https://llm-threatintel.com/ Threat intelligence tracking malicious LLM tools, GenAI-assisted malware, supply chain compromises, LLMjacking operations, shadow AI risks, and nation-state GenAI adoption. en-gb Thu, 28 May 2026 06:56:36 +0000 https://llm-threatintel.com/posts/2026-05-28-cve-2026-48710-badhost-starlette-host-injection-ai.html https://llm-threatintel.com/posts/2026-05-28-cve-2026-48710-badhost-starlette-host-injection-ai.html Thu, 28 May 2026 00:00:00 +0000 CVE-2026-48710 (BadHost) is a critical vulnerability in Starlette versions before 1.0.1 affecting FastAPI-based applications that power modern AI infrastructure, including LLM inference servers, agent frameworks, and MCP gateways, enabling authentication bypass through manipulated HTTP headers. The vulnerability affects vLLM and LiteLLM inference servers, AI agent frameworks, MCP servers, and tools such as Ray Serve and BentoML. https://llm-threatintel.com/posts/2026-05-27-mcp-tool-poisoning-stdio-rce-vulnerability-may-2026.html https://llm-threatintel.com/posts/2026-05-27-mcp-tool-poisoning-stdio-rce-vulnerability-may-2026.html Wed, 27 May 2026 00:00:00 +0000 The OX Security disclosure in May 2026 illustrated how design decisions made early in a protocol's life create systemic risk later, and the vulnerability was not a memory bug or missing authentication check. OX Security researchers identified a systemic command injection vulnerability in Anthropic's MCP protocol that propagated across the AI ecosystem, with a full disclosure advisory including CVEs, affected platforms, and attack variants. https://llm-threatintel.com/posts/2026-05-27-claude-google-ads-malvertising-macos-infostealer-may-2026.html https://llm-threatintel.com/posts/2026-05-27-claude-google-ads-malvertising-macos-infostealer-may-2026.html Wed, 27 May 2026 00:00:00 +0000 An active malvertising campaign is abusing Google sponsored search results and Claude.ai's shared chat feature to deliver macOS infostealer malware to users searching for Claude downloads on Mac. Both attacks point to the real claude.ai domain because the malicious content is hosted inside Claude's own shared chat feature, and standard advice to verify the destination URL before clicking provides no protection here. https://llm-threatintel.com/posts/2026-05-27-fake-openai-privacy-filter-hugging-face-infostealer-may-2026.html https://llm-threatintel.com/posts/2026-05-27-fake-openai-privacy-filter-hugging-face-infostealer-may-2026.html Wed, 27 May 2026 00:00:00 +0000 On May 7, 2026, HiddenLayer identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which appeared among the platform's top trending repositories with over 200k downloads until its removal. The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines. https://llm-threatintel.com/posts/2026-05-26-microsoft-semantic-kernel-rce-cve-2026-26030.html https://llm-threatintel.com/posts/2026-05-26-microsoft-semantic-kernel-rce-cve-2026-26030.html Tue, 26 May 2026 00:00:00 +0000 Microsoft disclosed two critical vulnerabilities in Semantic Kernel, an open-source framework for building AI agents with over 27,000 GitHub stars, that allow attackers to cross from prompt injection to code execution primitives. CVE-2026-26030 affects Python package semantic-kernel prior to version 1.39.4, particularly when using the In-Memory Vector Store with filter functionality. Upgrading to version 1.39.4 or higher mitigates the risk. https://llm-threatintel.com/posts/2026-05-25-trapdoor-cross-ecosystem-crypto-stealer-ai-assistant-persistence.html https://llm-threatintel.com/posts/2026-05-25-trapdoor-cross-ecosystem-crypto-stealer-ai-assistant-persistence.html Mon, 25 May 2026 00:00:00 +0000 Socket researchers identified an active cross-ecosystem supply chain campaign called TrapDoor that has published 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io since May 22, 2026, targeting developers in crypto, DeFi, Solana, and AI communities. The campaign steals crypto wallets, SSH keys, AWS and GitHub tokens, and plants persistence through .cursorrules and CLAUDE.md files that inject hidden zero-width Unicode instructions into AI coding assistants like Cursor and Claude Code, causing future AI sessions to silently execute credential exfiltration routines. https://llm-threatintel.com/posts/2026-05-25-promptspy-canfail-longstream-genai-enabled-autonomous-malware.html https://llm-threatintel.com/posts/2026-05-25-promptspy-canfail-longstream-genai-enabled-autonomous-malware.html Mon, 25 May 2026 00:00:00 +0000 Google Threat Intelligence Group published a May 11, 2026 report documenting the transition from experimental to industrial-scale use of generative AI in adversarial workflows. The report reveals previously unreported capabilities in PromptSpy, an Android backdoor that uses the Gemini API to autonomously navigate victim devices in real time without human supervision, including biometric data capture and anti-uninstall overlays. Russia-nexus malware families CANFAIL and LONGSTREAM are confirmed using LLM-generated decoy code to obfuscate malicious payloads targeting Ukrainian organizations. https://llm-threatintel.com/posts/2026-05-24-tanstack-mistral-github-actions-pwn-request-may-2026.html https://llm-threatintel.com/posts/2026-05-24-tanstack-mistral-github-actions-pwn-request-may-2026.html Sun, 24 May 2026 00:00:00 +0000 On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. A coordinated supply chain attack on May 11, 2026 compromised over 170 npm packages and 2 PyPI packages, totaling 404 malicious versions. The attacker hit the entire TanStack router ecosystem (42 packages), Mistral AI's SDK suite (on both npm and PyPI), UiPath's automation tooling (65 packages), OpenSearch (1.3M weekly npm downloads), and Guardrails AI (PyPI). The packages passed SLSA provenance checks, carried valid signed certificates, and looked 100% legitimate to every security tool checking cryptographic proof of origin. https://llm-threatintel.com/posts/2026-05-22-grok-bankrbot-morse-code-prompt-injection-may-2026.html https://llm-threatintel.com/posts/2026-05-22-grok-bankrbot-morse-code-prompt-injection-may-2026.html Fri, 22 May 2026 00:00:00 +0000 An attacker exploited AI agents Grok and Bankrbot by sending a Morse code prompt via X, tricking them into transferring 3 billion DRB tokens (worth $150,000–$200,000) from a verified wallet on the Base network. The incident involved two security failures: Prompt Injection (OWASP LLM01:2025) via encoding and Excessive Agency (OWASP LLM06:2025). This demonstrates how encoding obfuscation bypasses LLM safety filters and how autonomous agents with financial permissions represent a systemic vulnerability. https://llm-threatintel.com/posts/2026-05-21-claude-code-socks5-sandbox-bypass-silent-patch.html https://llm-threatintel.com/posts/2026-05-21-claude-code-socks5-sandbox-bypass-silent-patch.html Thu, 21 May 2026 00:00:00 +0000 Wyze Labs researcher Aonan Guan publicly disclosed on 2026-05-20 a second network sandbox bypass in Anthropic's Claude Code CLI that let any code Claude Code executed inside its sandbox bypass the user's domain allowlist and exfiltrate AWS credentials, GitHub tokens, environment variables, model API keys, and local source code over a raw SOCKS5 connection that does not appear in HTTP egress logs. The flaw — a SOCKS5 hostname null-byte injection of the form attacker-host.com\x00.google.com — affected every Claude Code release from v2.0.24 (sandbox GA, 2025-10-20) through v2.1.89, roughly 130 versions over 5.5 months, and was silently patched in v2.1.90 on 2026-04-01 with no security note in the release notes. Anthropic closed Guan's HackerOne report #3646509 as a duplicate, declined to issue a CVE against Claude Code, and as of disclosure had not published a security advisory. https://llm-threatintel.com/posts/2026-05-21-mini-shai-hulud-antv-echarts-npm-639-versions-may-2026.html https://llm-threatintel.com/posts/2026-05-21-mini-shai-hulud-antv-echarts-npm-639-versions-may-2026.html Thu, 21 May 2026 00:00:00 +0000 On 2026-05-19, the Mini Shai-Hulud campaign (TeamPCP) hijacked the npm maintainer account atool and published 639 malicious versions across 323 unique packages in a ~30-minute automated burst — 558 of those across 279 packages in the @antv data-visualisation ecosystem plus echarts-for-react (~1.1M weekly downloads), timeago.js, size-sensor, and canvas-nest.js. The 498 KB obfuscated Bun stealer is byte-equivalent to prior Mini Shai-Hulud waves; it harvests 20+ credential classes (AWS, GCP, Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, DB strings), attempts Docker host-socket escape, and exfiltrates via HTTPS to t.m-kosche.com:443/api/public/otel/v1/traces (disguised as OpenTelemetry traces) with Session P2P as fallback. Microsoft Threat Intelligence advisory 2026-05-20. https://llm-threatintel.com/posts/2026-05-21-cve-2026-42208-litellm-sql-injection-active-exploit-may-2026.html https://llm-threatintel.com/posts/2026-05-21-cve-2026-42208-litellm-sql-injection-active-exploit-may-2026.html Thu, 21 May 2026 00:00:00 +0000 CVE-2026-42208 (CVSS score: 9.3) is an SQL injection that could be exploited to modify the LiteLLM proxy database; a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. The first exploitation attempt was recorded on April 26 at 16:17 UTC, roughly 26 hours and seven minutes after the GitHub advisory was indexed in the global GitHub Advisory Database, but this result is from May 14 publication window citing active May exploitation. https://llm-threatintel.com/posts/2026-05-21-confused-deputy-agentic-ai-operations-telemetry-attack-may-2026.html https://llm-threatintel.com/posts/2026-05-21-confused-deputy-agentic-ai-operations-telemetry-attack-may-2026.html Thu, 21 May 2026 00:00:00 +0000 Large language models in operational roles query telemetry, propose configuration changes, and in some deployments execute those changes against live infrastructure; vendors describe this as autonomous remediation or self-healing infrastructure, but recent survey characterizes it as a confused-deputy problem waiting to happen. Retrieval jamming floods the knowledge base with blocker documents that trigger refusal loops and stall incident response when needed; telemetry manipulation allows attackers who can influence metrics and logs to steer mitigation decisions without touching the model. https://llm-threatintel.com/posts/2026-05-21-intruder-1m-exposed-ai-services-misconfig-may-2026.html https://llm-threatintel.com/posts/2026-05-21-intruder-1m-exposed-ai-services-misconfig-may-2026.html Thu, 21 May 2026 00:00:00 +0000 The Intruder team scanned 1 million exposed AI services using certificate transparency logs and found that the AI infrastructure they investigated was more vulnerable, exposed, and misconfigured than any other software they have ever analyzed. Instances of agent management platforms including n8n and Flowise were exposed without authentication, with one Flowise instance exposing the entire business logic of an LLM chatbot service along with credential lists. https://llm-threatintel.com/posts/2026-05-19-cve-2026-44338-praisonai-auth-bypass-rapid-exploitation.html https://llm-threatintel.com/posts/2026-05-19-cve-2026-44338-praisonai-auth-bypass-rapid-exploitation.html Tue, 19 May 2026 00:00:00 +0000 GitHub published advisory GHSA-6rmh-7xcm-cpxj (CVE-2026-44338, CVSS 7.3) on May 11, 2026, disclosing an unauthenticated authentication bypass in PraisonAI's legacy Flask API server affecting versions 2.5.6 through 4.6.33; the fix is in 4.6.34. PraisonAI's src/praisonai/api_server.py hard-codes AUTH_ENABLED = False and binds to 0.0.0.0:8080 when launched directly, so any reachable caller can hit GET /agents and POST /chat without a token. Sysdig observed a probe identifying itself as User-Agent CVE-Detector/1.0 hitting the vulnerable /agents route at 17:40 UTC the same day — three hours and forty-four minutes after the advisory went live at 13:56 UTC. https://llm-threatintel.com/posts/2026-05-19-akamai-mcp-back-end-vulnerabilities-doris-pinot-alibaba-rds.html https://llm-threatintel.com/posts/2026-05-19-akamai-mcp-back-end-vulnerabilities-doris-pinot-alibaba-rds.html Tue, 19 May 2026 00:00:00 +0000 Akamai's Security Intelligence Group published research on May 13, 2026 disclosing three vulnerabilities in vendor-supplied MCP server implementations that front production database engines: Apache Doris (CVE-2025-66335, SQL injection), Apache Pinot via the StarTree mcp-pinot reference server (authentication bypass enabling SQL injection and database takeover), and Alibaba Cloud's alibabacloud-rds-openapi-mcp-server (unauthenticated information disclosure of vector-store metadata). Apache patched the Doris flaw in MCP server 0.6.1, StarTree added OAuth as an optional HTTP authenticator for Pinot, and Alibaba declined to fix the RDS server — Akamai escalated to CERT/CC for coordinated disclosure. https://llm-threatintel.com/posts/2026-05-19-cve-2026-42208-litellm-sql-injection.html https://llm-threatintel.com/posts/2026-05-19-cve-2026-42208-litellm-sql-injection.html Tue, 19 May 2026 00:00:00 +0000 LiteLLM, a popular open-source 'AI Gateway' making it easier to run OpenAI-style LLM queries across models and providers, has a serious vulnerability identified as CVE-2026-42208 affecting versions 1.81.16 up to just before 1.83.7. From version 1.81.16 to before 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter, allowing an unauthenticated attacker to send a specially crafted Authorization header to any LLM API route and read or modify data in the proxy's database, leading to unauthorized access to the proxy and the credentials it manages. https://llm-threatintel.com/posts/2026-05-19-openclaw-clawhu-skill-poisoning-campaign.html https://llm-threatintel.com/posts/2026-05-19-openclaw-clawhu-skill-poisoning-campaign.html Tue, 19 May 2026 00:00:00 +0000 Researchers identified 575 malicious skills within the OpenClaw ecosystem distributed by 13 developer accounts. The campaign targets both Windows and macOS systems, with a significant portion linked to two threat actors operating under the aliases 'hightower6eu' with 334 malicious skills and 'sakaen736jih' with 199 malicious skills. Trojanized skills masquerade as legitimate tools but instruct users to execute encoded commands or install hidden dependencies, and indirect prompt injection is used where hidden instructions cause AI agents to execute malicious actions on behalf of users. https://llm-threatintel.com/posts/2026-05-19-hugging-face-fake-openai-privacy-filter-infostealer.html https://llm-threatintel.com/posts/2026-05-19-hugging-face-fake-openai-privacy-filter-infostealer.html Tue, 19 May 2026 00:00:00 +0000 On May 7, 2026, researchers identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which appeared among the platform's top trending repositories with over 200k downloads until removal. The repository typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines. https://llm-threatintel.com/posts/2026-05-18-palo-alto-75-vulnerabilities-frontier-ai-mythos-may-2026.html https://llm-threatintel.com/posts/2026-05-18-palo-alto-75-vulnerabilities-frontier-ai-mythos-may-2026.html Mon, 18 May 2026 00:00:00 +0000 Palo Alto Networks found 75 vulnerabilities in its products—more than seven times the amount it usually finds in a month—after beginning to use advanced AI cybersecurity models from Anthropic and OpenAI. The company is among the first with access to Anthropic's Mythos Preview and OpenAI's GPT-5.5-Cyber, and now estimates organizations have just three to five months before attackers broadly gain access to these capabilities.