2026-06-23HighPP: Partial

Staged payload defeats every scanner, reaches 26K agents via ClawHub

Security firm AIR created a fake skill named brand-landingpage that claimed to build landing pages using Google’s Stitch tool. The skill passed every scanner tested — Cisco,…

AIR Security / brand-landingpage · Runtime Gate

2026-06-22HighPP: Partial

23 plugins squat @openclaw/ and @clawhub/ scopes on the ClawHub registry

Manifold Security found 23 plugins on ClawHub — the primary plugin registry for Claude Code, Cursor, and Codex — published under @openclaw/ and @clawhub/ organizational scopes by…

ClawHub · Runtime Gate

2026-06-17HighPP: Partial

144 Mastra npm AI agent packages backdoored via typosquat RAT, LLM keys targeted

On June 17, 2026, an attacker used a dormant former Mastra contributor account (ehindero) whose scope permissions were never revoked to publish 144 malicious @mastra package…

Mastra / npm · Credential Gate

2026-06-16CriticalPP: Partial

Sapphire Sleet hijacked Mastra npm, injected RAT into 1.1M weekly downloads

Sapphire Sleet (BlueNoroff, North Korean APT) hijacked a forgotten contributor account with npm publish access to the @mastra scope (1.1M weekly downloads). Over 88 minutes on…

Mastra · Deploy Gate

2026-06-15HighPP: Partial

One malicious link made Copilot exfiltrate your email and MFA codes

Varonis Threat Labs discovered SearchLeak (CVE-2026-42824), a chained vulnerability in Microsoft 365 Copilot Enterprise that lets an attacker exfiltrate emails, MFA codes, meeting…

Microsoft 365 Copilot · Tool-Call Gate

2026-06-12HighPP: Partial

A booby-trapped document gives M365 Copilot a persistent backdoor

Presented at DEF CON Singapore (June 2026), CVE-2026-24299 'Copirate 365' chains four weaknesses: an indirect prompt injection via a booby-trapped document triggers CSS font-face…

Microsoft 365 Copilot · Tool-Call Gate

2026-06-12HighPP: Partial

US govt shuts down Fable 5 globally — jailbreak, no advance notice

On June 12, 2026 at 5:21 PM ET, the US government issued an export control directive ordering Anthropic to suspend all access to Fable 5 and Mythos 5 by any foreign national.…

Anthropic Claude Fable 5 / Mythos 5 · Runtime Gate

2026-06-11HighPP: Partial

No-auth path traversal in Langflow left 7,000 AI pipelines open to RCE

CVE-2026-5027 is a path traversal vulnerability in Langflow, a popular open-source low-code platform for building AI agent workflows. The POST /api/v2/files endpoint did not…

Langflow · Runtime Gate

2026-06-09HighPP: Partial

LangGraph checkpoint SQL injection chains to full RCE on self-hosted agents

Check Point Research disclosed three chained CVEs in LangGraph's persistence layer. CVE-2025-67644 (CVSS 7.3) is a SQL injection in the SQLite checkpointer's metadata filter that…

LangGraph · Runtime Gate

2026-06-08CriticalPP: Partial

Actively exploited: LiteLLM flaw chains to full RCE (CVSS 10.0)

CISA added CVE-2026-42271 in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog on June 8, 2026. The flaw resides in MCP server test endpoints…

BerriAI LiteLLM · Tool-Call Gate

2026-06-08CriticalPP: Partial

Fake Sentry errors hijack AI coding agents — 85% success, 2,388 orgs exposed

Researchers at Tenet Security demonstrated "agentjacking" — an attack class that injects malicious Markdown instructions into Sentry error events via the platform's public ingest…

Sentry MCP · Tool-Call Gate

2026-06-07CriticalPP: Partial

Hades worm poisoned AI tool config files to steal 294K developer secrets

The Hades wave, part of the Miasma supply chain campaign, planted malicious hooks inside Claude Code, Cursor, Gemini CLI, and VS Code configuration files in compromised GitHub…

Miasma / Hades Supply Chain Campaign · Credential Gate

2026-06-05HighPP: Partial

One malicious issue made Claude Code leak CI/CD secrets undetected

Microsoft Threat Intelligence documented a prompt injection vulnerability in Anthropic Claude Code GitHub Action allowing malicious repository content (issues, PR descriptions,…

Claude Code GitHub Action · Credential Gate

2026-06-05CriticalPP: Partial

Miasma worm took down 73 Microsoft repos and stole AI tokens

On June 5, 2026, the Miasma worm reached Microsoft's GitHub organizations via a malicious commit to Azure/durabletask using a previously compromised contributor account. Five…

GitHub Actions / Supply Chain (Miasma Worm) · Credential Gate

2026-06-03HighPP: Partial

Fake Claude Code installers steal credentials straight from memory

Threat actors abused Google Sites trusted infrastructure to host fake Claude Code and Codex installer pages. A ClickFix lure instructed developers to run a malicious mshta.exe…

Fake Claude Code / Fake Codex (impersonation campaign) · Credential Gate

2026-06-03CriticalPP: Partial

A threat actor used Claude to build an AI-native ransomware toolkit

Sophos X-Ops detected a Russian-speaking threat actor using Cursor IDE and Claude Opus 4.5 as the primary orchestration agent to build an AI-native ransomware attack framework.…

Cursor IDE / Claude Opus 4.5 · Runtime Gate

2026-06-01CriticalPP: Partial

Meta's support chatbot handed over Instagram accounts at scale

Hackers tricked Meta AI support chatbot into resetting Instagram account credentials by asking it to associate target accounts with attacker-controlled email addresses. The bot…

Meta AI Support Assistant · Credential Gate

2026-05-27HighPP: Partial

Three chained Claude.ai bugs add up to silent data exfiltration

Oasis Security researchers discovered three chained vulnerabilities in Claude.ai, dubbed 'Claudy Day': invisible prompt injection via URL query parameters, silent data…

Claude.ai (Anthropic) · Tool-Call Gate

2026-05-26CriticalPP: Partial

BadHost: one character bypasses auth on millions of MCP servers

A trivial HTTP Host header injection (CVE-2026-48710, branded BadHost) bypasses path-based authorization in Starlette, the routing core of FastAPI and the majority of Python AI…

Starlette / FastAPI · Tool-Call Gate

2026-05-26HighPP: Partial

Poisoned Postgres MCP image — pulled 100K+ times — leaks prod tokens

Trend Micro TrendAI Research documented a class of exploit called 'return-to-tool' (RTT) — indirect prompt injection that causes an AI agent to call its own authorized tools…

mcp/postgres Docker image · Tool-Call Gate

2026-05-22CriticalPP: Partial

One poisoned VS Code extension exfiltrated 3,800 GitHub repos

TeamPCP (UNC6780) poisoned Nx Console 18.95.0 — a popular VS Code extension with 2.2M installs used to manage large monorepos — as part of the broader Mini Shai-Hulud supply chain…

Nx Console / VS Code Marketplace · Credential Gate

2026-05-21CriticalPP: Partial

Gemini deleted 28,745 lines of code, then faked the post-mortem

Gemini 3.5 opened a PR touching 340 files, deleting 28,745 lines while adding roughly 400. It then modified Firebase routing to point at a non-existent Cloud Run service, causing…

Gemini 3.5 · Deploy Gate

2026-05-21HighPP: Partial

LLM-generated attacks breached Composio's remediation pipeline

An attacker used LLM-generated attack patterns to brute-force exploit combinations against Composio's infrastructure until gaining a foothold in an internal agentic tool used to…

Composio · Credential Gate

2026-05-19HighPP: Partial

34 supply chain packages planted AI-poisoning CLAUDE.md on developer machines

TrapDoor was a cross-ecosystem supply chain campaign distributing 34 malicious packages (npm, PyPI, Crates.io) across 384 artifact versions targeting crypto, DeFi, Solana, and AI…

Claude Code / Cursor · Tool-Call Gate

2026-05-14CriticalPP: Partial

Mage AI's default install: unauthenticated RCE with cluster-admin

Microsoft Defender for Cloud observed Mage AI's default Helm chart deployment exposing an internet-facing LoadBalancer on port 6789 with no authentication. The exposed web UI…

Mage AI / Kubernetes · Tool-Call Gate

2026-05-14HighPP: Partial

Defender finds Mage AI and MCP servers wide open in the wild

Microsoft Defender for Cloud observed Mage AI and MCP servers deployed publicly on Kubernetes without authentication, resulting in RCE with cluster-admin privileges and credential…

Mage AI / MCP Servers · Tool-Call Gate

2026-05-12HighPP: Partial

ClaudeBleed: a zero-permission extension can fully hijack Claude

LayerX Security researchers discovered a design flaw in Anthropic's Claude for Chrome extension where any Chrome extension — including those with zero declared permissions — can…

Anthropic / Claude for Chrome · Credential Gate

2026-05-12CriticalPP: Partial

One malicious link makes Claude Code run attacker commands

Researcher Joernchen (0day.click) discovered a critical RCE in Anthropic's Claude Code CLI, patched in v2.1.118 on May 12, 2026. The eagerParseCliFlag function in main.tsx scanned…

Claude Code · Tool-Call Gate

2026-05-11CriticalPP: Partial

Supply-chain worm hit TanStack, Mistral AI, and 170+ packages

On May 11, 2026, TeamPCP's Mini Shai-Hulud worm compromised TanStack's GitHub Actions CI pipeline via pull_request_target cache poisoning and OIDC token extraction, publishing 84…

npm / TanStack / Mistral AI / Guardrails AI · Credential Gate

2026-05-11CriticalPP: Partial

Open WebUI file upload could delete any file on the host

Security researcher Taylor Pennington of KoreLogic discovered CVE-2026-44565 in Open WebUI, a widely deployed web interface for local LLMs and agentic systems. The file upload API…

Open WebUI · Runtime Gate

2026-05-11HighPP: Partial

PraisonAI shipped with auth off — scanners found it in 4 hours

PraisonAI shipped a legacy Flask-based API server with AUTH_ENABLED = False and AUTH_TOKEN = None hardcoded in versions 2.5.6–4.6.33, affecting ~7,100-star GitHub project. Any…

PraisonAI · Runtime Gate

2026-05-11HighPP: Partial

Vibe-coded apps shipped as ready-made SSRF proxies

Vercel patched CVE-2026-44578 on May 11, 2026 — a CVSS 8.6 flaw in Next.js's WebSocket upgrade handler that skipped routing safety checks, allowing unauthenticated attackers to…

AI Coding Agents + Next.js · Deploy Gate

2026-05-10CriticalPP: Partial

An LLM agent went from CVE to database dump in under an hour

On May 10, 2026, Sysdig TRT observed the first confirmed intrusion driven by an LLM agent in its post-exploitation phase. An attacker compromised a marimo notebook via…

Attacker-controlled LLM Agent / marimo · Credential Gate

2026-05-08HighPP: Partial

Claude Code OAuth tokens stolen by a man-in-the-middle MCP server

Mitiga Labs discovered that a malicious npm package with lifecycle hooks can modify ~/.claude.json to redirect all MCP traffic through an attacker-controlled proxy. Claude Code's…

Claude Code / MCP · Credential Gate

2026-05-08CriticalPP: Partial

Cline's open WebSocket let anyone hijack the agent and run code

Security researcher Sagilayani disclosed CVE-2026-44211 on May 8, 2026: the kanban npm package bundled with the Cline CLI starts a WebSocket server on 127.0.0.1:3484 with zero…

Cline AI / kanban npm package · Runtime Gate

2026-05-07HighPP: Partial

One click in a coding agent hands attackers your machine

Adversa AI reported that malicious repositories could auto-approve agent tool execution paths and trigger remote code execution.

Claude Code / Cursor / Gemini CLI / GitHub Copilot · Tool-Call Gate

2026-05-07CriticalPP: Partial

Prompt injection turns Semantic Kernel into remote code execution

Microsoft Security disclosed two vulnerabilities in Semantic Kernel (CVE-2026-25592, CVE-2026-26030) where an attacker with a prompt injection vector can achieve host-level remote…

Microsoft Semantic Kernel · Runtime Gate

2026-05-07HighPP: No

Fake OpenAI repo hit #1 trending — 244K downloads of an infostealer

HiddenLayer discovered on May 7 that a malicious Hugging Face repository named Open-OSS/privacy-filter had typosquatted OpenAI's legitimate Privacy Filter project. The repo hit #1…

Hugging Face (AI model platform) · Deploy Gate

2026-05-04HighPP: Partial

Azure SRE Agent streamed live commands to anyone with an Entra ID

Enclave AI researcher Yanir Tsarimi discovered that the Azure SRE Agent's /agentHub WebSocket endpoint accepted any valid Entra ID token — regardless of tenant — because the…

Microsoft Azure SRE Agent · Credential Gate

2026-05-04CriticalPP: Partial

One AWS breach leaked every customer's AI provider API keys

On May 4, 2026, attackers gained unauthorized access to a Braintrust AWS account that stored org-level AI provider API keys — OpenAI, Anthropic, Google, and others — for all…

Braintrust · Credential Gate

2026-05-01HighPP: Yes

Researchers drained API keys from three vendors' coding agents

Researchers from Johns Hopkins University demonstrated that production coding agents from Anthropic, Google, and Microsoft could be manipulated to exfiltrate API keys and…

Claude Code (Anthropic) / Gemini (Google) / GitHub Copilot (Microsoft) · Credential Gate

2026-04-27CriticalPP: Partial

Production database and backups gone in 9 seconds

An autonomous coding agent reportedly deleted PocketOS's production database and backups through Railway.

Cursor + Claude Opus 4.6 + Railway · Data Mutation Gate

2026-04-24CriticalPP: Yes

Gemini CLI headless mode and --yolo flag enabled CVSS 10.0 CI runner RCE

Gemini CLI had two compounding security issues discovered by Elad Meged (Novee Security) and Dan Lisichkin (Pillar Security). First, headless mode automatically trusted any…

Gemini CLI · Deploy Gate

2026-04-23CriticalPP: Partial

Claw Chain: 245,000 AI agent servers exposed by four chained CVEs

Cyera Research disclosed four chained vulnerabilities (CVE-2026-44112/113/115/118) in OpenClaw, affecting all versions prior to the April 23, 2026 patch. From a single foothold —…

OpenClaw · Tool-Call Gate

2026-04-22HighPP: Partial

Poisoned Bitwarden CLI harvested AI coding keys from 334 developers

On April 22, 2026, attackers hijacked Bitwarden's CI/CD pipeline and published malicious @bitwarden/[email protected] to npm. The malware explicitly scanned developer filesystem paths…

Bitwarden CLI / @bitwarden/cli npm package · Credential Gate

2026-04-19CriticalPP: Partial

Vercel breached — customer data stolen via compromised OAuth tokens

Attackers reportedly used a compromised Context AI OAuth path to access Vercel internal systems and customer data.

Context AI OAuth app / Vercel · Credential Gate

2026-04-15HighPP: Yes

A PR title stole API keys from Claude Code, Gemini, and Copilot

Researchers at Johns Hopkins University discovered a novel prompt injection pattern affecting Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub…

Claude Code Security Review / Gemini CLI Action / GitHub Copilot · Credential Gate

2026-04-15HighPP: Yes

Windsurf zero-click attack auto-registered malicious MCP STDIO server

OX Security disclosed CVE-2026-30615, the only fully zero-click AI IDE exploit in their disclosure chain. Processing attacker-controlled HTML within Windsurf caused unauthorized…

Windsurf · Tool-Call Gate

2026-04-01CriticalPP: Partial

Empty IP whitelist = allow all: 2,600+ nginx-ui MCP endpoints fully open

nginx-ui's /mcp_message endpoint used IP address whitelisting for access control. The default configuration had an empty whitelist, which was treated as allow-all rather than…

nginx-ui · Runtime Gate

2026-04-01CriticalPP: Partial

Vertex AI predictable bucket let attacker swap pickle for cross-tenant RCE

Unit 42 (Palo Alto Networks) discovered that the Google Vertex AI SDK generated predictable GCS bucket names derived deterministically from the victim's project ID and region. An…

Google Vertex AI · Deploy Gate

2026-03-30HighPP: Partial

A branch name was all it took to steal GitHub tokens from Codex

Researchers reported that crafted GitHub branch names could trigger command injection in Codex and exfiltrate GitHub OAuth tokens.

OpenAI Codex · Runtime Gate

2026-03-24CriticalPP: Partial

Backdoored LiteLLM on PyPI stole env vars, SSH keys, and cloud creds

On March 24, 2026, TeamPCP published backdoored LiteLLM versions 1.82.7 and 1.82.8 to PyPI after stealing PyPI publish credentials via a compromised Trivy GitHub Action in…

BerriAI LiteLLM · Credential Gate

2026-03-16MediumPP: Partial

AI coding agents quietly shipped vulnerable dependencies

An operator reported AI-assisted code pinned a vulnerable Next.js dependency later exploited to run a cryptominer.

Claude Code / OpenAI Codex + Next.js · Deploy Gate

2026-03-10HighPP: Partial

Azure MCP SSRF leaked managed identity token for privilege escalation

XBOW discovered that Azure MCP Server accepted arbitrary URLs as Azure resource identifiers without validation. An attacker could supply a malicious URL instead of a legitimate…

Azure MCP Server · Credential Gate

2026-03-01CriticalPP: Partial

Claude Code rewrote its own tests to make a bug disappear

Claude Code, tasked with fixing a failing test, instead modified the test assertions to pass rather than fix the underlying code defect. The agent was not 'trying to deceive' in a…

Claude Code · Deploy Gate

2026-03-01HighPP: Yes

Meta AI forum agent posted dangerous config publicly, exposing data for 2 hours

A Meta employee asked an internal AI forum agent a technical question in a private context. The agent posted its response publicly on the internal engineering forum without the…

Meta Internal AI Forum Agent · Deploy Gate

2026-02-28HighPP: Partial

Autonomous agent breached McKinsey Lilli via SQL injection, 46M messages exposed

On February 28, 2026, CodeWall pointed an autonomous offensive AI agent at McKinsey's internal AI platform Lilli and allowed it to select and attack a target. In under 2 hours,…

CodeWall autonomous agent / McKinsey Lilli · Tool-Call Gate

2026-02-26CriticalPP: Partial

Claude Code ran Terraform — production, database, and snapshots gone

A coding agent reportedly ran Terraform destroy against production infrastructure, removing database and snapshots.

Claude Code + Terraform · Deploy Gate

2026-02-24HighPP: Yes

OpenClaw deleted 200 emails and ignored every stop command

Summer Yue, director of alignment at Meta Superintelligence Labs, shared screenshots on X of OpenClaw speedrunning through her inbox, deleting every email older than one week.…

OpenClaw (Anthropic Claude) · Data Mutation Gate

2026-02-17CriticalPP: Partial

Cline 2.3.0 supply chain attack silently installed OpenClaw on 4K machines

Researcher Adnan Khan discovered a vulnerability chain in Cline: prompt injection via crafted PR titles/descriptions could exfiltrate npm publish tokens stored in GitHub Actions,…

Cline · Deploy Gate

2026-02-08HighPP: Partial

Owockibot leaked hot-wallet keys it was told never to touch

On February 8, 2026, Owockibot — an autonomous AI agent created by the Gitcoin team and granted control of a small crypto treasury — exposed the private keys to its hot wallet in…

Owockibot (Gitcoin) · Credential Gate

2026-02-05CriticalPP: Partial

1,184 ClawHub skills delivered AMOS stealer to 40K OpenClaw instances

Koi Security disclosed that 1,184 malicious Skills were uploaded across 12 coordinated accounts to OpenClaw's ClawHub marketplace. The primary payload was Atomic Stealer (AMOS), a…

OpenClaw · Tool-Call Gate

2026-02-02CriticalPP: Partial

Captured logs: hackers ran Claude Code as C2 for 18 days of live intrusions

Open Analysis Labs (OALABS) published captured AI session logs from a developer host compromised in February 2026, then cloned to an attacker-controlled Vultr VPS. The attacker…

Claude Code (claude-opus-4-6) · Tool-Call Gate

2026-02-01HighPP: Partial

One hardcoded key exposed 1.5M agent tokens to full hijack

Wiz researchers found a Supabase API key hardcoded in Moltbook's client-side Next.js JavaScript bundle, granting unauthenticated read/write access to the entire production…

Moltbook / Supabase · Credential Gate

2026-02-01HighPP: Partial

Cloned Oura MCP server with fake contributors deployed StealC infostealer

The SmartLoader threat group cloned the legitimate Oura Ring MCP server and built a fake contributor ecosystem — fabricated GitHub contributors, commit history, and community…

Oura Ring MCP (trojanized) · Tool-Call Gate

2026-01-31CriticalPP: Yes

AI trading agents moved $27M in SOL without human approval after exec compromise

Attackers compromised executive devices at Step Finance, a Solana DeFi platform. The platform's AI trading agents held excessive permissions and operated without human-approval…

Step Finance AI Trading Agents · Data Mutation Gate

2026-01-29HighPP: Yes

WebSocket hijacking in OpenClaw Control UI leads to RCE

OpenClaw's web-based Control UI accepted a `gatewayUrl` query parameter without origin validation or restriction. An attacker can construct a malicious link with JavaScript that…

OpenClaw · Runtime Gate

2026-01-14HighPP: Partial

Cursor's allowlist bypass: shell env poisoning turned 'git' into RCE

CVE-2026-22708 disclosed a logic flaw in Cursor AI's Auto-Run terminal allowlist. Cursor's allowlist checked external binaries but did not scrutinize shell built-ins (export,…

Cursor AI · Tool-Call Gate

2026-01-01CriticalPP: Partial

Claude Code ran recon and password sprays on a water utility

Between December 2025 and February 2026, an unknown threat group used Anthropic's Claude Code as the primary technical executor in a large-scale intrusion campaign against nine…

Claude Code / OpenAI GPT-4.1 · Tool-Call Gate

2026-01-01CriticalPP: Partial

Attackers drove Claude and GPT-4.1 at a water utility's OT systems

Between December 2025 and February 2026, an unknown threat group used Claude Code and OpenAI GPT-4.1 to attack nine Mexican government agencies including a water utility. Without…

Claude Code / OpenAI GPT-4.1 · Tool-Call Gate

2025-12-29CriticalPP: Yes

Copilot Studio's default setting enables invisible agent backdoors

Zenity Labs documented that Microsoft Copilot Studio's Connected Agents feature — enabled by default on all new agents — allows any agent in the same environment to silently…

Microsoft Copilot Studio · Tool-Call Gate

2025-12-15MediumPP: Unknown

An AI coding bot's blunder reportedly took down AWS

Media reports linked an AWS service interruption to user error involving Amazon's Kiro AI coding agent.

Amazon Kiro / AI coding workflow · Deploy Gate

2025-12-06HighPP: Partial

30+ CVEs across every major AI IDE — prompt injection chains to RCE

Security researcher Ari Marzouk (MaccariTA) published IDEsaster in December 2025 after a six-month research project, documenting 30+ vulnerabilities and 24 CVEs across every major…

Cursor / GitHub Copilot / Claude Code / Multiple AI IDEs · Tool-Call Gate

2025-11-13CriticalPP: Partial

Chinese APT used jailbroken Claude Code for autonomous nation-state espionage

Anthropic disclosed that Chinese state-linked threat actor GTG-1002 jailbroke Claude Code using a technique called 'Micro-Tasking' — splitting instructions across multiple context…

Claude Code · Runtime Gate

2025-10-08HighPP: Partial

CamoLeak: Copilot flaw let attackers silently steal private data

Researchers reported a Copilot Chat flaw that could leak private source code and secrets through prompt injection.

GitHub Copilot Chat · Credential Gate

2025-10-01HighPP: Partial

Figma file content triggers shell metacharacter injection and RCE on dev machine

The figma-developer-mcp (Framelink) MCP server, widely used in Cursor for AI-assisted design-to-code workflows, passed unsanitized Figma file data directly to Node.js…

Framelink Figma MCP · Tool-Call Gate

2025-09-29CriticalPP: Partial

Malicious npm MCP server silently BCC'd up to 15K corporate emails/day

The postmark-mcp npm package appeared legitimate for 15 versions. In v1.0.16, the package began silently adding a BCC header to every outgoing email, routing copies to an…

postmark-mcp (npm) · Tool-Call Gate

2025-07-18HighPP: Partial

Replit's AI agent wiped a production database

SaaStr founder Jason Lemkin reported Replit's AI agent deleted production database data during a code freeze.

Replit Agent · Data Mutation Gate

2025-07-01HighPP: Partial

Crafted symlink and path prefix bypass escape Anthropic Filesystem MCP sandbox

Cymulate Research Labs discovered two vulnerabilities in Anthropic's official Filesystem MCP server. CVE-2025-53110 (CVSS 7.3): the server used naive prefix-matching to enforce…

Anthropic Filesystem MCP · Runtime Gate

2025-07-01CriticalPP: Partial

Malicious MCP server injects shell commands during OAuth flow for RCE

The mcp-remote npm package (437K+ downloads), used as an OAuth proxy to connect AI clients to remote MCP servers, passed the authorization_endpoint URL from server metadata…

mcp-remote · Runtime Gate

2025-06-13CriticalPP: Partial

MCP Inspector's open port + browser CSRF = unauthenticated RCE on dev machine

Anthropic's MCP Inspector development tool accepted connections without authentication by default. When chained with a browser 0.0.0.0-day CSRF vulnerability, this allowed a…

MCP Inspector · Runtime Gate

2025-06-13CriticalPP: Partial

Path traversal in MCP host exposed token controlling 3,000+ apps

Smithery's MCP hosting platform accepted a dockerBuildPath parameter without validation. An attacker submitting a build request with a path traversal payload could read arbitrary…

Smithery MCP Hosting · Credential Gate

2025-06-12HighPP: No

Zero-click M365 Copilot prompt injection silently exfiltrates email and files

EchoLeak is a zero-click, indirect prompt injection vulnerability in Microsoft 365 Copilot (CVE-2025-32711). An attacker sends a benign-appearing email containing a hidden prompt…

Microsoft 365 Copilot · Tool-Call Gate

2025-05-26HighPP: Yes

Malicious GitHub issue hijacks AI to exfiltrate private repo data

Invariant Labs demonstrated that a malicious GitHub Issue containing a hidden prompt injection payload could hijack an AI assistant connected via the GitHub MCP server. The…

GitHub MCP · Tool-Call Gate

AI Agent Incident Tracker

All tracked incidents

Staged payload defeats every scanner, reaches 26K agents via ClawHub

23 plugins squat @openclaw/ and @clawhub/ scopes on the ClawHub registry

144 Mastra npm AI agent packages backdoored via typosquat RAT, LLM keys targeted

Sapphire Sleet hijacked Mastra npm, injected RAT into 1.1M weekly downloads

One malicious link made Copilot exfiltrate your email and MFA codes

A booby-trapped document gives M365 Copilot a persistent backdoor

US govt shuts down Fable 5 globally — jailbreak, no advance notice

No-auth path traversal in Langflow left 7,000 AI pipelines open to RCE

LangGraph checkpoint SQL injection chains to full RCE on self-hosted agents

Actively exploited: LiteLLM flaw chains to full RCE (CVSS 10.0)

Fake Sentry errors hijack AI coding agents — 85% success, 2,388 orgs exposed

Hades worm poisoned AI tool config files to steal 294K developer secrets

One malicious issue made Claude Code leak CI/CD secrets undetected

Miasma worm took down 73 Microsoft repos and stole AI tokens

Fake Claude Code installers steal credentials straight from memory

A threat actor used Claude to build an AI-native ransomware toolkit

Meta's support chatbot handed over Instagram accounts at scale

Three chained Claude.ai bugs add up to silent data exfiltration

BadHost: one character bypasses auth on millions of MCP servers

Poisoned Postgres MCP image — pulled 100K+ times — leaks prod tokens

One poisoned VS Code extension exfiltrated 3,800 GitHub repos

Gemini deleted 28,745 lines of code, then faked the post-mortem

LLM-generated attacks breached Composio's remediation pipeline

34 supply chain packages planted AI-poisoning CLAUDE.md on developer machines

Mage AI's default install: unauthenticated RCE with cluster-admin

Defender finds Mage AI and MCP servers wide open in the wild

ClaudeBleed: a zero-permission extension can fully hijack Claude

One malicious link makes Claude Code run attacker commands

Supply-chain worm hit TanStack, Mistral AI, and 170+ packages

Open WebUI file upload could delete any file on the host

PraisonAI shipped with auth off — scanners found it in 4 hours

Vibe-coded apps shipped as ready-made SSRF proxies

An LLM agent went from CVE to database dump in under an hour

Claude Code OAuth tokens stolen by a man-in-the-middle MCP server

Cline's open WebSocket let anyone hijack the agent and run code

One click in a coding agent hands attackers your machine

Prompt injection turns Semantic Kernel into remote code execution

Fake OpenAI repo hit #1 trending — 244K downloads of an infostealer

Azure SRE Agent streamed live commands to anyone with an Entra ID

One AWS breach leaked every customer's AI provider API keys

Researchers drained API keys from three vendors' coding agents

Production database and backups gone in 9 seconds

Gemini CLI headless mode and --yolo flag enabled CVSS 10.0 CI runner RCE

Claw Chain: 245,000 AI agent servers exposed by four chained CVEs

Poisoned Bitwarden CLI harvested AI coding keys from 334 developers

Vercel breached — customer data stolen via compromised OAuth tokens

A PR title stole API keys from Claude Code, Gemini, and Copilot

Windsurf zero-click attack auto-registered malicious MCP STDIO server

Empty IP whitelist = allow all: 2,600+ nginx-ui MCP endpoints fully open

Vertex AI predictable bucket let attacker swap pickle for cross-tenant RCE

A branch name was all it took to steal GitHub tokens from Codex

Backdoored LiteLLM on PyPI stole env vars, SSH keys, and cloud creds

AI coding agents quietly shipped vulnerable dependencies

Azure MCP SSRF leaked managed identity token for privilege escalation

Claude Code rewrote its own tests to make a bug disappear

Meta AI forum agent posted dangerous config publicly, exposing data for 2 hours

Autonomous agent breached McKinsey Lilli via SQL injection, 46M messages exposed

Claude Code ran Terraform — production, database, and snapshots gone

OpenClaw deleted 200 emails and ignored every stop command

Cline 2.3.0 supply chain attack silently installed OpenClaw on 4K machines

Owockibot leaked hot-wallet keys it was told never to touch

1,184 ClawHub skills delivered AMOS stealer to 40K OpenClaw instances

Captured logs: hackers ran Claude Code as C2 for 18 days of live intrusions

One hardcoded key exposed 1.5M agent tokens to full hijack

Cloned Oura MCP server with fake contributors deployed StealC infostealer

AI trading agents moved $27M in SOL without human approval after exec compromise

WebSocket hijacking in OpenClaw Control UI leads to RCE

Cursor's allowlist bypass: shell env poisoning turned 'git' into RCE

Claude Code ran recon and password sprays on a water utility

Attackers drove Claude and GPT-4.1 at a water utility's OT systems

Copilot Studio's default setting enables invisible agent backdoors

An AI coding bot's blunder reportedly took down AWS

30+ CVEs across every major AI IDE — prompt injection chains to RCE

Chinese APT used jailbroken Claude Code for autonomous nation-state espionage

CamoLeak: Copilot flaw let attackers silently steal private data

Figma file content triggers shell metacharacter injection and RCE on dev machine

Malicious npm MCP server silently BCC'd up to 15K corporate emails/day

Replit's AI agent wiped a production database