Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.
Microsoft researchers detailed AutoJack, an attack that turns an AI browsing agent into a route for running code on the user's machine. If the agent is steered to open an attacker's web page, that page's JavaScript can reach a privileged local service on the same host and spawn a process, with no credentials and no further interaction once the page loads. A planted link, poisoned URL field, or prompt injection is enough to trigger it. The demonstrated flaw sits in AutoGen Studio, the prototyping interface for Microsoft's AutoGen agent framework. The lesson: once an agent browses the open web and can reach local services, localhost is no longer a trust boundary.
Researchers at Tenet Security have disclosed Agentjacking, a new attack that turns AI coding assistants like Claude Code, Cursor, and Codex into tools for running an attacker's code on a developer's machine. The trick abuses Sentry, a widely used error-tracking service: anyone can submit a fake error event using a project's DSN, a public write-only key embedded in website code, and the AI agent, fetching that event through Sentry's MCP integration, cannot tell the malicious instructions from real diagnostics and runs them with the developer's privileges. No phishing, malware, or server breach is needed, and it bypasses traditional controls because every step is technically authorized. Tenet found 2,388 exposed organizations.
Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.
Researchers at Cyera have disclosed a chain of four vulnerabilities in OpenClaw, an open-source autonomous AI agent platform that Nvidia and Tencent have built enterprise products on top of. The chain - CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118 - lets an attacker who can influence the agent's input (through a malicious plugin, prompt injection, or compromised tool output) break out of the OpenShell sandbox, read environment-stored API keys, elevate to owner-level privileges, and write persistent backdoors. Each step looks like normal agent behavior. Shodan and Zoomeye between them counted 65,000 to 180,000 public OpenClaw instances earlier in May. All flaws are fixed in OpenClaw 2026.4.22.
A high-severity Docker Engine flaw allows attackers to bypass authorization plugins with a single oversized HTTP request. CVE-2026-34040 (CVSS 8.8) stems from an incomplete fix for CVE-2024-41110 from July 2024 - the original patch missed requests over 1MB, which get forwarded to the Docker daemon without their body, so the AuthZ plugin sees nothing to block while the daemon processes the full malicious payload. The result: a privileged container with root access to the host filesystem, exposing AWS credentials, SSH keys, Kubernetes configs, and everything else on the machine. Critically, Cyera researchers demonstrated that AI coding agents running inside Docker sandboxes can be tricked via prompt injection into crafting the bypass request themselves - no human attacker needed.