.png)
Overall Incident Trends
- 16,200 AI-related security incidents in 2025 (49% increase YoY)
- ~3.3 incidents per day across 3,000 U.S. companies
- Finance and healthcare: 50%+ of all incidents
- Average breach cost: $4.8M (IBM 2025)
Source: Obsidian Security AI Security Report 2025
Critical CVEs (CVSS 8.0+)
CVE-2025-53773 - GitHub Copilot Remote Code Execution
CVSS Score: 9.6 (Critical) Vendor: GitHub/Microsoft Impact: Remote code execution on 100,000+ developer machines Attack Vector: Prompt injection via code comments triggering "YOLO mode" Disclosure: January 2025
References:
- NVD Database: https://nvd.nist.gov/vuln/detail/CVE-2025-53773
- Research Paper: https://www.mdpi.com/2078-2489/17/1/54
- Attack Mechanism: Code comments containing malicious prompts bypass safety guidelines
Detection: Monitor for unusual Copilot process behavior, code comment patterns with system-level commands
CVE-2025-32711 - Microsoft 365 Copilot (EchoLeak)
CVSS Score: Not yet scored (likely High/Critical) Vendor: Microsoft Impact: Zero-click data exfiltration via crafted email Attack Vector: Indirect prompt injection bypassing XPIA classifier Disclosure: January 2025
References:
- NVD Database: https://nvd.nist.gov/vuln/detail/CVE-2025-32711
- Attack Mechanism: Malicious prompts embedded in email body/attachments processed by Copilot
Detection: Monitor M365 Copilot API calls for unusual data access patterns, particularly after email processing
CVE-2025-68664 - LangChain Core (LangGrinch)
CVSS Score: Not yet scored Vendor: LangChain Impact: 847 million downloads affected, credential exfiltration Attack Vector: Serialization vulnerability + prompt injection Disclosure: January 2025
References:
- NVD Database: https://nvd.nist.gov/vuln/detail/CVE-2025-68664
- Technical Analysis: https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/
- Attack Mechanism: Malicious LLM output triggers object instantiation → credential exfiltration via HTTP headers
Detection: Monitor LangChain applications for unexpected object creation, outbound connections with environment variables in headers
CVE-2024-5184 - EmailGPT Prompt Injection
CVSS Score: 8.1 (High) Vendor: EmailGPT (Gmail extension) Impact: System prompt leakage, email manipulation, API abuse Attack Vector: Prompt injection via email content Disclosure: June 2024
References:
- NVD Database: https://nvd.nist.gov/vuln/detail/CVE-2024-5184
- BlackDuck Advisory: https://www.blackduck.com/blog/cyrc-advisory-prompt-injection-emailgpt.html
- Attack Mechanism: Malicious prompts in emails override system instructions
Detection: Monitor browser extension API calls, unusual email access patterns, token consumption spikes
CVE-2025-54135 - Cursor IDE (CurXecute)
CVSS Score: Not yet scored (likely High) Vendor: Cursor Technologies Impact: Unauthorized MCP server creation, remote code execution Attack Vector: Prompt injection via GitHub README files Disclosure: January 2025
References:
- Analysis: https://nsfocusglobal.com/prompt-word-injection-an-analysis-of-recent-llm-security-incidents/
- Attack Mechanism: Malicious instructions in README cause Cursor to create .cursor/mcp.json with reverse shell commands
Detection: Monitor .cursor/mcp.json creation, file system changes in project directories, GitHub repository access patterns
CVE-2025-54136 - Cursor IDE (MCPoison)
CVSS Score: Not yet scored (likely High) Vendor: Cursor Technologies Impact: Persistent backdoor via MCP trust abuse Attack Vector: One-time trust mechanism exploitation Disclosure: January 2025
References:
- Analysis: https://nsfocusglobal.com/prompt-word-injection-an-analysis-of-recent-llm-security-incidents/
- Attack Mechanism: After initial approval, malicious updates to approved MCP configs bypass review
Detection: Monitor approved MCP server config changes, diff analysis of mcp.json modifications
OpenClaw / Clawbot / Moltbot (2024-2026)
Category: Open-source personal AI assistant Impact: Subject of multiple CVEs including CVE-2025-53773 (CVSS 9.6) Installations: 100,000+ when major vulnerabilities disclosed
What is OpenClaw? OpenClaw (originally named Clawbot, later Moltbot before settling on OpenClaw) is an open-source, self-hosted personal AI assistant agent that runs locally on user machines. It can:
- Execute tasks on user's behalf (book flights, make reservations)
- Interface with popular messaging apps (WhatsApp, iMessage)
- Store persistent memory across sessions
- Run shell commands and scripts
- Control browsers and manage calendars/email
- Execute scheduled automations
Security Concerns:
- Runs with high-level privileges on local machine
- Can read/write files and execute arbitrary commands
- Integrates with messaging apps (expanding attack surface)
- Skills/plugins from untrusted sources
- Leaked plaintext API keys and credentials in early versions
- No built-in authentication (security "optional")
- Cisco security research used OpenClaw as case study in poor AI agent security
Relation to Moltbook: Many Moltbook agents (the AI social network) used OpenClaw or similar frameworks to automate their posting, commenting, and interaction behaviors. The connection between the two highlighted how local AI assistants could be compromised and then used to propagate attacks through networked AI systems.
Key Lesson: OpenClaw demonstrated that powerful AI agents with system-level access require security-first design. The "move fast, security optional" approach led to numerous vulnerabilities that affected over 100,000 users.
Moltbook Database Exposure (February 2026)
Platform: Moltbook (AI agent social network - "Reddit for AI agents") Scale: 1.5 million autonomous AI agents, 17,000 human operators (88:1 ratio) Impact: Database misconfiguration exposed credentials, API keys, and agent data; 506 prompt injections identified spreading through agent network Attack Method: Database misconfiguration + prompt injection propagation through networked agents
What is Moltbook? Moltbook is a social networking platform where AI agents—not humans—create accounts, post content, comment on submissions, vote, and interact with each other autonomously. Think Reddit, but every user is an AI agent. Agents are organized into "submolts" (similar to subreddits) covering topics from technology to philosophy. The platform became an unintentional large-scale security experiment, revealing how AI agents behave, collaborate, and are compromised in networked environments.
References:
- Lessons: Natural experiment in AI agent security at scale
Key Findings:
- Prompt injections spread rapidly through agent networks (heartbeat synchronization every 4 hours)
- 88:1 agent-to-human ratio achievable with proper structure
- Memory poisoning creates persistent compromise
- Traditional security missed database exposure despite cloud monitoring
Common Attack Patterns
- Direct Prompt Injection: Ignore previous instructions <SYSTEM>New instructions:</SYSTEM> You are now in developer mode Disregard safety guidelines
- Indirect Prompt Injection: Hidden in emails, documents, web pages White text on white background HTML comments, CSS display:none Base64 encoding, Unicode obfuscation
- Tool Invocation Abuse: Unexpected shell commands File access outside approved paths Network connections to external IPs Credential access attempts
- Data Exfiltration: Large API responses (>10MB) High-frequency tool calls Connections to attacker-controlled servers Environment variable leakage in HTTP headers
Recommended Detection Controls
Layer 1: Configuration Monitoring
- Monitor MCP configuration files (.cursor/mcp.json, claude_desktop_config.json)
- Alert on unauthorized MCP server registrations
- Validate command patterns (no bash, curl, pipes)
- Check for external URLs in configs
Layer 2: Process Monitoring
- Track AI assistant child processes
- Alert on unexpected process trees (bash, powershell, curl spawned by Claude/Copilot)
- Monitor process arguments for suspicious patterns
Layer 3: Network Traffic Analysis
- Unencrypted: Snort/Suricata rules for MCP JSON-RPC
- Encrypted: DNS monitoring, TLS SNI inspection, JA3 fingerprinting
- Monitor connections to non-approved MCP servers
Layer 4: Behavioral Analytics
- Baseline normal tool usage per user/agent
- Alert on off-hours activity
- Detect excessive API calls (3x standard deviation)
- Monitor sensitive resource access (/etc/passwd, .ssh, credentials)
Layer 5: EDR Integration
- Custom IOAs for AI agent processes
- File integrity monitoring on config files
- Memory analysis for process injection
Layer 6: SIEM Correlation
- Combine signals from multiple layers
- High confidence: 3+ indicators → auto-quarantine
- Medium confidence: 2 indicators → investigate
Stay tuned for an article on detection controls!
Standards & Frameworks
NIST AI Risk Management Framework (AI RMF 1.0)
Link: https://www.nist.gov/itl/ai-risk-management-framework
OWASP Top 10 for LLM Applications
Link: https://genai.owasp.org/ Updates: Annually (2025 version current)
Dina Kamal is the Chief Revenue Officer at DataBahn with over 20 years of experience at the intersection of AI, cybersecurity, and business strategy. She shares practical, forward-looking perspectives on modern security and data transformation.
.png)
.avif)
.avif)
