Security

Last week, *The Register* reached out to the major AI application vendors—Microsoft, SAP, Oracle, Salesforce, ServiceNow, and Workday—and asked a simple question: How much liability do you accept when your AI agents make bad decisions? Microsoft and SAP declined to comment. Oracle, Salesforce, ServiceNow, and Workday didn't respond. That silence is your answer. For every CISO, CRO or head of legal deploying AI today, that silence has a direct consequence: You are the insurer of last resort for your vendor's model.

On March 18, Meta's internal AI agent exposed sensitive user and company data to engineers who shouldn't have seen it. The exposure lasted two hours. Meta classified it as Sev-1. Here's the part that should concern every security architect: the agent was fully authenticated. It had valid credentials. It passed every identity check. And it still caused a data breach. This is the post-authentication gap.

Last year, researchers disclosed EchoLeak (CVE-2025-32711), a zero-click Indirect Prompt Injection in Microsoft 365 Copilot. A poisoned email forced the AI assistant to silently exfiltrate sensitive business data to an external URL. The user never saw it, never clicked a link, and never authorized the transfer, but the data left anyway. Most leaders I talk to think they are "covered" because their LLM provider is SOC2 compliant or has a signed DPA. However, in the eyes of the law, the liability remains with the deployer

On February 23rd, [Anthropic published](https://www.anthropic.com/news/detecting-and-preventing-distillation-attacks) something the industry had suspected but hadn't seen documented at this scale. Three Chinese AI labs (DeepSeek, Moonshot AI, and MiniMax) ran coordinated campaigns against the Claude API. They generated over 16 million exchanges through approximately 24,000 fraudulent accounts. The goal was not to steal user data but to steal the model itself.

Aurascape's research team this week published SilentBridge, a class of indirect prompt injection attacks against Meta's Manus AI agent. The attack exfiltrated email, extracted secrets, achieved root-level code execution, and exposed cross-tenant media files via CDN — all three variants scored CVSS 9.8 (Critical): network-exploitable, no privileges required, no user interaction. The user had authorized Gmail and the agent used it exactly as permitted. Vulnerabilities discovered September 2025, Manus mitigated November 2025, coordinated disclosure February 2026.

The Clinejection attack chained prompt injection, cache poisoning, and a credential isolation failure into a supply chain compromise. Here is the attack anatomy and what structural controls actually stop it.

Most RAG stacks retrieve top-K chunks first and enforce permissions later in the app. At scale, this breaks the trust boundary and degrades retrieval quality. When users only have access to a subset of the corpus, post-filtering collapses top-K into a tiny context window, even when many relevant authorized chunks exist deeper in the index. The fix is to make retrieval identity-aware so authorization becomes part of ranking. In the blog, I walk through how to design identity-aware retrieval so access control is enforced during search, not after it.

Aikido Security recently uncovered a new class of CI/CD vulnerabilities they call **PromptPwnd**. The gist of the issue is simple: steps in the CI/CD workflows (e.g. GitHub Actions and GitLab pipelines) are increasingly using AI agents like Gemini CLI, Claude Code and OpenAI Codex to triage issues, label pull requests or generate summaries. These workflows sometimes embed untrusted user content—issue titles, PR descriptions or commit messages—directly into the prompts fed to the model. In this blog I will explore the core of the issue and some potential solutions.

The core of the issue with the Antigravity failure was that the AI assistant treated data as instructions, then executed those instructions through its tool layer with no human in the loop. This can happen not just in IDEs but agents in general.In this blog, I will demonstrate the failure using a local model and some scripting and will present good practices on how to prevent them.

From a development perspective, most AI security problems come from the workflow around the model, not the model itself. The issues usually show up in the inputs, the data paths, and the decisions that run without any guardrails.

Earlier this month, attackers compromised a popular npm maintainer via a phishing attack, then published malicious versions of 18 widely-used packages (including debug) that together have over 2 billion weekly downloads. These packages injected browser-side malware that intercepted cryptocurrency transactions, replacing wallet addresses with attacker-controlled ones using visually similar strings to evade detection. This was a supply chain attack with no CVE assigned at the time, meaning regular SCA scanners, which rely on published CVEs, could not detect it. In this post, I will explore an alternative approach of scanning for behavioral patterns and heuristics using small language models.

You have probably seen an email from your bank, Gmail, or Netflix that says, "We noticed a login from a new device." In this blog, I will discuss browser fingerprinting - one of the simplest techniques that can be used to identify the user device. This technique can be used for security, analytics, personalization, fraud prevention, etc.

AI adoption is accelerating across industries, transforming how businesses operate and innovate. As companies embrace AI, it is crucial to understand the security and privacy implications. This article will explore security considerations when building custom AI solutions and integrating AI into business operations.