CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative
Executive Summary
Today’s intelligence scan reveals a convergence of three accelerating trends reshaping the AI security threat landscape. AI agents are transitioning from passive attack targets to active attack infrastructure—a new “Agent Commander” promptware framework demonstrates full command-and-control systems powered by chained prompt injections rather than traditional malware. Simultaneously, the LeakNet ransomware gang has operationalized ClickFix social engineering with a Deno JavaScript runtime loader, extending the ClickFix threat from infostealers into ransomware staging—a meaningful escalation in a technique that already accounts for 47% of Microsoft Defender Experts notifications. On the supply chain front, hidden instructions in repository README files are hijacking AI coding assistants, exploiting the implicit trust these tools place in project documentation.
Governance developments are significant: the NSA and seven allied nations have published the most comprehensive AI supply chain security guidance to date, establishing an eight-nation coordinated position on AI BOM requirements, cryptographic integrity validation, and threat modeling across the full AI pipeline. This guidance carries immediate compliance relevance for government contractors and critical infrastructure operators.
The most strategically concerning development is structural: AI agents are flooding open-source vulnerability trackers with auto-generated, low-quality, and frequently hallucinated bug reports. CVE volume reached 48,185 in 2025—a ninth consecutive record year—while NVD enrichment capacity has fallen to 28%. The curl project shut down its bug bounty program after 95% of submissions proved invalid. This is a tragedy-of-the-commons dynamic that threatens the foundational signal quality of coordinated vulnerability disclosure.
Agent Commander: Promptware C2
CRITICAL
AI agents weaponized as full C2 infrastructure via chained prompt injections—a new malware class where attack logic is encoded in prompt sequences that propagate through agent tool-call chains.
- Conventional EDR/SIEM cannot detect promptware
- Enables persistence and lateral movement in agentic workflows
- Research note timed out—coverage pending
LeakNet: ClickFix + Deno Ransomware
HIGH
ClickFix social engineering combined with Deno runtime loader for stealthy data extortion campaigns. ClickFix surged 517% in H1 2025; Deno now adopted by both criminal and state-sponsored actors.
- Bypasses both network-layer and endpoint controls simultaneously
- State actor MuddyWater also using Deno loader (Dindoor backdoor)
- Full research note published
README Injection: AI Coding Agent Hijacking
HIGH
Hidden instructions in repository README files exploit the trust AI coding assistants place in project documentation, enabling credential exfiltration and silent code modification.
- Distinct from package-level and skill-layer injection vectors
- Targets the documentation layer as a new attack surface
- Research note timed out—coverage pending
NSA Allied AI Supply Chain Guidance
HIGH
Eight-nation coordinated guidance covering six AI/ML supply chain components: training data, models, software, infrastructure, hardware, and third-party services. Introduces AI BOM requirements.
- Compliance implications for government contractors
- Signals AI BOM will follow SBOM regulatory trajectory
- Full research note published
AI Agents Flooding Vulnerability Disclosure
HIGH
AI-generated vulnerability reports overwhelming triage capacity across bug bounty platforms, CVE infrastructure, and open-source maintainers. Signal integrity crisis in coordinated disclosure.
- curl shut down bug bounty: 95% submissions invalid
- NVD enrichment down to 28% of new CVEs
- Full research note published
Completed Research Notes
LeakNet Extortion: ClickFix and Deno Runtime Loader TTPs
HIGH URGENCY
Summary: The LeakNet data extortion group combines ClickFix social engineering for initial access with a Deno JavaScript runtime loader for stealthy payload delivery. ClickFix induces victims to paste and execute obfuscated commands via the Windows Run dialog, bypassing browser security, email gateways, and web proxies entirely. Deno—a legitimate, digitally signed runtime—then executes malicious JavaScript payloads while evading endpoint detection tools that whitelist trusted binaries. ESET documented a 517% increase in ClickFix attacks in H1 2025, and Microsoft’s 2025 Digital Defense Report identified ClickFix as the leading initial access method observed by Microsoft Defender Experts.
Threat actor convergence: ThreatDown documented the first Deno weaponization in CastleRAT campaigns (GrayBravo/TAG-150). Iran’s MuddyWater subsequently deployed the Dindoor backdoor using Deno against U.S. financial, aviation, and defense-sector targets in March 2026. The rapid adoption across both criminal and state-sponsored actors indicates Deno abuse is in an active diffusion phase. The Velvet Tempest affiliate cluster has used the CastleLoader chain to deliver Termite ransomware.
What this means for your organization: The ClickFix-to-Deno chain exploits two structural gaps simultaneously: clipboard-based execution bypasses network controls, and Deno’s trusted signature bypasses endpoint controls. The narrowest detection window is behavioral—monitor for unexpected Deno processes with outbound network connectivity followed by memory injection. Restrict Win+R for non-administrative users. Audit application allowlisting to ensure Deno is not permitted on end-user workstations. Update security awareness training to include ClickFix scenarios. Review cloud storage permissions and Rclone deployment, as LeakNet’s exfiltration model leverages cloud storage for bulk data theft.
BleepingComputer — “LeakNet ransomware uses ClickFix and Deno runtime for stealthy attacks” (March 17, 2026)
ThreatDown/Malwarebytes — CastleRAT: First cyberattack to abuse Deno runtime (2025)
The Hacker News — MuddyWater Dindoor backdoor campaign (March 2026)
CISA/FBI/HHS Joint Advisory AA25-203A — Interlock Ransomware ClickFix (July 2025)
Eight-Nation AI/ML Supply Chain Risk and Mitigation Guidance
GOVERNANCE
Summary: On March 4–5, 2026, the NSA’s AI Security Center and seven allied national cybersecurity agencies (US, UK, Canada, Australia, New Zealand, Japan, South Korea, Singapore) released the most expansive multinational guidance to date on securing AI/ML systems from supply chain compromise. The guidance defines a six-component AI/ML supply chain—training data, models, software, infrastructure, hardware, and third-party services—and maps specific threat classes to each. It builds on a May 2025 predecessor addressing AI data security and reflects coordinated intent across eight Western nations that AI security should receive the same rigor applied to critical software infrastructure.
Key controls: The AI Bill of Materials (AI BOM) is positioned as the foundational control—a structured inventory of all training datasets, pre-trained models, fine-tuning data, and framework versions. The guidance recommends mandatory cryptographic integrity validation for all externally sourced model files, threat modeling mapped to MITRE ATLAS and NIST AML taxonomies, and contractual requirements for vendors to verify training data integrity and restrict customer data use for model training. Frontrunning poisoning and split-view poisoning are identified as primary training data threats; Python pickle deserialization is flagged as a code execution vector in model files.
What this means for your organization: Treat this guidance as a procurement evaluation framework. Review existing AI vendor contracts for data provenance guarantees and customer data use restrictions. Establish an AI BOM inventory for all production AI systems—organizations that cannot enumerate their training datasets, models, and library versions cannot assess supply chain risk. Anticipate that AI BOM requirements will be incorporated into future compliance frameworks following the SBOM regulatory trajectory. Government contractors and critical infrastructure operators should begin compliance alignment now. Organizations deploying agentic AI should map additional supply chain exposure at the tool and prompt layers.
NSA AI Security Center et al. — “AI/ML Supply Chain Risks and Mitigations” (March 4, 2026)
Australian Cyber Security Centre — AI/ML Supply Chain Guidance (March 2026)
Canadian Centre for Cyber Security — Joint Guidance (March 2026)
Read Full Research Note: NSA Allied AI Supply Chain Guidance
Noise Over Signal: AI Agents Flood Vulnerability Disclosure Pipelines
STRATEGIC RISK
Summary: The vulnerability disclosure ecosystem is experiencing a signal integrity crisis driven by AI-generated report flooding. The curl project shut down its HackerOne bug bounty program in January 2026 after 95% of 2025 submissions proved invalid, with volume running eight times above historical norms. Bugcrowd recorded a 334% spike in queue length from unvalidated AI automation. CVE publication hit 48,185 in 2025, a ninth consecutive record, while NVD enrichment capacity fell to 28% (from 46.2% in 2024). FIRST forecasts a 2026 median of 59,427 CVEs with an upper bound exceeding 117,000. CISA formally pivoted the CVE program from a “Growth Era” to a “Quality Era” in September 2025.
The dual-use paradox: The same AI capabilities fueling noise are producing genuinely high-quality research. AISLE’s AI-driven OpenSSL audit found 12 unknown vulnerabilities including a 27-year-old bug. OpenAI’s Aardvark system yielded 10 CVE identifiers. The crisis is one of governance and incentive alignment—bug bounty rewards make high-volume, low-quality automated submissions economically rational even when 95% are invalid. Open-source maintainers are the most exposed tier, with volunteer capacity structures fundamentally incompatible with AI-scale report volumes.
What this means for your organization: Security teams consuming NVD-integrated vulnerability data should treat enrichment gaps as a structural risk, not a temporary issue. Incorporate CISA Vulnrichment, ENISA EUVD, and vendor advisories as parallel enrichment sources. Invest in EPSS and SSVC as alternatives to base CVSS scores for patch prioritization. If operating bug bounty programs, audit for AI submission flooding patterns and implement graduated enforcement. Assess whether open-source projects in your software supply chain have maintainer capacity sufficient to absorb current disclosure volumes—sponsor maintainer security capacity through OpenSSF Alpha-Omega or direct contributions. SOC teams should account for CVE enrichment gaps in alert prioritization algorithms.
Daniel Stenberg — curl bug bounty program termination (January 2026)
Bugcrowd — Policy changes to address AI slop submissions (2025)
HackerOne — 9th Annual Hacker-Powered Security Report: 210% spike in AI reports (October 2025)
CISA — CVE Quality for a Cyber Secure Future (September 2025)
FIRST — Vulnerability Forecast 2026 (February 2026)
Axios — AI Agents Spam Open Source Security Volunteers (March 10, 2026)
Read Full Research Note: AI Agents and Vulnerability Disclosure Signal Integrity
Research Notes Pending (Timed Out)
Agent Commander: Promptware-Powered Command and Control
TIMED OUT — CRITICAL
Summary (from intelligence report): Security researcher wunderwuzzi (Embrace The Red) published “Agent Commander: Promptware-Powered Command and Control” on March 16, 2026, detailing a framework that weaponizes AI agents as full C2 infrastructure via chained prompt injections. Unlike prior agent exploitation techniques (WebSocket hijack, CI/CD cache poisoning, Unicode injection), “promptware” describes a new malware class where the entire attack logic is encoded in crafted prompt sequences that propagate through AI agent tool-call chains—enabling persistent, multi-stage attack campaigns without traditional malware implants.
Why this is critical: Enterprise security teams deploying agentic AI workflows face an entirely new persistence and lateral movement paradigm that conventional EDR and SIEM tooling cannot detect. The attack logic lives in prompt context rather than in executable code, making it invisible to file-based and behavioral detections designed for traditional malware.
What this means for your organization: Organizations deploying multi-agent AI systems should immediately assess their prompt injection surface area at the orchestration layer. Monitor for anomalous agent tool-call chains and unexpected inter-agent communication patterns. Apply MAESTRO Layer 4 (Agent Trust Boundaries) threat modeling to any agentic workflow with external data ingestion. This topic requires full research note treatment and will be prioritized in the next pipeline run.
Embrace The Red (wunderwuzzi) — “Agent Commander: Promptware-Powered Command and Control” (March 16, 2026)
Hidden Instructions in README Files Hijacking AI Coding Assistants
TIMED OUT — HIGH
Summary (from intelligence report): Intelligence confirmed on March 17, 2026 documents active exploitation of a supply chain vector in which malicious actors embed hidden or obfuscated instructions in repository README and documentation files. These instructions specifically target AI coding assistants that ingest project context before generating code or taking actions. When a developer’s AI coding tool opens a repository, it reads the README as authoritative context, executing embedded instructions that may exfiltrate credentials, modify code silently, or redirect tool behavior.
Structural distinction: This attack vector exploits the implicit trust model that AI coding agents apply to repository documentation. It is structurally distinct from existing Unicode instruction injection (which targets agent Skills configuration files) and from GlassWorm/PhantomRaven (which target package registries). The documentation layer—README files, CONTRIBUTING, and similar artifacts—is a previously unaddressed injection surface for AI coding assistant hijacking.
What this means for your organization: Audit your development teams’ AI coding assistant configurations. Implement controls to sanitize or review repository documentation before AI assistants ingest it. Consider sandboxing AI coding assistant operations so that instructions from repository files cannot trigger credential access, network requests, or file system modifications outside the project scope. Treat repository documentation as untrusted input in AI assistant threat models.
no-security newsletter — “Hidden Instructions in README Files Make AI Agents Vulnerable” (March 17, 2026)
tl;dr sec #319 — AI agent security research context
Embrace The Red — prior research on AI agent context injection techniques
Research Pipeline Status
Today’s intelligence scan identified 5 priority topics. The research pipeline completed 3 of 5 research notes before timeout limits were reached. The two incomplete notes—Agent Commander and README Injection—are queued for priority processing in the next pipeline cycle.
LeakNet ClickFix + Deno Loader
Published
NSA Allied AI Supply Chain Guidance
Published
AI Agents & Vulnerability Disclosure
Published
Agent Commander Promptware C2
Timed Out
README Injection AI Coding Agents
Timed Out
Notable Monitored Items
GlassWorm ForceMemo Campaign: GitHub Token Theft
Force-pushing malware into Python repositories for GitHub token theft (March 16). Covered by existing CSA research on GlassWorm Open VSX transitive dependency attacks. Monitor for new variants but no new research note required.
Pentagon Formally Designates Anthropic as Strategic Partner (Update)
March 17 update to existing coverage. The Pentagon has formally designated Anthropic as a strategic partner, an escalation from the previously documented relationship. This is an update to existing CSA analysis rather than a new topic. Review existing risk assessments for AI vendor concentration in defense applications.
OpenClaw Prompt Injection / CNCERT Advisory
Ongoing monitoring of OpenClaw prompt injection vectors and CNCERT advisories (March 14–17). Adequately covered by existing CSA enterprise OpenClaw best practices guide and original research note. No new action required.
Slopoly AI-Generated Malware / Interlock Ransomware
Continued evidence of AI-assisted malware generation in ransomware operator toolchains. Conceptually covered by existing CSA publications on AI-powered ransomware variant proliferation. Trend is accelerating rather than plateauing—ensure variant detection rules are current.
Topics Already Covered (No New Action Required)
- GlassWorm ForceMemo Campaign: Covered by CSA_research_note_glassworm_open_vsx_transitive_dependency_attack_20260316
- MacSync / ClickFix macOS Infostealer: Covered by CSA_research_note_macsync_clickfix_macos_ai_tool_infostealer_20260316
- CrackArmor / AppArmor Container Escape: Covered by CSA_research_note_crackarmor_linux_apparmor_container_escape_20260314
- Colluding LoRA Fine-Tuning Alignment Bypass: Covered by CSA_research_note_colluding_lora_llm_alignment_bypass_finetuning_20260316
- OpenClaw Prompt Injection / CNCERT Advisory: Covered by enterprise-openclaw-best-practices-v2 and original OpenClaw research note
- Pentagon-Anthropic Strategic Partnership (Update): Update to CSA_research_note_pentagon_anthropic_ai_militarization_enterprise_risk_20260311
- AI-Generated Slopoly Malware / Interlock Ransomware: Covered by CSA_research_note_ai_powered_ransomware_generation_variant_proliferation_20260315
- Chrome 0-days CVE-2026-3909 / CVE-2026-3910: Browser vulnerabilities outside AI safety scope; apply vendor patches per normal cadence
- DRILLAPP / Russia-Ukraine Cyber Espionage: Geopolitical cyber conflict; outside current research priority scope
- Konni / EndRAT KakaoTalk Propagation: Traditional APT spear-phishing; outside AI safety scope