• #20: One Word: Additionally
    Jul 13 2026
    Top Story: One Word Beat GitHub's Guardrail — An attacker doesn't need an account, a password, or a single line of malicious code. China flags a Claude Code "backdoor." — On July 8, China's national vulnerability database (run by the MIIT) warned that Anthropic's Claude Code versions 2.1.91 through 2.1.196 transmitted users' location and identity data back to Anthropic's servers, and urged users to uninstall or upgrade. CISA reportedly turns Mythos on its own code. — Reuters reports (sourced, not officially confirmed) that CISA's Attack Surface Evaluation team is running Anthropic's Mythos model against federal code repositories to find vulnerabilities before adversaries do, and that the audits have already surfaced previously unknown flaws. Prompt injection gets a kill chain. — A new paper, The Promptware Kill Chain, co-authored by Bruce Schneier and Ben Nassi, maps how a single hidden instruction escalates through seven stages, from initial access to lateral movement to acting on its goal, borrowing the language security teams already use to describe malware campaigns. ModelScope agent flaw, still no patch (CVE-2026-2256). — The open-source AI-agent framework can be tricked into running arbitrary system commands through its Shell tool, and there's still no vendor patch. Curator's Corner: You Can't Lower the Odds Anymore. Lower the Blast Radius. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-07-13.html
    Show More Show Less
    11 mins
  • #19: Every Input Is a Potential Instruction
    Jul 6 2026
    Top Story: Anthropic Put Its Strongest Model Back Online. First It Had to Add a New Lock. — Three weeks ago, the US government took a commercial AI offline by order. Opening a repo with your AI assistant can hand your machine to a stranger. — Researchers at Mozilla's 0DIN group showed a clean-looking code project that compromises a developer's computer with no malicious code anywhere in it. A platform behind a million AI apps could let one customer's data leak to another. — Security firm Zafran found four flaws in Dify, a popular open-source tool for building AI apps, that let a low-privileged user cross the wall between tenants: silently reroute another company's AI conversations to a server they control, and read other tenants' uploaded documents by guessing a file's ID. Curator's Corner: Every Input Is a Potential Instruction Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-07-06.html
    Show More Show Less
    12 mins
  • #18: The Level Playing Field Is Ending
    Jun 29 2026
    Top Story: OpenAI Built Its Strongest Model Yet. Then Handed the Guest List to Washington — On Friday, June 26, OpenAI announced three new frontier models — Sol, its self-described "strongest model yet," plus Terra for everyday work and Luna as a cheaper option — and in the same breath said most people can't have them yet. The free, downloadable models are catching the paid frontier — fastest they ever have. — On the independent Artificial Analysis Intelligence Index, the leading open-weight model (Moonshot's Kimi K2.6) now ranks fourth overall and first among open models, about six points behind the top closed models from Anthropic, OpenAI, and Google — narrowing, but not matching them, and still clearly behind on the hardest tasks. Most companies deploying AI agents can't yet secure them — and some already got burned. — In a survey of 160+ security leaders, 72% said they're rolling out AI agents but only 29% have comprehensive controls for them, and about 1 in 5 has already had a security incident traced to an agent. Dream — $260M at a $3B valuation, to sell countries "sovereign AI." — Founded by ex-NSO Group CEO Shalev Hulio and former Austrian Chancellor Sebastian Kurz, Dream pitches governments on AI infrastructure they fully own and control rather than rent from foreign providers. NewCore — $66M seed at a $300M valuation, to give AI agents real identities. — Emerging from stealth, the startup (led by Dome9 founder Zohar Alon) treats AI agents as first-class members of the workforce that need managed identities and permissions, the way employees do. Curator's Corner: The Level Playing Field Is Ending Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-29.html
    Show More Show Less
    13 mins
  • #17: The Autonomous Adversary
    Jun 22 2026
    Top Story: LiteLLM, Hit Again. This Time the Whole Gateway Falls — An AI "gateway" is the traffic controller that sits between your applications and the models they call. ⚔️ Attack: SearchLeak. One booby-trapped link could have turned Microsoft 365 Copilot into a silent data thief. Microsoft has already fixed it. — Varonis demonstrated the chain (they did not find it used in the wild): a crafted, Microsoft-hosted search link carried hidden instructions that Copilot read and obeyed, then quietly exfiltrated whatever the victim could access: emails, files, calendar. 🔬 Research: a guard for AI agents cut attack success from 7-in-10 to about 1-in-40. — A new study (AgentRedBench / AgentRedGuard) built a way to stress-test agents that plug into business tools (email, CRM, ticketing) by hiding malicious instructions in the data those tools return, then measured how often the agent got hijacked. 🛡️ Defense: Microsoft says it's now using a team of AI agents to hunt security bugs in its own software at machine speed, and credits them with 10 of this month's fixes. — In a public write-up, Microsoft described an internal system (codename MDASH) that turns a panel of specialized AI agents loose on its hardest-to-review code (the core of Windows, its virtualization layer, and its identity systems) to find, confirm, and help patch flaws, feeding the results into the same code-review and patching pipelines its engineers already use. Curator's Corner: The Autonomous Adversary Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-22.html
    Show More Show Less
    12 mins
  • #16: Assume the Model Is Already Breached
    Jun 15 2026
    Top Story: A Directive at 5:21 PM, Two Frontier Models Gone by Morning — For the first time anyone can easily point to, the US government used export controls — the tool that governs missiles and advanced chips — to pull a deployed, commercial AI model off the market. The "Are you sure?" box in your AI coding assistant can lie about what you're approving. — Researchers at Adversa AI disclosed two flaws affecting popular AI coding tools. An attacker can turn a tool your AI agent trusts into a remote-control channel — without ever touching your infrastructure. — Tenet Security disclosed Agentjacking, an attack that abuses the connection between AI coding agents and Sentry, a popular error-monitoring service. Two new papers make the uncomfortable case that the model layer is the wrong place to fix this. — One, recasting prompt injection through "Contextual Integrity" theory, argues for an impossibility-style limit: a model may never be able to reliably separate the instructions it should trust from the hostile text it reads. OWASP turns that thesis into a to-do list — and treats agent risk as something already in production, not a forecast. — Its updated "State of Agentic AI Security and Governance" starts from the assumption that the model can be fooled, then tells teams to spend their effort on the controls around it: watch what each agent actually does at runtime, give it its own identity and the narrowest possible permissions, and wire in a circuit-breaker that can cut a misbehaving agent off mid-action. A public threat-landscape roundup grounds all of that theory in May's real attacks. — Microsoft Security Research's May 2026 threat-landscape roundup (Tanmay Ganacharya) distills a month of public findings into three dominant patterns: software supply-chain compromise (poisoned and typo-squatted npm packages, plus hijacked maintainer accounts, planting code that steals build-pipeline and cloud credentials), identity-driven cloud intrusion (one stolen identity — abused through password-reset social engineering — cascading into a cloud-wide Microsoft 365/Azure breach, an actor Microsoft tracks as Storm-2949, alongside adversary-in-the-middle phishing and a macOS infostealer wave), and direct attacks on AI agent software (publicly exposed AI apps left unauthenticated, and remote-code-execution flaws in agent frameworks). Curator's Corner: The Wall Faces the Wrong Way Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-15.html
    Show More Show Less
    12 mins
  • #15: Jailbreak Protection Isn't Enough
    Jun 8 2026
    Top Story: Catching the Attack Isn't Enough Anymore — For two years, the standard defense against prompt injection — hiding malicious instructions in something an AI reads, so it mistakes them for orders — has leaned on a single hope: make the model smart enough to notice. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-08.html
    Show More Show Less
    12 mins
  • #14: Hidden in White
    Jun 1 2026
    Top Story: Prompt Injection Goes Operational — For two years, prompt injection has mostly been a lab demo. ModelScope MS-Agent: a max-severity hole with no fix (CVE-2026-2256). — A command-injection flaw in Alibaba's widely used MS-Agent toolkit lets an attacker run arbitrary commands on the host running the agent (CVSS 9.8). LMDeploy: 13 hours from disclosure to exploitation (CVE-2026-33626). — Earlier this spring, a server-side request forgery flaw in the LMDeploy serving framework — think of it as tricking the server into making requests on the attacker's behalf — went from public advisory to active exploitation in roughly 13 hours, faster than any human patch cycle. CrewAI: four flaws in one agent framework. — The CrewAI orchestration framework picked up four separate vulnerabilities this spring (CVE-2026-2275, -2285, -2286, -2287), catalogued together by CERT/CC (VU#221883). Snowflake buys Natoma to govern what AI agents can touch. — Snowflake (NYSE: SNOW) signed a definitive agreement on May 27 to acquire Natoma, an enterprise platform that secures how AI agents connect to corporate systems through the Model Context Protocol (MCP) — the emerging standard for plugging agents into tools and data. CodeIntegrity raises $5M to put guardrails around agents at runtime. — The seed round (led by Syn Ventures, with Antler and Boost VC) backs a "deterministic control layer" for LLM agents — the idea that because agents behave unpredictably, you wrap them in enforceable, rule-based limits on what they're allowed to do in the moment. EU AI Act: deepfake-labeling rules approach their deadline. — The Act's Article 50 transparency obligations require that AI-generated and manipulated content be labeled or watermarked, with an enforcement window in August 2026. Pentagon formalizes its split with Anthropic. — After designating Anthropic a supply-chain risk in March, the Department of Defense moved in May to source frontier AI from other vendors. Anthropic's vulnerability-hunting AI is finding flaws faster than anyone can patch. — One month into Project Glasswing, Anthropic and roughly 50 partners say its restricted "Mythos" model has uncovered more than 10,000 high- or critical-severity vulnerabilities in the open-source software that underpins the internet — Cloudflare alone found 2,000 bugs, Mozilla fixed 271 in Firefox (about 10× its prior rate), and the UK's AI Security Institute called it the first model to clear both of its multi-step attack simulations end to end. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-01.html
    Show More Show Less
    13 mins
  • #13: The zero-day you can't patch
    May 25 2026
    Top Story: The Week Trust Broke Twice — Two stories landed in the same 72 hours that belong in the same frame. NVIDIA NemoClaw sandbox bypass (CVE-2026-24222). — Lasso Security demonstrated that AI agents running inside NVIDIA's NemoClaw/OpenShell sandbox can exfiltrate sensitive data through tools the sandbox explicitly allows. vm2 sandbox escape wave: 13 CVEs, CVSS 9.0–10.0. — Between May 4 and May 7, researchers disclosed 13 sandbox escape vulnerabilities in vm2, the popular Node.js library used to isolate untrusted JavaScript. Cisco: "Reading Between the Pixels" (multimodal prompt injection). — Cisco's AI research team published Part 2 of their VLM safety research, demonstrating that small pixel-level perturbations (bounded at 12.5%) can bypass safety filters in vision-language models. UK ICO: AI security is now a GDPR Article 32 duty. — The Information Commissioner's Office published a five-step guide declaring that AI-powered attacks (prompt injection, AI-enhanced phishing, deepfake social engineering, automated vulnerability exploitation) must be treated as present-day threats under GDPR's "appropriate technical and organizational measures" requirement. Verizon DBIR 2026: vulnerability exploitation overtakes stolen credentials. — For the first time, vulnerability exploitation is the #1 initial breach vector at 31%, surpassing stolen credentials which fell to 13%. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-05-25.html
    Show More Show Less
    13 mins