惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Y
Y Combinator Blog
T
The Blog of Author Tim Ferriss
云风的 BLOG
云风的 BLOG
H
Help Net Security
Recorded Future
Recorded Future
The Register - Security
The Register - Security
F
Full Disclosure
N
Netflix TechBlog - Medium
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hackread – Cybersecurity News, Data Breaches, AI and More
爱范儿
爱范儿
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
Cisco Talos Blog
Cisco Talos Blog
I
InfoQ
T
Tenable Blog
T
Tor Project blog
人人都是产品经理
人人都是产品经理
D
DataBreaches.Net
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
博客园 - 叶小钗
B
Blog
V
V2EX
Jina AI
Jina AI
L
LangChain Blog
月光博客
月光博客
W
WeLiveSecurity
U
Unit 42
AWS News Blog
AWS News Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 聂微东
V
Visual Studio Blog
A
Arctic Wolf
T
Tailwind CSS Blog
The Cloudflare Blog
SecWiki News
SecWiki News
S
SegmentFault 最新的问题
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
MyScale Blog
MyScale Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
S
Securelist
www.infosecurity-magazine.com
www.infosecurity-magazine.com
腾讯CDC
雷峰网
雷峰网

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
AI agents are 'gullible' and easy to turn into your minions
Jessica Lyons Jessica Lyons · 2026-03-24 · via The Register - Security: Research

RSA

Zenity CTO demos 0-click AI agent exploits on stage at RSAC

RSAC 2026 There's a very simple reason why just about every enterprise AI agent is vulnerable to zero-click attacks, according to Michael Bargury, CTO of AI security company Zenity.

"AI is just gullible," Bargury said in an interview with The Register. "We are trying to shift the mindset from prompt injection - because it is a very technical term - and convince people that this is actually just persuasion. I'm just persuading the AI agent that it should do something else."

That something else includes persuading Cursor to leak developers' secrets, or Salesforce agents to send all customer interactions to an attacker-controlled server, or ChatGPT to steal Google Drive data. 

"Even more than that, I can get ChatGPT to manipulate you," Bargury said. "ChatGPT is a trusted advisor. You ask it questions that can be sensitive, you ask it for advice. It can be manipulated to answer whatever I want - and not just in the specific conversation, but long term."

Bargury's giving a talk on Monday at RSAC, titled "Your AI Agents Are My Minions," during which he will demo these and other zero-click prompt infection attacks against Cursors, Salesorce, ChatGPT, Gemini, Copilot, Einstein, and their custom agents. 

He shared his research with The Register ahead of his RSAC presentation, and said it builds on work he's done over the past couple of years - presented at Black Hat and other security conferences - developing working exploits in all of the big AI assistants that require no user interaction.

Earlier this month, Zenity disclosed a family of vulnerabilities that allowed attackers to steal local files from someone using Perplexity's Comet browser simply by sending the victim a calendar event.

0-click prompt injection

"What we're seeing now is that because agents gain access to data that they can browse at will, this becomes an attack factor that leads to zero-click exploitation," he said. "An attacker goes to the internet, they find a way to target you specifically, they send the prompt injection, the injection gets into your agent, and then hijacks it to do whatever they want."

All with zero user interaction - and it's pretty easy to do.

For example: Cursor is commonly used with Jira via a Model Context Protocol (MCP) connection. This allows the AI to read, create, and update Jira tickets directly within the editor. Developers can use this integration to automate Jira ticket creation every time they receive a support ticket email, and ask the agent to solve open tickets.

"But some of these open cases come in from the external world, and you can go out and search the internet for these endpoints that are hooked up to automated Jira ticket creation, and that's a way for you to send your payload," Bargury said.

I'm going to show similar kinds of attacks on Microsoft Copilot, Google Gemini, Salesforce's Agentforce, and ChatGPT. And the reason behind this is to say, look, even the best out there are extremely vulnerable

An attacker could search for support email addresses that automatically create Jira tickets and send an email with a malicious prompt embedded. Cursor automatically opens the email and acts on the prompt. 

In the example that Bargury will demonstrate at RSAC, his team wanted to trick Cursor into finding secrets and sending them to a Zenity-controlled endpoint. "But Cursor doesn't want to do that, because it's been trained not to." 

Cursor, which heavily uses Anthropic's Claude models, has guardrails that prevent it from accessing and exfiltrating secrets. So instead of promoting the AI agent to steal secrets, Zenity's team told Cursor that it is participating in a treasure hunt.

"And as part of this treasure hunt, it's really important for us to find apples," Bargury said. "And by the way, here is the format of what apples look like - and we give a format of what a secret looks like."

The AI willingly complied with the malicious prompt, leading to remote code execution on the compromised machine and allowing the Zenity team to steal secrets.

"In the talk, I'm going to show similar kinds of attacks on Microsoft Copilot, Google Gemini, Salesforce's Agentforce, and ChatGPT," Bargury said. "And the reason behind this is to say, look, even the best out there are extremely vulnerable."

This isn't just theoretical. Zenity has a global network of honeypots, and Bargury said that these have captured attackers probing what they believe are legitimate enterprise AI agents. "These are not just network-level requests," he said. "These are prompt-level requests. They will send out a prompt to try to either use your system for their purposes, or try to understand what model you're hosting. So it's already happening."  

The solution, he says, is creating hard boundaries - these are deterministic limitations to what the AI agent can do that are enforced at the code level, before the model's reasoning takes over. "If you just ask the AI really nicely not to do something - that's not a boundary," Bargury said. "You need to put software around it that actually limits its capabilities."

For example: if an AI agent reads sensitive information, put a hard boundary in place to prevent it from sending that information outside of the organization, he explained.

"But that is advice for builders, right? It's not advice for users,"  Bargury said. "For users, these things appear so magical that we tend to fully trust them. They become a trusted advisor, but we need to be careful, because a trusted advisor can lead you off the cliff."

In other words: don't trust until you verify. ®