In partnership with
PRESENTED BY
Cyber AI Chronicle
By Simon Ganiere · 21st June 2026
The dangerous part of an AI agent is not the model. It is everything the model has been allowed to trust.
Last week, Agentjacking showed how attacker-controlled error telemetry could become an instruction source. This week, the same failure appeared across the rest of the stack: a malicious webpage reaching a localhost service through an agent, third-party skills whose behaviour bears little resemblance to their labels, and AI gateways capable of turning a low-privilege account into control of every model request passing through them.
That is a meaningful shift, but not the one the headlines suggest. We have not crossed into autonomous cyberwar. Most of this week's strongest evidence remains vulnerability research and proof-of-concept work, with no confirmed exploitation. The operational change is simpler. AI deployments are assembling new trust chains from browsers, plugins, gateways, model files and natural-language instructions. Security teams often inventory the model and ignore the chain.
Attackers are economically rational. They do not need to defeat the model if the infrastructure around it will execute their instructions for them.
If you have been enjoying the newsletter, it would mean the world to me if you could share it with at least one person 🙏🏼 and if you really really like it then feel free to offer me a coffee ☺️
AI Threat Tempo
🔗 AI Supply Chain & Developer Tool Abuse: ↑↑ 133.3%
Seven high-scoring articles covered poisoned agent skills, malicious IDE plugins and hijacked model uploads. Significance: AI supply-chain risk now spans instructions, credentials and model artefacts. A software bill of materials that stops at packages is incomplete.
📜 AI Governance & Defensive Innovation: ↑↑ 100%
Defensive research shifted towards behavioural verification of agent components, while AutoJack exposed a localhost trust assumption absent from most AI governance registers. Significance: acceptable-use policies do nothing for a tool that behaves differently from its declaration.
🤖 AI Autonomous & Agentic Attacks: ↑ 66.7%
AutoJack demonstrated agent-mediated host code execution from one malicious page. No exploitation was observed, and affected builds were pre-release. Significance: the technique matters more than the installed base. An agent turns localhost into a remotely reachable trust boundary.
🛡️ AI System Vulnerabilities: ↑ 60%
Research exposed critical weaknesses in LiteLLM, Microsoft 365 Copilot and the Vertex AI upload path. Significance: compromise of the AI control plane can expose prompts, credentials and downstream agent responses at once.
🤖 AI-Enabled Social Engineering: ↓ 80%
One high-scoring story covered the disruption of Outsider Enterprise, continuing last week's reporting on the same operation. Significance: lower article volume is not lower risk, but it is not evidence of a fresh surge either.
LLM traffic converts 3× better than Google search
58% of buyers now start their research in ChatGPT or Gemini, not Google. Most startups aren't showing up there yet.
The ones that are get cited by the AI tools their buyers, investors, and future hires already use. And they convert at 3×.
Download the free AEO Playbook for Startups from HubSpot and get the exact steps to start showing up. Five minutes to read.
Interesting Stats
80%: Of 49,943 OpenClaw skills analysed, four in five behaved differently from their declared purpose. Bad documentation is now a security control failure.
18.9%: Of those behavioural deviations were classified as adversarial, not merely sloppy or undocumented.
Nearly 70,000: Installs accumulated by malicious JetBrains plugins masquerading as AI coding tools before the campaign was exposed.
Three Things Worth Your Attention
1. The Agent Skill Registry Has an Integrity Problem
Unit 42 analysed all 49,943 skills in the OpenClaw public registry by comparing what each skill claimed to do with what its code and instructions actually did. Eighty per cent deviated from their declaration. Nearly one in five deviations was adversarial. The worst 5%, 2,490 skills, contained multi-stage attack chains dominated by credential exfiltration and instruction override.
The uncomfortable point is not that public registries contain malicious content. We learned that lesson from browser extensions, mobile apps and package repositories. The new problem is that an agent skill can hide consequential behaviour in three places at once: metadata, executable code and natural-language instructions. Traditional code scanning sees only part of the object.
This is the exception spiral in miniature. Teams permit a useful third-party skill, compensate with another control, then add more permissions when the workflow breaks. The agent accumulates capability while the original decision trace disappears. Eventually nobody can explain why a weather plugin can read environment variables.
On Monday, ask for an inventory of agent skills and MCP tools, including source, owner, permissions, network destinations and the behaviour observed at runtime. Block new installations until declared and actual behaviour are compared. A signed package proves who shipped it. It does not prove what it does.
2. AutoJack Makes localhost a Remote Attack Surface
Microsoft's AutoJack research chained three weaknesses in pre-release AutoGen Studio builds. A browsing agent loaded an attacker-controlled page, satisfied a localhost origin check by virtue of running locally, reached an unauthenticated MCP path, then passed attacker-selected commands to a handler with no allowlist. The result was code execution under the developer's account.
This follows last week's Agentjacking disclosure, but the distinction matters. Agentjacking poisoned trusted error telemetry. AutoJack uses the agent itself to cross a boundary that developers still treat as local. Both are confused-deputy failures, but they enter through different doors.
Apply Rosling's fear instinct. AutoJack is not an active campaign. Microsoft reported no exploitation, stable PyPI release 0.4.2.2 was unaffected, and the vulnerable population was limited to pre-release builds. Calling it a mass threat would be theatre.
The architecture is the signal. Browsing agents make server-side request forgery assumptions look quaint because the requester is an authorised local process acting on untrusted content. Audit agents that can browse, fetch documents or inspect tickets for access to localhost services and private address space. Deny those routes by default, require authentication even locally, and allowlist executable commands. “Only reachable from localhost” is no longer a control when an agent can be sent there.
3. The AI Gateway Is Becoming a Privileged Control Plane
A three-CVE chain in LiteLLM allowed a default low-privilege user to mint a wildcard API key, promote themselves to proxy administrator and reach remote code execution through an unsafe custom guardrail. A compromised gateway could expose provider keys, database credentials and prompts in transit. Researchers also showed it could forge model responses sent to downstream agents.
Separately, Unit 42's Pickle in the Middle research abused predictable Vertex AI staging-bucket names and a roughly 2.5-second race to replace an uploaded model with a malicious pickle payload. Google patched the affected SDK versions before disclosure, and neither case has confirmed exploitation.
These are not merely vulnerabilities “in AI”. They expose the concentration of privilege around AI infrastructure. Gateways see every request and often hold every provider credential. Model pipelines convert artefacts into running code. Compromise either layer and an attacker may alter what agents see, not just steal what users send.
Map AI gateways and model-serving pipelines as tier-zero services. Patch LiteLLM to 1.83.14-stable, rotate credentials if an exposed instance may have been accessed, and upgrade google-cloud-aiplatform to 1.148.0 or later. Most importantly, monitor model-response integrity and administrative actions. Availability monitoring will not tell you when the gateway is lying convincingly.
In Brief: AI Threat Scan
🤖 AI-Enabled Social Engineering: Following last week's Google action, the FBI and partners disrupted Outsider Enterprise, seizing infrastructure linked to more than one million fraudulent URLs and 3.8 million stolen payment-card records. This is continuity, not a separate campaign.
🔗 AI Supply Chain Abuse: At least 15 malicious JetBrains plugins stole AI API keys under the guise of coding assistants and review tools. The marketplace supplied trust; the plugins monetised it.
🛡️ AI System Vulnerabilities: The one-click SearchLeak flaw in Microsoft 365 Copilot chained parameter-to-prompt injection, a streaming sanitiser race and Bing image fetching to exfiltrate data accessible through Microsoft Graph. Microsoft mitigated it server-side, with no observed exploitation.
🔬 Research & Detection: A developer avoided a fake-recruiter repository attack after running the code through an AI agent in a read-only sandbox. AI reduced risk because the permissions were constrained. There is a lesson hiding in plain sight.
Patch Now: AI-Relevant CVEs
CVE | Product | CVSS | Type | Status | AI relevance | Patch |
|---|---|---|---|---|---|---|
CVE-2026-47101, CVE-2026-47102, CVE-2026-40217 | LiteLLM | 9.9 chain | Auth bypass, privilege escalation, RCE | 🟢 Patched, no known exploitation | Gateway takeover exposes provider keys, prompts and downstream agent responses | ✅ 1.83.14-stable |
CVE-2026-42824 | Microsoft 365 Copilot | Critical | Prompt injection and data exfiltration | 🟢 Mitigated, PoC only | Copilot search could expose mail, files and MFA codes available through Graph | ✅ Server-side mitigation |
LiteLLM is the priority because organisations control the deployment and the gateway concentrates credentials. AutoJack and Pickle in the Middle have no CVE identifiers, so they are excluded from the table, not from the remediation queue.
The Bottom Line
What changed this week is not model capability. It is the amount of privilege accumulating in the layers around the model.
AutoJack, malicious skills and the LiteLLM chain all exploit ordinary trust decisions: localhost is safe, marketplace metadata is honest, a low-privilege gateway user stays low privilege. AI makes the consequences larger because the compromised component can influence subsequent actions at machine speed. The model is the multiplier, not the root cause.
What looks scarier than it is: a single webpage “taking over AI agents everywhere”. AutoJack affected narrow pre-release builds, was patched in source and had no observed exploitation. The systemic lesson is serious. The immediate population risk is not.
Stop treating AI governance as a register of approved models. Build the register around authority: what can each agent read, which systems can instruct it, what tools can it invoke, which credentials sit in its gateway, and how you verify that a skill behaves as declared. If your governance process cannot answer those questions, it is ceremonial security with a chatbot attached.
On Monday, pick one production agent and trace every source of instruction from input to action. The undocumented trust edge is where the real report begins.
Wisdom of the Week
He who blames others has a long way to go on his journey. He who blames himself is halfway there. He who blames no one has arrived."
AI Influence Level
Level 4 - Al Created, Human Basic Idea / The whole newsletter is generated via Codex workflow based on hundreds of news and research articles. Human-in-the-loop to review the selected articles and subjects.
Reference: AI Influence Level from Daniel Miessler
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.