Find notable cyber news and cases, enriched with sources, timelines, and signals.

Agent data injection proof-of-concept attacks expose trusted-data flaws in AI agents

Technical Analysis
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

Researchers disclosed agent data injection (ADI), a new attack class that can make shipping AI agents misclick, run attacker commands, and trust fake history across web and coding tools. The technique abuses trusted data fields such as sender names, button IDs, and prior tool results instead of smuggling direct instructions, which weakens defenses built for classic prompt injection. In tests against Claude in Chrome, Google's Antigravity, Nanobrowser, Claude Code, OpenAI's Codex, and Google's Gemini CLI, planted reviews, forged comments, and fake tool records changed agent behavior. The findings raise immediate risk for agents that ingest attacker-editable web content or GitHub text, especially where approval prompts hide the specific action being taken.

Related Happenings

Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex

Technical Analysis
H score28 First: 10.07.2026 16:45 Last: 10.07.2026 16:45 Sources 1

About this happening: Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary f...

HalluSquatting indirect prompt-injection attack on AI coding assistants

Technical Analysis
H score3 First: 08.07.2026 18:07 Last: 08.07.2026 18:07 Sources 1

About this happening: Researchers demonstrated HalluSquatting, an indirect prompt-injection technique that can push AI coding assistants to fetch attacker-controlled resources and execute code....

Indirect prompt-injection web campaigns targeting AI agents

Campaign
H score37 First: 06.07.2026 18:00 Last: 06.07.2026 18:00 Sources 1

About this happening: Two real-world campaigns are using indirect prompt injection and SEO poisoning to steer AI agents into fraudulent actions and false legitimacy judgments. The lures...

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...

Sentry agentjacking analysis shows malicious error events can trigger AI coding agents

Technical Analysis
H score38 First: 11.06.2026 12:15 Last: 11.06.2026 12:15 Sources 1

About this happening: Researchers described Agentjacking as a new attack against AI coding agents that abuses Sentry DSNs and MCP to inject fake error data, causing agents like Claude...

Timeline

  1. 16.07.2026 14:32 1 articles · 2h ago

    Researchers define agent data injection as a trusted-data attack on AI agents

    Initial Disclosure

    Researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft introduced agent data injection (ADI) in a July 6 paper, describing a class of attacks that corrupt trusted data an AI agent relies on instead of smuggling direct instructions. The team reported the findings to affected vendors before publication, and OpenAI, Google, and Anthropic acknowledged the reports.

    Show sources
  2. 16.07.2026 14:32 2 articles · 2h ago

    Planted reviews and forged GitHub comments steer AI agents into unsafe actions

    Technical Analysis Update

    On web agents such as Claude in Chrome, Google's Antigravity, and Nanobrowser, a planted product review reused a real button ID so the agent meant to click "Read More" and clicked "Buy Now" instead. On coding assistants such as Claude Code, OpenAI's Codex, and Google's Gemini CLI, a forged GitHub comment faked a maintainer's author line and could make the assistant run an attacker's command after approval. The same technique proved effective against OpenAI's GPT-5.2 and GPT-5-mini, Anthropic's Claude Opus 4.5 and Sonnet 4.5, and Google's Gemini 3 Pro and Flash.

    Show sources
  3. 16.07.2026 14:32 1 articles · 2h ago

    ChatGPT's Atlas browser resists a click attack with random element IDs

    Mitigation Patch Update

    ChatGPT's Atlas browser resisted the click attack because it tags each page element with a random, unguessable ID instead of a simple counter, and the researchers found that random tags roughly halved success in testing. Against the purpose-built agent defenses they evaluated, classic prompt-injection style order smuggling was almost entirely blocked, while ADI still succeeded up to 50% of the time.

    Show sources