Multiple reports warn that the most immediate AI security risk is attackers hijacking trusted workflows—AI copilots/agents, CI pipelines, SaaS admin planes, and identity control points—rather than “AI” being a standalone threat category. Commentary and research highlight how prompt-injection-style techniques can turn normal user actions (e.g., clicking a legitimate-looking link) into silent data exfiltration or unsafe tool use, and how autonomous agents can still complete scams even when they can correctly label a page as phishing. 1Password introduced an open-source benchmark, Security Comprehension and Awareness Measure (SCAM), to test whether AI agents behave safely in realistic workplace tasks (email triage, link clicking, retrieving credentials from a vault, and form-filling) using production-like APIs; in testing, models that could identify phishing when asked still proceeded to retrieve and submit real credentials during routine workflows.
Microsoft research described AI recommendation poisoning affecting 31 companies across 14 industries, where hidden instructions embedded in “Summarize with AI” links attempt to inject persistent directives into an assistant’s memory via URL prompt parameters, biasing future recommendations (e.g., prioritizing a specific domain/company). Separately, identity-focused analysis argues that as AI increases automation and API-driven decisioning, identity becomes the enterprise control plane, making IAM architecture and resilience (including where policy evaluation and authorization live) a central security concern at “AI scale.” Two SC Media opinion pieces broaden the theme: one ties recent supply-chain and developer-workflow compromises (e.g., malicious packages/actions and token theft) to the same “trusted workflow” abuse pattern, while another discusses mobile apps as an early-warning surface for supply-chain risk (including AI arriving via third-party SDKs), but it is more forward-looking guidance than incident reporting.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Mitiga published a proof-of-concept showing that a trojanized Claude Code skill could abuse Slack integration to send phishing messages from a trusted user account across an organization. The disclosure also included Slack-focused detection ideas, such as monitoring audit logs for agent installation, unusual send_message activity, and suspicious OAuth scope expansion.
Researchers reported that Anthropic Claude Code Security Review, Google Gemini CLI Action, and Microsoft GitHub Copilot integrations with GitHub Actions could be abused to steal API keys and access tokens. The article also describes a separate dispute over Anthropic’s Model Context Protocol design, which researchers said could expose up to 200,000 servers, while vendors reportedly paid bug bounties but did not issue CVEs or public advisories for the platform-level issues.
Microsoft disclosed research showing that assistants such as ChatGPT, Claude, Grok, and Microsoft 365 Copilot can be manipulated through hidden instructions embedded in 'Summarize with AI' links and URL prompt parameters. It also shared threat-hunting guidance for detecting these links in email and Microsoft Teams messages.
1Password released the Security Comprehension and Awareness Measure (SCAM) under the MIT License, along with tooling to replay scenarios and export video results. The benchmark is intended to help researchers and enterprises evaluate whether AI agents behave safely in realistic workflows.
In SCAM testing, 1Password found that providing a short security-skills document significantly reduced critical failures and, for several models, eliminated them across repeated runs. Some models still remained inconsistent or continued to fail specific scenarios, including forwarding notes containing embedded passwords and access keys.
1Password evaluated eight AI models across 30 realistic workplace security scenarios, finding safety scores ranging from 35% to 92% and critical failures in every model under baseline conditions. The tests showed agents could recognize phishing in isolation yet still perform unsafe actions such as entering credentials into attacker-controlled pages or forwarding secrets.
Over a 60-day period, Microsoft recorded 50 unique prompt-based memory-poisoning attempts tied to 31 companies, showing that hidden instructions in AI-summary links were being used to manipulate assistant recommendations. The activity was attributed largely to legitimate businesses rather than typical cybercriminal SEO operators.
NIST's Center for AI Standards and Innovation published research on AI agent hijacking, using the open-source AgentDojo framework and Claude 3.5 Sonnet agents to measure how indirect prompt injection attacks can drive harmful actions. The study introduced new attacks and high-impact scenarios such as remote code execution, database exfiltration, and automated phishing, and found that repeated attack attempts significantly increased compromise rates.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
mitiga.io
Open sourcego.theregister.com
Open sourcescworld.com
Open sourcedarkreading.com
Open sourcesecurity.com
Open sourcehelpnetsecurity.com
Open sourcenist.gov
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.