CISO Daily Briefing
Cloud Security Alliance — AI Safety Initiative Intelligence Report
Executive Summary
The AI serving stack — inference frameworks, orchestration platforms, and AI-integrated developer tools — has emerged as a high-tempo exploitation target this cycle. Three CVEs across PraisonAI, LiteLLM, and LMDeploy were weaponized within 4 to 36 hours of public disclosure, establishing a new exploitation baseline that enterprise patching cycles cannot match. A novel attack class called Living Off the Agent (LOTA) was formally documented, describing adversaries who hijack enterprise AI agents — and their elevated permissions — to move laterally across cloud APIs, code repositories, and data stores. Concurrently, Sysdig disclosed a NATS-based C2 technique explicitly targeting AI API keys alongside cloud credentials, signaling that these secrets are now primary exfiltration targets.
On the governance front, CISA and international partners published the first substantive government-level agentic AI security framework. The strategic picture is more urgent: in a single week (May 8–14), the US deleted AI security testing guidelines, the EU moved to exclude US firms from sovereign cloud contracts, and China published its first agentic AI standard — a three-way governance fracture that will create material compliance risk for multinational enterprises within 12–24 months.
Overnight Research Output
Rapid Exploitation of AI Inference Frameworks: The Sub-24-Hour Attack Window
HIGH URGENCY
Summary: Three AI serving-layer CVEs — PraisonAI (CVE-2026-44338, authentication bypass), LiteLLM (CVE-2026-42208, SQL injection), and LMDeploy (CVE-2026-33626, SSRF) — were each actively exploited within hours of public disclosure. Sysdig’s threat research documented this as a pattern, not a coincidence: threat actors maintain standing scanning infrastructure tuned to AI inference and orchestration frameworks. Enterprises without automated patching pipelines for AI serving infrastructure are operating under an assumption of breach from the moment a CVE drops.
Key Sources:
Sysdig — CVE-2026-44338: PraisonAI Authentication Bypass in Under 4 Hours
Sysdig — CVE-2026-33626: LMDeploy SSRF Exploited in 12 Hours
“Living Off the Agent” (LOTA): AI Agents as Lateral Movement Infrastructure
HIGH URGENCY
Summary: The “Living Off the Agent” (LOTA) attack class describes adversaries who compromise an enterprise AI agent and then exploit its existing elevated permissions, trusted relationships, and tool-use capabilities to move laterally — directly analogous to Living Off the Land (LOTL) techniques. The pattern is already confirmed in the wild: Microsoft Copilot CVE-2026-24299 is under active exploitation, and Claude Code MCP token theft was disclosed on May 18. Enterprise AI agents granted access to cloud APIs, code repositories, and communication systems represent high-value pivot points that current EDR and SIEM tooling was not built to detect.
Key Sources:
Embrace The Red — CoPirate 365: Plundering Microsoft Copilot (CVE-2026-24299)
no.security daily digest, May 13, 2026: “Living Off the Agent (LOTA) — New Attack Class” — and May 18, 2026: “Claude Code Under Siege: MCP Token Theft”
NATS-as-C2: Novel Exfiltration Targeting Cloud Credentials and AI API Keys
HIGH URGENCY
Summary: Sysdig’s threat research team disclosed a novel command-and-control technique abusing the NATS messaging system — a legitimate, widely deployed cloud-native protocol used in Kubernetes and microservices environments — as a covert C2 channel. By blending malicious traffic into trusted NATS flows, attackers bypass network inspection tools that detect conventional C2 signatures. The explicit targeting of AI API keys (OpenAI, Anthropic, Cohere) alongside cloud IAM credentials marks a maturation of threat actor interest in AI infrastructure secrets as first-class exfiltration targets.
Key Sources:
CISA International Framework: Secure Adoption of Agentic AI
GOVERNANCE
Summary: On May 1, 2026, CISA and international partners (UK NCSC, Australian Cyber Security Centre, and others) published the first substantive government-level framework specifically for enterprise deployment of autonomous AI agents. The guide addresses prompt injection, tool-use abuse, agent-to-agent communication risks, and identity federation for non-human agents — filling a gap that has left security programs without formal governance for AI agent deployments. Its international endorsement gives compliance departments across multiple jurisdictions a single authoritative reference point.
Key Sources:
Global AI Security Governance Divergence: US, EU, and China Fracture in One Week
STRATEGIC RISK
Summary: Three independent geopolitical developments in the week of May 8–14 collectively signal the onset of a fractured global AI security governance landscape. The US Commerce Department deleted AI security testing guidelines while 32 US lawmakers independently demanded White House action on AI cybersecurity — exposing a domestic regulatory vacuum. Simultaneously, the EU moved to structurally exclude US firms from sovereign cloud AI contracts, and China published its first comprehensive agentic AI security standard. For multinational enterprises, these three diverging regimes create a compliance bifurcation challenge: AI systems acceptable under one jurisdiction may be disqualifying under another.
Key Sources:
no.security daily digest, May 8–14, 2026 (US guideline deletion, EU sovereign cloud exclusion, China agentic AI standard, US Congressional letter)
Schneier on Security — How Dangerous Is Anthropic’s Mythos AI? (May 18, 2026)
Notable News & Signals
MiniPlasma/YellowKey Windows Zero-Days — PoC on Fully Patched Systems
High-severity OS-layer vulnerabilities CVE-2026-42945 and associated YellowKey bugs have a public proof-of-concept running on fully patched Windows systems. Outside AI scope but warrants immediate enterprise advisory routing.
Shai-Hulud npm Clone Campaign Continues (May 15–18)
BleepingComputer and The Hacker News both reported new npm packages mimicking the Shai-Hulud campaign pattern (May 15–18). These are follow-on incidents to the campaign already covered in CSA’s mini-shai-hulud research note — no net-new threat actor capability documented.
Turla/Kazuar P2P Botnet Evolution (Secret Blizzard)
Russian APT Secret Blizzard (Turla) evolved its Kazuar backdoor to use peer-to-peer infrastructure for C2 resilience. Significant for government and defense sectors; outside the AI-specific scope of this initiative.
Schneier Analysis: Anthropic’s Mythos AI and Offense-Defense Imbalance
Bruce Schneier published an analysis on May 18 examining the offense-defense asymmetry in AI-assisted security, using Anthropic’s Mythos research as a case study. It provides strategic context for the AI-enabled threat acceleration seen throughout this cycle.
Topics Already Covered — No New Action Required
- npm Supply Chain / Shai-Hulud Worm Clones: Covered by CSA_research_note_mini-shai-hulud-ai-toolchain-supply-chain_20260518. Follow-on clone packages reported May 15–18 are the same campaign — no new note warranted.
- OpenClaw Claw Chain Vulnerabilities (CVE-2026-44112/44113/44115): Covered by CSA_research_note_openclaw-claw-chain-sandbox-escape_20260518. Additional THN vendor advisory coverage on May 15 does not extend the analysis.
- AI-Developed Autonomous Zero-Day Discovery: Covered by CSA_research_note_ai-developed-zero-day-autonomous-exploit_20260518. Schneier / Mythos analysis and Mozilla’s 271-bug pipeline are contextually related but within existing coverage scope.
- ENISA CVE Root Governance: Covered by CSA_research_note_enisa-cve-root-dual-governance_20260518. ENISA’s May 6 announcement of four new CNAs under its root is an operational update, not a new governance development.
- Post-Quantum Harvest-Now-Decrypt-Later: Covered by ai-infrastructure-post-quantum-harvest-now-decrypt-later-v1. Wiz companion announcement on May 18 is commercial product news, not a new research topic.