|
If your agent can read an email, it can be attacked through that email.
That's not a hypothetical. It happened. Multiple times. In production. And most teams building agents right now have no idea they're exposed. Everyone's focused on what agents can do — almost nobody's thinking about what can be done to them. The attackers have already noticed.
📷 Part 1: Indirect Prompt Injection
The Attack That Hides in Your Data
Direct prompt injection is what most people know: a user types "ignore your previous instructions" into the chat. Easy to guard against. Not the real problem.
Indirect prompt injection (IDPI) is the real problem. It happens when malicious instructions are embedded in content the agent retrieves — not in what the user types. An attacker plants a hidden instruction in a document, webpage, email, or database record. Your agent fetches that content as part of a legitimate task. The model processes the hidden instruction as if it were legitimate input. The agent takes an action the attacker intended — not the user.
In late 2025, researchers at Lakera demonstrated this in an agentic IDE environment. A developer's agent read a Google Docs file as part of a task. That file contained invisible text with an embedded instruction. The agent fetched additional instructions from an attacker-controlled MCP server, executed a payload, harvested credentials from the environment, and exfiltrated them — all without a single user interaction. Zero clicks. Full compromise.
The OWASP Top 10 for LLM Applications has listed prompt injection as #1 since 2023. A January 2026 review of 78 studies found that 100% of tested coding agents — including Claude Code, GitHub Copilot, and Cursor — are vulnerable, with adaptive attack success rates exceeding 85%.
🛠️ Part 2: Tool Use Exploitation
When Permissions Become the Attack
The second major vector isn't about tricking the model — it's about abusing the tools the model already has permission to use. Most agent frameworks default to granting broad permissions for convenience. In 2025, 39% of companies reported AI agents accessing unintended systems. 32% saw agents enabling inappropriate data downloads.
|
Failure Mode 1: Over-privilege
Agent has access it doesn't need. A web browsing agent with file write permission. A summarization agent with API call capability. Trim permissions to the minimum required for the specific task — not the maximum you might ever need.
|
|
Failure Mode 2: No approval gates
Agents taking destructive or irreversible actions — sending emails, committing code, making purchases — without human confirmation. The principle: if an action can't be undone, a human should confirm it.
|
|
Failure Mode 3: Tool output blindness
Not validating what tool calls return before acting on them. If your agent calls an external API and that API returns content containing instructions, and your agent processes that content without sanitization — you've just created an indirect injection vector through your own toolchain.
|
CVE-2025-59944 (Cursor): A case-sensitivity bug in Cursor's protection logic meant that a file path like .cursor/./mcp.json bypassed security checks on .cursor/mcp.json. An attacker could overwrite the MCP configuration file and inject instructions that persisted into future code generations — originating from a connected MCP server. One character. Agentic blast radius.
🔒 Part 3: Sandboxing — Your Last Line of Defense
Assume injection happens. Assume the agent gets compromised. What's the blast radius? That's the sandboxing question. Most teams haven't answered it.
Docker isolates processes using Linux namespaces and cgroups — but shares the host kernel. When an AI agent can write and execute arbitrary code, the shared kernel becomes a liability. The UK AI Safety Institute's SandboxEscapeBench (March 2026) found that GPT-5 can break out of standard container sandboxes approximately half the time, at ~$1 per escape attempt. Standard Docker is not a security boundary for frontier-model agents. It's a speed bump.
| Technology |
How It Works |
Use When |
| Docker/Podman |
Namespace isolation, shared kernel |
Low-risk, trusted code only |
| gVisor |
Syscall interception in userspace |
Most production agent workloads |
| Kata Containers |
Hardware-virtualized containers |
Untrusted code, multi-tenant |
| Firecracker microVMs |
Full VM isolation, lightweight |
Highest-security workloads |
| Hardware enclaves (SEV-SNP) |
Confidential compute |
Regulated industries |
gVisor is the practical sweet spot — Google's Agent Sandbox, launched as a CNCF project at KubeCon NA 2025, uses it as the primary isolation layer. Firecracker (AWS) gives you sub-second VM startup with full VM-level isolation. Beyond isolation technology, the deeper principle is capability-based security: issue credentials per-task, revoke access when done, never give an agent a long-lived production API key, filter network egress.
🚨 Part 4: Real Incident Breakdowns
|
Incident 1: Zero-Click RCE via MCP IDE (2025)
A developer's coding agent was tasked with reading a Google Docs file for context. The file contained invisible text directing the agent to contact a specific MCP server. That server's instructions included a payload that harvested environment variables (including API keys), exfiltrated them, and deleted the evidence. No user interaction. No alerts triggered.
Stopped by: content sanitization before processing, MCP call approval gate, network egress whitelist.
|
|
Incident 2: CVE-2025-59944 — Cursor IDE Config Hijack
Cursor's protection logic used case-sensitive matching on the MCP config path. A crafted path bypassed the check. An attacker could overwrite the MCP configuration file via a connected MCP server — reconfiguring the agent's tools, injecting persistent instructions into future sessions, setting up a supply chain attack on all code the developer would subsequently generate.
Root cause: a single-character implementation error. Stopped by: normalized path comparison, immutable config files at the filesystem level.
|
|
Incident 3: Slack AI Indirect Injection (2025)
A hidden instruction embedded in a Slack message triggered Slack's AI assistant to insert a malicious URL into a summarized response. Users received a link that appeared to be from Slack's AI but led to an attacker-controlled domain. The AI was doing exactly what it was designed to do — the input it summarized contained the attack.
Stopped by: strict prompt structure, output filtering for URLs in summarization contexts, human review of AI-generated links.
|
⚖️ Part 5: Anthropic Managed Agents vs DIY
Anthropic's Claude Managed Agents (launched April 8, 2026) bets that the infrastructure layer of agent security is too hard for most teams to get right, so they should outsource it. Managed Agents handles sandboxed code execution, scoped permissions, checkpointing, end-to-end tracing, and credential management — with no long-lived keys in agent environments.
|
What you gain with Managed Agents
A security posture that would take a dedicated platform team months to build, available in days. The default configuration is more secure than most DIY setups. Tested against the attack patterns above.
|
|
What you give up
Model portability (Claude-only), data sovereignty (runs on Anthropic's infrastructure), and pricing control. For regulated industries (healthcare, finance, legal) or teams needing model flexibility: DIY with gVisor/Firecracker + scoped credentials + content sanitization is the answer — but you have to actually build it.
|
The security floor has moved. The OWASP Agentic AI Top 10 (December 2025, 100+ security experts) is now the baseline. If you're building production agents and haven't mapped your architecture against it, you're shipping blind.
|
The Three Things to Do This Week
1. Audit your agent's permissions. List every API key, database credential, and filesystem path your agent has access to. Ask: which ones does it actually need? Revoke the rest.
2. Add a sanitization layer to tool outputs. Before your agent processes content from external sources — web pages, files, emails, API responses — strip anything that looks like instruction format. This raises the cost of injection significantly.
3. Upgrade your sandbox. If you're running agent code execution in standard Docker, evaluate gVisor or Kata Containers. "It's in a container" is no longer a meaningful security claim for frontier model workloads.
|
🔥 Weekly AI Roundup: April 11–17
|
1. Anthropic's Claude Mythos Preview: The Model They Won't Release
Anthropic dropped Claude Mythos Preview — and then didn't release it publicly. Internal testing found it can autonomously identify and exploit zero-day vulnerabilities in every major OS and browser. It discovered CVE-2026-4747 — a 17-year-old FreeBSD RCE vulnerability — entirely on its own and demonstrated the full exploit chain. Anthropic gave it to a small group of security researchers under gated access. The model's existence is a signal: the security threat landscape just got significantly more complex.
Available in gated preview on AWS Bedrock and Google Vertex AI. — Anthropic, April 2026
|
|
2. Meta Debuts Muse Spark from Its New AI Lab
Meta launched its first model from Meta Superintelligence Labs: Muse Spark (internally codenamed "Avocado"). First release from the unit overseen by Alexandr Wang after the $14B acquisition that brought Scale AI's leadership into the company. Meta's AI capex guidance for 2026: $115–135 billion — roughly twice last year's spend.
— Reuters, CNBC, Meta blog, April 8
|
|
3. GLM-5.1 Breaks Into the Top 3 — First Frontier Open Model There
Zhipu AI's GLM-5.1 hit #3 on Code Arena, surpassing Gemini 3.1 and GPT-5.4. First open-weight model to break into the top 3 of a major code benchmark. Achieves 94.6% of Claude Opus 4.6's coding performance at open-weight pricing. If you haven't priced in the option to run capable open models self-hosted — for cost, data sovereignty, or compliance — GLM-5.1 is a reason to revisit.
— Cryptointegrat.com, April 2026
|
|
4. DeepSeek V4 Is Coming — Could Be the Pricing Event of Q2
Expected within weeks: 1 trillion total parameters, 32 billion active via MoE, 1 million token context window, Apache 2.0 license, expected pricing of $0.14–0.30 per million input tokens. For reference, comparable frontier models run $3–15/M tokens. If it delivers on benchmark claims while running on Huawei Ascend 950PR chips — bypassing Nvidia export restrictions — this will be the most disruptive pricing event of Q2.
— Reuters, April 3
|
|
5. Replit + Accenture: Enterprise Vibecoding Is Official
Accenture announced an investment in Replit and is adopting the platform internally across its 700,000+ employees. The goal: "secure vibecoding to enterprises globally." This is the enterprise validation moment for the AI-assisted development category. Other enterprises evaluating whether to allow AI coding tools now have cover to move.
— Accenture / Replit announcement, April 2026
|
|
🔒 Premium Exclusive
The Full AI Agent Security Toolkit
| ✅ OWASP Agentic AI Top 10 Breakdown — All 10 risks mapped to real architecture patterns, with specific mitigations for each. |
| ✅ Production-Ready Agent Execution Stack — gVisor isolation, network egress filtering, and credential vaulting. Copy-paste ready config. |
| ✅ Managed Agents vs. DIY Decision Matrix — When to use Anthropic's infrastructure vs. roll your own, with specific criteria for regulated industries. |
| ✅ Prompt Injection Test Harness — A test suite for evaluating your agent's vulnerability to the three injection patterns in this issue. |
$12/month. Early subscriber pricing.
Get Premium Access — $12/mo
|
|
📅 Issue #8 Preview — April 24–26
Multi-Agent Systems Architecture
How to design agent networks that are actually reliable. Agent-to-agent trust (and why most implementations get it wrong). What the emerging orchestration frameworks get right and wrong.
|
|