Google patched a critical flaw in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. CVSS 10.0. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.
Two related stories show AI-powered developer tools becoming a fresh attack surface. First, Pillar Security disclosed a now-patched vulnerability in Google's agentic IDE Antigravity that allowed prompt injection to escape the Strict Mode sandbox and achieve arbitrary code execution. The flaw combined Antigravity's file-creation capability with insufficient input sanitization in its find_by_name tool: injecting the -X (exec-batch) flag via the Pattern parameter forced the underlying fd utility to execute arbitrary binaries against workspace files. An attacker could stage a malicious script then trigger it through a seemingly legitimate search - no user interaction needed once the prompt injection lands. The attack can be delivered via indirect prompt injection: a user pulls a harmless-looking file from an untrusted source containing hidden comments that instruct the AI agent to stage and trigger the exploit. Google patched on February 28. Second, Manifold Security researchers showed a Claude-powered GitHub Actions workflow (claude-code-action) can be tricked into approving and merging malicious pull requests by setting Git's user.name and user.email to match a trusted developer (in the demo: Andrej Karpathy). On first submission Claude flagged for manual review. On resubmission, Claude approved it - the AI overrode its own earlier judgment on retry. The common thread: AI agents cannot treat attacker-controllable metadata as a trust signal, and non-determinism across retries means you cannot build a security control on an AI that changes its mind.
Backfill from April 15: OX Security disclosed an architectural flaw in the official Model Context Protocol SDKs (Python, TypeScript, Java, Rust) that lets attacker-controlled JSON config trigger arbitrary OS commands via the STDIO transport. Roughly 200,000 publicly reachable MCP servers and 150 million SDK downloads inherit the issue. OX has tied 14 CVEs to the same root cause across LiteLLM (patched), Bisheng (patched), Windsurf (zero-click RCE in Cursor-style IDEs, still reported), Flowise, LangFlow, GPT Researcher, Agent Zero, and DocsGPT. Anthropic declined to patch the protocol, calling the behavior 'expected.'
Backfill from April 21: Anthropic confirmed an unauthorized Discord group quietly accessed Mythos - the company's most powerful AI cybersecurity tool, restricted to about 40 vetted partners including Apple, Microsoft, and Google. The group got in on the same day Mythos was announced (April 7) by piggybacking on a member who works at one of Anthropic's third-party contractors, then guessed the model's URL based on naming patterns from previously leaked information. Anthropic says the group used Mythos to build websites, not for attacks - but they had quiet access for two weeks. Mozilla used Mythos to find and patch 271 Firefox bugs.
Cloud development platform Vercel disclosed a security incident on April 19 after a threat actor claiming to be ShinyHunters posted stolen data for sale on a hacking forum. Vercel CEO Guillermo Rauch confirmed the initial access came through a breach at Context.ai, an enterprise AI platform one Vercel employee had signed up for using their Vercel enterprise account with 'Allow All' OAuth permissions. Attackers compromised Context.ai, stole the OAuth token, took over the employee's Google Workspace account, and pivoted into Vercel environments. Once inside, they accessed environment variables not marked as 'sensitive' - these are stored unencrypted at rest, unlike sensitive env vars which Vercel encrypts. The attacker posted 580 employee records (names, emails, account status, activity timestamps) as a teaser, plus screenshots of an internal Vercel Enterprise dashboard. They claim to also have access keys, source code, database data, and API keys, though Vercel characterizes impact as a 'limited subset' of customers. Mandiant is engaged. This is the cleanest real-world example to date of the AI supply chain risk pattern everyone has been warning about: a third-party AI tool with broad OAuth scopes becomes the initial access vector into your primary infrastructure.
TrustStrike Labs