Summary: The nginx-ui MCP integration exposes an unauthenticated /mcp_message endpoint that allows any network attacker to restart nginx, manipulate configuration files, and achieve full server takeover without credentials (CVSS 9.8). Recorded Future listed this among 31 actively exploited vulnerabilities in March 2026, and Shodan shows approximately 2,689 exposed instances globally. Dubbed “MCPwn,” this is the first documented weaponization of a Model Context Protocol integration—making it a bellwether for the broader MCP security conversation.

Action Required: Immediately patch nginx-ui to the latest version. Audit all MCP-enabled management interfaces for authentication controls. Block external access to /mcp_message endpoints at the network layer. Any organization adopting MCP tooling should verify that MCP endpoints are not exposed without authentication middleware.

View Full Research Note

Summary: Elastic Security Labs documented a sophisticated campaign (REF6598) targeting finance and cryptocurrency professionals via LinkedIn/Telegram social engineering under a fabricated VC firm persona. The attack chain abuses Obsidian’s community plugin ecosystem as the malware delivery mechanism, uses AI-generated lure sites for credibility, and deploys the PHANTOMPULSE RAT with Ethereum blockchain transaction data as its C2 channel—rendering traditional network-layer detection ineffective. Cross-platform capability (Windows and macOS) and targeting of high-net-worth individuals in regulated sectors makes this immediately relevant to financial services CISOs.

Action Required: Review and restrict enterprise policies for third-party plugins in productivity applications (Obsidian, VS Code, etc.). Implement detection for blockchain-based C2 patterns. Alert security awareness teams about VC-impersonation social engineering targeting finance staff.

View Full Research Note

Summary: Cisco Talos documented a sustained campaign (active since October 2025) in which threat actors use n8n’s free cloud-hosted webhook infrastructure to deliver malware and fingerprint targets, bypassing security filters by exploiting n8n’s trusted domain reputation. Malicious n8n webhook emails surged 686% between January 2025 and March 2026. This represents the maturation of a technique class—abusing legitimate AI workflow SaaS platforms as anonymizing delivery infrastructure—that applies equally to Zapier, Make, Dify, and similar platforms. A separate CVSS 10.0 RCE in n8n itself (CVE-2026-21858) compounds the risk.

Action Required: Audit AI automation platform allow-list policies at the perimeter. Enforce webhook authentication on all n8n instances. Review egress filtering for AI workflow platform domains. Evaluate whether trusted-domain exceptions for automation platforms are creating security blind spots.

View Full Research Note

Summary: Researchers from the University of California documented the first systematic study of the LLM router ecosystem—third-party services that sit between AI agents and model providers for load balancing and cost control. Of 428 routers tested (28 paid, 400 free), 28 malicious instances were identified actively stealing credentials, injecting commands into model responses, accessing cloud credential canaries, and using time-delayed trigger mechanisms to evade detection. Real cryptocurrency theft has been confirmed. This represents a structural supply chain risk distinct from model-level threats: enterprises using third-party routing for cost optimization may be running untrusted code in their AI stack with zero visibility.

Action Required: Inventory all third-party AI routing services in use across the organization, including OpenRouter, LiteLLM-compatible proxies, and marketplace AI routing services. Evaluate trust posture of each. Implement monitoring for unexpected credential access or response injection patterns in AI pipelines. The March 2026 TeamPCP wave targeting Trivy, LiteLLM, KICS, and Axios compounds this risk.

View Full Research Note