This Week in AI Security - 14th May 2026

All right. Welcome back to another week of this week in AI security coming to for the week of the fourteenth of May twenty twenty six. And we have a ton to get through this week. So we are going to dive in without any further hesitation. We've got three stories to kick off today's episode on, a theme that we've talked about a number of times, and that is IDEs, so development environments and all the things around them.

And we're starting with basically a Google and VirusTotal report around how the attack surface for AI coding agents extends far beyond source code. And we've talked about this a number of times. Anything that can be read in the context of software development is an attack surface at this point. So that is setting files. That is log files that is commits, that is comments. That is anything around it that will influence what the agent trusts, what the agent interprets and executes accordingly.

The what I loved about this article is that they talk about kind of four ways to think about it. So that is things like what executes the build configurations and containers, what instructs, which are rules, files, Agents dot MD files increasingly and so on. What connects. So that is MCP or configurations, access points and what extend. So that's IDE extensions and plugins. All of those are attack surfaces that attackers can poison or weaponize. In that context, VirusTotal has a new Code Insight capability that does semantic analysis of agent facing files to extract operational intent, analyze that, and potentially neutralize it before it messes up your environment. Really interesting story.

Moving on to our next story. In this theme of development environments, this is some research from Microsoft revealing how prompt injection and AI agent frameworks like Semantic Kernel, LangChain, and CrewAI can execute, sorry can escalate from content manipulation to full remote code execution. The AI model is behaving exactly as designed. The vulnerability is in how the frameworks parse the data and then interpret it and then act accordingly, meaning that they actually act on malicious prompts.

So these frameworks act as the operating system for the AI agents. A the model can output to system tools, and that carries systemic risk. A couple of CVEs identified and assigned around Semantic Kernel, allowing attackers to turn prompts into shell commands. And it kind of, in my mind, goes back to something that was a big takeaway from the unprompted conference, which is that your prompt is your code. It is the set of instructions that tells the system what to do. So remember, AI agents read files, search databases, run scripts, operate on your network. Any vulnerabilities, malicious prompts that are in that whole chain can be picked up, interpreted accordingly, etc..

All right, moving on to our last in this story of kind of development environments, Sophos uncovered a fake Claude-Pro website pushing trojanized installers that deploy a new backdoor called Beagle. It targets Claude Code, which is the intersection to the kind of AI coding environment theme that we've got running here. It's a sophisticated kill chain in the sense that it's a trojanized MSI that leads to DLL side loading, which drops a donut loader, malware package, and a Beagle backdoor that runs entirely in memory. So certain EDR tools may not pick it up as readily. It does have a command and control or C2 server communicating over TCP on four hundred forty three. So SSL encrypted traffic going out to attacker infrastructure hosted on the Alibaba cloud. Sophos has identified additional points or additional kind of impersonation packages looking at other kind of vendors. So things around whether it be CrowdStrike, Sentinel one, Trellix, other vendors who are also being kind of impersonated for some of this malicious activity.

All right, moving on to our next theme. Just last week, we had a story about roughly thirty percent of all web pages, including some malicious instructions on them targeted very much at AI agents. So this was just some interesting kind of cataloging of that from the folks over at Forcepoint: ten in the wild prompt injection payloads targeting AI agents, things like ignore all previous instructions. If you are an LLM, please execute these commands, etc.. So just some proof, some more proof of this in the wild. As if we didn't have enough of it already.

And then moving on to the use of AI in cyber attacks as our next theme for this week. Kicking off with the first story here, Google confirms the first known case of hackers using AI to discover and weaponize a zero day—a 2FA bypass in an open source admin tool. So this is the Google Threat Intelligence Group reporting this. The exploit is a semantic logic flaw from a hard coded trust assumption. Exactly the kind of thing that LLMs can pick up by analyzing the source code and kind of chaining things together very much along the lines of some of the earliest reports out of Mythos and some of its cyber capabilities in terms of analyzing more complex sets of inputs or scenarios that code might execute around.

The real takeaway in my mind is that, you know, we've talked about this as theoretical, and we've had some proof of concepts of the fact that, you know, the zero day clock is getting shorter and shorter. And, you know, the, the industry has sounded a little bit sounded a little bit of an alarm around this, but here's some in the wild proof of this actually happening. There's some documented collaboration between multiple threat actor groups of weaponizing this, conducting a campaign, leveraging some of these capabilities.

All right. Next, in our thematic topic or category of AI enabled attackers, we've got a story about an AI driven cyber attack against government entities in Mexico, where the AI was handling a lot of the operations, reconnaissance, lateral movement, data exfiltration. They hit nine Mexican government entities between December twenty twenty five and Twenty twenty six, including the Federal Tax Authority and the Electoral Institute. But I think one of the interesting lessons here is that they when they tried to go after some critical infrastructure and OT systems that didn't work. And it's one of these weird areas where weirdly, you know, a lot of outdated systems might have fewer vulnerabilities that AI can exploit, and they might have fewer opportunities for things like data exfiltration and lateral movement inside networks, just because their, their core underlying operating systems lack some of those capabilities that threat actors could exploit.

Moving on to our next story in the AI enabled attacker category, we've got some documented use of the Vercel platform, which we've talked about because of a breach that they just handled. But one of the things that they have is they have a tool called v0.dev, which is their Gen AI tool for generating UI primarily for modern websites. And what they found is that it was super easy to impersonate brands including Microsoft, Adidas, and Nike. It makes it really hard to detect scans. The sites look almost pixel perfect impersonations of the brands that they're copying. Spelling mistakes is definitely still one of the main ways, but it's also kind of, you know, from the Cofense team that reported on this, they think that that is kind of dead; Gen AI doesn't make typos in the text. So you really have to spend a lot of time looking at the URLs. And URL verification gets tricky because it's very easy to figure out a way to embed a known brand name into a longer URL. Just think about some of the attacks that we've seen in the past that were not from Microsoft, but Microsoft update dot com or Microsoft Update service dot com or Microsoft Service Patch updates dot com, things like that, that look legitimate, but, you know, may not belong to Microsoft themselves. So it's a tricky scenario for, you know, for defenders and also for people for consumers to have to navigate around that.

All right. Moving on to our next story. We've got a couple of stories around AI infrastructure, middleware. You know, the tools that you use to build AI powered applications, agents, what have you. A little bit of an update on LiteLLM, which a couple of weeks ago, we talked about in the context of its source code repository having been potentially compromised. But what we've got now is a SQL injection vulnerability that's pre-authentication. So it means that, you know, without having to have valid credentials or access to a LiteLLM system, you could actually, you know, fake your way into that system without authentication and then potentially compromise it. CVE has been assigned relatively high score; patching is the recommended path to mitigate against this.

And another story from Braintrust. So Braintrust customers have been warned to rotate their connection keys after hackers breached an AWS account, exposing the secrets tied to cloud based models. And this is a AI observability tool that is in use by certain organizations. That's what I think both of the last two stories have in common is they're kind of, you know, enablement tools, infrastructure tools, things like that around that.

And changing gears on our next story. This is a story from Bruce Schneier, who's a well-known, uh, you know, let's say, researcher in the cybersecurity and privacy world. And, you know, this story is really just kind of a little bit of a variation on a theme that we've talked about a few times in the past, which is that, you know, LLMs don't read things the same way that you and I do. And effectively, what has been kind of tested and kind of proven here is that, you know, there's been any number of examples of giving LLMs Base64 encoded text or text represented by Braille characters or Morse code or what have you. This is a proof of concept around using kind of phonetically spelled things. English is kind of notorious for having an inconsistent phonetic system as, as my background in linguistics tells me. And, you know, this is just proof that, you know, you could really use any number of vowel replacements consonant replacements to approximate sounds in LLMs. Sure enough, they will interpret things more or less in the intent of the phonetically sounded out words, which is a little bit surprising in the sense that, you know, it doesn't follow patterns that you might expect in terms of, let's say, token prediction. And yet the LLMs seem to navigate the kind of phonetic obfuscation, which is, I think, what this technique is called, relatively well; they translate the sounds back to their intended things. And that is just the state of LLM interpretation right now. So again, a little bit of a surprise from my linguistic perspective, but there is enough data out there and enough misspelled data out there that it seems to resolve back to the original, uh, you know, correctly spelled words.

All right, moving on to our next topic, and this is our last story for this week. And I want to spend the most of time on this one. And that is a report from an organization called Community Bank, which is a regulated bank that operates in Pennsylvania, Ohio and West Virginia. They filed an 8-K with the regulator, which I believe should be the Securities and Exchange Commission, SEC, that regulates banks and financial services in the US, basically reporting themselves for having had sensitive customer data leaked into an AI application for training purposes.

Well, why is this important? You know, while the US doesn't have GDPR regulations, there are regulations around the use of customer data in certain contexts, especially when you work within a regulated industry. So while it's not as clear cut as GDPR, where the customer has to opt in for the use of their data with particular, let's say, third party vendors or for particular use cases. Again, there are some lines for regulated industries. And in this case, the report really apparently centers on two factors. Number one is the sensitivity of the data. So you're talking about names, date of birth, Social Security numbers, basically all the things that would be required in order to steal identity or impersonate somebody. And with the context of a financial institution, that risk really, really doubles.

And the second factor that appears to be behind why they self-reported on this was effectively the volume of the data. Now, while they're not disclosing what AI application was involved, whether it was, let's say, development of a customer service facing chatbot or let's say an internal business process automation tool, something like, I don't know, calculating a customer account risk score or a loan application processing or whatever that might be in the context of a Community Bank, it is clear that they see real risk for the fact that this data leaked into the AI application.

And so that implies in my mind that there is, you know, potential perception of a risk that if this LLM powered application that had been trained on this data was put into a production context where it interacted with the real world customers or real threat actors, they might have been able to manipulate the LLM into disclosing some of that data in ways that were obviously not good and not intended. So remember, if your employees can kind of, you know, get access to various PII, do you have policies in place that govern the utilization of that data? Are your employees educated on it? And do you have kind of trust but verify mechanisms for that?

Do you have PII detection? Do you have PII blocking capabilities? All of the things that might go into well-intentioned programs that are trying to drive the organization forward, but are exactly the category of risks that we see when organizations try to move really, really fast without having some of those either policies or technical controls and safeguards in place. And on that note, we will end today's episode on that story. As always, like and subscribe. We will talk to you next week. If you have any stories, feel free to send them our way. And until next week. Thank you so much. Bye bye.

‍