Skip to content

Update ASI_Agentic_Exploits_Incidents.md #727

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Oct 3, 2025
Merged

Update ASI_Agentic_Exploits_Incidents.md #727

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
c853695
Update ASI_Agentic_Exploits_Incidents.md
almogbhl Sep 30, 2025
fb806d7
Update links
almogbhl Sep 30, 2025
0e750b6
adjust spaces, wording and dates
almogbhl Sep 30, 2025
9537b57
trim CVE
almogbhl Sep 30, 2025
61cf50f
naming
almogbhl Sep 30, 2025
464120b
added ForcedLeak
almogbhl Sep 30, 2025
dcc9ba1
Added Agentic AI and Visual Studio Code
almogbhl Oct 1, 2025
6886086
added postmark-mcp supply chain attack
almogbhl Oct 2, 2025
155adef
Merge remote-tracking branch 'upstream/main' into patch-1
almogbhl Oct 2, 2025
7217a39
added google gemini trifecta
almogbhl Oct 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 18 additions & 16 deletions ...y_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,21 +15,23 @@ Similarly, any aspects relating to incident response should be discussed with th

## Exploits & Incidents Table

| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis |
| Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis<br>(Vendor / CVE / Discoverer) |
|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | https://arxiv.org/abs/2509.10540 |
| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/ |
| **Hub MCP Prompt Injection (Cross-Context)** | *(details missing)* | *(unspecified)* | - |
| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | - |
| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | [-](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks/) |
| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | https://medium.com/@ismailkovvuru/the-amazon-q-vs-code-prompt-injection-explained-impact-and-learnings-for-devops-3a9d2f752dea |
| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | https://archive.ph/sknx5 |
| **ToolShell RCE via SharePoint – CVE-2025-53770 (Jul 2025)** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | - |
| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses/ |
| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | - |
| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | - |
| **Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | - |
| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | - |
| **ShadowLeak - Sept 2025 ** | Chains gmail and web search access with indirect prompt injection for ChatGPT Deep Research abuse | | *(unspecified)*| | https://www.radware.com/blog/threat-intelligence/shadowleak/ |

| **EchoLeak (Zero-Click Prompt Injection) – Jun 2025** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)<br> • [Aim Security](https://www.aim.security/post/echoleak-blogpost) |
| **GitPublic Issue Repo Hijack – May 2025** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) | • — <br> • —<br> • [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) |
| **Hub MCP Prompt Injection (Cross-Context) – Jun 2025** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation)<br> • ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)<br> • [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)|
| **Replit Vibe Coding Meltdown – Jul 2025** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases) <br> • — <br> • [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet) |
| **Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) | • — <br> • — <br> • [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) |
| **Amazon Q Prompt Poisoning – Jul 2025** | Destructive prompt in extension risked file wipes | T02 + T17 (Supply Chain) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-8217) <br> • — |
| **Google Gemini CLI File Loss – Jul 2025** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | T11 (Unexpected RCE) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586) <br> • — |
| **ToolShell RCE via SharePoint – Jul 2025** | RCE exploit in SharePoint leveraged by agents | T11 (Unexpected RCE) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) <br> • [Eye Security](https://research.eye.security/sharepoint-under-siege) |
| **AgentSmith Prompt-Hub Proxy Attack – Jul 2025** | Proxy prompt agent exfiltrated API keys | ASI17 (Supply Chain) | • — <br> • — <br> • [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)|
| **OpenAI ChatGPT Operator Vulnerability – Feb 2025** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | • —<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-7021)<br> • [Google](https://github.com/google/security-research/security/advisories/GHSA-mmgx-755h-wr74)|
| **Microsoft Copilot Studio Security Flaw – 2025** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | • —<br> • —<br> • [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)|
| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) <br> • [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) |
| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)|
**ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) |
**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• — |
**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft) |
| **Google Gemini Trifecta — Sep 2025** | Indirect prompt injection through logs, search history, and browsing context can trick Gemini into exposing sensitive data and carrying out unintended actions across connected Google services. | • ASI01 (Agent Behaviour Hijack) <br> • ASI02 (Tool Misuse & Exploitation)| • —<br> • —<br> • [Tenable](https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing) |
---