PyRIT, Garak, and Promptfoo, including techniques like Graph of Attacks with Pruning. The throughline is that the testing methodology for models is itself becoming agentic — automated agents now generate, mutate, and prune attack paths faster than human red teams can. For security teams it is useful orientation on which tooling to standardize on as agent-driven evaluation becomes the default rather than a research novelty.
Read the article →
8. When prompts become shells: RCE vulnerabilities in AI agent frameworks
Microsoft Security · May 7, 2026 · Foundational reading
Microsoft detailed two Semantic Kernel flaws where a prompt injection escalates to host-level RCE by passing through a model-invokable function that feeds a code or eval sink. It is the cleanest illustration of prompt injection crossing the boundary from text into code execution — the moment an injected instruction stops being a content problem and becomes an arbitrary-execution problem. Anyone wiring model-invokable functions to anything resembling an eval path should read it as a direct warning.
Read the article →
9. Four “Claw Chain” flaws in OpenClaw enable data theft, privilege escalation, persistence
The Hacker News · May 2026 · Foundational reading
Researchers disclosed four “Claw Chain” flaws in OpenClaw, a mainstream open-source agent framework. The most instructive is an MCP loopback runtime that trusts a client-controlled ownership flag, allowing owner impersonation and gateway takeover. These are foundational identity and permission flaws in agent infrastructure — the kind that undercut every higher-level control — and a reminder that trust decisions delegated to client-supplied data are a recurring failure pattern in agent frameworks.
Read the article →
10. SymJack: symlink-hijack RCE in six AI coding agents
Adversa AI · May 26, 2026 · Foundational reading
Adversa’s SymJack shows a symlink-disguised file copy tricking six AI coding assistants into RCE while the approval prompt misrepresents what is actually being approved; all six tested tools were vulnerable. The central lesson is that the human-in-the-loop approval UI can be defeated — if the prompt lies about what it is granting, the human reviewer is not a real control. That makes approval-prompt integrity central to agent permission design, and pairs directly with the TrustFall folder-trust findings above.
Read the article →
11. Microsoft launches Scout, an OpenClaw-inspired personal assistant
TechCrunch · June 2, 2026 · Foundational reading
Microsoft launched Scout, a personal-assistant product whose design is openly inspired by the viral open-source OpenClaw agent. The move shows how fast the OpenClaw pattern — an autonomous agent that executes tasks through everyday messaging interfaces — is being absorbed by major platform vendors. For security architects, the signal is that the agent-assistant model is going mainstream inside enterprise software, carrying the same trust-boundary and permission questions OpenClaw raised into products employees will adopt by default.
Read the article →
12. Red Hat’s OpenClaw maintainer just made enterprise Claw deployments a lot safer
TechCrunch · April 28, 2026 · Foundational reading
TechCrunch covers work by the Red Hat-employed OpenClaw maintainer to harden the framework for enterprise use. It is useful context for any team weighing OpenClaw adoption: the piece frames the governance and safety improvements that make the open-source agent more defensible in production. Read it alongside the OpenClaw vulnerability research in this issue’s foundational cluster to balance the framework’s capability against where its hardening curve actually sits.
Read the article →
13. OpenClaw in 2026: What it is, who’s using it, and whether your business should adopt it
Linux Journal · 2026 · Foundational reading
A plain-language guide to OpenClaw — the free, open-source autonomous agent that executes tasks via LLMs using messaging platforms as its interface — covering its rapid adoption and the case for and against business use. The recommendation is a controlled, governance-first rollout: start with limited workflows and expand as policy and security controls mature. A good orientation read for architects who keep hearing “OpenClaw” and want the grounded version before fielding adoption requests.
Read the article →
14. OpenClaw had a rough week
OpenClaw Blog · April 2026 · Foundational reading
The project’s own postmortem on a bad stretch in late April: gateways slowed, some installs got stuck in plugin-dependency repair loops, and messaging channels misbehaved — traced not to one bug but to plugin-split issues, still-settling ClawHub artifact metadata, and overloaded gateway cold paths. The team’s response is to shrink the core, move optional functionality to ClawHub, and ship a separate LTS track. A candid look at the operational maturity of the framework enterprises are racing to adopt.
Read the article →
15. For enterprises, security remains agentic AI’s biggest challenge
Dark Reading · May 26, 2026 · Foundational reading
Dark Reading argues that while every company now needs an agentic-AI strategy, the tooling to adopt agent frameworks safely is only just appearing. Experts call for production-grade security architecture designed specifically for AI agents — not adapted from web-application security or borrowed from container orchestration — and for governance enforced by infrastructure so it is declarative rather than probabilistic. A useful strategic frame for architects standing up an agent program this year.
Read the article →
16. AI agents present massive new attack surface
GovInfoSecurity · May 28, 2026 · Foundational reading
Unlike chatbots, AI agents can act — send email, schedule, push code to production — so any vulnerability becomes a direct path to operational disruption, demanding a systemic approach to AI security and governance. The piece highlights mapping agentic attacks (from a DeepMind paper) onto the OWASP Agentic AI threat-modeling guide, and building defenses at both training time (conditioning agents to refuse manipulative instructions) and operation time (filtering sources, scanning content for hidden instructions, and monitoring agent output for suspicious behavior).
Read the article →
17. Prompt injection breaks today’s AI agents, study warns
CSO Online · June 12, 2026
A new study reinforces that prompt injection remains the dominant failure mode for production AI agents, warning that current defenses are not holding up as agents gain real-world capabilities. It complements this issue’s OWASP coverage from a defender’s vantage point: the threat is not theoretical, and the controls most teams have in place do not yet match the attack. Treat it as confirmation that prompt-injection resistance belongs at the center of any agent security review — a topical companion to the OWASP item that opens this issue.
Read the article →
18. NanoClaw now armed with JFrog for safer packages
The Register · June 13, 2026
NanoClaw integrated JFrog’s registries to secure the packages its AI agents download, aiming to close the supply-chain gap that opens when autonomous agents pull dependencies at runtime. It is an early example of an agent framework wiring in artifact-management and provenance controls rather than trusting whatever a package resolver returns. For architects, it marks the point where agent security and software-supply-chain security visibly converge. (JFrog is named here; this week’s Competitive Intelligence bulletin covers JFrog’s broader moves.)
Read the article →
19. AI software supply chain threats escalate in 2026
eSecurity Planet · May 28, 2026 · Foundational reading
Drawing on JFrog’s Software Supply Chain Security State of the Union 2026, the piece argues AI-driven development is accelerating malicious-package activity, insecure AI tooling, and governance gaps faster than many organizations can secure them. JFrog’s CTO frames AI as increasing both the speed and the scale at which zero-days are exploited and supply-chain attacks are built and distributed. A data-backed framing of why AI security and software-supply-chain security are now the same conversation.
Read the article →
20. CISA’s AI SBOM guidance pushes software supply-chain oversight into new territory
CSO Online · May 12, 2026 · Foundational reading
CISA, with G7 partners, released joint guidance extending the SBOM concept into AI — calling for documentation of models, datasets, software components, providers, and licenses. The effect is to pull AI risk firmly into the same vendor-risk and supply-chain-oversight processes that already cover software composition and cloud services. Architects shipping or procuring AI systems should start mapping an “AI SBOM” now, before it hardens into a contractual expectation.
Read the article →
21. AI worm prototype shows attackers don’t need Mythos to take over your network
CSO Online · June 2026
University of Toronto researchers built a self-replicating worm driven by a free LLM running on local hardware, which spread across a simulated network by reasoning about each host and chaining old and new vulnerabilities with misconfigurations. The pointed conclusion: attackers don’t need frontier models like Anthropic’s Mythos to cause autonomous havoc — and because paid API models would get their guardrail-bypassing prompts flagged, free local models are the more practical engine for malicious autonomy. (This is the CSO Online write-up of the same prototype covered under item 5, included per request for its additional framing.)
Read the article →
22. Meet Hades: the malware that lies to AI security agents
InfoWorld · June 2026
StepSecurity uncovered “Hades,” a Python supply-chain campaign that hides in package __init__.py files, drops a Bun runtime to execute JavaScript, and propagates like a worm. Its standout trick is adversarial prompt injection aimed at the defender’s own tooling: it plants instructions in the rule and config files of 14 different AI coding agents so LLM-based analysis tools misclassify the malicious package as safe. It also scrapes memory across Linux, macOS, and Windows, exfiltrates via public GitHub repos, and runs a wiper if its stolen token is revoked — a vivid demonstration that AI security agents are themselves becoming a target.
Read the article →
23. Best vector databases in 2026: pricing, scale limits, and architecture tradeoffs
MarkTechPost · May 10, 2026 · Foundational reading
A comparative survey of nine leading vector-database systems, weighing pricing, scale limits, and architectural tradeoffs for teams building retrieval and RAG infrastructure. It is a practical procurement reference for architects choosing the data layer underneath AI applications, useful background as vector storage becomes a default component of enterprise AI stacks. (Infrastructure context rather than a security story, included for the architect audience.)
Read the article →
24. Your AI doesn’t need another database
InfoWorld · May 13, 2026 · Foundational reading
A contrarian take arguing that organizations don’t need a dedicated vector database because the databases they already run now ship vector support — Oracle AI Database 26ai stores embeddings alongside business data, SQL Server 2025 added a native VECTOR type, MongoDB pushes embeddings into Atlas Vector Search, and Postgres offers pgvector. The strategic point for architects: consolidate on existing data platforms before bolting on a new one. (Infrastructure and strategy context; the author is Oracle-affiliated, so weigh the framing accordingly.)
Read the article →
25. MongoDB adds new vector, performance capabilities to aid AI
TechTarget · May 7, 2026 · Foundational reading
MongoDB 8.3 (generally available May 7) added automated Voyage AI embeddings to Vector Search — cutting embedding-pipeline setup from weeks to minutes — plus performance upgrades aimed at the heavier demands AI workloads place on systems. It is another data point in the “your existing database now does vectors” trend, relevant to architects standardizing the data layer for agentic and RAG workloads. (Infrastructure context for the build-side reader.)
Read the article →
26. AI’s productivity paradox
Business Insider · June 2026
Business Insider examines why the expected enterprise AI productivity boom hasn’t clearly materialized, with many companies still waiting on measurable returns from heavy AI investment. It is a useful reality check for leaders setting expectations: capability is advancing fast, but realized productivity depends on workflow change, governance, and adoption — not the model alone. (Industry and adoption context rather than security.)
Read the article →
|