Breach intelligence · sourced research desk
Every breach, reproduced as a fixable pattern.
Breachwire is a sourced research desk documenting real security breaches in AI/LLM apps, web applications, and PWAs — each with root cause, detection, prevention, and a red→green fix, mapped to OWASP, NIST AI RMF, and MITRE ATLAS.
57 sourced reports · mapped to OWASP, NIST AI RMF, MITRE ATLAS
AI & LLM Breaches
LangGrinch: a serialization escaping bug turns LLM output into secret theft and RCE in LangChain Core
LangChain Core's serializer failed to escape user dictionaries carrying LangChain's internal 'lc' marker, so attacker-controlled data — reachable through prompt injection — was rehydrated as real LangChain objects, enabling environment-secret extraction and remote code execution.
vLLM's auto_map RCE: a model config that runs remote code even with trust_remote_code off
vLLM fetched and executed Python referenced by a model config's auto_map entry regardless of trust_remote_code=False, so loading an attacker's model repository silently ran their code.
CamoLeak: GitHub Copilot Chat turned into a silent private-repo exfiltration channel
Invisible instructions hidden in a pull request made GitHub Copilot Chat leak private source code and secrets one character at a time through GitHub's own image proxy.
The Gemini Trifecta: three injection paths into Google's AI assistant
Tenable disclosed three distinct injection flaws in Google Gemini — via cloud logs, poisoned search history, and the browsing tool — each capable of turning trusted data into attacker instructions or an exfiltration path.
ShadowLeak: a zero-click email that made ChatGPT's Deep Research agent leak a Gmail inbox
A single crafted email with hidden instructions made ChatGPT's Deep Research agent exfiltrate Gmail data from OpenAI's own servers, with no user action and nothing visible in the interface.
CurXecute: a Slack message that rewrote Cursor's MCP config into remote code execution
An indirect prompt injection reaching Cursor through an MCP server could rewrite the agent's mcp.json configuration and trigger command execution before the user could even reject the change.
MCPoison: Cursor trusted an MCP server by name, so its contents could change to code execution
Once a user approved an MCP server in Cursor, later silent edits to its configuration were trusted by name rather than by content — letting an attacker swap in a malicious command that ran on each project open.
The MCP server RCE pattern: when an AI's tool runs your words through a shell
A recurring flaw across the Model Context Protocol ecosystem: an MCP server passes an LLM-filled parameter to a shell without sanitization, so indirect prompt injection becomes remote code execution.
Comet: an AI browser that read your email when you asked it to summarize a page
Brave showed that hidden instructions on any webpage could hijack Perplexity's Comet browser when a user clicked summarize, letting it read the user's email and steal a one-time password for account takeover.
Amazon Q: a wiper prompt shipped inside a signed VS Code extension
An attacker merged a malicious pull request that planted a destructive system-prompt instruction into the Amazon Q Developer VS Code extension; it shipped to users and only failed to wipe files and AWS resources because of a syntax error.
MCP Inspector: a no-auth developer tool that let any website run code on your machine
Anthropic's MCP Inspector ran a local proxy with no authentication, so a malicious website could reach it through the browser and execute arbitrary commands on the developer's machine.
EchoLeak: the first zero-click data theft from a production AI assistant
A single crafted email with hidden instructions made Microsoft 365 Copilot exfiltrate a user's data with zero clicks — the first real-world zero-click prompt-injection data theft in a production AI assistant.
DeepSeek left a database open to the internet — chat history and API keys included
Wiz found a publicly reachable, unauthenticated DeepSeek database exposing over a million log lines — including plaintext chat history and API keys — with an open console that ran arbitrary SQL.
DeepSeek's system prompt, extracted: a jailbreak that talked the model past its own guardrails
Wallarm researchers used a novel jailbreak to make DeepSeek disclose its full hidden system prompt — the instructions and guardrails it refuses to reveal on direct request.
Slack AI: hidden text in a public channel that stole secrets from private ones
An attacker who could post to a public Slack channel could plant hidden instructions that made Slack AI leak secrets from private channels the attacker could not access.
Probllama: a path-traversal in Ollama's model puller became root RCE on exposed servers
A path-traversal in Ollama's model-pull endpoint let an attacker write arbitrary files and, by corrupting ld.so.preload, achieve remote code execution as root on internet-exposed instances.
The LlamaIndex safe_eval class: underscore-blocklist bypasses, exec on class names, and prompt-driven SQL injection
LlamaIndex repeatedly let prompt-influenced strings reach code evaluators and database queries — a blocklist that missed underscore-free payloads, an exec on an attacker class name, and an unparameterized vector-store delete — yielding RCE and SQL injection.
Air Canada's chatbot invented a refund policy — and a tribunal made the airline pay
Air Canada's support chatbot told a customer he could claim a bereavement fare retroactively — a policy that did not exist. A tribunal rejected the airline's claim that the bot was a separate entity and held Air Canada liable.
Malicious models on Hugging Face: ~100 pickle backdoors, and a scanner that could be walked past
JFrog found ~100 malicious models on Hugging Face that ran reverse shells the instant they were loaded via pickle deserialization — and later showed the community scanner meant to catch them, PickleScan, could be bypassed with a file-extension trick.
PoisonedRAG: five planted passages in a million-document corpus flip a RAG system's answer
PoisonedRAG showed that injecting as few as five crafted passages per target question into a knowledge base of millions of documents makes a RAG system return the attacker's chosen answer roughly 90% of the time.
The $1 Tahoe: prompt injection turns a dealership chatbot into a legally-binding salesman
Users prompt-injected a ChatGPT-powered dealership chatbot into agreeing to sell a Chevy Tahoe for $1 and calling the offer legally binding — a viral demonstration that a generic LLM bolted onto a business has no sense of authority or limits.
The LangChain eval-and-fetch class: how load_prompt, VectorSQLDatabaseChain, and SitemapLoader became RCE and SSRF
A recurring LangChain pattern — evaluating untrusted strings and fetching attacker-named URLs — produced remote code execution via load_prompt and VectorSQLDatabaseChain and server-side request forgery via the sitemap loader.
Samsung's ChatGPT leak: proprietary source code pasted into a chatbot, and a company-wide ban
Samsung engineers pasted proprietary source code and internal data into ChatGPT to get help, sending it to a third-party service outside company control — prompting Samsung to ban generative-AI chatbots for employees.
Web Application Breaches
Oracle E-Business Suite: a zero-day RCE fueled a Cl0p extortion wave
The Cl0p ransomware group exploited an unauthenticated RCE zero-day in Oracle E-Business Suite before patches existed, using an attacker-controlled XSL stylesheet to run commands and drive a data-theft extortion campaign.
npm's Shai-Hulud: phished maintainers, poisoned chalk and debug, a self-spreading worm
A September 2025 wave of npm attacks began with a phishing email that poisoned chalk, debug and other packages with over two billion weekly downloads, and escalated into Shai-Hulud, a self-propagating worm that stole developer tokens and republished malware automatically.
SharePoint 'ToolShell': insecure deserialization to unauthenticated RCE and key theft
Attackers exploited an insecure-deserialization flaw in on-premises SharePoint as a zero-day, gaining unauthenticated RCE and stealing the server's cryptographic machine keys to forge authentication tokens and persist.
CitrixBleed 2: a memory leak that handed attackers live session tokens
An out-of-bounds memory read in Citrix NetScaler ADC and Gateway let unauthenticated attackers extract session tokens from device memory, hijacking authenticated sessions and bypassing multi-factor authentication.
Next.js middleware: one spoofed header skipped authentication entirely
A spoofable internal header, x-middleware-subrequest, let attackers make Next.js skip middleware entirely — bypassing authentication and authorization checks enforced there on self-hosted deployments.
tj-actions/changed-files: a retagged GitHub Action leaked CI secrets from 23,000 repos
A widely used GitHub Action was compromised so that its version tags pointed to malicious code that dumped CI/CD secrets into build logs, exposing secrets across an estimated 23,000 repositories.
polyfill.io: how one bought domain poisoned 100,000+ websites overnight
A popular free JavaScript CDN changed ownership and began serving malicious code to an estimated 100,000+ sites that loaded it by name instead of by hash.
Snowflake customer breaches: no MFA, stolen passwords, 160+ companies
The threat group UNC5537 logged into more than 160 Snowflake customer environments using passwords stolen by infostealer malware, exploiting the absence of enforced multi-factor authentication rather than any flaw in Snowflake itself.
The XZ Utils backdoor: a two-year social-engineering supply-chain attack
A malicious backdoor was patiently inserted into the xz/liblzma compression library by a long-trusted maintainer persona, designed to break sshd authentication and grant remote unauthorized access, scoring the maximum CVSS 10.0.
Fortinet FortiOS SSL VPN: an out-of-bounds write became unauthenticated RCE
An out-of-bounds write in the FortiOS SSL VPN daemon let remote, unauthenticated attackers run arbitrary code via crafted HTTP requests; Fortinet disclosed it under active exploitation and CISA added it to the KEV catalog within a day.
GraphQL batching and introspection: when flexibility becomes attack surface
GraphQL's introspection and aliasing features, left unrestricted, leak the full schema and let a single request pack many operations — defeating rate limits and enabling brute-force of authentication codes and other secrets.
Ivanti Connect Secure: two bugs chained into unauthenticated RCE
Attackers chained an authentication bypass (CVE-2023-46805) with a command-injection flaw (CVE-2024-21887) in Ivanti Connect Secure and Policy Secure gateways to achieve unauthenticated remote code execution, deploying webshells and stealing credentials.
Stored XSS to account takeover: the web's most common bug class
Cross-site scripting is the single most common vulnerability class in bug bounty and the #1 entry on the CWE Top 25; injected script running in a victim's browser can steal session tokens and drive full account takeover.
MOVEit Transfer: one SQL injection, thousands of organizations breached
The Cl0p ransomware group exploited an unauthenticated SQL injection in Progress MOVEit Transfer to deploy a web shell and exfiltrate data from thousands of organizations worldwide.
Toyota T-Connect: a hardcoded access key sat public on GitHub for five years
A subcontractor published Toyota T-Connect source code to a public GitHub repository with a database access key embedded, leaving customer data reachable for roughly five years and exposing about 296,000 customers' details.
Optus: an unauthenticated API endpoint exposed millions of customers
An internet-exposed Optus API endpoint required no authentication, allowing an attacker to pull the personal records of millions of customers directly from the service.
Log4Shell: one log line that gave the internet remote code execution
A JNDI-lookup feature in the ubiquitous Apache Log4j logging library let unauthenticated attackers run arbitrary code on any server that logged an attacker-controlled string, scoring a maximum CVSS 10.0.
Codecov Bash Uploader: a modified build tool that quietly stole CI secrets
Attackers extracted a cloud credential from a Codecov Docker image and used it to alter the widely used Bash Uploader script so that it exfiltrated environment variables and secrets from customers' CI pipelines.
Capital One: SSRF to cloud metadata to 106 million records
An attacker exploited a server-side request forgery flaw in a misconfigured web application firewall to query the EC2 instance metadata service, steal over-permissive IAM credentials, and exfiltrate roughly 106 million customer records from cloud storage.
PWA & Startup Breaches
Langflow: one unauthenticated POST turns an AI workflow builder into a shell
Langflow, an open-source AI agent workflow builder, shipped endpoints that execute attacker-supplied code without authentication — CVE-2025-34291 (CVSS 9.4) and CVE-2026-33017 (CVSS 9.8), the latter weaponized within 20 hours of disclosure to deploy Monero cryptominers on exposed servers.
Chat & Ask AI: 300 million messages readable by anyone with the project URL
The AI app Chat & Ask AI exposed around 300 million messages tied to 25 million users because its Firebase Security Rules were set to public, letting anyone with the project URL read, modify, or delete data without authentication.
Flowise CustomMCP: a config field piped straight into Function() gives CVSS 10 RCE
Flowise's CustomMCP node passed the untrusted mcpServerConfig field into JavaScript's Function() constructor, giving unauthenticated remote code execution (CVSS 10.0) on instances without API-key protection.
The Tea app breach: a Firebase database left open, then an API that trusted any user
The women's safety app Tea suffered two breaches rooted in authentication and authorization failures: a Firebase database left open because security policies were never configured, and a second flaw letting any user use their own API key to download other users' chats.
The vibe-coding RLS epidemic: AI-built apps shipped with no lock on the database
Apps generated by the AI builder Lovable frequently shipped Supabase backends with Row-Level Security missing — so anyone with the public key could read private tables. A scan of 1,645 apps found roughly 170 exposed.
OmniGPT: 34 million chat lines leaked — with the credentials and keys users pasted in
A threat actor claimed to have breached AI chatbot OmniGPT and leaked around 30,000 user emails and phone numbers plus 34 million lines of chat messages that reportedly contained credentials, API keys, and billing details users had pasted into conversations.
Ollama in the open: 1,139 LLM servers on Shodan, hundreds answering with no auth
Cisco used Shodan to find 1,139 internet-exposed Ollama instances on port 11434, of which 214 were actively serving live models with no authentication — open to arbitrary prompts, model extraction, and resource abuse.
The unlocked memory of AI apps: exposed vector databases with no authentication
Vector databases that back RAG applications are frequently deployed with no authentication, letting attackers who reach them exfiltrate embeddings, partially reconstruct source documents via model inversion, and poison retrieval — a documented misconfiguration class.
sk- in the browser: thousands of OpenAI keys shipped in client code and public repos
Cyble found OpenAI API keys exposed at scale — over 5,000 GitHub repositories and around 3,000 public websites shipping sk- keys in client-side JavaScript or committed source, where automated scanners abuse them within hours or minutes.
The PWA that installs like a native app — and the push channel that phishes you after
ESET documented phishing that installs banking-app lookalikes as WebAPKs with no untrusted-source warning, and Matrix Push C2 shows how the browser push channel is then abused to deliver spoofed OS-level notifications carrying phishing and malware.
The .env harvest: 90,000 secrets scraped from exposed files, then cloud extortion
Unit 42 documented an extortion campaign that scanned the internet for publicly exposed .env files, harvested over 90,000 environment variables including cloud, SaaS, and AI keys across 110,000 domains, then used them to break into cloud accounts and extort victims.
WotNot's open bucket: 346,000 passports and medical records with no password
AI chatbot startup WotNot left a Google Cloud Storage bucket of 346,381 files — including passport scans, medical records, and resumes — accessible to anyone on the internet with no authentication.
Sisense: a hardcoded token in the code repo unlocked terabytes of customer data
Attackers reached Sisense's self-managed GitLab repository, found a hardcoded credential to the company's Amazon S3 buckets, and exfiltrated several terabytes of customer data including access tokens, email passwords, and SSL certificates — prompting a rare CISA warning.
The XSS that won't die: service-worker cache poisoning in PWAs
A single same-origin XSS in a Progressive Web App can be escalated into a persistent person-in-the-middle over cached content — one that outlives the original XSS fix.
The ChatGPT Redis bug: a cancelled request handed you a stranger's chat history
A race condition in the open-source redis-py client let cancelled requests return another user's cached data, exposing chat titles and, for about 1.2% of ChatGPT Plus subscribers, some billing information.