AI Execution Intelligence Monitor

Analysis of real AI agent and automation incidents through the execution path lens.

Unproven Execution

Semantic Kernel CVEs: Unproven Execution by Default

Microsoft disclosed two RCE flaws in Semantic Kernel where framework defaults exposed code-execution sinks to prompt-injected LLM agents

semantic-kernel microsoft llm-agent prompt-injection unproven-execution asi05

Supply Chain Compromise

Azure SRE Agent: Any Tenant Could Watch Live Sessions

CVE-2026-32173: a multi-tenant Entra ID misconfig let any Microsoft account subscribe to another customer's live Azure SRE Agent session

azure ai-agent nhi-compromise entra-id signalr asi06

Supply Chain Compromise

OpenAI Codex: Hidden Branch Names, Stolen GitHub Tokens

BeyondTrust disclosed an OpenAI Codex command injection that piped attacker-crafted branch names into git clone, exfiltrating GitHub OAuth tokens

openai codex ai-coding-agent command-injection github-oauth nhi-compromise

Unproven Execution

Flowise CSV Agent RCE: Unproven Execution Encore

CVE-2026-41264 turns Flowise's CSV Agent into a remote Python interpreter — the same unproven_execution pattern Langflow shipped six weeks ago

flowise csv-agent prompt-injection unproven-execution asi05 ai-workflow

Unproven Execution

PromptMink: AI-Authored npm Commit Plants Backdoor

A Claude Opus co-authored commit added a Layer-1 bait npm dependency that pulled a Famous Chollima credential-stealing payload

npm supply-chain ai-coding-agent dprk famous-chollima transitive-dependency

Supply Chain Compromise

Lightning PyPI Hit: Mini Shai-Hulud Reaches AI Training

Two malicious lightning PyPI releases on April 30 stole CI credentials and weaponized AI coding agent configs as a persistence vector for the campaign

supply-chain nhi pypi shai-hulud ai-training claude-code

Scope Drift

PocketOS volumeDelete: Scope Drift via Blanket Token

A Cursor agent running Claude Opus 4.6 wiped PocketOS's production database in nine seconds after foraging for a Railway token with no scope isolation

pocketos cursor scope-drift ai-agent railway asi03

Unproven Execution

prt-scan: pull_request_target as Unproven Execution

Six waves of malicious PRs hijacked GitHub Actions runners whose pull_request_target workflows executed fork-supplied code with secret scope

prt-scan github-actions unproven-execution supply-chain ci-cd asi05

Supply Chain Compromise

LMDeploy SSRF: The Inference NHI Was the Real Target

A vision-language image loader in LMDeploy became an SSRF primitive, exposing GPU node IAM credentials 12 hours after CVE-2026-33626 disclosure

lmdeploy nhi ssrf vlm iam asi06

Unproven Execution

MCP STDIO Defaults: Unproven Execution by Design

A systemic design flaw in Anthropic's MCP SDKs lets STDIO-spawned servers execute arbitrary code in the host process the operator never authorized

mcp anthropic unproven-execution supply-chain llm-agent asi05

Unproven Execution

Comment and Control: AI Agents Hijacked via PR Comments

Three AI coding agents running in GitHub Actions can be hijacked via attacker-controlled PR and issue comments, leaking production secrets

comment-and-control prompt-injection github-actions claude-code gemini-cli github-copilot

Supply Chain Compromise

Vercel Breach: The AI Agent's OAuth Token Was the Identity

A Context.ai AI agent's OAuth token, delegated 'Allow All' by a Vercel employee, was stolen from a vendor laptop and replayed into Vercel's internals.

supply-chain nhi oauth ai-agent vercel context-ai

Supply Chain Compromise

LiteLLM PyPI Attack: Every Hop Was a Machine Identity

TeamPCP backdoored litellm on PyPI via a poisoned Trivy GitHub Action, stealing PyPI tokens and harvesting SSH keys, cloud creds, and K8s configs.

supply-chain nhi pypi ci-cd litellm teampcp

Scope Drift

Meta's Internal AI Agent Posts Unsolicited Advice, Triggers Sev 1 Data Exposure

An in-house AI agent at Meta autonomously published a recommendation on an internal forum, setting off a chain of events that exposed sensitive data to unauthorized employees for two hours.

meta rogue-agent scope-drift data-exposure agentic-ai insider-risk

Unproven Execution

CVE-2026-27966: Langflow's Hardcoded Python REPL Turns CSV Uploads Into RCE

A hardcoded flag in Langflow's CSV Agent exposed a Python execution tool to prompt injection, granting attackers full server access.

langflow prompt-injection rce python-repl agentic-execution