ShareLock — MCP Threshold Poisoning (No CVE Yet)

Disclosed June 26 via arXiv (preprint). Attacks MCP tool-trust model by distributing poisoning payloads below per-tool detection thresholds. Affects any enterprise agentic deployment with multiple simultaneously trusted MCP servers. No patch available; no published compensating control at time of writing. Prioritization: High — zero-day with no defense, affecting production-scale MCP deployments. See arXiv 2606.27027 for technical detail.

Exposed AI Inference Endpoints (Ollama / vLLM)

Sysdig’s LLMjacking investigation identified internet-accessible Ollama model servers as the primary vector. These endpoints typically run on port 11434 with no authentication by default. Exploit maturity is production-level: adversaries are actively scanning for and operationalizing these endpoints. Recommended action: Run nmap -p 11434 against internet-facing assets; enforce firewall rules; require API keys on all inference servers. See Sysdig research.

Gaslight macOS Implant — AI Triage Bypass

No CVE assigned (implant, not a vulnerability in a vendor product). Attack surface: macOS endpoints where users open untrusted files; secondary surface is any AI-assisted triage pipeline that processes untrusted file content without input sanitization. Compensating control: validate AI triage tool inputs; sandbox untrusted files before AI analysis; add adversarial input testing to SOC AI tool evaluation criteria. See SentinelOne Labs.

Notable Items Out of Scope for AI Safety Initiative

Also active this cycle: Cisco SD-WAN zero-day CVE-2026-20245 (actively exploited 2 months before disclosure — network infrastructure teams should treat as immediate priority) and DirtyClone Linux kernel privilege escalation CVE-2026-43503 (CVSS 8.8, patched May 21). Both fall outside the AI Safety Initiative scope but warrant attention from your vulnerability management team.

AI Inference Endpoint Exposure

Internet-accessible AI inference servers (Ollama, vLLM, llama.cpp) represent a new class of exposed management interface with no native authentication defaults. These endpoints are actively being discovered and operationalized by adversaries. Risk profile is similar to exposed Kubernetes API servers or unauthenticated Redis instances from prior threat cycles. Recommended control: treat AI inference endpoints as critical infrastructure; apply same network segmentation and authentication standards as database management interfaces.

Agentic AI Tool Permissions and NHI Risk

ShareLock’s attack path highlights the risk of agentic AI systems with broad tool permissions operating under compromised MCP configurations. Non-human identities (service accounts, API keys) held by AI agents may be leveraged to take unauthorized actions across cloud resources, SaaS platforms, or internal systems. As agentic deployments expand, reviewing the permission scope of AI agent identities is a near-term control priority. Least-privilege enforcement for AI agent tool access is an emerging must-have.

Agentic AI: Prompt Injection as Anti-Forensics

Gaslight’s technique — embedding fabricated system messages to confuse analyst AI — is directly replicable in any context where AI agents process untrusted content: document review, email analysis, code review, threat intelligence ingestion. AI security teams should test their agentic pipelines against adversarial input injection and validate that AI outputs are not the sole basis for security decisions without human review checkpoints.

MCP Security: Threshold Poisoning Changes the Defense Model

ShareLock’s threshold-based approach means that per-tool anomaly detection is insufficient as a sole control. Defensive implications: enterprises need behavioral baselines across tool clusters, not just individual tools; consider runtime MCP traffic analysis; restrict which tool combinations can execute simultaneously in high-stakes agentic workflows.

AI Governance: Continuous Monitoring Is Now Required

The NIST mathematical proof establishes that adaptive adversaries will always find a prompt that bypasses any fixed guardrail set. This is not a theoretical concern — it is a published proof. CISO implication: AI systems deployed in high-risk contexts (customer-facing, access control, financial authorization) require continuous red-teaming and monitoring programs, not periodic audits. Budget and staffing models for AI governance must reflect this.

AI-Enabled Social Engineering at Organizational Scale

The superpersuasion research documents a 5.9 percentage-point advantage for AI over professional human persuaders in real-money donation scenarios. For enterprise security, this translates to: spear-phishing with AI personalization outperforms human-crafted campaigns; vishing attacks using AI voice synthesis are more effective than human callers; board and executive influence operations are viable at scale. The gap is not closable by user training alone — architectural controls (multi-party authorization, out-of-band verification for high-value actions) are the required countermeasure.

MCP Vendor Ecosystem: Trust Without Verification

ShareLock’s attack succeeds precisely because enterprises trust MCP tools from multiple vendors simultaneously. The implicit assumption — that vendor-published MCP tools are safe — is now under challenge. Third-party risk reviews should include MCP server security posture; procurement processes should require security attestation for MCP tool vendors.

Miasma npm/Go Supply Chain Attack (Context)

An ongoing supply chain campaign (Miasma) has expanded to affect LeoPlatform, RStreams, and Verana Blockchain Go packages — a continuation of the Mini Shai-Hulud/TeamPCP campaign. CSA has existing supply chain coverage; this is incremental. Development teams consuming these packages should review dependency lists. Per The Hacker News (June 26 reporting).

Chrome Extension Supply Chain (Context)

A Chrome ad blocker extension with 10M+ installs was found to contain a dormant arbitrary JS execution payload — a novel browser supply chain risk. Important for endpoint security practitioners; falls outside AI Safety Initiative scope but warrants review by browser security and endpoint teams.

Open-Source AI Inference Servers: Default Insecurity

Ollama’s default configuration exposes the inference API without authentication on port 11434. This is a structural supply chain risk: developers deploy Ollama from documentation that does not prominently feature security hardening guidance. Organizations should add Ollama and similar tools to their software inventory and configuration baseline standards.

ENISA NIS360: EU Cybersecurity Maturity Improving (Context)

ENISA’s NIS360 report (May 2026) shows improvement in EU critical sector cybersecurity maturity. Useful governance context for organizations operating under NIS2 obligations; 4 weeks old and not AI-specific. No immediate action required.

AI Governance Posture Review Trigger

CISOs should treat the NIST proof as a trigger for reviewing AI governance program design. Specific questions: Does your AI security certification roadmap assume a “certify once” model? Are your AI controls reviewed on a continuous basis or only during audits? Do your AI risk assessments account for adaptive adversary behavior? These are now answerable against a published mathematical standard.

DPRK Cyber: Sustained Campaign Against AI Tools

North Korean threat actors have a documented history of iterating on novel techniques targeting macOS and cryptocurrency infrastructure. Gaslight’s prompt injection layer represents a meaningful capability upgrade — specifically designed to defeat a class of defensive tool that was not a meaningful adversary concern 18 months ago. Organizations in DPRK targeting sectors (financial services, crypto, defense, technology) should treat macOS security and AI triage tooling as a combined risk surface.

Russian State Cyber: STOCKSTAY Backdoor (Context)

Google’s TAG team documented the STOCKSTAY .NET backdoor targeting Ukrainian government and Italian foreign policy entities — sophisticated Russian state espionage tradecraft. Not AI-specific and outside this briefing’s primary scope, but relevant context for organizations with exposure in EU political, defense, or foreign policy sectors. See standard APT tracking channels for detail.

⚠ Gaslight — Active Malware Campaign

Active DPRK macOS implant with AI analyst evasion capability. No confirmed enterprise incidents in this cycle but attribution is high-confidence and targeting profile is broad. Classification: Validate Exposure. Assess macOS fleet exposure; validate AI triage tool resilience to adversarial inputs. If your org is in DPRK targeting sectors, brief incident response lead today.

▲ LLMjacking VAPT — Monitor Closely

In-the-wild autonomous offensive AI framework using stolen compute. Classification: Monitor Closely / Validate Exposure. Audit AI inference endpoint exposure immediately. If exposed endpoints are confirmed, escalate to incident response — assume compromise.

▲ ShareLock — Monitor Closely

Novel MCP attack with no published defense. Classification: Monitor Closely. No confirmed in-the-wild exploitation at time of writing, but the attack was published June 26 — weaponization window is open. Track arXiv and vendor security advisories for defensive guidance.

ℹ NIST Proof — Inform and Prepare

Published mathematical proof challenging static AI governance postures. Classification: Inform and Prepare. No immediate operational incident, but governance posture review is warranted this quarter. Prepare board note on AI governance implications.

Source Quality Assessment

High confidence items (Gaslight, LLMjacking, NIST proof, AI superpersuasion): Multiple independent primary sources; vendor research with technical artifact analysis; NIST-published and IEEE peer-reviewed.

Medium confidence items (ShareLock): Academic preprint not yet peer-reviewed; technique is credible and aligns with known MCP attack surface; no independent reproduction confirmed at time of writing.

Inferred: Specific enterprise exposure levels are not directly observable from public intelligence; internal exposure assessment is required to confirm relevance.

Key Unknowns

• Gaslight targeting scope: Which sectors are active targets in the current campaign wave beyond known DPRK-adjacent industries?

• ShareLock defense: When will mitigations be published, and what form will they take (MCP spec change, runtime monitoring, tool isolation)?

• LLMjacking VAPT scale: How many organizations have already had AI inference endpoints exploited without detection?

• Regulatory response to NIST proof: How quickly will compliance frameworks incorporate continuous-monitoring requirements?

• AI superpersuasion weaponization: Are threat actors already deploying frontier AI persuasion at scale against enterprise targets, or is this a near-term risk that has not yet fully materialized?