Cybersecurity Integration Digest

AI/LLM Offense/Defense and Agent Security

AI/LLM Offense/Defense and Agent Security

Key Questions

What is Mythos AI and how is it being used by CISA?

Mythos AI agent has been deployed to approximately 150 organizations and is now used by CISA for government code audits. It exemplifies the growing integration of AI agents into official security workflows for vulnerability detection.

What is the GitLost vulnerability in GitHub's Agentic Workflows?

GitLost is a critical prompt injection flaw that allows attackers to trick AI-powered automation into leaking private repository data. Researchers at Noma Security disclosed how it exploits agent context windows as attack surfaces in GitHub workflows.

What is JADEPUFFER and why is it significant?

JADEPUFFER is the first documented agentic ransomware, which exploited a Langflow RCE and adapted in 31 seconds. It validates warnings from Five Eyes about fully autonomous AI ransomware attacks using known vulnerabilities.

How effective are multi-agent systems at amplifying jailbreak attacks?

Multi-agent collaboration increases jailbreak success to an 89% attack success rate, while defenses detect less than 30% of such attacks. This highlights the amplified risks when AI agents work together in offensive scenarios.

What does the Bad Epoll case reveal about current AI limitations in security?

Anthropic's Mythos AI audited Linux kernel epoll code but missed the Bad Epoll root vulnerability while finding a related issue. It illustrates AI's current limits in comprehensive bug detection despite strong performance on sibling vulnerabilities.

What is phantom squatting and how does it target AI systems?

Phantom squatting is an AI-driven supply-chain threat that exploits LLM hallucinations to register malicious domains. Unit 42 identified 250k hallucinated domains across 913 brands, creating exploit paths via coding assistants and research agents.

How are AI agents being used in real-world prompt injection campaigns?

Zscaler documented two campaigns where prompt injection targeted AI agents for crypto payments, succeeding against 4 out of 26 tested LLMs. These attacks demonstrate practical exploitation of agentic systems for financial theft.

What new tools and frameworks address AI agent security risks?

Trail of Bits released a 74-sub-skill static analysis bundle, Data Theorem launched an AI Exploits platform, and Visa open-sourced the VVAH agentic SAST pipeline. Additional efforts include Tencent's AI-Infra-Guard for MCP supply chain auditing and the AAISM attack mapping framework.

Mythos AI agent deployed to ~150 orgs and now used by CISA for government code audits. Hidden prompt injection in academic manuscripts achieves 98.6% success. Confidence in full autonomous pentesting dropped from 29% to 9%. Multi-agent collaboration amplifies jailbreak success to 89% ASR, with defenses detecting <30% of attacks. JADEPUFFER: first documented agentic ransomware, exploited Langflow RCE, adapted in 31 seconds. GLM-5.2 now matches Mythos on bug-finding. AI coding agents are now exploited as a supply chain vector—PromptMink, slopsquatting, Clinejection attacks with 2.6x campaign volume increase. Trail of Bits released a 74-sub-skill static analysis bundle for AI agents. Data Theorem launched AI Exploits, Auto-Remediation, and Active Protection platform. Visa open-sourced VVAH, an agentic SAST pipeline. Devin's Security Swarm automates threat modeling. AAISM framework maps AI attack techniques. GPT-5.5-Cyber autonomously built a bespoke fuzzing campaign for zlib in a day. New APT group Armored Likho uses AI-generated first-stage payloads for BusySnake Stealer. CrowdStrike warns Mythos could accelerate zero-day decisions (200 vulns/day). A new Reasoning DoS plugin (Promptfoo) enables red teaming of LLM excessive reasoning attacks. Bad Epoll kernel race bug: Mythos AI audited the same epoll code and missed this bug while finding a sibling—illustrates AI's current limits. A new Claude Code skill (Source Code Security Reviewer) bundles manual review guidance. Alibaba banned Anthropic's Claude AI for coding over data security risks. New data: AI refactoring PRs introduce 4.7% new Bandit findings, 73.5% merged, quantifying AI code risk. A practical framework for prioritizing AI agent security by business impact (blast radius, access scope, ownership) provides operational guidance for NHI governance. New: Operationalizing Agentic AI framework (assistant->agent->operator) for governance. Best 8 AI coding assistant security tools listicle available. New: DeepRed benchmark shows best LLM agent achieves only 35% checkpoint completion in autonomous offensive tasks, challenging hype. Phantom squatting: AI-driven supply-chain threat exploiting LLM hallucinations, Unit 42 found 250k hallucinated domains across 913 brands, with exploit paths via coding assistants and research agents. AI red teaming guide published covering OWASP LLM Top 10 and methodology. Local LLM-based cyber incident analysis paper for air-gapped SOCs via teacher-student knowledge distillation. White House signals more hands-on oversight of AI models with cyber capabilities, potentially reshaping disclosure and tool availability. Zscaler documented two real-world prompt injection campaigns targeting AI agents for crypto payments, with 4/26 LLMs executing payment. New APT group Armored Likho uses AI-generated first-stage payloads and BusySnake infostealer targeting government/CI. New: First fully autonomous AI ransomware attack (using known vulns) validates Five Eyes warnings. Tencent's AI-Infra-Guard framework audits MCP supply chain for first time. FreeBSoD demonstrates LLMs can write kernel exploits with staged pipeline, though limitations remain. New: Cordyceps CI/CD supply chain flaw (Novee) exploitable by unauthenticated users, multi-step chains hide from scanners, AI coding agents compound the problem. New: BeyondTrust critical auth bypass (CVSS 9.2) found via Claude Opus 4.8, continuing trend of AI-discovered critical vulns in enterprise tools. New: Platform lessons (Shostack) reinforce isolation, least privilege, defense in depth for AI agents, bridging classic security with current agent risks. ACM SecDev 2026 program includes papers on fuzzing, LLMs, and agentic supply chain risk. New: GitLost vulnerability in GitHub's Agentic Workflows leaked private repos via prompt injection, confirming agent context windows as attack surfaces. New: The AI offence-defence debate is reframed as conditional—sabotage vs. espionage/revenue generation—with the key insight that discovery ≠ defense; remediation capacity hasn't scaled. A strategic piece from senior execs reinforces the shift from reactive to proactive security, emphasizing attack surface reduction and AI-embedded pipelines.

Sources (44)
Updated Jul 7, 2026