Skip to content

CyberSecurity Institute

Security News Curated from across the world

Menu
Menu

AI & ML in Security — July 12, 2026

Posted on July 12, 2026 by admini
AI & ML in Security · Issue July 12, 2026

AI & ML in Security

July 12, 2026 · Weekly Edition · AI security + new AI capabilities & approaches

At a glance

Agentic AI showed both faces of itself this week. BleepingComputer and the Cloud Security Alliance documented JadePuffer, the first ransomware intrusion researchers can show was run start to finish by an autonomous LLM agent — exploiting a Langflow RCE and a Nacos auth bypass, adapting to failed logins in real time, and encrypting 1,342 service configuration items with no human operator in the loop. Days later, Forbes reported that CISA has quietly begun using Anthropic’s restricted Mythos model to scan government code repositories, uncovering a “large number” of vulnerabilities human reviewers had missed. The same week, a Help Net Security analysis of roughly 1,080 open job postings found OpenAI and Anthropic pulling in genuinely different directions — OpenAI building toward sovereign compute and public-sector infrastructure, Anthropic toward audited trust infrastructure — a reminder that agentic capability is now a strategic bet, not just a feature.

Frontier releases kept coming. xAI/SpaceXAI shipped Grok 4.5, which Elon Musk called an “Opus-class model” at a quarter of Opus 4.8’s price — independent benchmarks put it fourth on general intelligence but first on agentic tool-use tasks. OpenAI, not to be outdone, says its still-limited-preview GPT-5.6 Sol Ultra produced a proof of the 50-year-old Cycle Double Cover Conjecture in under an hour using 64 parallel subagents — a claim mathematicians are calling intriguing but unverified. And the US Commerce Department’s export-control reversal on Claude Fable 5 and Mythos 5, first reported four weeks ago, continues to ripple through enterprise deployment plans.

Underneath the releases, the safety picture stayed sobering and the attack research kept piling up. The Future of Life Institute’s Summer 2026 AI Safety Index graded nine frontier labs and handed out nothing above a C+ (Anthropic led; xAI and DeepSeek failed outright) — covered separately by Time as “nobody gets an A.” A large-scale scan found thousands of the internet’s roughly 9,700 public MCP servers vulnerable to file access, injection, and SSRF flaws, and this week’s foundational reading doubles down on the prompt-injection/agentic-browser risk cluster: DuneSlide’s zero-click Cursor IDE RCE, a DeepSeek-generated browser ransomware technique, a University of Washington study of agentic browser risk, the Agentjacking and SearchLeak attack chains, and a new “CoT Forgery” jailbreak that talked chatbots into cocaine recipes. Layer on the EU’s new AI-cybersecurity action plan and the UN’s first all-nations AI governance summit, and the throughline holds: agentic capability keeps outrunning the guardrails meant to contain it.

Topic map — how this week’s research clusters

This week in one frame: the JadePuffer/CISA agentic-attack-and-defense pair, the Anthropic/OpenAI/xAI model-release cluster (Mythos, Fable 5, Grok 4.5, GPT-5.6 Sol Ultra), the AI Safety Index/UN/EU governance cluster, the MCP-security-product cluster (BeyondTrust, Codenotary, First Recon AI, Exterro), and the dense prompt-injection/agentic-browser foundational-reading cluster (DuneSlide, InfernoGrabber, Agentjacking, SearchLeak, CoT Forgery).

Topic map of AI & ML in Security issue July 12, 2026

Weighted entity-relationship map for the July 12, 2026 issue. Node size reflects mention frequency; edge thickness reflects co-mention strength across the week’s articles.

View interactive topic map →

Article index

Agentic AI in attack & defense

JadePuffer’s fully AI-agent-run ransomware attack, CISA’s use of Anthropic’s Mythos to hunt government code vulnerabilities, and hiring data showing OpenAI and Anthropic charting different strategic bets.

Article Source Published
W2. A US cyber agency is finally using Anthropic’s Mythos Forbes July 7, 2026
W6. JadePuffer ransomware used AI agent to automate entire attack BleepingComputer July 8, 2026
W9. OpenAI and Anthropic are pulling in different directions Help Net Security July 8, 2026

Frontier model releases & policy

Grok 4.5’s Opus-class claim, GPT-5.6 Sol Ultra’s disputed math breakthrough, and the continuing fallout from the US export-control reversal on Claude Fable 5 and Mythos 5.

Article Source Published
W10. SpaceXAI releases Grok 4.5, which Elon describes as an “Opus-class model” TechCrunch July 8, 2026
W14. OpenAI’s GPT-5.6 Sol Ultra reportedly solves a 50-year-old math problem in under an hour The Decoder July 10, 2026
F8. US lifts restrictions on Anthropic’s powerful AI models Fable and Mythos Al Jazeera July 1, 2026

Agent & MCP security products

A large-scale MCP server vulnerability scan, plus new agent-governance and runtime-security launches from BeyondTrust, Codenotary, First Recon AI, and Exterro.

Article Source Published
W7. Codenotary launches AgentMon 3, an AI security platform that learns from agent behavior Help Net Security July 8, 2026
W8. First Recon AI launches AI Security Runtime Business Wire July 8, 2026
W11. Thousands of MCP servers found vulnerable to file access and injection attacks GBHackers July 8, 2026
W12. BeyondTrust extends privileged access leadership with NHI Governance for every non-human and AI identity GlobeNewswire July 9, 2026
W13. Exterro launches ARMOUR for FTK GlobeNewswire July 9, 2026

Prompt injection, jailbreak & agentic browser risk (foundational)

DuneSlide’s Cursor IDE zero-click RCE, DeepSeek-generated browser ransomware, the UW agentic-browser risk study, Agentjacking, a Microsoft 365 Copilot one-click data-theft chain, the CoT Forgery jailbreak, and why prompt injection still drives most agentic AI failures in production.

Article Source Published
F1. Prompt injection still drives most agentic AI security failures in production Help Net Security June 11, 2026
F2. Agentjacking attack tricks AI coding agents into running malicious code The Hacker News June 12, 2026
F3. One-click Microsoft 365 Copilot flaw could have let attackers steal emails, files, and MFA codes The Hacker News June 15, 2026
F4. Some agentic AI browsers come with major cybersecurity risks, UW study finds UW News June 30, 2026
F5. Security researchers tricked LLMs into giving them cocaine recipes by abusing role models for prompt injection The Register June 30, 2026
F6. AI-generated browser ransomware abuses Chromium API The Hacker News July 1, 2026
F7. DuneSlide: two critical RCE vulnerabilities via zero-click prompt injection in Cursor IDE Cato Networks July 1, 2026

AI safety, governance & risk economics

The Future of Life Institute’s Summer 2026 AI Safety Index, Time’s coverage of the same rankings, the EU’s new AI-cybersecurity action plan, and the UN’s first all-nations AI governance summit.

Article Source Published
W1. Global push for AI governance amid warnings of ‘catastrophic harm’ UN News July 6, 2026
W3. New EU plan to address the risks and opportunities of advanced AI for cybersecurity European Commission July 7, 2026
W4. AI Safety Index — Summer 2026 Future of Life Institute July 7, 2026
W5. The latest AI safety rankings are in. Nobody gets an A Time July 7, 2026

Detailed write-ups

1. JadePuffer ransomware used an AI agent to automate an entire attack

BleepingComputer · July 8, 2026

Researchers documented what they believe is the first ransomware intrusion run start-to-finish by an autonomous LLM agent, with no human operator directing individual steps. JadePuffer gained initial access by exploiting CVE-2025-3248, an unauthenticated RCE in the Langflow LLM-app framework, then pivoted to a production MySQL server running Alibaba Nacos and used root credentials plus CVE-2021-29441, an authentication bypass, to move laterally. The agent encrypted 1,342 Nacos service configuration items before deleting the originals, and researchers say it behaved like a human operator handling obstacles — retrying failed logins with refined parameters and, in one sequence, going from a failed login to a working fix in 31 seconds. The case matters less for its blast radius than for what it demonstrates: reconnaissance, credential theft, lateral movement, privilege escalation, and encryption chained together and adapted on the fly by a single agent, with no evidence a human intervened once the intrusion began.

Read the article →

Sources: BleepingComputer

2. A US cyber agency is finally using Anthropic’s Mythos

Forbes · July 7, 2026

CISA has begun using Anthropic’s Mythos — a model Anthropic has otherwise limited to a small cohort of roughly 50 partner organizations — to search government code repositories on GitHub for exploitable vulnerabilities, with staff on its Attack Surface Evaluation team reporting a “large number” of findings so far. The access is notable given CISA was not part of Mythos’s original partner cohort and given the White House’s own recent standoff with Anthropic over Fable 5 and Mythos 5 export controls; it remains unclear exactly how the agency secured permission to use a model the administration was, weeks earlier, restricting on national-security grounds. The episode is the clearest evidence yet that the US government sees offensive-grade AI vulnerability discovery as something it needs in its own defensive toolkit, even while it polices who else gets to use the same capability — the flip side of the same coin JadePuffer represents on the attacker’s ledger this week.

Read the article →

Sources: Forbes

3. AI Safety Index — Summer 2026: nobody gets an A

Future of Life Institute & Time · July 7, 2026

The Future of Life Institute’s Summer 2026 AI Safety Index graded nine leading AI companies — Anthropic, OpenAI, Google DeepMind, xAI, Z.ai, Meta, DeepSeek, Alibaba Cloud, and Mistral — across 37 indicators in six domains: risk assessment, current harms, safety frameworks, existential safety, governance and accountability, and information sharing. No company scored above a C+: Anthropic led at C+, OpenAI and Google DeepMind followed at C, Meta received a D+, and xAI, DeepSeek, and Mistral failed outright. Time’s separate coverage of the same rankings emphasized that all nine flagship models tested remain vulnerable to jailbreaks, and that reviewers judged every company’s current safety strategy inadequate for controlling a hypothetical future system that rivals human intelligence. Perhaps the most consequential finding is procedural rather than technical: the report says several labs, including Anthropic, OpenAI, Google DeepMind, and Meta, have quietly weakened or dropped earlier public commitments to pause development if their systems approached specified danger thresholds — suggesting the voluntary safety framework the industry built for itself is eroding faster than governments are building a durable replacement.

Read the article →

Sources: Future of Life Institute, Time

4. SpaceXAI releases Grok 4.5, which Elon describes as an “Opus-class model”

TechCrunch · July 8, 2026

xAI/SpaceXAI shipped Grok 4.5, which Elon Musk described on X as “an Opus-class model, but faster, more token-efficient and lower cost” — comparable, in his telling, to Anthropic’s Opus 4.7 but much faster, at $2/$6 per million input/output tokens versus Opus 4.7’s $5/$25. Independent benchmarking from Artificial Analysis complicates the claim: Grok 4.5 scored 54 on the Intelligence Index, placing it fourth overall behind Claude Fable 5, GPT-5.5, and Claude Opus 4.8 — the exact model Musk claimed to match. Where Grok 4.5 does lead outright is agentic performance: 33% on agentic tool use (versus GPT-5.5’s 31%) and 29% on long-horizon software engineering tasks (versus Opus 4.8’s 26%). For security teams evaluating agentic deployments, that split matters more than the marketing framing: general intelligence rankings say less about which model is safe to hand tool access to than agentic-task benchmarks do, and on that measure Grok 4.5 is a genuine frontrunner.

Read the article →

Sources: TechCrunch

5. OpenAI’s GPT-5.6 Sol Ultra reportedly solves a 50-year-old math problem in under an hour

The Decoder · July 10, 2026

OpenAI says its limited-preview GPT-5.6 Sol Ultra produced a proof of the Cycle Double Cover Conjecture — an open graph-theory question for roughly 50 years asking whether any network of vertices and edges admits a set of cycles traversing every edge exactly twice — using 64 subagents working in parallel, completing the task in under an hour. Mathematician Thomas Bloom of the University of Manchester called the resulting proof “a very nice proof,” noting it is short, elementary, and arguably could have been discovered decades earlier by a human researcher who happened to look at the problem the right way; independent peer review and broader mathematical verification are still pending. For security teams, the significance isn’t the conjecture itself but the method: 64 parallel subagents coordinating on a single hard research problem is a concrete preview of the orchestration patterns — and the corresponding trust and tool-access questions — that will show up in production agentic workflows well before frontier labs finish verifying the underlying capability claims.

Read the article →

Sources: The Decoder

6. Thousands of MCP servers found vulnerable to file access and injection attacks

GBHackers · July 8, 2026

A large-scale analysis of 9,695 Model Context Protocol servers across GitHub, Glama, Lobehub, and PulseMCP found 5,832 with security issues, 2,259 confirmed to contain exploitable vulnerabilities beyond simple authentication gaps, and 4,982 distinct cataloged issues in total — including 880 cases of arbitrary file access, 476 command injection flaws, 422 SSRF vulnerabilities, 211 cross-site-scripting instances, and 185 cases of prompt injection, plus 2,054 servers with no authentication at all. The headline finding is that popularity, repository activity, and verification badges — the signals organizations currently use to decide which MCP servers to trust — do not reliably correlate with security posture. With MCP now the default integration layer connecting agents to tools, data, and each other, this is the clearest evidence yet that the ecosystem’s growth has outpaced any baseline security review process, and it directly reinforces this week’s DuneSlide and Agentjacking findings that the MCP trust boundary, not any individual model’s alignment, is where agentic risk concentrates.

Read the article →

Sources: GBHackers

7. The prompt-injection and agentic-browser risk cluster (foundational reading)

Multiple sources · June 11 – July 1, 2026 · Foundational reading

This week’s foundational reading is a single, cumulative case for one argument: indirect prompt injection, not model jailbreaking, is now the dominant practical route to compromising agentic AI, and it is being demonstrated across every surface an agent touches. Cato Networks’ DuneSlide disclosed two critical, zero-click vulnerabilities (CVE-2026-50548 and CVE-2026-50549, both CVSS 9.8) that let a single injected prompt escape Cursor IDE’s terminal sandbox and run arbitrary commands with the developer’s full account authority — patched in Cursor 3.0 after the vendor initially rejected the report. Check Point identified a DeepSeek-generated browser ransomware technique, dubbed InfernoGrabber, that uses Chromium’s File System Access API to encrypt local files entirely inside the browser with no native payload or exploit required. A University of Washington study found agentic AI browsers routinely take actions on a user’s behalf without flagging that the underlying request has changed. Agentjacking showed a fabricated Sentry bug report hijacking AI coding agents (Claude Code, Cursor, and Codex among them) with an 85% success rate across more than 100 tested organizations. A Microsoft 365 Copilot flaw dubbed SearchLeak chained a parameter-injection bug, an HTML race condition, and a Bing SSRF into a one-click path to emails, files, and live MFA codes. And a newly published “CoT Forgery” technique from MIT and Harvard researchers found that simply inserting fake chain-of-thought reasoning into a prompt — text written to look like the model’s own prior reasoning — pushed jailbreak success from near zero to roughly 60% across every model tested, because LLMs judge trustworthiness by how text sounds rather than where it came from. Taken together with Help Net Security’s summary of why prompt injection still drives most agentic AI security failures in production, the throughline is structural, not a string of one-off bugs: every one of these attacks succeeds by exploiting an agent’s designed trust in inputs it was never built to authenticate.

Read the article →

Sources: Cato Networks (DuneSlide), The Hacker News (InfernoGrabber), UW News, The Hacker News (Agentjacking), The Hacker News (SearchLeak), The Register (CoT Forgery), Help Net Security

On our watch list

  1. Agent-run intrusions beyond JadePuffer. Whether other ransomware crews replicate a fully autonomous, adapt-on-failure attack chain, and whether JadePuffer’s techniques (Langflow/Nacos exploitation, credential-driven lateral movement) show up reused by human-directed operators now that the playbook is public.
  2. Government access to restricted frontier models. How CISA secured Mythos access outside Anthropic’s ~50-partner cohort, whether other agencies follow, and whether this becomes a template or a one-off exception to the administration’s own export-control posture.
  3. MCP trust-boundary remediation at scale. Whether the 2,259 confirmed-exploitable MCP servers identified this week get patched or abandoned, and whether directory operators (GitHub, Glama, Lobehub, PulseMCP) start scoring security posture rather than just popularity.
  4. Independent verification of GPT-5.6 Sol Ultra’s math claim. Whether OpenAI publishes the full proof for peer review, and whether the 64-subagent orchestration pattern becomes a disclosed technique other labs adopt for hard research problems.
  5. Whether AI Safety Index grades move policy. Whether regulators cite the Future of Life Institute’s report (or the EU’s new AI-cybersecurity action plan, or the UN’s governance summit) in any binding rulemaking, given labs are already reported to be quietly walking back earlier voluntary safety pledges.

AI & ML in Security · a weekly intelligence bulletin from Security Radar LLC

Weekly news items are from the previous seven days. Foundational reading is refreshed each week.

Curated by Paul Davis · paul.davis@security-radar.com

*|LIST:ADDRESS|*

View this email in your browser · Unsubscribe

© 2026 Security Radar LLC. All rights reserved.

Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.

Recent Posts

  • DevSecOps Weekly — July 12, 2026
  • DevSecOps Weekly — July 12, 2026 — Interactive Topic Map
  • Malware Analysis Weekly — July 12, 2026
  • Malware Analysis Weekly — July 12, 2026 — Interactive Topic Map
  • AI & ML in Security — July 12, 2026

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • November 2025
  • April 2024
  • September 2023
  • August 2023
  • July 2023
  • June 2023
  • April 2023
  • March 2023
  • February 2022
  • January 2022
  • December 2021
  • September 2020
  • October 2019
  • August 2019
  • July 2019
  • December 2018
  • April 2018
  • December 2016
  • September 2016
  • August 2016
  • July 2016
  • April 2015
  • March 2015
  • August 2014
  • March 2014
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • October 2012
  • September 2012
  • August 2012
  • February 2012
  • October 2011
  • August 2011
  • June 2011
  • May 2011
  • April 2011
  • February 2011
  • January 2011
  • December 2010
  • November 2010
  • October 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • June 2009
  • May 2009
  • March 2009
  • February 2009
  • January 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • August 2008
  • July 2008
  • June 2008
  • May 2008
  • April 2008
  • March 2008
  • February 2008
  • January 2008
  • December 2007
  • November 2007
  • October 2007
  • September 2007
  • August 2007
  • July 2007
  • June 2007
  • May 2007
  • April 2007
  • March 2007
  • February 2007
  • January 2007
  • December 2006
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • June 2006
  • May 2006
  • April 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005
  • April 2005
  • March 2005
  • February 2005
  • January 2005
  • December 2004
  • November 2004
  • October 2004
  • September 2004
  • August 2004
  • July 2004
  • June 2004
  • May 2004
  • April 2004
  • March 2004
  • February 2004
  • January 2004
  • December 2003
  • November 2003
  • October 2003
  • September 2003

Categories

  • AI-ML
  • Augment / Virtual Reality
  • Blogging
  • Cloud
  • DR/Crisis Response/Crisis Management
  • Editorial
  • Financial
  • Make You Smile
  • Malware
  • Mobility
  • Motor Industry
  • News
  • OTT Video
  • Pending Review
  • Personal
  • Product
  • Regulations
  • Secure
  • Security Industry News
  • Security Operations
  • Statistics
  • Threat Intel
  • Trends
  • Uncategorized
  • Warnings
  • WebSite News
  • Zero Trust

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org
© 2026 CyberSecurity Institute | Powered by Superbs Personal Blog theme