AI & LLM Breaches
LangGrinch: a serialization escaping bug turns LLM output into secret theft and RCE in LangChain Core
LangChain Core's serializer failed to escape user dictionaries carrying LangChain's internal 'lc' marker, so attacker-controlled data — reachable through prompt injection — was rehydrated as real LangChain objects, enabling environment-secret extraction and remote code execution.
vLLM's auto_map RCE: a model config that runs remote code even with trust_remote_code off
vLLM fetched and executed Python referenced by a model config's auto_map entry regardless of trust_remote_code=False, so loading an attacker's model repository silently ran their code.
CamoLeak: GitHub Copilot Chat turned into a silent private-repo exfiltration channel
Invisible instructions hidden in a pull request made GitHub Copilot Chat leak private source code and secrets one character at a time through GitHub's own image proxy.
The Gemini Trifecta: three injection paths into Google's AI assistant
Tenable disclosed three distinct injection flaws in Google Gemini — via cloud logs, poisoned search history, and the browsing tool — each capable of turning trusted data into attacker instructions or an exfiltration path.
ShadowLeak: a zero-click email that made ChatGPT's Deep Research agent leak a Gmail inbox
A single crafted email with hidden instructions made ChatGPT's Deep Research agent exfiltrate Gmail data from OpenAI's own servers, with no user action and nothing visible in the interface.
CurXecute: a Slack message that rewrote Cursor's MCP config into remote code execution
An indirect prompt injection reaching Cursor through an MCP server could rewrite the agent's mcp.json configuration and trigger command execution before the user could even reject the change.
MCPoison: Cursor trusted an MCP server by name, so its contents could change to code execution
Once a user approved an MCP server in Cursor, later silent edits to its configuration were trusted by name rather than by content — letting an attacker swap in a malicious command that ran on each project open.
The MCP server RCE pattern: when an AI's tool runs your words through a shell
A recurring flaw across the Model Context Protocol ecosystem: an MCP server passes an LLM-filled parameter to a shell without sanitization, so indirect prompt injection becomes remote code execution.
Comet: an AI browser that read your email when you asked it to summarize a page
Brave showed that hidden instructions on any webpage could hijack Perplexity's Comet browser when a user clicked summarize, letting it read the user's email and steal a one-time password for account takeover.
Amazon Q: a wiper prompt shipped inside a signed VS Code extension
An attacker merged a malicious pull request that planted a destructive system-prompt instruction into the Amazon Q Developer VS Code extension; it shipped to users and only failed to wipe files and AWS resources because of a syntax error.
MCP Inspector: a no-auth developer tool that let any website run code on your machine
Anthropic's MCP Inspector ran a local proxy with no authentication, so a malicious website could reach it through the browser and execute arbitrary commands on the developer's machine.
EchoLeak: the first zero-click data theft from a production AI assistant
A single crafted email with hidden instructions made Microsoft 365 Copilot exfiltrate a user's data with zero clicks — the first real-world zero-click prompt-injection data theft in a production AI assistant.
DeepSeek left a database open to the internet — chat history and API keys included
Wiz found a publicly reachable, unauthenticated DeepSeek database exposing over a million log lines — including plaintext chat history and API keys — with an open console that ran arbitrary SQL.
DeepSeek's system prompt, extracted: a jailbreak that talked the model past its own guardrails
Wallarm researchers used a novel jailbreak to make DeepSeek disclose its full hidden system prompt — the instructions and guardrails it refuses to reveal on direct request.
Slack AI: hidden text in a public channel that stole secrets from private ones
An attacker who could post to a public Slack channel could plant hidden instructions that made Slack AI leak secrets from private channels the attacker could not access.
Probllama: a path-traversal in Ollama's model puller became root RCE on exposed servers
A path-traversal in Ollama's model-pull endpoint let an attacker write arbitrary files and, by corrupting ld.so.preload, achieve remote code execution as root on internet-exposed instances.
The LlamaIndex safe_eval class: underscore-blocklist bypasses, exec on class names, and prompt-driven SQL injection
LlamaIndex repeatedly let prompt-influenced strings reach code evaluators and database queries — a blocklist that missed underscore-free payloads, an exec on an attacker class name, and an unparameterized vector-store delete — yielding RCE and SQL injection.
Air Canada's chatbot invented a refund policy — and a tribunal made the airline pay
Air Canada's support chatbot told a customer he could claim a bereavement fare retroactively — a policy that did not exist. A tribunal rejected the airline's claim that the bot was a separate entity and held Air Canada liable.
Malicious models on Hugging Face: ~100 pickle backdoors, and a scanner that could be walked past
JFrog found ~100 malicious models on Hugging Face that ran reverse shells the instant they were loaded via pickle deserialization — and later showed the community scanner meant to catch them, PickleScan, could be bypassed with a file-extension trick.
PoisonedRAG: five planted passages in a million-document corpus flip a RAG system's answer
PoisonedRAG showed that injecting as few as five crafted passages per target question into a knowledge base of millions of documents makes a RAG system return the attacker's chosen answer roughly 90% of the time.
The $1 Tahoe: prompt injection turns a dealership chatbot into a legally-binding salesman
Users prompt-injected a ChatGPT-powered dealership chatbot into agreeing to sell a Chevy Tahoe for $1 and calling the offer legally binding — a viral demonstration that a generic LLM bolted onto a business has no sense of authority or limits.
The LangChain eval-and-fetch class: how load_prompt, VectorSQLDatabaseChain, and SitemapLoader became RCE and SSRF
A recurring LangChain pattern — evaluating untrusted strings and fetching attacker-named URLs — produced remote code execution via load_prompt and VectorSQLDatabaseChain and server-side request forgery via the sitemap loader.
Samsung's ChatGPT leak: proprietary source code pasted into a chatbot, and a company-wide ban
Samsung engineers pasted proprietary source code and internal data into ChatGPT to get help, sending it to a third-party service outside company control — prompting Samsung to ban generative-AI chatbots for employees.