This week's edition of our security review is all about the security challenges that arise from the use of Generative AI systems and AI Agents. By the looks of it, it's compulsory that if you're using these systems every day, you must know their security implications (that's if you don't know already). And if you're in the loop already, this should serve as a reminder of why you should take it more seriously.
Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments
It's my first time reading this kind of attack that uses prompt injection.
Here is what's going on:
Zscaler says it identified two campaigns relying on indirect prompt injection, including a payment scam hiding behind API documentation, and a typosquatting operation promoting a crypto platform that impersonates DeBank.
As part of the first campaign, the threat actor has been using SEO poisoning to target AI agents searching for the Python library requests-secure-v2.
As part of the second campaign, a threat actor is promoting a fraudulent website typosquatting the decentralized finance portfolio tracker DeBank. The indirect prompts used in this campaign tell the AI agents that the impersonating website is the legitimate DeBank domain.
CrowdStrike Uncovers New Prompt Injection Techniques
I am not surprised. I mean, as humans, when we notice that a system is deemed secure or at least, it was advertised that it does not allow certain things, we find a way to make it do that very same thing. While reading the article, I greatly admired the creativity of the prompt injection. It just shows you, and as things stand, GenAI systems can be tricked.
From the article:
Prompt injection is no longer just about obvious jailbreaks. Adversaries can manipulate AI systems through hidden context, delayed triggers, semantic constraints, boundary spoofing, formatting tricks, encoded payloads, and implied procedural knowledge.
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware
A key lesson from this article: as a developer using Generative AI in your daily activities, always inspect the package names in the AI-generated code.
From the article:
The trap is not code that runs by itself. It works because these assistants keep a terminal among their built-in tools, so once the planted instructions take over, "install a bot" is simply something the assistant can do.
What makes it practical is that the fake names are not random. In the researchers' experiments, the mistake was consistent: across different phrasings and across models from different companies,
Why AI Governance Without Guardrails Is Theater
What I learned from this article is this: any organization that needs AI to work effectively for them, needs all hands on deck. No if's. No but's.
Here is why:
AI governance isn’t only about what’s allowed. It’s about what’s possible in the architecture, what’s safe in the threat model, and what’s useful to the business.
AI Coding Tools Tricked Into Hacking Developer Machine via Decades-Old Technique
The title says it all. Now, the question: what made this possible?
Here you go:
Dubbed GhostApproval, the attack has been successfully tested against Claude Code, Amazon Q Developer, Cursor, Google Antigravity, Augment, and Windsurf.
In a GhostApproval attack, hackers plant a symbolic link in a seemingly benign repository that masquerades as a normal project file but actually points to a sensitive location outside the workspace.
When a developer opens the repo in an AI coding assistant and instructs it to make edits, the agent follows the symlink and performs the write on the target specified by the attacker.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (0)