Short takes on breaking AI security news — 200–400 words, direct, no hedging. Ofir Stein's unfiltered reactions to what's happening right now.
The Mercor breach isn't just a vendor incident — it's a structural exposure of every major AI lab's proprietary alignment data, hidden behind a supply chain nobody audited.
Perplexity's CTO calls it clunky auth and wasted context — but the real reason MCP is breaking down is that it was never designed for production trust boundaries.
On March 31, the axios npm package was compromised with a RAT in the exact same window Anthropic released Claude Code v2.1.88 — a concrete demonstration of the transitive dependency blast radius problem.
Someone audited 9 public MCP servers and found tool poisoning works 84.2% of the time when auto-approval is on — and the industry is still acting surprised.
Zenity's Michael Bargury demoed live exploits against 6 major AI agents at RSAC 2026 — all zero-click, all using attacker-controlled content. The lesson isn't about better filters.
Zenity CTO Michael Bargury demoed zero-click prompt injection attacks live at RSAC 2026 against five major AI platforms. The lesson isn't 'LLMs are bad' — it's that every enterprise agent is a privileged executor with no identity boundary.
Obsidian's telemetry shows nearly 40% of enterprise AI agents carry toxic risk combinations — and every existing security tool is flying blind to it.
Check Point Research documented VoidLink — a sophisticated Linux malware framework built in under a week by a single developer using an AI-powered IDE. The implication: the security industry's threat model is built on a proxy that no longer holds.
BeyondTrust found that AWS Bedrock AgentCore's isolated sandbox leaks DNS — enabling C2, reverse shells, and S3 exfiltration. AWS responded by updating the docs.
GitGuardian's 2026 report shows 28.65M hardcoded secrets on public GitHub — but the real alarm is in the numbers for AI infrastructure. LLM orchestration and RAG credentials are leaking five times faster than model API keys, and the consequences are categorically different.
Two critical unauthenticated RCE vulnerabilities in n8n — CVE-2025-68613 (CVSS 9.9) and CVE-2026-21858 "ni8mare" (CVSS 10.0) — hit the CISA Known Exploited Vulnerabilities catalog on March 12. With 24,700+ instances exposed, this is a direct hit on the nervous system of AI agent infrastructure.
The Clinejection attack didn't exploit code — it exploited trust, using a prompt-injected GitHub issue to turn an AI triage bot into a supply-chain attack vector that silently installed a second AI agent on 4,000 developer machines.
Zenity Labs demonstrates how a single calendar invite can silently hijack an agentic browser, traverse local files, and steal 1Password credentials — no click required.
Unit 42 just confirmed what we've been building against: indirect prompt injection is live, weaponized, and hitting production AI systems right now.
Oasis Security demonstrated that a malicious website can silently hijack an OpenClaw agent over WebSocket, gaining full shell and API access with zero user interaction. This is the localhost trust problem, and it's not new — but agents make it catastrophically worse.
Microsoft and independent researchers have confirmed that AI agent memory can be poisoned through summarized content — and the industry is shipping memory-enabled agents at scale while barely acknowledging the threat.
A new npm worm campaign exploits slopsquatting — AI hallucinating wrong package names — to hit developers who use AI coding tools. This isn't a bug. It's a new attack class.
The MCP exposure crisis isn't a hacker story — it's what happens when infrastructure designed for local dev ships to production unchanged.
Two critical flaws in Claude Code — RCE via malicious settings files, silent API key interception — show that the real attack surface isn't the model. It's the config layer your agent trusts before any dialog appears.
The Moltbook multi-agent incident proves that per-agent guardrails are a necessary but dangerously incomplete defense. When agents interact, behavior emerges that no single prompt anticipated.
The first documented offensive MCP pipeline in the wild proves that controlling the server means controlling the agent — and behavioral defenses are useless against that.
Daily threat intelligence on agentic security — one story, one sharp take.