Modern Cyber with Jeremy Snyder - Episode
119

This Week in AI Security - 9th July 2026

This week covers a critical remote-code-execution flaw in the Cursor IDE, a fresh round of coding agents falling to bash obfuscation, a prompt-injection payment scam spreading through SEO poisoning, what one research team is calling the first end-to-end agentic ransomware event, and renewed attention on Anthropic's sleeper agents research and what it means for open-weight model adoption.

This Week in AI Security - 9th July 2026

Podcast Transcript

All right. Welcome back to another episode of This Week in AI security, coming to you for the week of the ninth of July, twenty twenty six. And it is a good thing that I have to share this week, which is that it seems like we're getting a little bit of a summer break. On the AI security story side. I am sure that it's going to pick up in a couple of weeks, but I'll take it while we can. It gives us a chance to dive deeper on a couple of the stories that are really interesting in today's rundown. So without further ado, let's dive in. So starting off, we've got a critical cursor AI code editor flaw that can lead to remote code execution. This is a nine point eight Cvss score sandbox sandbox escape bug in cursor. Cursor is an AI assisted IDE. So kind of a coding agent, if you will. It's used by many fortune five hundred companies.

There is a poisoned MCP server request or repo file that can break out of the sandbox and execute arbitrary operating system commands without user approval. It's a pretty elegant mechanism. One bug abuses the working directory parameter to add the attacker paths to the allow list. And then the other bug uses symlinks to trick path canonical canonicalization. And so that kind of puts the malicious commands into a trusted working directory. And those allow you to overwrite the cursor sandbox binary itself. And that is how the operating system can be compromised. So we have talked any number of times about IEDs and agents attack surface around this.

We've covered previous vulnerabilities around AI powered software or AI software, assistance tools, etc. and it really kind of, in my mind traces back to this theme of like, move fast and break things. And we're in this strategic arms race around AI adoption, everybody trying to get their tool ahead. And sometimes security bugs like this can be overlooked. All right, moving on to our next story. The folks over at adverse AI tested eleven open source coding agents, everything from Hermes, open code, root code, etc., and found that ten of them failed to guard against classic bash obfuscation. So bash obfuscation for those who aren't aware, is basically kind of creating aliases for various bash commands. And bash commands are kind of command line things. So those are things that let you do, like list the files in a directory, copy files from directory one to two, etc. and there are all kinds of spacing tricks and special characters that can be used with various flags and so on. It is kind of a supply chain aspect of this in the sense that, you know, these are tools that are being used to build and create different things in coding environments, right? So again, that IDE theme and poisoned Readme or Makefile in a cloned repo can trick the agent into exfiltrating AWS credentials if they are stored somewhere within that same kind of IDE environment. So again, it's not necessarily the AI itself, it's the tools that you're using to build on top of that. All right, moving on to our next a story about prompt injection embedded on web pages and in coding environments. We've talked about this a couple of times.

This is kudos to the team over at Zscaler Threat labs. And just by way of disclosure, Zscaler is an investor in Firetail, the company that I co-founded, and that is the makers of This week in AI security and the Modern cyber podcast family. Um, but basically, attackers are using SEO poisoning to rank malicious sites for queries that are pretty common, like how do I install Python request dash secure dash v2 and get traffic over onto those sites and then basically fake the instructions on the site to make it look like it's a legitimate developer focused tool for this open source package. And embedded in there is a hidden HTML prompt telling the agent to pay three dollars in cryptocurrency for an API key. And so twenty six LLMs were tested for were tricked into making payments here. Uh, two others misclassified a Typosquatting site as the real platform.

Um, so a number of things around this, this is kind of a thing that has transitioned, I think, from being hypothetical a few weeks back to being a real in the wild attack vector across a number of different areas. All right. Moving on to our next story. And it is our second to last story today. So like I said, a little bit of a summer vacation here, but it's one that I want to spend a little bit of time talking on. So kudos to the team over at Sysdig and their threat research team. They are calling this the first end to end Agentic ransomware event. Jade puffer. Now, I don't know and I don't know that anybody can definitively say yes or no. This is the first end to end Agentic ransomware event.

But what's interesting about it, from my perspective is that is there's a couple different things. So the first thing is that reportedly an AI agent was used to kind of, uh, conduct the reconnaissance and find the vulnerable sites. Second, is that actually connecting back to stories that we've talked about in a number of times on the, on the show, it is basically the Lang chain package and a vulnerability in Lang chain that was used to infiltrate the environment. So a common, you know, so kv e rather lang flow, not lang chain. Sorry about that, but a kV and the length Flow open source framework, which is a framework for building LLM applications. So you use an agent, you conduct reconnaissance, you find AI agents, and you try against those agents to find out if they're using lane flow and specifically unpatched versions or older versions that still have that CVE present in them.

Then you move on to the next phase, which is trying to infiltrate the sites. And in one of the cases here in the report, they observed traffic going from unauthenticated to authenticated in as little as 30s. And that's really interesting because it really points to the ability of an AI powered kind of infiltration tool to find a way into an environment. And then next, after getting into the environment and obtaining credentials or API keys, the next thing is moving on to code execution and dumping the database, collecting host information, environment variables, sensitive files, all this kind of stuff within a very, very brief period of time. So the entire attack reportedly is happening within just a couple of minutes. And that's a really, really rapid time frame or really short time frame for any, you know, defender to respond to. Definitely reinforces things that we've talked about in a number of times, which is, you know, the ability to discover and conduct reconnaissance across the internet is definitely something that goes up with agentic powered tools. Second, the need to patch and stay up to date with hardened versions or patch versions of open source libraries is super critical.

The ability to find flaws in open source libraries has definitely gone up with the advent of the cloud mythos, family and others. So all of that really ties together again. I can't say, and I don't think anybody can definitively say that this is the first, quote unquote, fully agentic ransomware operation, but it is a proof of concept, if nothing else, that this is something that, you know, as threat actors get more usage of AI and more experience with AI tools. It is a real threat to be aware of. All right. Moving on to our last story of the week, and it's again, one that I want to spend a little bit of time on. And this is a report in Forbes around anthropic sleeper agents research. And that is getting renewed attention.

And you might have heard this concept before. And really what it is is that, you know, if you're adopting various LLM technologies, some of them come with kind of a built in trigger switch that is a result of training materials that have been fed to the model. And it might be the case that the models operate normally for a certain period of time until that trigger switch gets flipped. And getting flipped can be simply the result of a various, you know, a certain prompt or a certain timing or something like that. And then they go from behaving properly to then doing bad things, anything like exfiltrating keys, credentials, sensitive data, whatever they might have access to. And, you know, one of the, there's a couple of interesting angles here.

First of all, one is that this seems to be primarily an issue or a concern around open source models or open weight models, as they are sometimes called. Of course, there is an argument or some criticism that could be levied against this. That is like it is, of course, an anthropic interest for consumers and businesses to not gravitate towards those models. There's also a geopolitical aspect to it, which is to kind of point the finger at Chinese models. I will also point out that there are models, open weight, open source models from from meta, for instance, and also from some European organizations. I can't recall the names off the top of my head. So, you know, it's not unreasonable to think that this is not specifically a Chinese origin risk. Um, the another interesting aspect is that, you know, Booz Allen Hamilton, they had a report talking about this and they, they, you know, put a statement in there that I don't necessarily agree with, which is that their statement is directly quote, the first link in the software supply chain is no longer the code, it's the AI models behind it, end quote. And a couple of things about that. Number one is if you've listened to the show for a little while, you'll know that we often have said now that the your prompt is your code, right? Your prompt is the set of instructions that tells the model what you want it to do, or tells the model the agent, rather how to use the model to then execute the actions that you want it to take. So I still think that there is a big chunk of code and there is, you know, your prompt. You can think of prompt as being part of your code as well. Both the embedded system prompts, as well as the interactive dynamic prompts that get generated during agent runtime execution. Both of those are part of code.

We've also talked in a number of times on the show about, you know, it's not always the LLM, it's also the infrastructure around it. If there are concerns around, let's say, using an open source open weight model for various things, do input, sanitization and validation, make sure that you know you're getting consistent prompts in limit the prompt agency. Make sure that you don't have a very kind of open ended prompt that can trigger unexpected outcomes and then run a lot of testing. And, you know, I think it's not unreasonable to think about ways that you can mitigate this, but it is very, very interesting to know that this is still a risk, especially when you think about the fact that this is, you know, open source code, right? And open source models. But these are large, complex things. And so it's, it's also difficult to think that every organization, as they adopt one of these tools is not just going to download and use it, you know, that every organization would take it, put it through some level of scrutiny before putting it into production. So some really interesting stuff here around this story. Um, other things that I think about is, you know, these models might pass your corporate audit or your AI red teaming slash pen test. Fine.

Because again, you're not triggering the exact set of scenarios that is going to, uh, you know, start leveraging some of these backdoors or start triggering some of the unexpected behavior. But what it does speak to, from my perspective, is the ability to have a good real time inventory of exactly what models are being used with, what workloads where, whether that is in simple employee, you know, prompt chat interactions or whether that's a genetic workflows with LLMs at the back end. You want to know what's where. So as soon as there is some issue that gets identified or communicated and circulated broadly in the real world, you know, oh, I do, or I don't have that model anywhere within my environment. Second, you need great observability data. You want to monitor every interaction in and out of that model. And very simply put, you can do this through observability pipelines. You can actually hook up all of the LM logs to go into a place and then run queries on that place to figure out, you know, what is or is not going on with that environment. So that is something that I will leave you with as a final thought for today's episode. Thanks for listening. Talk to you next week on another episode of This Week in AI security. Bye bye.

Protect your AI Innovation

See how FireTail can help you to discover AI & shadow AI use, analyze what data is being sent out and check for data leaks & compliance. Request a demo today.