Modern Cyber with Jeremy Snyder - Episode 81

This Week in AI Security - 11th December 2025

In this week's episode, Jeremy focuses on the escalating threat of prompt injection across the enterprise, the introduction of a new OWASP Top 10 list, and a surprising advisory from Gartner.


Podcast Transcript

All right. Welcome back to another episode of This Week in AI Security, coming to you for the week of the 11th of December 2025. We've got five stories to get into today, so let's get started.

So a couple of the first ones are going to be variations on a theme. The first one refers to a prompt injection vulnerability in GitHub Actions. And the crux of this story is effectively that more and more organizations are starting to use AI, and specifically AI agents or agentic-powered processes, to process their GitHub Actions. And you can think of the GitHub Actions as being all the things that happen after code is read. In some organizations that's simply like, hey, let's go submit the code into the repository. But in other organizations that might be things like check for dependencies, do some smoke testing, maybe do a sample build, maybe test within a staging environment or something like that. And the crux of this vulnerability is that when you use an agentic solution for a process like this, or for automating a process like this, the agent can read malicious instructions that get put into various code repos. So if your code repository has any kind of malicious contributor, whether that is a bad actor inside the organization (so kind of an internal threat or an insider threat), or whether your organization has been compromised in some way, some credentials have been stolen, what have you, somebody could put a commit into your repository with a malicious set of instructions that'll get picked up by the AI agent that is automating the process. So that is the first thing. And that is called PromptPwnd. For those of you who are into leetspeak, you might recognize that term. That's what this has been dubbed. And apparently every new kind of vulnerability that gets reported needs a name of its own.

So moving on to our second story. This one is IDEsaster, where the IDE from the development environment is really kind of doing the beginning of that word here. And this is a very similar kind of vulnerability in the sense that you can bypass an LLM's guardrails to hijack the context and perform the attacker's bidding by having malicious stuff inside the agent here. And so you put that into something like a plugin to an IDE that has an agentic flow that will kind of interact with the plugin and research or read prompts out of that environment. So this has been proven to be a legitimate vulnerability for a number of different popular IDEs and extensions: Cursor, Windsurf, Chrome dev, GitHub Copilot, Z-Ro, on and on and on. So all of these have been assigned CVE identifiers, because this does seem to be pretty much a common thread across all of them. And again, it really comes back to that core issue: if you've got some malicious text that some kind of agent is going to read, there's a good chance that the agent will act on those malicious prompts or that malicious text.

Next, the next one is called Gemini Jack. This is a vulnerability in the enterprise edition of Google Gemini. The disclosure on this one is a little bit less than with the others. This has been disclosed to Google. There is already news that Google is working to remediate this. But effectively it is a prompt injection technique. And the suggestion is that you need to pass your prompts through a layer of security that analyzes them for potential issues. And if this sounds familiar, you know, you can think back to the past several weeks of episodes that we've done where we talk about the fact that it's really possible to embed malicious prompts in so many different ways. We've talked about the hamburger attack. We talked about adversarial poetry in a recent episode. So more of the same in terms of the risk around prompt injection through various mechanisms and being able to introduce it. And in this case, it was Google Gemini Enterprise Edition that was specifically tested, and disclosed to Google responsibly. Kudos to the team over there that identified this and reported it. And kudos to Google for reacting to it.

Next, we've talked about AI browsers several times over the last couple of weeks, and all of the risks that they take. So what do you do about that? Well, Gartner, the research firm, is out there delivering a new advisory that says, effectively, block all AI browsers for the foreseeable future. And they looked at Perplexity's Comet, OpenAI's ChatGPT Atlas and any number of other ones that are up and coming. And they really find the risks that we've talked about several times to be pretty much inherent to any kind of AI browser. And it goes everywhere from, let's say, overprivileged browsers taking on the user identity to all the other kind of potential stuff: data leakage, rogue actions, cascading failures, etc., etc. So I don't know exactly what to make of this, and I'll be curious to see what the reaction from the industry is. Gartner obviously is one of the leading analyst firms, and they've spent some considerable time on this. It's unusual for them to issue this type of advisory. In my years working in the enterprise IT space, I have rarely seen this type of advisory come out of there, so I'll be curious to see what the fallout and the reaction is from this. But I certainly understand the motivation for taking this position, given, again, all the vulnerabilities that we've covered over the last several weeks.

All right, moving on to our last story. And this is really the big story of the week: the recent release of the OWASP Top Ten risks. And for those who are familiar with the OWASP Top Ten, these are effectively a threat model or a risk landscape for new technologies. And there are many, many versions of them, everything from the OWASP Web Application Top Ten to the API Top Ten to the LLM Top Ten. And now the Agentic risks. And I'll just read them quickly. We won't have time to go through all of them, but they are: agent goal hijack, tool misuse and exploitation, identity and privilege abuse, agentic supply chain vulnerabilities, unexpected code execution, memory and context poisoning, insecure integration into insecure agent-to-agent communication, and cascading failures. And the last two are unfortunately obscured on my screen as I'm reading this out to you, but hopefully you'll be able to get those as well. Bear with me one second and I will pull those up. Should have had this ready. Human-agent trust exploitation, and rogue agents. So some very interesting stuff on this side. And I think it's really useful for a lot of organizations, as they think about developing agentic solutions, to refer back to this threat model and ask themselves the question of, hey, for what we're building, have we taken into account these risks? And if not, should we? And what should we do about it, in fact?

So I'm going to leave it there. We're not going to go into all of the risks. We'll probably unpack them on the blog or on future episodes of This Week in AI Security. Or maybe we'll have a guest on Modern Cyber to dive into them in a little bit more detail. But that's it for this week. Again, pretty much thematic stuff that has been recurrent over the last several weeks, and then the introduction of this new OWASP Top Ten. Talk to you next time. Bye bye.
