Intelligence Monitor
Analysis of real AI agent and automation incidents through the execution path lens.
Tenet Security showed that anyone holding a public Sentry DSN can plant fake error events that hijack Claude Code, Cursor, and Codex through the Sentry MCP server
On June 8, 2026, the Hades PyPI wave shipped a worm whose tripwire wipes the developer's home directory the moment the stolen GitHub token is revoked
LiteLLM's MCP test endpoints accept and run a full stdio server config, giving unauthenticated RCE via Starlette BadHost; CISA added it to the KEV catalog on June 9, 2026
On June 5, 2026, planted .claude, .cursor, .gemini and .vscode configs in 73 disabled Microsoft repos turned 'open folder' into arbitrary code execution
Aikido disclosed an npm package that exfiltrated OpenAI Codex OAuth refresh tokens from ~/.codex/auth.json — and those tokens never expire
A bot-impersonation bypass in checkWritePermissions plus prompt injection lets one GitHub issue turn Claude Code Action into an OIDC token printer
CVE-2026-40933 turns a Flowise chatflow import into 1-click RCE; the Feb 2026 flag-denylist patch is bypassable, so stdio MCP filters remain a treadmill
An LLM agent rode CVE-2026-39987 into a Marimo notebook, then used the host's IAM role to read a bastion SSH key from AWS Secrets Manager
An attacker reached Composio's internal agentic tooling, registered malicious tools, and executed code inside the tool sandbox while API keys sat within reach
TrapDoor packages plant invisible .cursorrules and CLAUDE.md instructions that Cursor and Claude Code execute as authorized project policy
TanStack's Actions cache was poisoned to mint a Trusted Publisher OIDC token; 84 SLSA-attested malicious @tanstack npm versions shipped on May 11
CVE-2026-44338 leaves PraisonAI's legacy Flask API with auth off by default, letting unauthenticated callers invoke its agents.yaml tool surface
Microsoft disclosed two RCE flaws in Semantic Kernel where framework defaults exposed code-execution sinks to prompt-injected LLM agents
CVE-2026-32173: a multi-tenant Entra ID misconfig let any Microsoft account subscribe to another customer's live Azure SRE Agent session
BeyondTrust disclosed an OpenAI Codex command injection that piped attacker-crafted branch names into git clone, exfiltrating GitHub OAuth tokens
CVE-2026-41264 turns Flowise's CSV Agent into a remote Python interpreter — the same unproven_execution pattern Langflow shipped six weeks ago
A Claude Opus co-authored commit added a Layer-1 bait npm dependency that pulled a Famous Chollima credential-stealing payload
Two malicious lightning PyPI releases on April 30 stole CI credentials and weaponized AI coding agent configs as a persistence vector for the campaign
A Cursor agent running Claude Opus 4.6 wiped PocketOS's production database in nine seconds after foraging for a Railway token with no scope isolation
Six waves of malicious PRs hijacked GitHub Actions runners whose pull_request_target workflows executed fork-supplied code with secret scope
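The pull_request_target hazard named in the item above, shown as an added configuration example that is not code from this page or from any of the projects it covers. The first workflow checks out the fork's head commit and runs it while repository secrets are in scope; the second runs untrusted PR code under the plain pull_request event, where fork PRs get no secrets and a read-only GITHUB_TOKEN. Workflow names, the npm commands and the NPM_TOKEN secret name are assumptions for illustration.

```yaml
# Constructed example, not from the page: the unsafe pattern.
# pull_request_target runs in the base repository's context with access to
# secrets and a write-capable GITHUB_TOKEN, so executing fork-supplied code
# here hands the fork author whatever the job can reach.
name: ci-unsafe   # hypothetical workflow name
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # checks out the PR head: attacker-controlled package.json, scripts, tests
          ref: ${{ github.event.pull_request.head.sha }}
      # runs that code with a repository secret in the environment
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # hypothetical secret name
---
# Constructed example, not from the page: the hardened pattern.
# Untrusted PR code runs under pull_request, where a fork PR receives no
# repository secrets and a read-only token; permissions are pinned explicitly.
# If pull_request_target is genuinely required (labelling, commenting), keep
# the default base-branch checkout and never execute PR-controlled content.
name: ci-safe     # hypothetical workflow name
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4   # default ref is the merge commit of the PR
      - run: npm ci && npm test     # no secrets exposed to fork-supplied code
```

The check worth running across an organization is a search of .github/workflows for pull_request_target paired with a checkout of github.event.pull_request.head.sha or head.ref followed by any step that builds, installs or tests the checked-out tree.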
A vision-language image loader in LMDeploy became an SSRF primitive, exposing GPU node IAM credentials 12 hours after CVE-2026-33626 disclosure
A systemic design flaw in Anthropic's MCP SDKs lets STDIO-spawned servers execute arbitrary code in the host process the operator never authorized
Three AI coding agents running in GitHub Actions can be hijacked via attacker-controlled PR and issue comments, leaking production secrets
A Context.ai AI agent's OAuth token, delegated 'Allow All' by a Vercel employee, was stolen from a vendor laptop and replayed into Vercel's internals
TeamPCP backdoored litellm on PyPI via a poisoned Trivy GitHub Action, stealing PyPI tokens and harvesting SSH keys, cloud creds, and K8s configs
An in-house AI agent at Meta autonomously published a recommendation on an internal forum, setting off a chain of events that exposed sensitive data to unauthorized employees for two hours
A hardcoded flag in Langflow's CSV Agent exposed a Python execution tool to prompt injection, granting attackers full server access