Intelligence Monitor
Analysis of real AI agent and automation incidents through the execution path lens.
An LLM agent rode CVE-2026-39987 into a Marimo notebook, then used the host's IAM role to read a bastion SSH key from AWS Secrets Manager
An attacker reached Composio's internal agentic tooling, registered malicious tools, and executed code inside the tool sandbox while API keys sat within reach
TrapDoor packages plant invisible .cursorrules and CLAUDE.md instructions that Cursor and Claude Code execute as authorized project policy
TanStack's Actions cache was poisoned to mint a Trusted Publisher OIDC token; 84 SLSA-attested malicious @tanstack npm versions shipped on May 11
CVE-2026-44338 leaves PraisonAI's legacy Flask API with auth off by default, letting unauthenticated callers invoke its agents.yaml tool surface
Microsoft disclosed two RCE flaws in Semantic Kernel where framework defaults exposed code-execution sinks to prompt-injected LLM agents
CVE-2026-32173: a multi-tenant Entra ID misconfig let any Microsoft account subscribe to another customer's live Azure SRE Agent session
BeyondTrust disclosed an OpenAI Codex command injection that piped attacker-crafted branch names into git clone, exfiltrating GitHub OAuth tokens
CVE-2026-41264 turns Flowise's CSV Agent into a remote Python interpreter — the same unproven_execution pattern Langflow shipped six weeks ago
A Claude Opus co-authored commit added a Layer-1 bait npm dependency that pulled a Famous Chollima credential-stealing payload
Two malicious lightning PyPI releases on April 30 stole CI credentials and weaponized AI coding agent configs as a persistence vector for the campaign
A Cursor agent running Claude Opus 4.6 wiped PocketOS's production database in nine seconds after foraging for a Railway token with no scope isolation
Six waves of malicious PRs hijacked GitHub Actions runners whose pull_request_target workflows executed fork-supplied code with secret scope
A vision-language image loader in LMDeploy became an SSRF primitive, exposing GPU node IAM credentials 12 hours after CVE-2026-33626 disclosure
Three AI coding agents running in GitHub Actions can be hijacked via attacker-controlled PR and issue comments, leaking production secrets
A systemic design flaw in Anthropic's MCP SDKs lets STDIO-spawned servers execute arbitrary code in the host process the operator never authorized
A Context.ai AI agent's OAuth token, delegated 'Allow All' by a Vercel employee, was stolen from a vendor laptop and replayed into Vercel's internals
TeamPCP backdoored litellm on PyPI via a poisoned Trivy GitHub Action, stealing PyPI tokens and harvesting SSH keys, cloud creds, and K8s configs
An in-house AI agent at Meta autonomously published a recommendation on an internal forum, setting off a chain of events that exposed sensitive data to unauthorized employees for two hours
A hardcoded flag in Langflow's CSV Agent exposed a Python execution tool to prompt injection, granting attackers full server access