An exploration of the risks associated with agentic AI by granting a local large language model full access to a WSL2 virtual machine. The experiment highlights the unpredictable nature of LLMs, which can hallucinate capabilities or make dangerous decisions when given control over an operating system environment.
Key points include:
- Testing OpenClaw as an open harness for agentic AI tasks.
- Observations on how LLMs struggle with persistent memory and tool installation.
- The tendency of models to lie about successful task completion (hallucination).
- The urgent need for better guardrails to prevent probabilistic errors from causing irreversible system damage.
Key points include:
- Testing OpenClaw as an open harness for agentic AI tasks.
- Observations on how LLMs struggle with persistent memory and tool installation.
- The tendency of models to lie about successful task completion (hallucination).
- The urgent need for better guardrails to prevent probabilistic errors from causing irreversible system damage.
This advisory details a significant tactical shift by China-nexus cyber actors toward using large-scale networks of compromised devices, known as covert networks or botnets, to route malicious activity. These networks primarily consist of vulnerable Small Office Home Office (SOHO) routers and Internet of Things (IoT) devices, allowing threat actors to disguise their origins and conduct reconnaissance, malware delivery, and data exfiltration with high deniability.
Key points include:
- The transition from individually procured infrastructure to externally provisioned botnets managed by Chinese information security companies.
- Use of compromised edge devices like Cisco and NetGear routers that are often end-of-life or unpatched.
- Challenges for defenders due to indicator of compromise (IOC) extinction, making static IP block lists less effective.
- Recommended defensive strategies ranging from basic asset mapping and multi-factor authentication to advanced zero trust policies and active threat hunting.
Key points include:
- The transition from individually procured infrastructure to externally provisioned botnets managed by Chinese information security companies.
- Use of compromised edge devices like Cisco and NetGear routers that are often end-of-life or unpatched.
- Challenges for defenders due to indicator of compromise (IOC) extinction, making static IP block lists less effective.
- Recommended defensive strategies ranging from basic asset mapping and multi-factor authentication to advanced zero trust policies and active threat hunting.
Researchers from Google and Forcepoint have identified a rise in indirect prompt injection (IPI) attacks, where malicious instructions are hidden within web pages to manipulate LLM-powered AI agents. While some injections are harmless pranks or tone adjustments, others aim for serious harm including traffic hijacking, data exfiltration, denial of service, and financial fraud through unauthorized payment processing. Attackers use techniques like invisible text, HTML comments, and metadata manipulation to hide these payloads from humans while remaining visible to AI.
Key points:
* Real-world evidence of IPI attacks found in massive web crawls and active threat hunting.
* Malicious intents include search engine manipulation, data theft (API keys), and destructive commands.
* Financial fraud attempts have been observed using embedded PayPal transactions and Stripe donation routing.
* Attackers hide instructions via single-pixel text, near-transparent colors, or metadata injection.
* The risk level scales with AI privilege; agentic AIs capable of executing commands or payments are high-impact targets.
Key points:
* Real-world evidence of IPI attacks found in massive web crawls and active threat hunting.
* Malicious intents include search engine manipulation, data theft (API keys), and destructive commands.
* Financial fraud attempts have been observed using embedded PayPal transactions and Stripe donation routing.
* Attackers hide instructions via single-pixel text, near-transparent colors, or metadata injection.
* The risk level scales with AI privilege; agentic AIs capable of executing commands or payments are high-impact targets.
Researchers have identified a significant security flaw in Anthropic's Model Context Protocol, which is designed to connect Large Language Models with external tools. The protocol's architecture allows for remote command execution because the parameters used to create server instances can contain arbitrary commands that are executed in a server-side shell without proper input sanitization. This vulnerability has been demonstrated on platforms like LettaAI, LangFlow, Flowise, and Windsurf. When researchers brought these findings to Anthropic, the company responded that there was no design flaw and stated it is the developer's responsibility to implement sanitization.
Key points:
- MCP architecture facilitates remote command execution (RCE) via StdioServerParameters.
- Lack of input sanitization allows arbitrary commands and arguments in server-side shells.
- Exploitation has been successful against LettaAI, LangFlow, Flowise, and Windsurf.
- Anthropic maintains the protocol works as designed, placing responsibility on developers for security implementation.
Key points:
- MCP architecture facilitates remote command execution (RCE) via StdioServerParameters.
- Lack of input sanitization allows arbitrary commands and arguments in server-side shells.
- Exploitation has been successful against LettaAI, LangFlow, Flowise, and Windsurf.
- Anthropic maintains the protocol works as designed, placing responsibility on developers for security implementation.
AI startup Lovable is facing criticism over its handling of a security vulnerability that allowed users to access sensitive information belonging to others. The flaw, identified as a Broken Object Level Authorization (BOLA) bug, potentially exposed source code, database credentials, and chat histories for projects created before November 2025.
.
.
.
.
With MCP, users can connect AI agents to HIBP data to perform complex, automated security analysis that was previously difficult for non-technical users. The article demonstrates how AI agents can act independently to investigate breaches, monitor specific email addresses, and uncover deep insights from stealer logs.
Anthropic research scientist Nicholas Carlini demonstrated that Claude Code can discover critical security vulnerabilities in the Linux kernel, including a heap buffer overflow in the NFS driver that had remained undetected since 2003. By using a simple bash script to iterate through source files with minimal prompting, the AI identified five confirmed vulnerabilities across various components like io_uring and futex. This discovery marks a significant shift in cybersecurity, as Linux kernel maintainers report a surge in high-quality vulnerability reports from AI agents.
Key points:
* Claude Code discovered a 23-year-old NFS driver bug using basic automation.
* Significant capability jump observed between older models and Opus 4.6.
* Kernel maintainers are seeing a massive increase in daily, accurate security reports.
* LLM agents may represent a new category of tool that combines the strengths of fuzzing and static analysis.
* Concerns exist regarding the dual-use nature of these tools for adversaries.
Key points:
* Claude Code discovered a 23-year-old NFS driver bug using basic automation.
* Significant capability jump observed between older models and Opus 4.6.
* Kernel maintainers are seeing a massive increase in daily, accurate security reports.
* LLM agents may represent a new category of tool that combines the strengths of fuzzing and static analysis.
* Concerns exist regarding the dual-use nature of these tools for adversaries.
Clearwing is an autonomous offensive security tool built on LangGraph, designed to emulate advanced vulnerability scanning capabilities using accessible AI models. It functions as a dual-mode system featuring a network pentest agent for live target scanning and service detection, alongside a source-code hunter that utilizes agent-driven pipelines to identify, verify, and potentially patch vulnerabilities in codebases.
Key features include:
* Dual-mode operation covering both network penetration testing and source-code analysis.
* A ReAct-loop network agent equipped with 63 bind-tools for scanning and exploitation attempts.
* An automated source-code hunter that uses adversarial verification and sanitizer crashes as ground truth.
* Comprehensive reporting capabilities including SARIF, markdown, and JSON formats.
* Support for various AI providers such as Anthropic, OpenAI, and local LLM endpoints via OpenRouter or Ollama.
Key features include:
* Dual-mode operation covering both network penetration testing and source-code analysis.
* A ReAct-loop network agent equipped with 63 bind-tools for scanning and exploitation attempts.
* An automated source-code hunter that uses adversarial verification and sanitizer crashes as ground truth.
* Comprehensive reporting capabilities including SARIF, markdown, and JSON formats.
* Support for various AI providers such as Anthropic, OpenAI, and local LLM endpoints via OpenRouter or Ollama.
This research presents a specialized GAN framework designed to enhance cybersecurity threat detection through advanced network traffic augmentation. By integrating nine differentiable loss components inspired by bio-inspired metaheuristics (Firefly, Jellyfish Search, and Mantis Shrimp), the model resolves class imbalance while preserving critical attack signatures.
* An energy-aware adaptive attention mechanism reduces training energy consumption by 40% without sacrificing accuracy.
* Tested across seven benchmark datasets, the framework achieved a high average accuracy of 98.73%.
* The model demonstrated strong robustness against adversarial evasion attempts.
* An energy-aware adaptive attention mechanism reduces training energy consumption by 40% without sacrificing accuracy.
* Tested across seven benchmark datasets, the framework achieved a high average accuracy of 98.73%.
* The model demonstrated strong robustness against adversarial evasion attempts.
ZeroID is a new open-source identity and credentialing platform designed specifically to address the attribution challenges in agentic workflows. It provides a verifiable delegation chain using RFC 8693 token exchange, ensuring that when orchestrator agents spawn sub-agents, every action remains traceable back to the original authorizing principal while maintaining strict permission boundaries.
Key features and details:
- Implements verifiable delegation chains for multi-agent systems
- Supports real-time revocation via OpenID Shared Signals Framework (SSF) and CAEP
- Offers SDKs for Python, TypeScript, and Rust
- Integrates with frameworks like LangGraph, CrewAI, and Strands
- Provides a containerized deployment model backed by PostgreSQL
Key features and details:
- Implements verifiable delegation chains for multi-agent systems
- Supports real-time revocation via OpenID Shared Signals Framework (SSF) and CAEP
- Offers SDKs for Python, TypeScript, and Rust
- Integrates with frameworks like LangGraph, CrewAI, and Strands
- Provides a containerized deployment model backed by PostgreSQL
