CISO Daily Briefing
Cloud Security Alliance Intelligence Report — Decision-Oriented Edition
1. Executive Summary
The past 48 hours mark a qualitative inflection point for AI-related security risk. Three distinct attack classes targeting AI development infrastructure were disclosed or confirmed in a single 24-hour window on June 11–12, 2026 — the first coordinated wave of production-grade exploits against AI toolchains. The most urgent is Agentjacking, a structural attack that hijacks AI coding agents (Claude Code, Cursor) through injected Sentry error events and executes attacker-controlled code in trusted agent sessions. Sentry has declared the flaw architecturally indefensible; no patch will be issued.
Separately, a supply chain attack compromised over 400 Arch Linux (AUR) packages with a credential stealer and eBPF rootkit, targeting developer secrets including API keys, cloud tokens, and Git credentials. A third disclosure — a patched but slow-to-adopt RCE chain in LangGraph — enables remote code execution against self-hosted AI agent deployments. On the governance side, NIST published a mathematical proof that static AI safety guardrails are provably insufficient, with direct implications for EU AI Act and AI RMF compliance programs. Strategically, Anthropic disclosed internal data showing 8× code acceleration driven by Claude, a signal that threat actor capabilities face the same acceleration curve.
| Priority | Issue | Why It Matters | Recommended Action | Escalation? |
|---|---|---|---|---|
| Critical | Agentjacking via Sentry MCP — no patch available | AI coding agents execute attacker instructions from poisoned error events; bypasses all conventional controls | Audit & restrict Sentry MCP connections today | Yes if widely deployed |
| Critical | AUR supply chain: 400+ packages, credential stealer + eBPF rootkit | Developer secrets (API keys, tokens, SSH, Git) exfiltrated; rootkit hides itself from standard tools | Audit Arch Linux usage in developer environments today | Yes if developer machines confirmed affected |
| High | LangGraph RCE chain — patched but slow adoption expected | SQL injection + deserialization chain enables RCE on self-hosted AI agent deployments with 50M+ monthly downloads | Identify and patch LangGraph deployments within 48 hours | Yes if self-hosted LangGraph confirmed |
| High | NIST proof: static AI guardrails are mathematically insufficient | Directly affects AI RMF compliance evidence and EU AI Act Article 9 risk management obligations | Initiate review of AI governance control designs this week | Yes for regulated industries |
| High | RSI inflection: Anthropic 8× code acceleration signal | Suggests threat actors with comparable AI face same acceleration; conventional threat projection models are underestimating forward risk | Brief security leadership; update threat horizon planning | Board / Risk Committee |
2. Overall Risk Posture
Rationale: Two critical-urgency disclosures (Agentjacking, AUR supply chain) directly targeting AI developer infrastructure, one unpatched structural vulnerability, and an active wave of developer credential theft collectively elevate near-term risk for organizations with AI development pipelines.
Key Drivers: First production-grade attack class against AI coding agent trust chains; supply chain compromise targeting developer secrets; LangGraph RCE with slow patch adoption expected; NIST formally invalidating static AI safety controls.
Change Since Yesterday: Worsened. The Agentjacking and AUR disclosures on June 11–12 represent a qualitative step change from research-grade to operational attack tooling against AI development infrastructure.
Executive Posture: Validate exposure to Agentjacking and AUR compromise within 24 hours. No broad incident response activation unless internal exposure is confirmed, but security teams should treat both as active until ruled out.
3. Top Priority Items
Agentjacking — AI Coding Agents Compromised via Sentry MCP Server Injection
AUR Supply Chain Compromise — 400+ Packages, eBPF Rootkit, Developer Credential Theft
ps/netstat are insufficient if rootkit is present). Rotate all developer credentials (cloud tokens, API keys, SSH keys, Git tokens) as a precaution on affected machines. Restrict AUR usage to curated/vetted package lists or migrate to enterprise Linux distributions for developer machines.
LangGraph RCE Chain — SQL Injection + Deserialization Enabling Remote Code Execution
get_state_history() endpoint with user-controlled filter parameters as a compensating control. Add LangGraph version monitoring to vulnerability management program.
NIST Mathematical Proof: Static AI Guardrails Are Provably Insufficient
RSI Inflection Signal: Anthropic's 8× Acceleration — Threat Horizon Implications
4. Vulnerability and Exposure Intelligence
Structural / No Patch: Agentjacking via Sentry MCP Server
Disclosure: June 12, 2026 — Tenet Security / The Hacker News
Status: Sentry has confirmed the architectural flaw is indefensible. No CVE issued; no patch planned. The attack surface is any AI coding agent (Claude Code, Cursor) connected to the Sentry MCP server in an environment where Sentry receives attacker-influenced error events.
Compensating Controls: Disable Sentry MCP connections for AI coding agents; implement agent action confirmation requirements; audit CI/CD pipelines for Sentry webhook exposure.
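The first compensating control above (and the 24-hour audit action later in this briefing) starts with finding every agent configuration that points at a Sentry MCP server. The script below is an added example written for this briefing, not code from Sentry, Anthropic or Cursor; it assumes the common JSON layout with a top-level `mcpServers` object whose entries carry `command`/`args` (stdio servers) or `url` (remote servers), and leaves the config file locations to the operator because each agent stores them differently.

```python
"""Audit MCP client configurations for Sentry MCP server connections.

Added example for the Agentjacking compensating controls. Assumption: agent
configs use a top-level "mcpServers" object; file paths are supplied by the
operator (each coding agent keeps its MCP config in its own location).
"""
import json
import re
from pathlib import Path
from typing import Iterable

# Any server name, package, host or command that mentions sentry is treated
# as a Sentry integration that needs review. Case-insensitive.
SENTRY_PATTERN = re.compile(r"sentry", re.IGNORECASE)


def find_sentry_mcp_servers(config: dict) -> list[dict]:
    """Return one finding per MCP server entry that points at Sentry.

    Each finding records the server name and which fields matched, so the
    reviewer can judge whether the integration is business-critical.
    """
    findings = []
    servers = config.get("mcpServers", {})
    if not isinstance(servers, dict):
        return findings
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            continue
        # Collect every string the entry could use to reach a server.
        candidates = {"name": name}
        for key in ("command", "url"):
            if isinstance(entry.get(key), str):
                candidates[key] = entry[key]
        args = entry.get("args", [])
        if isinstance(args, list):
            candidates["args"] = " ".join(str(a) for a in args)
        matched = [k for k, v in candidates.items() if SENTRY_PATTERN.search(v)]
        if matched:
            findings.append({"server": name, "matched_fields": matched})
    return findings


def audit_config_files(paths: Iterable) -> dict[str, list[dict]]:
    """Parse each config file and map its path to its Sentry findings.

    Unreadable or malformed files are listed under "errors" so that a silent
    parse failure cannot pass as a clean result.
    """
    report: dict[str, list[dict]] = {"errors": []}
    for path in paths:
        try:
            config = json.loads(Path(path).read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError) as exc:
            report["errors"].append({"path": str(path), "error": str(exc)})
            continue
        report[str(path)] = find_sentry_mcp_servers(config)
    return report


# Constructed sample configuration: one Sentry stdio server, one Sentry
# remote server, and one unrelated server. Package and host names are
# placeholders, not real identifiers.
SAMPLE_CONFIG = {
    "mcpServers": {
        "sentry": {"command": "npx", "args": ["-y", "sentry-mcp"]},
        "error-tracker": {"url": "https://mcp.sentry.example/mcp"},
        "filesystem": {"command": "npx", "args": ["-y", "mcp-filesystem"]},
    }
}

if __name__ == "__main__":
    for finding in find_sentry_mcp_servers(SAMPLE_CONFIG):
        print(f"Sentry MCP server found: {finding}")
```

Run it against the real config paths on each developer machine; a non-empty finding list is the trigger for the revoke-or-justify decision in the action table.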
CVE-2025-67644 / CVE-2026-28277: LangGraph RCE Chain
Severity: CVSS 7.3 / 6.8 (chain enables RCE) — Check Point Research
Status: Patches available in latest LangGraph release. Active patch adoption expected to be slow for self-hosted open-source deployments. No confirmed active exploitation at time of writing.
Attack Path: User-controlled filters to get_state_history() → SQL injection → msgpack deserialization → RCE on application server.
Prioritization: High for organizations with self-hosted LangGraph in production AI agent deployments. Lower for LangChain Cloud customers (separate assessment required).
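The first link of the attack path above is user-controlled filter parameters reaching SQL. The snippet below is an added, constructed model of that vulnerability class beside its hardened form; it is not LangGraph's code, and the table layout, column names and filter format are assumptions made so it runs stand-alone on sqlite3.

```python
"""Vulnerable versus hardened handling of user-controlled history filters.

Added example modelling the SQL-injection link of the reported LangGraph
chain. Not LangGraph's code: the checkpoint table, its columns and the
filter dict shape are assumptions for a self-contained demonstration.
"""
import sqlite3

# Hardened form only accepts filter columns from a fixed allowlist.
ALLOWED_FILTER_COLUMNS = {"thread_id", "checkpoint_ns", "source"}


def build_db() -> sqlite3.Connection:
    """Create an in-memory checkpoint table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints "
        "(thread_id TEXT, checkpoint_ns TEXT, source TEXT, blob TEXT)"
    )
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
        [
            ("t1", "", "loop", "state-of-t1"),
            ("t2", "", "loop", "state-of-t2"),
            ("t3", "", "input", "state-of-t3"),
        ],
    )
    return conn


def history_vulnerable(conn: sqlite3.Connection, filters: dict) -> list[str]:
    """The defect: filter keys and values are interpolated straight into SQL.

    A value containing a quote breaks out of the string literal and changes
    the WHERE clause, so a caller can read rows belonging to other threads.
    """
    sql = "SELECT blob FROM checkpoints"
    if filters:
        where = " AND ".join(f"{k} = '{v}'" for k, v in filters.items())
        sql += f" WHERE {where}"
    return [row[0] for row in conn.execute(sql)]


def history_hardened(conn: sqlite3.Connection, filters: dict) -> list[str]:
    """Allowlist the column names and bind the values as parameters.

    Column names cannot be bound as parameters, so they are validated
    against a fixed set; values never touch the SQL text.
    """
    for key in filters:
        if key not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unsupported filter column: {key!r}")
    sql = "SELECT blob FROM checkpoints"
    params: tuple = ()
    if filters:
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in filters)
        params = tuple(str(v) for v in filters.values())
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_db()
    tainted = {"thread_id": "x' OR '1'='1"}
    print("vulnerable:", history_vulnerable(db, tainted))  # every row
    print("hardened:  ", history_hardened(db, tainted))    # no rows
```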
Supply Chain: AUR Package Compromise — 400+ Packages
Disclosure: June 11–12, 2026 — BleepingComputer / Arch Linux Official
Status: Active incident. Arch Linux team has issued an advisory. Packages identified include widely-used developer tools. eBPF rootkit persistence makes post-compromise detection non-trivial with standard tooling.
Scope: Rust credential stealer targeting API keys, cloud tokens, SSH credentials, Git tokens. eBPF rootkit on root-privileged installs hides own processes and socket connections.
Prioritization: Critical for organizations with Arch Linux developer endpoints. Standard antivirus and process-listing tools are insufficient for detection after rootkit installation.
5. Threat Landscape Changes
AI Development Infrastructure Enters the Active Attack Surface
The June 11–12 disclosure cluster represents the first coordinated wave of production-grade exploits against AI development infrastructure. Prior AI security disclosures were predominantly research demonstrations (prompt injection proofs-of-concept, adversarial examples). These three events — Agentjacking, LangGraph RCE, AUR credential stealer — are operational attacks against real deployed systems.
The common thread is developer toolchain targeting: attackers are focusing on the machines, credentials, and agentic workflows that build and deploy AI systems, rather than the AI models themselves. This is a rational attacker choice: developer machines carry high-value credentials with broad access, and AI coding agents operate with elevated trust and reduced human oversight.
Supply Chain Attacks Evolving: Community Package Repositories as Attack Vector
The AUR compromise demonstrates that threat actors are actively targeting community-maintained Linux package repositories as supply chain entry points. Unlike curated repositories (apt, yum, brew), AUR relies on community trust and git history integrity rather than cryptographic package signing by verified maintainers. Package name squatting on abandoned packages is an established technique now being used at scale against developer tooling.
The addition of eBPF rootkit persistence to a supply chain payload represents a significant capability escalation. Previous supply chain attacks typically deployed conventional malware detectable by endpoint tools; eBPF rootkits operate at kernel level and specifically evade standard detection mechanisms.
MCP Server Trust Chains as a New Persistent Attack Vector
Agentjacking establishes a new persistent attack class: poisoning MCP server data sources (error trackers, ticketing systems, log aggregators) to inject malicious instructions into AI agent workflows. This is not a transient exploit — it is a structural property of any architecture where AI agents autonomously process data from external sources via MCP servers without human confirmation. Organizations that deploy MCP-connected AI coding agents should expect this attack class to be extended to other MCP data sources (Jira, GitHub Issues, Datadog, PagerDuty) in the near term.
6. Cloud, SaaS, Identity, and NHI Risk
Elevated NHI (Non-Human Identity) Risk from Developer Credential Theft
Both the Agentjacking and AUR supply chain attacks specifically target non-human identities: API keys, cloud provider tokens, service account credentials, and Git tokens stored in developer environments. These credentials typically carry production-level access and are harder to rotate than human passwords because they are embedded in CI/CD pipelines, deployment scripts, and automated workflows. A successful attack against a developer machine now represents a potential non-human identity compromise with blast radius far beyond the individual endpoint.
- Agentjacking exfiltrates environment variables and API keys from AI agent sessions
- AUR credential stealer specifically targets cloud tokens (AWS, GCP, Azure) and SSH/Git credentials
- Organizations should treat developer endpoints as high-value NHI stores requiring privileged access management controls
AI Coding Agent Sessions as Privileged Access Contexts
AI coding agents (Claude Code, Cursor, Copilot Workspace) operate with access to developer credentials, file systems, and execution environments. Agentjacking demonstrates that these agent sessions are now a primary attack target rather than an incidental risk. Organizations should apply privileged access management principles to AI coding agent sessions: least-privilege credential scoping, session monitoring, action confirmation requirements for sensitive operations, and isolation between agent contexts and production credential stores.
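The "action confirmation requirements for sensitive operations" control described above (and listed as a critical 24-hour action in this briefing) can be expressed as a policy check that runs before the agent executes a tool call. The gate below is an added example written for this briefing, not any vendor's feature; the tool names, argument shape and sensitive-path list are assumptions chosen for illustration.

```python
"""Human-confirmation gate for AI coding agent tool calls.

Added example of an action confirmation control. Assumptions: the agent
presents each proposed action as a tool name plus an argument dict; tool
names and the sensitive-path list below are illustrative, not any
vendor's API.
"""
import re
from dataclasses import dataclass, field

# File locations that commonly hold developer-held NHI credentials.
SENSITIVE_PATHS = (".env", ".aws/credentials", ".ssh/", ".git-credentials",
                   ".npmrc", ".pypirc", ".netrc")
# Environment variable names that usually carry secrets or tokens.
SECRET_ENV_RE = re.compile(r"(TOKEN|SECRET|KEY|PASSWORD|CREDENTIAL)", re.I)
# Shell fragments that dump the environment or expand a secret variable.
ENV_DUMP_RE = re.compile(r"\b(env|printenv)\b|\$\{?[A-Z_]*(TOKEN|SECRET|KEY)", re.I)
# Tools that send data off the machine; secret-shaped arguments are gated.
NETWORK_TOOLS = {"http_request", "curl", "upload"}
SECRET_VALUE_RE = re.compile(
    r"\b(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{20,}|sk-[A-Za-z0-9]{20,})\b"
)


@dataclass
class AgentAction:
    tool: str
    args: dict = field(default_factory=dict)


def requires_confirmation(action: AgentAction) -> tuple[bool, str]:
    """Decide whether a human must approve the action before it runs.

    Returns (True, reason) when the action reads or writes credential files,
    reads or rewrites secret-bearing environment variables, runs a shell
    command that dumps the environment, or passes a secret-shaped value to a
    network tool. Everything else returns (False, "") and may proceed.
    """
    args_text = " ".join(str(v) for v in action.args.values())

    if action.tool in {"read_file", "write_file", "edit_file"}:
        path = str(action.args.get("path", ""))
        if any(marker in path for marker in SENSITIVE_PATHS):
            return True, f"{action.tool} touches credential file {path}"

    if action.tool in {"get_env", "set_env"}:
        name = str(action.args.get("name", ""))
        if SECRET_ENV_RE.search(name):
            return True, f"{action.tool} on secret-bearing variable {name}"

    if action.tool in {"bash", "shell", "run_command"}:
        if ENV_DUMP_RE.search(args_text):
            return True, "shell command reads environment or secret variables"
        if any(marker in args_text for marker in SENSITIVE_PATHS):
            return True, "shell command references a credential file"

    if action.tool in NETWORK_TOOLS and SECRET_VALUE_RE.search(args_text):
        return True, "outbound request carries a secret-shaped value"

    return False, ""


if __name__ == "__main__":
    # Constructed sample actions: an ordinary edit and a credential read.
    for act in (AgentAction("edit_file", {"path": "src/app.py"}),
                AgentAction("read_file", {"path": "~/.aws/credentials"})):
        print(act.tool, requires_confirmation(act))
```

The gate errs toward asking: false positives cost a click, while a missed credential read is the Agentjacking outcome this control exists to stop.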
7. AI, Automation, and Agentic Risk
Agentjacking: The First Weaponized MCP Prompt Injection Attack
Agentjacking is the first publicly documented case of a weaponized, operational prompt injection attack delivered through an MCP server integration. Unlike prior prompt injection demonstrations (adversarial documents, crafted web pages), this attack uses a legitimate, high-trust data source — a Sentry error event — as the injection carrier. The AI agent processes the Sentry event as a trusted remediation task and executes the embedded instructions without triggering conventional security controls.
The CSA AI Safety Initiative has covered prompt injection and MCP protocol risks at the architectural level. Agentjacking is the first concrete operational instance that maps those abstract risks to a specific, reproducible attack path with confirmed business impact. CISOs should treat this as the proof-of-concept event that validates the MCP trust model risk thesis.
LangGraph: Production AI Agent Frameworks Now Have Weaponizable CVEs
The LangGraph RCE chain (CVE-2025-67644, CVE-2026-28277) marks a maturation of AI framework security: production-grade AI agent orchestration systems now have catalogued, weaponizable vulnerabilities with published exploit chains. This is the expected progression as AI frameworks move from research tools to enterprise production infrastructure — the same vulnerability discovery lifecycle that affected enterprise middleware, web frameworks, and container runtimes is now applying to AI agent frameworks.
RSI Acceleration: Modeling the Threat Horizon
Anthropic’s internal productivity data (8× code acceleration, 80%+ AI-authored merges) is the most direct empirical evidence to date of the AI productivity multiplier operating at scale inside a frontier AI lab. The security implication is not that Anthropic itself represents a threat, but that threat actors with access to comparable AI capability — including nation-state actors, well-resourced criminal organizations, and other AI labs in less regulated environments — face the same productivity multiplier for offensive capability development. Security investment timelines, vulnerability window assumptions, and detection response requirements should all be revisited in light of this data.
8. Third-Party, Supplier, and Ecosystem Risk
Sentry: Structural Security Limitation Declared by Vendor
Sentry’s confirmation that the Agentjacking vulnerability is “technically not defensible” represents an unusual category of third-party risk: a major monitoring platform vendor acknowledging a structural limitation that creates permanent downstream exposure for customers using AI agent integrations. Unlike a patchable CVE, this requires architectural changes in how customers configure AI agent access to Sentry. Organizations should reassess Sentry’s role in AI coding agent workflows and either eliminate the MCP integration or implement explicit compensating controls.
LangChain Ecosystem: OSS AI Framework Vulnerability Management Gap
LangGraph’s 50+ million monthly downloads and the availability of a published RCE exploit chain before many deployments are patched illustrate a systemic gap in open-source AI framework vulnerability management. Unlike commercial software with mandatory security advisory distribution, open-source framework updates require organizations to actively monitor changelogs, CVE databases, and security researcher outputs. Organizations using LangGraph, LangChain, or similar open-source AI frameworks should add these to their software composition analysis and vulnerability management programs immediately.
Community Package Repository Trust Model at Scale
The AUR compromise affects a repository model that is present across multiple Linux distributions: AUR (Arch), COPR (Fedora), PPAs (Ubuntu), and comparable community-maintained ecosystems. While Arch Linux is less common in enterprise production environments than RHEL or Ubuntu, it is frequently used by technical and AI/ML developer teams who may be running it on personal development machines that also carry enterprise credentials. The eBPF rootkit technique is portable beyond AUR to any package manager that executes build scripts with elevated privileges.
9. Regulatory, Legal, and Policy Developments
NIST Formal Proof: Implications for AI RMF and EU AI Act Compliance
The NIST finding that static AI guardrails are provably insufficient has three immediate compliance implications:
- EU AI Act Article 9: Risk management systems designed around static technical safeguards may need to be re-scoped to demonstrate continuous monitoring and adaptation capabilities
- NIST AI RMF: Organizations implementing the MAP, MEASURE, and MANAGE functions based on static guardrail inventories should assess whether their evidence structures satisfy NIST’s evolving guidance
- ISO 42001: Annex A control categories for AI system security may require supplementary continuous-monitoring controls rather than reliance on configuration-time guardrail deployment
For regulated industries (financial services, healthcare, critical infrastructure), this finding may trigger pre-emptive regulator inquiries about AI safety control adequacy. Legal and compliance teams should be briefed this week.
Fable 5 / Mythos 5 Export Control Order — Continuing Coverage
The BleepingComputer and The Hacker News stories from June 13 confirm ongoing coverage of the U.S. government’s suspension of foreign national access to Fable 5 and Mythos 5 models. CSA has now published a neutral, source-rated analysis of what is currently known — The Fable 5 / Mythos 5 Export-Control Action — which separates established fact from contested claims and reaches no verdict. No new regulatory action warranting immediate attention has been reported. Monitor for formal rulemaking or expansion to other frontier AI vendors.
10. Sector and Peer Intelligence
Technology, AI-First, and Developer-Heavy Organizations at Highest Exposure
This briefing cycle’s disclosures disproportionately affect organizations with active AI development pipelines, developer-heavy workforces, and production AI agent deployments. Cloud-native technology companies, fintech, AI product companies, and research organizations that use AI coding agents as part of their standard developer workflow are the primary risk cohort for Agentjacking and AUR. LangGraph RCE most directly affects organizations that have deployed self-hosted multi-agent systems — increasingly common in enterprise automation and data pipeline contexts.
Oracle PeopleSoft and China-Nexus APT Activity
Two significant but separately categorized events were active this cycle: a CVSS 9.8 RCE in Oracle PeopleSoft (CVE-2026-35273, attributed to ShinyHunters, targeting universities) and confirmed China-Nexus Velvet Ant activity deploying PAM/OpenSSH backdoors for decade-long persistence. Both represent active threats to organizations in their respective sectors (higher education for PeopleSoft; government, defense, and critical infrastructure for Velvet Ant). Neither introduces novel attack techniques relative to the CSA corpus, but affected sector peers should validate exposure this week.
11. Geopolitical and Macroeconomic Cyber Risk
AI Capability Acceleration as a Geopolitical Multiplier
The RSI inflection signal from Anthropic has geopolitical implications beyond the immediate enterprise context. Nation-state actors with frontier AI access — including those operating without Western AI governance constraints — face the same productivity multiplier for offensive cyber capability development. The same-day zero-day exploitation patterns, autonomous vulnerability discovery tools, and AI-assisted attack automation documented in 2026 are consistent with adversaries benefiting from accelerating AI productivity. CISOs should assume that the gap between threat actor capability development and enterprise detection/response capabilities may compress faster than conventional threat projection models anticipate.
Export Control Volatility: AI Technology Access and Ecosystem Risk
The ongoing Fable 5 / Mythos 5 export control order, combined with existing restrictions on AI chip exports, suggests a period of continued volatility in AI technology access controls. Organizations with global developer teams should assess whether AI tool availability and capability will remain uniform across geographies, and whether compliance obligations around AI tool usage will require differentiated policies by region.
12. Incident and Crisis Watch
Agentjacking — AI Coding Agent Compromise (Validate Exposure)
No confirmed enterprise incidents reported at time of writing, but the attack requires no prior foothold and Sentry has confirmed no patch is available. Organizations with Claude Code or Cursor using the Sentry MCP server should treat this as an active exposure to validate, not a hypothetical to monitor.
Next step: Security engineering to confirm whether Sentry MCP is enabled in any AI coding agent configurations. Report to CISO by end of business today.
AUR Supply Chain Compromise — Active Credential Theft (Validate Exposure)
Active compromise confirmed by Arch Linux official advisory. Organizations with Arch Linux developer endpoints should assume potential credential compromise and act accordingly. eBPF rootkit presence requires specialized forensic tooling for reliable detection.
Next step: Endpoint security and developer platform teams to inventory Arch Linux usage and initiate credential rotation protocol for any affected machines within 24 hours.
LangGraph RCE — Patched, Slow Adoption Risk (Patch Required)
Patches are available but passive adoption is expected to be slow for self-hosted open-source deployments. No confirmed active exploitation reported. Risk window is the interval between disclosure and full patch deployment across the LangGraph ecosystem — estimated weeks to months for long-tail deployments.
Next step: Platform engineering to identify all LangGraph deployments and confirm patch status within 48 hours.
Velvet Ant (China-Nexus) PAM/OpenSSH Backdoor — Long-Duration APT (Monitor)
Decade-long persistence campaign using PAM and OpenSSH login stack modification. Primarily relevant to government, defense, and critical infrastructure organizations. No new technique relative to existing CSA APT coverage but escalation threshold is confirmed internal exposure.
Next step: Threat intelligence team to assess sector relevance. No broad action required unless the organization is in an affected sector with Linux-based authentication infrastructure.
13. Recommended Actions
Immediate Actions — Within 24 Hours
| Action | Suggested Owner | Priority | Rationale |
|---|---|---|---|
| Audit AI coding agent configurations for Sentry MCP connections; revoke where not business-critical | Security Engineering + Developer Platform | Critical | No patch available; structural exposure confirmed by vendor |
| Implement agent action confirmation requirements for any agent operation involving credentials or environment variables | Security Engineering | Critical | Primary compensating control for Agentjacking in absence of a vendor patch |
| Inventory Arch Linux developer endpoints; initiate eBPF-aware forensic scan and credential rotation for affected machines | Endpoint Security + Developer Platform | Critical | Active supply chain compromise; standard endpoint tools insufficient for post-rootkit detection |
| Identify self-hosted LangGraph deployments; confirm patch status and apply patches | Platform Engineering / AI Engineering | High | Published RCE exploit chain; patch available but adoption slow |
Near-Term Actions — Within 2–7 Days
| Action | Suggested Owner | Priority | Rationale |
|---|---|---|---|
| Develop and publish internal guidance on MCP server trust model risks for AI coding agent configurations | Security Engineering + CISO Communications | High | Agentjacking is likely the first of many MCP-based attacks; proactive policy prevents future exposure |
| Add LangGraph, LangChain, and open-source AI framework packages to software composition analysis and vulnerability monitoring | Vulnerability Management | High | AI frameworks now have weaponizable CVEs; absence from SAST/SCA is a coverage gap |
| Initiate AI governance control design review against NIST AI guardrail incompleteness proof; brief legal and compliance | CISO Office + Chief Compliance Officer | High | NIST formal finding may create compliance exposure for static-guardrail AI governance programs |
| Apply privileged access management principles to developer machines: scope NHI credentials to least privilege; rotate credentials on high-risk endpoints | Identity and Access Management | High | Both Agentjacking and AUR compromise specifically target developer-held NHI credentials |
| Brief security leadership on RSI acceleration thesis and its implications for threat projection and security investment timelines | CISO Office | Medium | Strategic signal that should inform multi-year planning; not an operational emergency |
Strategic Watch Items — Weeks to Months
| Item | Owner | Horizon |
|---|---|---|
| Develop AI agent security architecture standard: least-privilege credentials, MCP server trust tiers, human confirmation thresholds | Security Architecture | 4–8 weeks |
| Re-evaluate threat detection and response velocity assumptions given RSI acceleration evidence | CISO Office + Threat Intelligence | This quarter |
| Commission a 12-month forward threat modeling exercise incorporating non-linear AI capability growth curves | CISO Office | Next planning cycle |
| Transition AI governance programs from static-guardrail to continuous-monitoring architectures in preparation for EU AI Act and AI RMF updates | Chief Compliance Officer + Security Architecture | 6–12 months |
14. CISO Talking Points
CEO / Board
“We are tracking the first wave of production-grade attacks specifically targeting AI development tools, including a structural vulnerability that has no patch available. Our immediate priority is to confirm whether our AI coding tools are exposed, rotate any credentials that may have been compromised in a related supply chain attack, and ensure our AI agent configurations include appropriate human oversight checkpoints. I will update you within 48 hours on our exposure status. Separately, new evidence from Anthropic suggests the AI threat landscape is accelerating faster than our current models assume — I recommend we schedule a strategy session to revisit our threat horizon planning.”
Legal and Compliance
“NIST published a formal mathematical proof last week establishing that static AI safety guardrails are provably insufficient against adaptive adversarial inputs. This directly affects how we need to structure our AI governance evidence for EU AI Act Article 9 compliance and NIST AI RMF implementation. We need to schedule time this week to assess whether our current AI governance control designs need to transition from static configuration to continuous monitoring architectures before our next compliance review.”
Security Operations and Developer Platform Teams
“There are two active items requiring your attention today. First: audit all AI coding agent configurations for Sentry MCP server connections and disable them unless business-critical — this is a structural vulnerability with no vendor patch. Second: inventory all Arch Linux developer endpoints and initiate a credential rotation and forensic review protocol — over 400 AUR packages were compromised with a credential stealer and an eBPF rootkit that standard tooling cannot detect. I need a status report by end of business today on both items.”
Engineering Leadership
“Two security issues directly affect our AI engineering stack this week. LangGraph has a patched but critical RCE vulnerability — please verify that all self-hosted LangGraph deployments are updated. Separately, AI coding agent sessions are now a confirmed attack vector through MCP server integrations — I need your team to review agent configurations and implement explicit confirmation steps for any operations that access credentials or modify environment variables. These are not theoretical risks: both are confirmed, operational attack techniques disclosed this week.”
Risk Committee
“The risk landscape for AI development infrastructure materially worsened this week. Two items warrant elevation to the risk register: first, a structural, unpatched vulnerability in AI coding agent integrations with no vendor fix available; second, empirical evidence that AI productivity acceleration at frontier AI labs creates a corresponding acceleration in offensive threat actor capability that our current threat models do not adequately capture. I am requesting a risk register update and a dedicated session to revisit our threat horizon assumptions.”
15. Metrics and Risk Indicators
Risk Direction: Worsening
The number of active, unpatched attack vectors against AI development infrastructure increased from zero to two within a 24-hour window. The RSI acceleration signal suggests this trajectory will continue. The availability of a published RCE exploit chain for LangGraph, combined with typical slow patch adoption for open-source frameworks, will keep the vulnerability exposure window elevated for weeks. The only positive indicator is that patches exist for LangGraph CVEs and the AUR compromise has an official advisory — both are containable with prompt action.
16. Rolling Watchlist
17. Sources, Confidence, and Unknowns
Source Quality and Confidence Assessment
Agentjacking: Confirmed by The Hacker News (June 12); Sentry vendor acknowledgment of architectural limitation; independent security researcher disclosure by Tenet Security. The vendor’s “technically not defensible” statement is on the record. Unknown: Whether additional MCP servers share the same vulnerability class; scale of any unreported exploitation.
AUR Supply Chain: Confirmed by Arch Linux official advisory, BleepingComputer, and The Hacker News. Package count (400+) is confirmed. eBPF rootkit behavior confirmed by technical analysis. Unknown: Full list of compromised packages; number of affected developer endpoints across enterprises; whether credentials stolen to date have been exploited.
LangGraph CVEs: CVEs are catalogued with CVSS scores. Exploit chain published by Check Point Research. Patches available in LangGraph latest release. Unknown: Rate of patch adoption across self-hosted deployments; whether exploit chain has been integrated into offensive toolkits.
NIST AI Guardrail Proof: Peer-reviewed mathematical proof published by NIST CSRC; official NIST announcement June 9, 2026. The mathematical claim itself is high-confidence. Unknown: How quickly EU and ISO bodies will incorporate this finding into framework updates; how regulators will interpret compliance implications.
RSI Acceleration Thesis: Anthropic productivity data (8× code acceleration, 80%+ AI-authored merges) is empirical, sourced from Import AI 460 (Jack Clark, Anthropic co-founder) and The Anthropic Institute. The extrapolation to threat actor capability acceleration is analytical inference — directionally well-supported by 2026 attack trend data but not a confirmed observation. Unknown: Whether adversary AI productivity matches frontier lab productivity; the timeline for commodity attacker access to comparable capability.
Topics Already Covered — No New Research Action Required
- Fable 5 / Mythos 5 Export Control Order: Covered by CSA’s neutral analysis The Fable 5 / Mythos 5 Export-Control Action. BleepingComputer and THN stories (June 13) confirm continuing coverage but no new research note warranted unless formal rulemaking is initiated or additional vendors are affected.
- Oracle PeopleSoft CVE-2026-35273 (ShinyHunters zero-day, universities): CVSS 9.8 RCE flaw, but enterprise ERP vulnerability guidance is well-established in the CSA corpus and no novel AI-relevant dimensions justify a new research note.
- China-Nexus Velvet Ant PAM/OpenSSH Backdoor: Decade-long persistence via login stack modification is extensively covered in existing CSA threat intelligence publications; no MCP/agentic AI angle present.
- Google Lawsuit Against Chinese Smishing Network (Gemini AI for PhaaS): LLM-assisted phishing content generation is already part of the CSA AI threat corpus; primary novelty here is legal rather than technical.