An agentic coding gold rush has led to a surge of high-profile vulnerabilities this month. Adversa AI alone disclosed two — SymJack, a symlink-hijack RCE that broke six AI coding agents at once, and TrustFall, a one-click RCE reaching Claude Code, Cursor, Gemini CLI, and GitHub Copilot through a regressed trust dialog. Microsoft, meanwhile, traced prompt injections all the way to host-level remote code execution in Semantic Kernel, and a DEF CON talk chained an indirect injection into a persistent Microsoft Copilot backdoor. The research side kept pace, with new work arguing that agents may always fall for prompt injection and that authorization propagation is a problem all its own. Below is everything worth reading this month, sorted by category.
Total resources: 28
Category breakdown:
| Category | Count |
|---|---|
| Attack | 8 |
| Agentic AI defense | 7 |
| Research | 5 |
| Framework | 2 |
| Agentic AI vulnerabilities | 3 |
| Exploitation | 1 |
| Threat modelling | 1 |
| Article | 1 |
Adversa AI shows that a symlink-disguised file copy tricks AI coding assistants into RCE while the approval prompt misrepresents what is being approved. Six major tools were tested, and all of them were vulnerable.
Adversa AI’s second disclosure traces a regression in the Claude Code trust dialog plus a settings-scope inconsistency that let a cloned repo run unsandboxed code with one keypress — and with none on CI runners. The post explains why these trust-dialog bugs keep resurfacing.
MemMorph hijacks an agent’s tool selection by slipping a handful of disguised records into long-term memory. Because it never touches tool metadata, the resulting bias is hard to detect.
This paper uses Jacobian-gradient methods to pinpoint the most attackable messages, agents, and timesteps in a system. The result is a targeted adversarial attack on agent-to-agent coordination.
A sleeper memory-poisoning attack plants fabricated memories that stay dormant, then re-emerge across sessions to drive attacker-chosen actions. The delay makes the payload difficult to trace back to its origin.
This work analyzes agent-state re-entry worm propagation across file-backed multi-agent ecosystems. It also proposes a temporal re-entry defense, backed by a no-propagation theorem, to break the cycle.
Presented at DEF CON, this attack chains indirect prompt injection, render-based data exfiltration, delayed tool invocation, and memory poisoning into a persistent Copilot backdoor. It is a textbook case of stacking small primitives into durable access.
This walkthrough escalates an indirect prompt injection against the gemini-cli coding agent into a full supply-chain compromise of the developer environment. It shows how one poisoned input can ripple into the build pipeline.
ADR is a detection-and-response system built for MCP-based agents. It blends runtime telemetry, pre-deployment red teaming, and a two-tier online detector to catch compromise before it spreads across the agent fleet.
AgentTrust intercepts tool calls before they execute and returns allow, warn, block, or review verdicts. It leans on shell deobfuscation and attack-chain detection to stop malicious actions mid-flight.
SafeHarbor is a training-free hierarchical memory guardrail with entropy-based self-evolution. It tries to refuse harmful requests while preserving utility on benign ones, without retraining the underlying model.
ARGUS pairs a context-aware injection benchmark with a provenance-aware influence-graph defense. The graph audits each agent decision before execution, which lets it catch injections that adapt to surrounding context.
WARD combines a guard model with adaptive adversarial training to harden web agents against malicious page content. The aim is injection resistance that does not gut the agent’s task performance.
AgentShield plants honeytokens and decoy tools so a compromised agent gives itself away. It is built specifically to surface indirect prompt injection against tool-using agents.
This work fuses semantic inspection with task-based access control under a zero-trust model. The pairing flags objective-drift tool-selection attacks that slip past deterministic, rule-based checks.
ASPI is a 728-scenario benchmark showing that an agent’s clarification-seeking behavior opens a fresh prompt-injection channel. Asking the user to disambiguate, it turns out, can itself be weaponized.
Microsoft details two Semantic Kernel flaws where a prompt injection reaches host-level remote code execution through a model-invokable function feeding a code/eval sink. It is a clean illustration of prompts crossing the boundary into shells.
Four Claw Chain flaws in OpenClaw enable data theft, privilege escalation, and persistence. One MCP loopback runtime trusts a client-controlled ownership flag, letting non-owners impersonate the owner and seize gateway control.
This comprehensive survey maps agentic AI risks across the full agent workflow — safety, robustness, privacy, and system security. It then ties stage-targeted mitigations to each phase of that workflow.
This paper argues multi-agent systems face a distinct authorization-propagation problem that would persist even if prompt injection were fully solved. It reframes identity governance as foundational infrastructure rather than an afterthought.
Recasting prompt injection through Contextual Integrity theory, this paper argues for an impossibility-style limit on any data/instruction separation defense. The implication is that perfect filtering may be out of reach.
This study shows that embedding-based detection of malicious agents collapses once benign and malicious message embeddings overlap. It is a pointed rethink of how safety is enforced in LLM-based multi-agent systems.
This position paper catalogs how benchmark vulnerabilities, temporal staleness, and runtime uncertainty undermine agent-security evaluation. It is a caution against trusting clean leaderboard numbers at face value.
Microsoft has open-sourced RAMPART, a framework for testing agents against cross-prompt injection, behavioral regressions, and data exfiltration, alongside its Clarity tooling. The release targets the development phase, before agents ever ship.
This is a definitive guide to OWASP ASI02 — tool misuse and exploitation — written for platform engineers, AI builders, and risk managers. It turns an abstract category into concrete defensive practice.
IterInject optimizes indirect prompt-injection payloads iteratively using model feedback rather than fixed, handcrafted strings. The feedback loop steadily sharpens the injection until it succeeds.
This paper proposes a Three-Channel Agentic Cyber-Risk Model and forecasts how agentic attack and defense dynamics will play out through 2026–2028. It pays particular attention to enterprises and the German Mittelstand.
This position paper argues that agent security is fundamentally a systems problem, not a model problem. It backs the claim by cataloging real-world exploits such as terminal hijacking and indirect prompt injection.
An AI agent is only as trustworthy as the weakest thing it is allowed to act on: a file, a tool, a memory, a connected server — and most agents are allowed to act on far too much. Treat every input the agent ingests as potentially hostile and every action it can take as potentially dangerous, then close the gap between those two with real boundaries: least privilege scopes, sandboxed execution, and human review where the blast radius is large. The disclosures around coding agents, MCP servers, and poisoned memory differ in mechanism but rhyme in cause — implicit trust granted somewhere no one was watching. Assume that trust will be abused, instrument your agents so you can see when it is, and design so that a compromised agent is an incident you contain rather than a breach you discover later.
A SynJack attack tricks AI coding assistants into RCE through a symlink-disguised file copy. We tested six major tools. All were vulnerable. How it works and how to defend.
