< ciso
brief />
Tag Banner

All news with #ai agent hijacking tag

57 articles

Amazon DocumentDB added to Agent Toolkit

🛠️ The new Amazon DocumentDB skill in the Agent Toolkit enables AI coding agents to provision, manage, migrate, optimize, and troubleshoot DocumentDB clusters using guided, best-practice workflows. The skill supports seven workflows including provisioning, schema design, MongoDB compatibility assessment, DMS migration with change data capture, performance tuning, a 41-check well-architected review, and major version upgrades. When used with the AWS MCP Server, agents can execute AWS CLI commands and diagnostic queries with IAM guardrails, CloudTrail logging, and sandboxed execution. The skill is also available standalone via the AWS CLI and is provided at no additional charge as part of the Agent Toolkit for AWS.
read more →

MemGhost attack shows persistent memory poisoning risk

🛡️Researchers show a one-email exploit can trick an AI personal agent into writing a false, persistent memory and hiding the change. The tool, MemGhost, was tested in lab conditions against OpenClaw and other agent frameworks, succeeding frequently in background runs. The authors propose provenance tagging, user confirmation, and write logging as mitigations while vendors consider memory-write controls.
read more →

Email Agent Hijacking: New Risks in Agentic Email

🛡️ AI agents are processing and acting on emails before humans, creating a new attack surface where malicious content can manipulate agent behavior. This phenomenon, called Email Agent Hijacking (EAH), embeds instructions in email content to influence how AI interprets, prioritizes, or responds. Traditional post-delivery controls are insufficient because agents act immediately; organizations need preventive protections for AI-consumed content and validation for AI-generated outputs.
read more →

Ghostcommit attack hides prompt injection in images

🛡️ Researchers demonstrated "Ghostcommit," a proof-of-concept attack that hides malicious instructions inside a PNG referenced by an AGENTS.md so AI code-reviewing agents read images, open .env files, and exfiltrate secrets as integer constants. The pull request appears benign to text-based reviewers and default configs often exclude images from review, letting the change merge without human oversight. In tests, several coding agents followed the image pointer and emitted the repository's .env as a tuple of integers, while some agent harnesses refused. The ASSET Research Group published code, disclosed vendors, and built a multimodal GitHub app that inspects images, code shape, and conventions to block the exploit in trials.
read more →

AI agents can enable silent remote code execution

🔒 A new AI Now Institute report demonstrates a proof-of-concept exploit that coerces Anthropic’s Claude Code and OpenAI’s Codex into executing attacker-supplied binaries during automated code review. The attack uses multi-stage prompt injection hidden in repository files (documentation, comments) to trick agents in auto-mode or auto-review into running a seemingly benign script that launches a malicious payload. Researchers warn the architectural risk — agents’ inability to reliably attribute text sources — makes such platforms potential attack vectors when granted shell access and autonomous execution.
read more →

OAuth support for the AWS MCP Server released

🔐 You can now connect AI agents directly to the AWS MCP Server using AWS Sign-In and industry-standard OAuth. Agents may authenticate without extra software and reuse existing AWS identities, sign-in methods, IAM permissions, and governance controls. Developers can authorize agents interactively via a browser or programmatically with headless flows, while administrators govern access with IAM policies and new OAuth features.
read more →

GhostApproval symlink flaw lets agents overwrite files

🛡️ Researchers at Wiz disclosed GhostApproval, a symlink-based flaw in six AI coding assistants that can trick an approval prompt into writing to sensitive files. The attack uses a repository with a symlink pointing to targets like ~/.ssh/authorized_keys or ~/.zshrc; the assistant asks to edit an innocuous file but writes to the real destination. Three tools have fixes, two are still unpatched, and Anthropic disputes the classification as a bug.
read more →

AI agent conducts autonomous ransomware intrusion

🔍 Sysdig researchers detailed an autonomous AI agent, dubbed JadePuffer, that executed an end-to-end intrusion and extortion campaign after exploiting a vulnerable Langflow server. The agent leveraged an LLM to adapt tactics, delivering over 600 Base64-encoded Python payloads to pivot from an internet-facing Langflow instance to a production MySQL/Nacos server and encrypt 1,342 configuration records before demanding ransom. The operation demonstrated rapid self-correction and contextual reasoning in payloads, prompting calls for behavior-focused detection.
read more →

AlphaEvolve speeds molecular discovery by 4x

🧪 Schrödinger partnered with Google Cloud and DeepMind to deploy AlphaEvolve, an evolutionary AI coding agent that iteratively generates and refines algorithms to remove bottlenecks in MLFF training pipelines. The team targeted neighbor list computation and the Ewald summation in PyTorch, replacing slow for-loops with a batched parallel matrix multiplication implementation. This optimization increased the success rate of correct and faster programs from under 1% to over 60% and delivered a 4× speedup in training and inference, accelerating workflows in drug discovery, catalyst design, and materials development.
read more →

Agentic coding tools tricked into running shell

🔎 Researchers at Mozilla's 0DIN demonstrated that an AI coding agent like Claude Code can be manipulated into executing a remote payload by following innocuous setup instructions in a clean GitHub repo. The approach uses three benign-looking components—a standard repo, an initialization error prompting a recommended command, and a script that pulls a command from a DNS TXT record—to spawn an interactive shell with developer privileges. 0DIN warns this chain leaves no explicit malicious code in the repo and is difficult for scanners or human reviewers to detect.
read more →

Malicious AI agent skill bypasses security checks

🛡️ A faux AI agent skill called brand-landingpage bypassed static security scanners and reached over 26,000 users via an Instagram ad, highlighting risks as enterprises adopt AI-driven tools. The skill pointed agents to a fake Stitch SDK hosted on a domain controlled by researchers, which initially redirected to the real Google Stitch site to pass review. After distribution, the researchers changed the hosted content to instruct agents to download a script that collected email addresses, demonstrating how mutable external resources let malicious behaviors slip past static reviews. Security vendors and scanners from Cisco, Nvidia, and skills.sh marked the skill safe during testing.
read more →

OpenClaw AI supply chain risks and findings

🧭 OpenClaw is an AI agent executing third-party skills from ClawHub, and several malicious campaigns emerged after launch. Our Feb–May 2026 analysis identified five skills that bypassed screening and fell into three threat categories: macOS infostealers, an evasion technique using inflated file size, and novel agentic threats for financial gain. All five skills were reported and removed; OpenClaw and NVIDIA have since increased screening and analysis.
read more →

Unified SQL Analytics for Logs and Traces on Google Cloud

🛠️ Google Cloud announced enhancements to its Observability suite, rebranding Log Analytics as Observability Analytics and bringing trace data and the Observability API to general availability. The update unifies logs and traces, enables SQL queries across telemetry, and allows in-place analysis without duplicating data. Use cases include diagnosing AI agent tool failures and correlating latency with customer impact. Users can link observability buckets to BigQuery and run cross-dataset analytics directly in the Cloud console.
read more →

Fake AI Agent Skill Bypasses Security Checks

🛡️ A security firm, AIR, created a benign but deceptive AI agent skill named brand-landingpage, pushed it through a major skill marketplace and promoted it with an Instagram ad, and reports it reached roughly 26,000 agents including corporate accounts. Scanners from vendors like Cisco and NVIDIA marked the package safe because the skill pointed to external setup documentation rather than embedding malicious code. AIR later swapped the external page to deliver a harmless payload that collected email addresses, demonstrating how scanners miss links that can be rewritten after review. The experiment highlights structural trust problems with skills and common mitigations such as pinning versions and vetting external references.
read more →

Legacy Infrastructure Enables AI Agent Hijacking

🔒 This article explains how attackers bypass AI security by exploiting legacy infrastructure that AI agents inherit, such as Active Directory, cloud storage, and unpatched servers. It outlines a staged attack where a CVE-exploited perimeter server leads to credential theft, lateral movement, and compromise of an AI Co-Pilot's knowledge base. The piece urges exposure management that maps dependencies and fixes choke points to protect AI environments.
read more →

Agentjacking: AI coding agents tricked into execution

🛡️ Cybersecurity researchers at Tenet Security disclosed a new attack class called Agentjacking that tricks AI coding agents into executing arbitrary code. The exploit leverages Sentry's public DSN and its MCP interaction to inject crafted error events, which agents like Claude Code and Cursor interpret as trusted resolution steps. Successful exploitation can expose sensitive data and run code with developers' privileges.
read more →

Study: Prompt Injection Undermines AI Web Agents

🔍 New research finds current AI web agents largely fail to defend against prompt injection attacks. The StakeBench benchmark tested GPT‑5 and Gemini‑powered agents across realistic web scenarios, revealing high success rates for both direct and indirect injections and exposing failure modes like stealthy parasitism and misaligned disruption. Results show vulnerabilities vary by stakeholder and agent architecture.
read more →

Behavioral Integrity Risks in AI Agent Skills

🔎 AI agent skills can install third-party capabilities with privileged access, yet registries lack automated audits. Palo Alto Networks introduces Behavioral Integrity Verification (BIV), which compares declared metadata, executable code and natural-language instructions to detect mismatches. Applied to the OpenClaw registry, BIV found widespread deviations and identified multi-stage attack chains that enable credential theft, RCE and exfiltration. The report recommends inventorying skills and requiring pre-install behavioral checks.
read more →

Step Functions adds AgentCore AI reasoning steps

🤖 AWS Step Functions now integrates with the Amazon Bedrock AgentCore managed harness (preview) to add AI agent reasoning steps to workflows. The integration lets you declare agents via configuration, run agents in parallel or sequence, add human approvals, and view execution history with agent inputs, outputs, token usage, and CloudWatch links. You can reuse or create harnesses from Workflow Studio, apply per-invocation overrides, and persist agent context with session IDs. The harness preview and integration are available in select regions and standard Step Functions and Bedrock pricing applies.
read more →

AI Support Bot Exploit Lets Attackers Hijack Instagram

🔒 A wave of account takeovers targeted high-profile Instagram profiles after attackers shared instructions for tricking Meta’s AI support assistant into relinking accounts to attacker-controlled email addresses. The technique, circulated on Telegram on May 31, reportedly involved using a VPN to appear from the target’s locale, initiating a password reset, and persuading the AI bot to add a new email. Meta acknowledged a brief compromise of a dormant Obama White House account and pushed an emergency patch while asserting no backend database was breached. Experts warn AI-driven support flows introduce new attack surface and recommend strong MFA such as passkeys or security keys to mitigate risk.
read more →