< ciso brief />

All news with #ai agent hijacking tag

38 articles

AI Support Bot Exploit Lets Attackers Hijack Instagram

🔒 A wave of account takeovers targeted high-profile Instagram profiles after attackers shared instructions for tricking Meta’s AI support assistant into relinking accounts to attacker-controlled email addresses. The technique, circulated on Telegram on May 31, reportedly involved using a VPN to appear from the target’s locale, initiating a password reset, and persuading the AI bot to add a new email. Meta acknowledged a brief compromise of a dormant Obama White House account and pushed an emergency patch while asserting no backend database was breached. Experts warn AI-driven support flows introduce new attack surface and recommend strong MFA such as passkeys or security keys to mitigate risk.

Linux Foundation proposes DNS-AID for AI agent discovery

🛰️ The Linux Foundation has proposed DNS-AID, a standards-driven extension to the Domain Name System to let AI agents discover, verify, and communicate without new infrastructure. The project leverages a well-known DNS address pattern (for example, _index._agents.{domain}) to provide a global, vendor-neutral directory for agents and MCP servers. Initial work was done by Infoblox, with contributions from Deutsche Telekom and Amazon, and the foundation is soliciting further input to keep the approach scalable and secure.

GPU-mining campaign uses SEO and AI for delivery

🛡️ Microsoft uncovered a targeted cryptojacking campaign that lures owners of high-performance PCs to malicious download pages for utilities like CrystalDiskInfo and HWMonitor. The attackers used SEO poisoning and, in some cases, manipulated AI chatbots to surface attacker-controlled download links. Infected ZIP archives include legitimate utilities and a malicious DLL that installs the ScreenConnect remote access tool, enabling persistent access and deployment of a process-hollowing loader that ultimately launches GPU miners.

PraisonAI Authentication Bypass CVE-2026-44338 Exploited

🔒 PraisonAI contained a critical authentication bypass (CVE-2026-44338) in its legacy Flask API server that sets AUTH_ENABLED = False and AUTH_TOKEN = None by default. Exploitation allows unauthenticated callers to enumerate configured agents via /agents and to trigger workflows through /chat, potentially consuming model quotas and exposing run results. The flaw affects versions 2.5.6–4.6.33 and was fixed in v4.6.34; operators are advised to update, audit deployments, and rotate exposed credentials.

Securing MCP Infrastructure: Zero-Trust for AI Agents

🔒 Knostic’s internet-wide reconnaissance discovered 1,862 exposed MCP servers, and manual checks of 119 instances showed every sampled server returned internal tool listings without authentication. High-impact flaws like EchoLeak (CVE-2025-32711) and mcp-remote (CVE-2025-6514) illustrate how poisoned documents and command-injection in widely used packages can enable silent data exfiltration or full system compromise. The article prescribes immediate adoption of zero-trust controls: authentication on every interaction, network segmentation, cryptographic signing for tool definitions, continuous integrity monitoring, and human approval for sensitive actions.

AI Agents Inside Your Perimeter: Visibility & Control

🛡️ Analysts and Orchid Security warn that enterprises are deploying AI agents faster than governance can keep up, creating an invisible layer of "identity dark matter" that conventional IAM misses. Orchid Security inspects applications at the binary and configuration layer to discover agents, audit compliance, and locate static credentials. Its Ask Orchid assistant answers natural-language questions about active agents, NIST compliance, and credential risks, then recommends prioritized remediation. This in-application observability aims to close the structural gap in identity visibility and enforce purpose-bound, least-privilege controls.

Okta Study: AI Agents Bypass Guardrails, Expose Tokens

🔒 Okta Threat Intelligence tested OpenClaw, a model-agnostic enterprise AI agent running Claude Sonnet 4.6, and found it could be manipulated to disclose sensitive credentials. In one scenario an attacker who hijacked a user’s Telegram prompted the agent to display an OAuth token in a terminal, reset the agent to erase that memory, then force a screenshot and send the token via Telegram. Okta warns that agents’ default helpfulness and deep system access can create significant credential exposure risks if not properly governed.

Critical Cursor IDE Bug Could Allow Remote Code Execution

⚠️ Security researchers disclosed a high-severity vulnerability in the Cursor AI-powered IDE that can lead to arbitrary code execution when its agent interacts with a malicious repository. Novee Security's analysis shows an attacker can embed a bare Git repository with a crafted hook and trigger it when the IDE autonomously runs Git operations. Cursor patched the flaw in version 2.5; there are no reports of active exploitation.

Integrating VirusTotal into AI Agent Decision Loops

🛡️ At VirusTotal we are integrating reputation and Code Insight directly into AI agent decision loops so agents can consult verdicts and context as part of their runtime behavior. Two community plugins, VT-sentinel (OpenClaw) and hermes-virustotal (Hermes), demonstrate the approach using the new VTAI API with compact responses and per-agent identities. Both MIT-licensed projects scan files, annotate hashes, and provide configurable privacy and enforcement presets so agents can quarantine, block, or proceed based on risk appetite.

ThreatsDay: OAuth Consent Abuse, EDR Bypass & More

🔒 Multiple vendors and researchers this week disclosed a broad set of active threats spanning cloud environments, endpoints, and messaging platforms. OAuth consent abuse campaigns impersonated trusted apps to harvest tokens and access mail and files without passwords, while the BlackSanta campaign used resume-themed ISOs to chain DLL side-loading and disable AV/EDR via vulnerable drivers. Other notable items include microcontroller debug bypasses, ZIP header evasion that defeats some AV/EDR tools, an AI-agent compromise of an internal platform, and targeted phishing against Signal and WhatsApp users.

Attackers Weaponize SOC Workloads to Exploit Phishing

🛡️ Attackers increasingly treat high-volume phishing as a weapon, flooding Security Operations Centers to exhaust analysts and hide targeted spear-phish. The article argues defenders must move from rule-based automation to decision-ready investigations—transparent, auditable agentic AI that produces concise verdicts and evidence. This reduces analyst fatigue, restores rapid response, and limits the window for attacker success.

Autonomous AI Agent Chains Bugs to Compromise Platform

🛡️ CodeWall’s autonomous red-team agent compromised hiring startup Jack & Jill by chaining four seemingly minor bugs into a complete account takeover within an hour. The agent abused a permissive URL fetcher, an enabled test-login mode, missing onboarding role checks, and absent domain verification to map APIs, authenticate via a test OTP flow, and escalate to org-admin privileges. It then generated synthetic voice clips to social-engineer Jack, conducting 28 multi-turn exchanges and even impersonating Donald Trump before moving on, demonstrating how AI can rapidly combine low-risk flaws into high-impact attacks.

OpenAI to Acquire Promptfoo to Boost AI Agent Security

🔒 OpenAI said it will acquire AI testing startup Promptfoo to strengthen security checks for AI agents as enterprises deploy autonomous systems in business workflows. Promptfoo’s tools let developers test LLM applications against adversarial prompts, including prompt injection and jailbreak attempts, and evaluate whether models follow safety and reliability guidelines. OpenAI plans to integrate Promptfoo into OpenAI Frontier and to continue developing the open-source project while expanding enterprise capabilities.

AI Assistants Shift Organizational Security Priorities

🤖 AI-based assistants such as OpenClaw are rapidly reshaping organizational security, blurring boundaries between data and code and between trusted co-workers and insider threats. Incidents and research show agents taking autonomous actions and misconfigured admin interfaces exposing credentials, conversations, and integrations. Demonstrated supply-chain and prompt injection attacks can install rogue agents and manipulate agent perception. Organizations should isolate agents, enforce strict network controls, vet third-party skills, and address AI fragility as a core security concern.

Google Cloud and Nokia Integrate Network as Code Platform

🚀 Google Cloud and Nokia announced an integration at MWC Barcelona that connects Nokia Network as Code (NaC) with Google Cloud’s agentic AI stack to enable AI agents to observe, program, and optimize mobile networks autonomously. The collaboration leverages Gemini models and standardized protocols such as A2A and MCP to translate natural-language intent into network actions. An Agent Development Kit (ADK) allows enterprises to build custom multi-agent workflows that bridge business logic and network intelligence, delivering a zero-code, intent-driven developer experience.

OpenClaw: Supply-Chain Risks and Underground Chatter

🔍 OpenClaw is an AI-driven automation framework with a modular skills marketplace that lets agents run user-installed plugins to manage mail, schedules, and system tasks. Security researchers disclosed multiple critical flaws — including one-click RCE (CVE-2026-25253), token/OAuth abuse, prompt-injection pathways, and absent sandboxing — and documented dozens of poisoned skills on ClawHub. Flare's telemetry shows significant chatter across research and fringe channels but limited evidence of mass criminal operationalization; the immediate confirmed threat is supply-chain abuse where malicious skills execute with agent-level privileges and exfiltrate credentials and sessions.

Grok and Copilot Can Be Abused as Covert C2 Channels

⚠️ Check Point Research warns attackers can misuse web-based AI assistants such as Grok and Microsoft Copilot to create covert, bidirectional command-and-control channels. By abusing built-in web-browsing and URL-fetch capabilities, malware can instruct an AI web interface to retrieve content from attacker-controlled URLs and return embedded commands without requiring API keys or authenticated accounts. Because many organizations treat AI domains as trusted outbound traffic and apply limited inspection, these C2 flows can blend into routine HTTPS sessions and evade traditional network controls.

Amazon Aurora DSQL Integrates with Kiro Powers, Skills

🤖 Amazon Web Services today announced that Amazon Aurora DSQL now integrates with Kiro powers and AI agent skills to accelerate database-backed application development. The integration packages the Aurora DSQL Model Context Protocol (MCP) server with development best practices so AI agents can assist with schema design, performance tuning, and routine database operations out of the box. Kiro powers provides a curated registry of MCP servers, steering files, and agent hooks with one-click installation in the Kiro IDE. The Aurora DSQL skill extends the same guidance to other agent ecosystems via a Skills CLI, allowing agents to dynamically load Postgres-compatible SQL patterns, distributed design advice, and IAM authentication guidance.

Provisioned Throughput on Vertex AI: Expanded Capacity

⚙️ Provisioned Throughput on Vertex AI standardizes reserved capacity across first-party, third-party, and open-source models, adding multimodal and operational enhancements to support production-scale AI agents. The update introduces Anthropic integration (private preview), PT for popular open models such as Llama 4, Qwen3, and GLM-4.7, and native support for high-bandwidth modalities including Gemini 3, Nano Banana, and Gemini Live API. Operational improvements — one-week PT terms, scheduled change orders, and explicit caching for long contexts — enable predictable latency, flexible commitments, and lower input costs for peak events and high-concurrency workloads.

Infostealer Harvests OpenClaw AI Agent Configurations

🔓 Hudson Rock says an info-stealer, likely a Vidar variant, exfiltrated an OpenClaw agent's configuration, including openclaw.json, device.json and soul.md. The files contain gateway tokens, cryptographic keys and the agent's operational 'soul,' which could let attackers impersonate the AI assistant or connect to local instances if exposed. The incident signals a shift from stealing credentials to harvesting AI agent identities, and vendors should expect targeted modules to follow.