Summary: A scan of over one million AI services sourced from certificate transparency logs found that AI infrastructure is more exposed and misconfigured than any other software class studied. Chatbots are publicly exposing full conversation histories; agent management platforms (n8n, Flowise) are reachable from the internet without authentication; and AI tool integrations grant implicit access to every connected system. Intruder’s scan identified hundreds of OpenClaw management interfaces exposed publicly, with the ClawdBot/OpenClaw ecosystem alone averaging 2.6 CVEs per day. This is not a theoretical risk: each exposed AI service management dashboard represents a direct path to credential theft, data exfiltration, and supply-chain leverage across every enterprise system the AI tool touches.

Key Actions: Audit all self-hosted AI infrastructure for internet-accessible management interfaces immediately. Require authentication on all Flowise, n8n, LiteLLM, and OpenClaw management endpoints. Treat exposed AI service dashboards with the same incident urgency as exposed RDP or VNC instances. Apply network segmentation to isolate AI infrastructure management planes from internet-routable addresses.

Read Full Research Note (link pending)

Summary: PyTorch Lightning version 2.6.3 — a deep learning framework with 11 million monthly downloads — was compromised to deliver a credential-stealing payload via build pipeline compromise rather than a malicious package upload. Unlike the ClawHub and HuggingFace model-hub attacks previously covered by CSA, this attack targets the Python ML framework supply chain at the source. The malicious payload executes silently on import, downloads a JavaScript runtime, and runs an 11.4 MB obfuscated credential harvester targeting browsers, .env files, and cloud service credentials. The maintainer has reverted to version 2.6.1; forensic investigation of how the build pipeline was breached is ongoing. The downstream blast radius — ML engineers with cloud credentials — represents a high-value target class for attackers seeking cloud infrastructure access.

Key Actions: Pin PyTorch Lightning to v2.6.1 across all ML environments immediately. Audit and rotate cloud credentials for any environment that imported v2.6.3. Review build pipeline access controls for ML toolchains. Implement SBOM validation and dependency pinning as standard practice for ML framework dependencies.

View Full Research Note

Summary: Researcher wunderwuzzi (EmbraceTheRed) presented “Copirate 365” at DEF CON, disclosing CVE-2026-24299 — a command injection vulnerability in Microsoft 365 Copilot’s service backend that enables information disclosure across any attacker-reachable network. Unlike earlier M365 Copilot prompt injection research that targeted individual user sessions, this technique operates through the backend command execution path and can affect any organization that has deployed M365 Copilot with default configurations. Microsoft 365 Copilot is now embedded in email, Teams, SharePoint, and calendar workflows for tens of millions of enterprise users, making the blast radius of a systematic exploitation campaign potentially catastrophic. Patch availability from Microsoft is not yet confirmed.

Key Actions: Contact Microsoft for CVE-2026-24299 remediation status and patch timeline immediately. Review Copilot deployment configurations against Microsoft’s hardening guidance. Assess whether Copilot should be scoped to lower-sensitivity environments pending a patch. Ensure Copilot access policies exclude sensitive data repositories until the vulnerability is resolved.

View Full Research Note

Summary: The April 2026 Context.ai breach — which cascaded into a supply chain attack on Vercel and its downstream customers — illustrates a structural identity risk that is being amplified by AI tool adoption: OAuth tokens created when employees connect AI tools to enterprise SaaS environments are persistent, do not expire when employees leave, do not reset when passwords change, and are invisible to most perimeter security controls. Wiz’s technical analysis and THN’s reporting on the cascade estimate that enterprises now average 40–50 automated credentials per employee, with AI agent connections and OAuth grants accounting for a growing share. The attack pattern — compromise one SaaS AI tool, pivot via trusted OAuth tokens to downstream enterprise customers — is a systemic risk distinct from any single CVE. The Context.ai/Vercel incident is the clearest current-cycle illustration, but the structural issue is broader than any single breach.

Key Actions: Conduct a full OAuth grant audit across enterprise identity providers, specifically targeting AI tool integrations created by individual employees. Implement token expiry enforcement and automated revocation upon employee departure for all AI-tool OAuth grants. Establish detection rules for anomalous OAuth-based access patterns from AI integration accounts. Inventory all “shadow AI” tool connections to enterprise SaaS that were created without IT authorization.

View Full Research Note