CISO Daily Briefing
Cloud Security Alliance Intelligence Report
Executive Summary
The last 48 hours produced a dense cluster of agentic-AI-specific incidents rather than routine CVE churn. JadePuffer is Sysdig’s documented first case of ransomware run end-to-end by an autonomous LLM agent, self-correcting a failed login in 31 seconds with no human directing individual steps. A now-patched Amazon Q Developer flaw let a booby-trapped repository silently auto-execute MCP configs and steal live AWS credentials — a pattern echoed in Cursor, Claude Code, and Windsurf. Unit 42’s audit of OpenClaw’s ClawHub marketplace found 80% of nearly 50,000 published agent skills showed behavior mismatches. On the governance side, CISA’s BOD 26-04 replaces calendar-based patch SLAs with risk-prioritized windows as short as three days, a shift CISOs should expect mirrored across vendor and regulatory expectations.
Overnight Research Output
JadePuffer: Inside the First Fully AI-Agent-Orchestrated Ransomware Attack
CRITICAL URGENCY
Summary: Sysdig documented JadePuffer as the first fully autonomous, LLM-agent-run ransomware operation: reconnaissance, credential theft, lateral movement, and extortion were all executed by the agent itself, with no human directing individual steps. The agent exploited a year-old Langflow RCE (CVE-2025-3248) and a Nacos authentication bypass, harvested LLM provider and cloud API keys, and self-corrected a failed login in 31 seconds before encrypting 1,342 configuration records with a key that was never stored, making recovery impossible even for a paying victim.
Key Sources:
Sysdig — JADEPUFFER: Agentic ransomware for automated database extortion
BleepingComputer — JadePuffer ransomware used AI agent to automate entire attack
Amazon Q Developer’s MCP Auto-Execution Flaw
CRITICAL URGENCY
Summary: Wiz Research found that Amazon Q Developer’s VS Code extension auto-loaded MCP server configs from a workspace file with no consent prompt, so simply opening a booby-trapped repository could execute attacker code and steal a developer’s live AWS session credentials. AWS patched the flaw (CVE-2026-12957) in Language Servers 1.69.0, but nearly identical MCP trust-boundary failures have now surfaced independently in Claude Code, Cursor, and Windsurf, pointing to a systemic design gap across AI coding assistants rather than a single vendor’s bug.
Key Sources:
Wiz Research — MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
The Hacker News — Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
From Executive Order to Enforcement: BOD 26-04’s Patch Signal
HIGH URGENCY
Summary: CISA’s Binding Operational Directive 26-04, issued eight days ahead of its 30-day deadline under the June 2026 AI executive order, replaces uniform 15-to-30-day patch windows with a four-variable risk matrix that can compress remediation to three days for internet-exposed, actively exploited, automatable, full-control vulnerabilities. FedRAMP has already finalized companion rules requiring cloud providers to adopt the same timelines by December 7, 2026. CISOs should treat this as a preview of how AI-justified urgency will reshape patch SLAs well beyond federal agencies.
Key Sources:
CISA — BOD 26-04: Prioritizing Security Updates Based on Risk
The White House — Promoting Advanced Artificial Intelligence Innovation and Security
ClawHub Under the Microscope: Agentic AI Supply Chain Risk
HIGH URGENCY
Summary: Unit 42’s audit of OpenClaw’s ClawHub skill marketplace found that 80% of nearly 50,000 published agent skills showed some mismatch between declared and actual behavior, and roughly 5% carried multi-stage attack chains; five newly disclosed malicious skills had evaded automated scanning entirely, including two using novel “agentic” fraud techniques rather than conventional malware. This is the fourth distinct wave of ClawHub supply-chain incidents since February 2026, underscoring that marketplace-scale trust and curation failures will recur across every agentic AI skill ecosystem as adoption grows.
Key Sources:
Unit 42, Palo Alto Networks — OpenClaw’s Skill Marketplace and the Emerging AI Supply Chain Threat
Dark Reading — More Malicious OpenClaw Skills Threaten AI Supply Chain
Notable News & Signals
Phantom Squatting: Adversaries Pre-Register AI-Hallucinated Domains
Unit 42 found attackers pre-registering domains that LLMs reliably hallucinate for real brands across 913 companies, building phishing kits within weeks of flagging — extending “slopsquatting” from package names to brand infrastructure.
Topics Already Covered (No New Action Required)
- MCP risk guidance: CSA’s blog post “7 MCP Risks CISOs Should Consider and How to Prepare” (June 15, 2026) already covers general Model Context Protocol risk at an advisory level; today’s Amazon Q topic goes deeper into a specific, exploited incident rather than repeating that guidance.
- Agent skill risk guidance: CSA’s blog post “5 Claude Agent Skills Risks Every CISO Should Know” (June 25, 2026) already covers general agent-skill risk; today’s ClawHub topic adds a quantified, marketplace-scale audit not addressed there.