security
Top in security
IDE Jailbreaks Bypass Chat Guards by Writing Code
arXiv:2607.03968 shows harmful prompts succeed in IDE workflows 100% of the time despite chat refusals. The security boundary for AI coding assistants shifts from model to.
securityJanuscape KVM Escape Breaks x86 VM Isolation
Januscape (CVE-2026-53359) exposes a 16-year-old guest-to-host escape in Linux KVM that lets attackers crash hypervisor hosts from within a guest VM when nested.
Jailbreaks Hidden in Image Pixels Slip Past Editors' Text Guardrails via an Empty Prompt
VJA embeds jailbreak instructions in image pixels with an empty text prompt, leaving text-only guardrails nothing to scan and forcing moderation into the pixel pipeline.
securityLinux Foundation Akrites Centralizes Open-Source Vulnerability Disclosure
Akrites pools 19 vendors behind one shared vulnerability disclosure SIRT to absorb a flood of duplicate LLM reports, but risks becoming the new bottleneck itself.
securityWhy LLM Prompt Injection Persists: Instructions and Data Share Embeddings
A 2026 preprint argues prompt injection is mathematically unpreventable when instructions and data share one embedding space, making defenses cost-raisers rather than cures.
securityWhen Bots and Agents Post CVEs in PRs, Reporters Inherit the Triage Burden
When a bot or agent drops a CVE into a pull request, the thread reads as already triaged. Reviewers move on, and the reporter inherits the job of proving it real.
securityRuntime vs Build-Time SBOMs: Why Your Container Runs Uncatalogued Code
Build-time SBOMs miss the code Python actually runs. The MEM-SBOM preprint shows memory forensics recovers dynamically loaded packages static manifests never recorded.
securityOpenAI's Agent Link Safety Isolates the Fetch, Not Prompt Injection
OpenAI's link-safety control stops quiet URL-based exfiltration by agents, not prompt injection. The trust boundary is moving from model output to network policy.
- jun 28securityNo Verified 'React2Shell' Bulletin Exists: What Next.js Teams Should Check
- jun 28securityVercel on the Axios npm Compromise: Platform Scanning Has a Blind Spot
- jun 27securityDiffusion Model Safety: How Training-Schedule Poisoning Slips Past Prompt Filters
- jun 26securityBandit Algorithms Let Non-Experts Auto-Select the Best LLM Jailbreak
- jun 26securityRAG Poisoning Hijacks Model Attention, Not Just Retrieval Ranking
- jun 26securityCVE-2026-LGTM and the Limits of Trust in Automated Advisory Intake
- jun 25securityShareLock Splits MCP Poisoning Across Tools, Defeating Per-Tool Scanners by Construction
- jun 25securityPrompt Injection in AI Résumé Screening: Single vs Multi-Injection Attacks
- jun 25securityOpenAI's TanStack npm Writeup Shifts Dependency-Control Burden onto AI Tooling Teams
- jun 25securityOpenAI's ChatGPT Atlas Treats Prompt Injection as Unfixed, Not Patched
- jun 24securityCan Provable Bounds Defend LLM Fine-Tuning Against Poisoned Data?
- jun 24securityMeasuring LLM Safety by Refusal Alignment Instead of Attack Success Rate
- jun 24securityPoisoning Physics-Informed Neural Networks Slips Past Loss-Based Validation
- jun 24securityCatching LLM Jailbreaks by Watching Per-Layer Entropy, Not Outputs
- jun 24securityHow Reliable Are the LLM Judges Scoring Jailbreak Attacks?
- jun 23securityAuto-Reproducing Text-to-Image Jailbreaks From Papers: The PixJail Pipeline
- jun 23securityVercel BotID's Telemetry Is a Threat Intelligence Feed Most Teams Discard
- jun 23securityExtracting Unseen Training Data From an LLM by Poisoning Its Loss Landscape
- jun 22securityReact Router CVE-2025-31137: Vercel's Edge Fix Is Not the Patch
- jun 22securityReported React Server Components Leak Is Unconfirmed: Audit the Payload
- jun 22securityVercel's Secure AI Agent Guidance Pushes Defense Into the Sandbox
- jun 22securityNx Supply-Chain Attack Used Developers' Own AI CLIs to Hunt Secrets
- jun 20securityMixed Compliance Data Makes Safety Fine-Tuning a Curation Problem
- jun 20securityDefending Agentic AI With Deception: Misdirecting Model-Guided Attacks
- jun 20securityThe Autonomy Tax: Why RL Rewards the Wrong Behavior in Agents
- jun 20securityAnthropic's Procurement Risk Is Policy Refusal, Not Jailbreaks
- jun 13securityAMD Took 124 Days to Patch the RCE It First Called Out of Scope
- jun 10securityOpenAI Frames Instruction Hierarchy as an Open Challenge, Not a Prompt-Injection Fix
- jun 08securitySkill Injection: Hiding Undetectable Instructions in What an AI Agent Loads
- jun 08securitySplitting a Malicious Task Across Tool Calls Slips Past LLM Agent Guardrails
- jun 07securityWeb Agents Can Be Talked Into Abandoning Their Task: The TRAP Benchmark
- jun 07securityShallow Neural Nets Beat LLM Guardrails at Catching Prompt Injection
- jun 07securityWhen an AI Agent Clicks a Link: OpenAI's Data-Exfiltration Model
- jun 06securityBenchmarking RAG Over Cyber Threat Intelligence: Where Retrieval Breaks
- jun 05securityStronger Safety Alignment Made LLMs Easier to Jailbreak, Not Harder
- jun 05securitySAML Signature Bypass Is Back: Inside the SAMLStorm Vulnerability Class
- jun 05securitySAMLStorm: The SAML Signature Bug That Forges Valid SSO Logins
- jun 05securityVercel's Flags SDK Exposed Feature-Flag Definitions via CVE-2025-46332
- jun 04securityJailbreak Suffixes Hit Harder at Specific Token Positions, New GCG Variant Shows
- jun 04securityOpenAI Adds Lockdown Mode to ChatGPT, Shifting Prompt-Injection Risk to Users
- jun 04securityActivation Steering Was Sold as LLM Control. New Work Makes It an Attack Surface
- jun 04securityCatching LLM Agents Leaking Credentials From Their Own Activations
- jun 04securityThe 2026 npm Attacks Proved AI Coding Assistants Are a Supply-Chain Target
- jun 03securityChatGPT's New Lockdown Mode Borrows Apple's Name for a Prompt-Injection Kill Switch
- jun 03securityStudents Are Prompt-Injecting AI Graders to Score Full Marks
- jun 03securityRemoving an LLM Backdoor Post-Training Without the Poisoned Data
- jun 03securityStored Prompt Injection Now Persists Across AI Agent Sessions
- jun 03securityLLM Data Poisoning Survives the Data-Cleaning Defenses Built to Stop It
- jun 02securityWhy OpenAI Bets on Instruction Hierarchy to Stop Prompt Injection
- jun 02securityStopping Multi-Turn LLM Jailbreaks Without Retraining the Model
Security coverage here starts from a premise other beats elide: the AI stack is not a new attack surface so much as an old one wearing fresh abstractions. Inference servers, agent frameworks, and notebook runtimes ship with the same deserialization, SSRF, and path-traversal classes that web infrastructure spent two decades learning to harden, only now wired directly to credential stores, tool execution, and untrusted model output. The interesting question is rarely whether a given framework is exploitable; it is which inherited assumption finally broke under agentic load.
We track three structural tensions. First, the collapse of the local-host trust model as agent protocols carry developer-grade defaults into multi-tenant deployments. Second, supply-chain compromise that bypasses scanner coverage by hiding in places package auditors do not look, from model repositories to preinstall hooks to registry metadata. Third, the shrinking window between coordinated disclosure and in-the-wild exploitation, which is increasingly measured in hours and which exposes how much of the ecosystem still treats patch cadence as a quarterly concern.
The frame is comparative and skeptical rather than alarmist. Vendor lockdown modes, model-level safety training, and detector benchmarks all get evaluated against the same standard: does this address a structural property of the system, or relocate the failure mode somewhere harder to audit? Jailbreak research, disclosure-policy enforcement, and institutional credential hygiene belong on the same beat because they fail for related reasons. The work is to name those reasons in a way that still reads true after the specific advisories have rolled off the front page.