Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: data-exfiltration (4 articles)Clear

Microsoft warns poisoned MCP tool descriptions can make AI agents leak data

Microsoft is warning that attackers can hijack AI agents through poisoned tool descriptions, the plain-text notes that tell an agent what a tool does. Because agents connect to systems through the Model Context Protocol and read these descriptions to decide how to act, an attacker who updates a trusted third-party tool can bury a hidden instruction in its description, telling the agent to quietly collect and exfiltrate data on its next task. Many setups pick up description changes without re-approval, so the poisoned version goes live silently. Each step the agent takes looks legitimate and runs with the user's own permissions, so no alarm fires.

Check
Inventory the MCP tools and servers your AI agents can use, especially third-party ones, and check whether your setup re-approves or reviews tool descriptions when they change rather than trusting updates automatically.
Affected
Organizations running AI agents connected to third-party MCP tools without re-approval on description changes; a poisoned description can redirect the agent to exfiltrate data using the user's own permissions, invisibly.
Fix
Require review when tool descriptions change, pin and verify tool sources, scope agents with least privilege, log every tool invocation at the infrastructure layer, and gate sensitive actions behind human approval.

One-click Microsoft 365 Copilot flaw could silently steal emails and codes

Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.

Check
No patching is needed since Microsoft fixed this server-side; instead review what data Microsoft 365 Copilot can access and whether broad permissions would amplify a similar AI-assistant flaw.
Affected
Microsoft 365 Copilot Enterprise Search users were exposed (CVE-2026-42824) before Microsoft's server-side fix; the broader risk is any AI assistant that mixes untrusted input with access to internal data.
Fix
No customer action is required, as Microsoft has remediated the flaw. To reduce future AI-assistant risk, tighten Copilot data permissions, apply least privilege to identities, and monitor assistant activity.

West Pharmaceutical Services hit by ransomware - $3B injectable-packaging supplier disclosed data theft and encryption in SEC 8-K, global shipping and manufacturing disrupted

West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'

Check
Check whether your organization is a downstream customer of West Pharmaceutical Services (injectable vials, syringes, stoppers, drug delivery components), audit purchase orders and delivery delays from May 4 onward, and review supplier-risk assessments.
Affected
Customers and supply-chain partners of West Pharmaceutical Services - primarily biopharma manufacturers and contract drug fillers that depend on West for injectable packaging and delivery systems. Scope of stolen data not yet disclosed.
Fix
Engage West directly for an authoritative status update on your specific product lines, activate alternate-supplier contingencies for time-critical injectables, and treat any new emails referencing West order numbers as untrusted until verified through known account contacts.

GemStuffer campaign turned RubyGems into a clandestine data drop - 150+ malicious gems hid scraped UK council portal pages inside Ruby packages

Socket researchers found more than 150 RubyGems packages doing something the registry was never built to do: smuggling scraped data out of UK council websites. The malicious gems fetch pages from Lambeth, Wandsworth, and Southwark's public meeting portals, bundle the responses into a normal-looking .gem archive, and push it back to RubyGems using a hardcoded API key. The attacker then downloads the data as a public gem version. Whether GemStuffer is registry spam, a worm being tested, or a deliberate trial of package-registry abuse, the mechanics are intentional - and it landed the same week RubyGems froze new account signups over a separate flood of malicious packages.

Check
Search dependency manifests and gem caches for gems published from newly registered RubyGems accounts in May 2026 with junk names, and review outbound traffic from CI runners for connections to council .gov.uk subdomains.
Affected
Any developer workstation, CI agent, or container image that allows arbitrary outbound gem installs from rubygems.org. UK local government portals (Lambeth, Wandsworth, Southwark) had public pages scraped through this channel.
Fix
Restrict gem installs to internal mirrors with allowlists, block outbound HTTP to council .gov.uk domains from build agents, and use Socket's published GemStuffer indicators to block known malicious gems.