AI Security
What AI actually does and does not do for security, what it lets attackers do, and what defenders need to know.
4 posts in this cluster
langflow CVE-2026-33017: the unauth RCE in your team's AI prototyping tool is exfiltrating your AWS keys in under 20 hours flat
Langflow, the visual builder for LLM agent chains used by AI engineers and MLOps teams, had its second unauthenticated RCE in two years, through the same exec() call. The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow (note the _public_: unauthenticated by design), which routes attacker-supplied Python into exec() at src/lfx/src/lfx/custom/validate.py:397 with no sandboxing. Sysdig honeypots logged the first probe 20 hours after the 2026-03-17 disclosure and the first successful credential exfiltration within 25 hours; exploitation was still active in May 2026. The payload is built for AI infrastructure: it dumps os.environ for AWS_*, OPENAI_*, ANTHROPIC_*, HF_TOKEN, PINECONE_*, SUPABASE_* and GITHUB_TOKEN; drops a 9.4 MB Go binary (worker-linux-amd64) that uses utls for TLS fingerprint spoofing and embeds gitleaks for secret scanning; persists as keyhunter-worker.service; and joins a NATS-based C2 botnet at 45.192.109.25:14222, subscribing to task.scan_cde, task.scan_web, task.validate_aws and task.validate_ai. Affected: ≤ 1.8.1; patched in 1.9.0. NATS-as-C2 is the technique infostealer botnets are converging on (Sysdig writeup). Why AI/ML tooling is the new Jenkins: broad IAM roles, internet-exposed by default, :latest image tags, high-value secrets in the environment, no auth gate. The post includes the full IOCs, an air-gap-first remediation order (the worker can detect revocation CLI invocations, so cut its network access before you rotate anything), and the IAM/key-rotation list to work through after compromise.
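Triage helpers for the Langflow case above, as an added example (this is not Sysdig's or Langflow's code). The endpoint path, version bounds and IOC strings are the ones the teaser gives; the access-log lines, unit listing, socket listing and environment are constructed, and the log parser assumes a combined-format access log from a reverse proxy in front of Langflow.

```python
"""Triage helpers for the Langflow build_public_tmp RCE (added example).

Not Sysdig's or Langflow's code. Sample inputs below are constructed; the
endpoint, version bounds and IOC strings come from the post."""
import re
from typing import Iterable

# Combined-format access log line for a POST to the unauthenticated build endpoint.
# Captures source IP, the flow_id in the path, and the HTTP status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"POST /api/v1/build_public_tmp/(?P<flow_id>[^/\s"]+)/flow[^"]*" '
    r'(?P<status>\d{3})')

# Host-level indicators from the post: dropped binary, persistence unit, NATS C2.
HOST_IOCS = ("worker-linux-amd64", "keyhunter-worker.service", "45.192.109.25:14222")

# Env-var names the payload dumps; the wildcarded ones are prefix matches.
SECRET_PREFIXES = ("AWS_", "OPENAI_", "ANTHROPIC_", "PINECONE_", "SUPABASE_")
SECRET_EXACT = {"HF_TOKEN", "GITHUB_TOKEN"}


def is_vulnerable_version(version: str) -> bool:
    """Affected <= 1.8.1, fixed in 1.9.0. Assumes a plain X.Y.Z version string."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts <= (1, 8, 1)


def build_public_hits(log_lines: Iterable[str]) -> list[dict]:
    """Every POST to the public build endpoint: src IP, flow_id, status."""
    return [m.groupdict() for line in log_lines if (m := LOG_RE.match(line))]


def host_ioc_matches(lines: Iterable[str]) -> list[str]:
    """IOCs present in host output such as `systemctl list-units` or `ss -tnp`."""
    lines = list(lines)
    return [ioc for ioc in HOST_IOCS if any(ioc in line for line in lines)]


def secrets_to_rotate(environ: dict) -> list[str]:
    """Variables the stealer would have read from the Langflow process env.
    Isolate the host first: the worker watches for revocation CLI calls, so
    revoke from a clean machine after network access is cut."""
    return sorted(k for k in environ
                  if k.startswith(SECRET_PREFIXES) or k in SECRET_EXACT)


# --- constructed sample inputs (not captured data) -----------------------
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [18/Mar/2026:09:12:41 +0000] "POST /api/v1/build_public_tmp/'
    '3f2a9c1e-0000-4000-8000-000000000001/flow HTTP/1.1" 200 512 "-" "python-requests/2.32.3"',
    '198.51.100.7 - - [18/Mar/2026:09:13:02 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Mar/2026:09:13:30 +0000] "POST /api/v1/build_public_tmp/'
    '3f2a9c1e-0000-4000-8000-000000000001/flow HTTP/1.1" 500 88 "-" "python-requests/2.32.3"',
]
SAMPLE_HOST_OUTPUT = [  # systemctl list-units and ss -tnp excerpts
    "keyhunter-worker.service   loaded active running  keyhunter worker",
    "ssh.service                loaded active running  OpenBSD Secure Shell server",
    'ESTAB 0 0 10.0.2.15:51844 45.192.109.25:14222 users:(("worker-linux-amd64",pid=4242,fd=7))',
]
SAMPLE_ENV = {
    "AWS_ACCESS_KEY_ID": "<redacted>", "AWS_SECRET_ACCESS_KEY": "<redacted>",
    "OPENAI_API_KEY": "<redacted>", "GITHUB_TOKEN": "<redacted>",
    "HOME": "/root", "PATH": "/usr/bin", "LANGFLOW_HOST": "0.0.0.0",
}

if __name__ == "__main__":
    print("vulnerable 1.8.1:", is_vulnerable_version("1.8.1"))
    for hit in build_public_hits(SAMPLE_ACCESS_LOG):
        print("build_public_tmp POST:", hit)
    print("host IOCs:", host_ioc_matches(SAMPLE_HOST_OUTPUT))
    print("rotate:", secrets_to_rotate(SAMPLE_ENV))
```

Run it against your proxy logs and the output of `systemctl list-units --all` plus `ss -tnp`; any hit on the endpoint from an address you do not own on a version at or below 1.8.1 should be treated as compromise, and the rotation list is the minimum, not the full scope.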
we read 15 vibe-coded apps so you don't have to: 69 vulnerabilities, 5 patterns, one playbook
Tenzai's January 2026 study audited 15 web apps generated by AI coding tools (Cursor, Claude Code, Replit's agent mode, Devin, OpenAI Codex) and found 69 distinct vulnerabilities. 0 of 15 had CSRF protection. 0 set basic security headers. 100% had SSRF. 24.7% of all AI-generated code shipped with a flaw. We replicated the methodology on 8 client codebases and found the same patterns. Five recurring vulnerabilities walked through with code: SSRF against the AWS instance metadata service (the canonical exploit), hardcoded service-role keys in NEXT_PUBLIC_ variables that Next.js inlines into the client bundle, missing Supabase row-level security policies (tested with one pg_tables query), CORS that reflects any origin with credentials, and Clerk unsafe_metadata trusted as authorization (the privilege-escalation one-liner: window.Clerk.user.update). Why the AI does this: RLHF rewards 'the app works', not 'the app is secure'. The 5-step pre-flight you can run in under 10 minutes before shipping, plus a downloadable PDF checklist for the email list.
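Three of the five patterns above as runnable checks, written here as an added example (not Tenzai's code, not the post's pre-flight, and not code from any audited app): an SSRF guard that refuses IMDS, link-local, loopback and private targets and checks every resolved address; a CORS check for the reflected-origin-plus-credentials misconfiguration; and a scan for NEXT_PUBLIC_ assignments whose value is a JWT carrying role=service_role. The `resolve` hook, the FAKE_DNS table and the sample .env text are assumptions so the block runs offline; the JWTs in the sample are constructed and unsigned.

```python
"""Pre-flight checks for AI-generated web apps (added example, not Tenzai's
code). Inputs are constructed; `resolve` is an assumed hook for offline use."""
import base64
import ipaddress
import json
import re
import socket
from urllib.parse import urlsplit

IMDS_LITERALS = {"169.254.169.254", "fd00:ec2::254"}  # AWS IMDS IPv4 / IPv6


def is_blocked_ip(ip: str) -> bool:
    """Anything not globally routable is off limits for a server-side fetch."""
    addr = ipaddress.ip_address(ip)
    return (ip in IMDS_LITERALS or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_reserved or addr.is_multicast
            or addr.is_unspecified)


def ssrf_safe_url(url: str, resolve=None) -> bool:
    """True only for http(s) URLs whose every resolved address is public.
    resolve(host) -> [ip, ...] is an assumed hook; default uses getaddrinfo.
    Caveat: the fetch must connect to the IP checked here (pin it), or a
    DNS-rebinding host can pass this check and then resolve to IMDS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # userinfo and brackets already stripped
    try:
        ipaddress.ip_address(host)  # literal IPv4/IPv6 in the URL
        ips = [host]
    except ValueError:
        ips = (resolve(host) if resolve
               else [ai[4][0] for ai in socket.getaddrinfo(host, None)])
    return bool(ips) and not any(is_blocked_ip(ip) for ip in ips)  # unresolvable -> refuse


def cors_misconfigured(request_origin: str, response_headers: dict) -> bool:
    """Reflected arbitrary Origin plus credentials: any site reads as the user."""
    h = {k.lower(): v for k, v in response_headers.items()}
    reflected = h.get("access-control-allow-origin") == request_origin
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return reflected and creds


def jwt_role(token: str):
    """Return the 'role' claim from an (unverified) JWT payload, else None."""
    try:
        seg = token.split(".")[1]
        seg += "=" * (-len(seg) % 4)
        return json.loads(base64.urlsafe_b64decode(seg)).get("role")
    except (IndexError, ValueError, AttributeError):
        return None


# NEXT_PUBLIC_NAME = <jwt> or NEXT_PUBLIC_NAME: "<jwt>"; JWT payloads start "eyJ".
NEXT_PUBLIC_JWT_RE = re.compile(
    r'''(NEXT_PUBLIC_\w+)\s*[:=]\s*["']?(eyJ[\w\-]+\.[\w\-]+\.[\w\-]+)''')


def leaked_service_role_vars(text: str) -> list[str]:
    """NEXT_PUBLIC_ vars (inlined into the client bundle by Next.js) holding a
    service_role JWT. Run over .env*, next.config.* and source files."""
    return [name for name, tok in NEXT_PUBLIC_JWT_RE.findall(text)
            if jwt_role(tok) == "service_role"]


# --- constructed sample inputs -------------------------------------------
def _b64url(d: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")


def _fake_jwt(payload: dict) -> str:  # unsigned, for the sample only
    return ".".join([_b64url({"alg": "HS256", "typ": "JWT"}), _b64url(payload), "sig"])


FAKE_DNS = {"example.com": ["93.184.216.34"],
            "metadata.internal": ["169.254.169.254"],      # rebinding-style alias
            "both.example": ["93.184.216.34", "10.0.0.5"]}  # one private answer is enough


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


SAMPLE_ENV_FILE = "\n".join([
    "NEXT_PUBLIC_SUPABASE_URL=https://xyz.supabase.co",
    "NEXT_PUBLIC_SUPABASE_ANON_KEY=" + _fake_jwt({"role": "anon"}),
    "NEXT_PUBLIC_SUPABASE_SERVICE_KEY=" + _fake_jwt({"role": "service_role"}),
    "SUPABASE_SERVICE_ROLE_KEY=" + _fake_jwt({"role": "service_role"}),  # server-only: fine
])

if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://metadata.internal/",
              "http://both.example/", "https://example.com/health"):
        print(f"{u:45} safe={ssrf_safe_url(u, fake_resolve)}")
    print("cors:", cors_misconfigured("https://evil.example", {
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true"}))
    print("leaked:", leaked_service_role_vars(SAMPLE_ENV_FILE))
```

The SSRF guard is deliberately strict: a hostname with one private answer among several is refused, an unresolvable or decimal-encoded host is refused, and the IP that passed the check is the one the fetch must use. The CORS check only fires on exact reflection with credentials, since browsers already reject `*` combined with credentials.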
The Wayback Machine Is Going Dark in 2026
241 news outlets now block the Internet Archive's crawlers. Reddit cut it off in August 2025. The New York Times added archive.org_bot to robots.txt at the end of 2025. Cloudflare blocks AI crawlers by default as of July 2025. Google Cache is gone. Bing Cache is gone. The open record of the web is narrowing fast, and that matters for journalists, OSINT operators, and bug bounty researchers who need archival evidence. Practical alternatives and a local-capture pipeline included.
Prompt Injection Attacks: The Complete Taxonomy for 2026
Prompt injection is the SQL injection of the LLM era. Direct, indirect, multimodal, stored, tool-chain, and training-time variants walked through with real incidents (Bing Chat, Slack AI, M365 Copilot), and the layered defenses that actually reduce risk. The reference a serious AI security program needs.
