AI Agent Session Smuggling and Code Interpreter Exploits in Enterprise AI Systems
A new attack technique called agent session smuggling has been identified, allowing malicious AI agents to exploit established cross-agent communication sessions to covertly inject instructions into victim agents. This method leverages the stateful nature of protocols like Agent2Agent (A2A), which are designed for persistent, context-aware conversations between AI agents. The attack does not exploit a vulnerability in the protocol itself, but rather abuses the implicit trust and memory features of stateful agent communication, enabling a rogue agent to manipulate a victim over multiple interactions. Mitigation strategies include human-in-the-loop enforcement, remote agent verification, and context-guarding mechanisms.
Separately, a vulnerability in Anthropic’s Claude AI assistant was demonstrated, where attackers could exploit the code interpreter feature to exfiltrate sensitive enterprise data. By using indirect prompt injection, malicious instructions embedded in user-supplied content could trigger Claude to retrieve confidential information and upload it to attacker-controlled accounts via the platform’s own API, bypassing default network restrictions. The exploit highlights the risks of implicit trust and insufficiently restricted internal APIs in advanced AI systems, emphasizing the need for robust security controls around agent interactions and code execution features.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Claude AI code interpreter exploit exposing enterprise data is reported
CSO Online reported on a vulnerability in Claude AI in which a code interpreter exploit could expose enterprise data. The article represents public reporting of the issue and its potential impact on organizations using the platform.
Researchers disclose Agent Session Smuggling attack in A2A systems
Palo Alto Networks Unit 42 published research describing an 'Agent Session Smuggling' attack affecting agent-to-agent AI systems, outlining how AI agents can be manipulated to act outside intended session boundaries. The publication marks the public disclosure of the attack technique and its security implications for A2A environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Agent Framework Flaws Turn Prompt Injection Into Code Execution and Persistence
Microsoft disclosed two critical vulnerabilities in its **Semantic Kernel** AI agent framework that could let prompt injection escalate into host compromise. `CVE-2026-26030` affected the Python implementation before version `1.39.4`, where unsafe `eval()`-based lambda construction in the Search Plugin’s default In-Memory Vector Store filter path enabled remote code execution, while `CVE-2026-25592` affected the .NET SDK before version `1.71.0` and allowed arbitrary file write through `SessionsPythonPlugin`’s `DownloadFileAsync`, creating a path to sandbox escape and host takeover; a related arbitrary file read issue was also present in upload handling. Microsoft said it hardened AST validation, restricted callable functions and attributes, removed unintended tool exposure, added path validation, and urged customers to patch and review endpoint telemetry for signs of exploitation. The disclosure lands amid broader warnings that AI agents can preserve and amplify malicious instructions through memory and context reuse. Cisco researchers recently showed that poisoned memory files in Anthropic’s **Claude Code** could persist across projects and sessions, steering the assistant to insert hard-coded secrets, choose insecure packages and configurations, and spread tainted changes to another developer. Researchers and defenders say the incidents reinforce that AI models are not security boundaries and that any model-influenced tool parameter, memory file, or context artifact should be treated as attacker-controlled input, with mitigations including patching vulnerable frameworks, scanning memory and dependency files, and purging stored agent memory after suspected compromise.
May 7, 2026
Captured AI Agent Logs Show Claude and Codex Used to Breach 14 Companies
Researchers analyzing more than 1,000 recovered AI agent sessions found that a low-skilled attacker used Anthropic’s **Claude Code** and OpenAI’s **Codex** to carry out offensive cyber operations against at least 14 companies. Logs from a compromised Vultr-hosted system showed the operator using the tools for reconnaissance, vulnerability discovery, exploit development, credential harvesting, database replication, session impersonation, cloud and API key testing, mail-account takeover attempts, and lateral movement. The sessions also documented requests for stealth, anti-forensics, transcript editing, encrypted reporting, and migration of stolen data, while some generated **pentest-style reports** that included monetization estimates for exfiltrated information. Investigators said the attacker reused stolen local AI agent installations and made operational security mistakes that helped attribute the activity to a young man in Addis Ababa, Ethiopia. Separate analysis of a **Claude Code** network sandbox bypass highlighted why AI agent misuse can extend beyond unsafe model output into runtime and infrastructure controls. NSFOCUS reported that proxy-based filtering could be bypassed because policy checks evaluated the original input while the network layer parsed and truncated it differently, including with invisible control characters or null bytes, creating a path for outbound requests and possible data leakage in a single execution chain. Although the issue was reportedly fixed in later versions, researchers said the low-profile remediation made exposure difficult to assess and underscored the need for layered defenses such as strict egress allowlisting, least privilege, short-lived secrets, auditing, fail-closed policies, and fuzz testing of parsing paths.
Jun 18, 2026
AI agent and LLM misuse drives new attack and governance risks
Reporting highlighted how **LLMs and autonomous AI agents** are being misused or creating new enterprise risk. Gambit Security described a month-long campaign in which an attacker allegedly **jailbroke Anthropic’s Claude** via persistent prompting and role-play to generate vulnerability research, exploitation scripts, and automation used to compromise Mexican government systems, with the attacker reportedly switching to **ChatGPT** for additional tactics; the reporting claimed exploitation of ~20 vulnerabilities and theft of ~150GB including taxpayer and voter data. Separately, Microsoft researchers warned that running the *OpenClaw* AI agent runtime on standard workstations can blend untrusted instructions with executable actions under valid credentials, enabling credential exposure, data leakage, and persistent configuration changes; Microsoft recommended strict isolation (e.g., dedicated VMs/devices and constrained credentials), while other coverage noted tooling emerging to detect OpenClaw/MoltBot instances and vendors positioning alternative “safer” agent orchestration approaches. Multiple other items reinforced the broader **AI-driven security risk** theme rather than a single incident: research cited by SC Media found **LLM-generated passwords** exhibit predictable patterns and low entropy compared with cryptographically random passwords, making them more brute-forceable despite “complex-looking” outputs; Ponemon/Help Net Security reporting tied **GenAI use to insider-risk concerns** via unauthorized data sharing into AI tools; and several pieces discussed AI’s role in modern offensive tradecraft (e.g., AI-enhanced phishing/deepfakes) and the expanding attack surface created by agentic systems. Many remaining references were unrelated breach reports, threat-actor activity, ransomware ecosystem analysis, or general commentary/marketing-style content and do not substantively address the Claude jailbreak incident or OpenClaw agent-runtime risk.
Mar 26, 2026