Cyber AI Chronicle

By Simon Ganiere ·28^th June 2026

Welcome back!

The model is not where attackers are finding the cheapest path this week. The cheaper path is the trust we wrapped around the model.

Last week, the story was agent supply chains: AutoJack, LiteLLM, Vertex AI and poisoned skills. This week is the continuation, but not a repeat. The fresh evidence moved closer to daily enterprise work. A developer opens a Git repository and an AI coding assistant can inherit cloud credentials. A security employee receives a legitimate OpenAI notification and may be pulled into an attacker-owned workspace. A malware analyst lets an LLM triage a sample and the sample contains instructions designed to make the analyst disappear.

That is not autonomous cyberwar. It is more prosaic and more useful to attackers. AI is increasing the value of old trust mistakes: workspace configuration, SaaS tenancy, browser sessions, local developer environments and analysis pipelines. The uncomfortable conclusion is simple. If your AI inventory stops at models, it is already missing the attack surface.

🔗 AI Supply Chain & Developer Tool Abuse: ↓ 57.1%

Fewer high-scoring stories than last week, but the quality improved: Amazon Q flaws allowed malicious repositories to trigger command execution and cloud credential theft. Significance: developer AI tools now deserve the same scrutiny as CI/CD runners.

🛡️ AI System Vulnerabilities: ↓ 50%

Gaslight embedded prompt injection into malware to disrupt AI-assisted triage, while AutoGen remains a contextual reminder from last week.
Significance: AI security tooling is becoming a target, not only a defender.

🤖🏃 AI Autonomous & Agentic Attacks: ↓ 20%

The strongest current story is still agent tooling abuse, especially Amazon Q and MCP-style trust failures. Research on AI agent traps put a number on the problem: NIST tests saw malicious prompt instructions succeed in 57% of tasks.
Significance: the permission model matters more than the personality of the agent.

🤖 AI-Enabled Social Engineering: ↑↑ 100%

Poisoned Tenant used legitimate OpenAI invitation emails to impersonate corporate ChatGPT workspaces. Unit 42 also tracked AI-generated instruction videos across 800+ phishing URLs.
Significance: brand trust has become an AI platform attack primitive.

🔍 AI-Accelerated Vulnerability Exploitation: ↑↑ 100%

AI-driven vulnerability discovery is now producing operational volume: Athena processed 20,000+ findings and 2,000+ patches across 500 open source projects, according to The Register.
Significance: discovery is accelerating faster than triage capacity.

The detailed ones. The ones with examples and edge cases. Wispr Flow lets you speak them instead — clean, structured, ready to paste into any AI tool. Free on Mac, Windows, and iPhone.

Try Wispr Flow free

Wiz disclosed two Amazon Q Developer extension vulnerabilities, CVE-2026-12957 and CVE-2026-12958, where a malicious repository could cause the assistant to process .amazonq/mcp.json configuration and run attacker-controlled commands. The practical result was ugly: AWS credentials, API keys, SSH agent sockets and session tokens could be exposed when a developer opened the wrong project.

This is last week's agent-supply-chain theme becoming more concrete. AutoJack showed that localhost trust collapses when agents browse untrusted content. Amazon Q shows that workspace trust collapses when coding assistants automatically process repository configuration. Both are confused-deputy problems, but this one sits directly inside a normal developer workflow.

The economic logic is obvious. Attackers do not need to compromise AWS if they can compromise the developer whose shell already holds the credentials. Fake coding tests, malicious pull requests and typosquatted sample repositories are low-cost paths into high-value cloud identities.

On Monday, treat AI coding assistants as privileged developer tools. Disable automatic execution of workspace-provided agent or MCP configuration where possible, pin approved versions, and audit whether cloud credentials are loaded into developer shells by default. Convenience is becoming a credential exposure pattern.

Unknown actors used fraudulent OpenAI organisation invites in a campaign Push Security called Poisoned Tenant. The emails came from OpenAI's real notification infrastructure, passed authentication checks, and invited employees of cybersecurity firms into attacker-created ChatGPT workspaces impersonating their companies. In at least one tenant, the attacker posed as the CEO and pre-assigned invited users Owner privileges.

This is not phishing in the old sense. There is no obviously fake sender domain to block and no broken logo to mock in awareness training. The attacker borrows the platform's legitimate trust channel, then waits for employees to paste source code, internal notes or customer data into what they believe is the corporate workspace.

It also exposes a visibility gap. Many organisations have started approving enterprise AI tools, but few can answer which tenants their employees have joined, who owns them, and whether data is leaving through a shadow workspace. Visibility is security, especially when the workspace looks legitimate.

The control is not another training slide. Require tenant allowlisting for enterprise AI platforms, monitor invitations from approved AI services, and give employees a verified internal landing page for sanctioned workspaces. If your users must decide tenant legitimacy from an email invitation, the attacker has already chosen the battleground.

SentinelOne's Gaslight macOS malware, attributed with high confidence to North Korea-aligned actors, is a Rust-based backdoor and infostealer using Telegram for command and control. The novel part is not the Keychain theft or browser credential collection. The novel part is a 3.5 KB embedded prompt injection block containing 38 fabricated error messages, designed to make LLM-assisted malware triage tools abort, doubt their session state, or truncate analysis.

Be careful with the hype. There is no public evidence that Gaslight successfully bypassed a named commercial AI analysis platform. That matters. But the intent matters too. The malware is written with the AI analyst as a target.

This is the state clock versus event clock problem in miniature. A triage system may record that analysis failed, but unless it captures why the failure happened, the defender sees a tool error rather than adversarial behaviour. That is how ceremonial security creeps into automation: the process ran, the dashboard updated, and nobody noticed the sample had instructed the assistant to stop thinking.

SOC teams using LLM-assisted analysis should separate untrusted artifact text from system instructions, log model refusals and analysis aborts as security events, and scan samples for prompt-injection strings before passing them to triage agents. The tool is useful. Treat its input as hostile.

🤖 AI-Enabled Social Engineering: Unit 42 found an active phishing campaign using AI-generated instruction videos to trick users into extracting their own session cookies through browser DevTools. The campaign used more than 800 URLs and updated lures such as "Appeal Request" and "Verified Badge."

🦠 AI-Assisted Malware: BleepingComputer's Gaslight coverage reinforces the same point from a second write-up: prompt injection is moving into malware anti-analysis tradecraft.

🤖🏃 Autonomous & Agentic Attacks: Research on agent traps highlighted content injection, semantic manipulation and memory poisoning as attack classes against autonomous agents. Useful taxonomy, but not a confirmed campaign.

🔍 AI Vulnerability Exploitation: The Athena and Akrites efforts described by The Register show AI vulnerability discovery becoming an operational-volume problem, with thousands of findings moving toward disclosure.

🔗 AI Supply Chain Abuse: A fake AI agent skill called brand-landingpage reportedly passed major security scanners by swapping externally hosted payloads after approval and reached approximately 26,000 agents. Static scanning does not protect runtime fetches.

📜 AI Governance & Defense: Five Eyes leaders warned that AI can make risk assumptions stale within months. The useful part is not the warning. It is the mundane prescription: reduce attack surface, patch faster, fix identity and prepare response.

The urgent action is developer fleet hygiene: verify Amazon Q extensions across VS Code, JetBrains, Eclipse and Visual Studio are on patched language server versions. The Cisco and Ubiquiti CVEs this week are serious, but they are not AI-relevant enough for this edition's patch table.

The thing that changed this week is proximity. Last week's risks were mostly in agent infrastructure and research disclosures. This week, the attack surface moved into places employees already touch: repositories, ChatGPT workspaces, AI-assisted triage tools.

The scary-but-noisy story is "autonomous AI agents attacking everything." The real story is less cinematic. Attackers are finding normal trust edges where AI tools have been given too much authority and too little context. That is how economics works. They will take the cheapest path.

CISOs should stop asking only which models are approved. Ask which systems can instruct them, which repositories they parse, which tenants users can join, which credentials sit in developer sessions, and what happens when an artifact tells the analysis tool to stop.

On Monday, pick one AI-enabled developer workflow and trace authority end to end. Not the slideware version. The real one. The first undocumented trust edge you find is probably more important than the model risk register.

Level 4 - AI Created, Human Basic Idea / The newsletter is generated via Codex workflow based on current Overwatch intelligence data and source articles. Human-in-the-loop review is required before publication.

Reference: AI Influence Level from Daniel Miessler