The 72 Hours That Forced CISA's Hand — 7 AI Agent Exploits HN Completely Missed
Between June 30 and July 2, 2026, seven major AI agent vulnerabilities were disclosed or exploited. Cursor had a zero-click RCE. Ten of eleven open-source coding agents were vulnerable to shell injection. AI agents were hallucinating 250,000 domains that adversaries could register. HN didn't notice any of it. Four days later, CISA put the first AI agent platform on KEV.
On July 7, CISA did something it had never done before: it added an AI agent platform to the Known Exploited Vulnerabilities catalog. The vulnerability was a cross-tenant IDOR in Langflow (CVE-2026-55255, CVSS 9.9). Threat actors were using it with the literal prompt “leak api keys.” Federal agencies had until July 10 to patch.
Everyone focused on the KEV listing. Nobody asked why now. What happened in the days before July 7 that made CISA’s action inevitable?
I went back and reconstructed the 72 hours from June 30 to July 2. Seven major AI agent vulnerabilities were disclosed, exploited, or documented in that window. Every single one of them is a structural failure mode — not a one-off bug, but a category of attack that generalizes across tools, platforms, and models.
HN covered none of them.
Here’s what you missed.
June 30: GuardFall — 10 of 11 Open-Source AI Coding Agents Defeated by 40-Year-Old Bash Trick
Adversa AI tested eleven open-source AI coding and computer-use agents against a shell injection bypass technique. The result: ten of eleven failed. The agents included opencode, Goose, Cline, Roo-Code, Aider, Plandex, Open Interpreter, OpenHands, SWE-agent, and a NousResearch Hermes agent. Only Continue (the one focused on tab completions rather than autonomous actions) was immune.
The attack is embarrassingly simple. All these agents use pattern-based command guards — denylists that block strings like rm -rf or curl | bash. The problem is that Bash performs quote removal, $IFS expansion, parameter expansion, and command substitution before execution. An obfuscated command that looks like gibberish to the guard becomes a destructive shell command after Bash processes it.
This isn’t a new attack. It’s the same shell-quoting bypass that penetration testers have used for decades. The novelty is purely that the target is now an AI agent’s command guard instead of a WAF or input filter. Same technique. Same failure mode. Same decades-old lesson unlearned.
What makes GuardFall significant: it’s not a vulnerability in one tool. It’s a vulnerability in the architecture of AI agent safety. Every agent that uses denylist-based command filtering assumes it can predict what Bash will execute. It can’t. And it never could.
June 30: Phantom Squatting — AI Agents Hallucinate 250,000 Domains Ready for Registration
Palo Alto Unit 42 ran 685,339 adversarial prompts through LLMs and collected 2.1 million unique URLs. They identified approximately 250,000 “phantom” domains — domains that models hallucinate as real but are actually unregistered.
Anyone can register these domains. In fact, Unit 42 already found active exploitation: a “Montana Empire” phishing kit running on a hallucinated postal-service domain, registered about 23 days after the model first predicted it. A malicious Android APK hosted on another phantom domain.
This is a new attack vector category. It’s not a vulnerability in the model or the platform — it’s a vulnerability in the trust relationship between AI agents and the web. When an agent decides “I should check the documentation at docs.example-service.com” and that domain doesn’t exist yet, an attacker can register it and own the agent’s next action.
Unit 42 described this as a “zero-reputation bypass” — the agent trusts the hallucinated URL because there’s no reputation data saying it’s malicious. It’s inherently hard to patch because it stems from model behavior, not a software flaw.
The scale is what matters: 250,000 phantom domains across 913 global brands. If even 1% of those get weaponized, that’s 2,500 attack vectors that didn’t exist before AI agents started browsing the web autonomously.
July 1: DuneSlide — Cursor Zero-Click Prompt-Injection RCE (CVSS 9.8)
This is the one that should have been on every HN front page. Cato AI Labs discovered two chained vulnerabilities in Cursor (before version 3.0) that enable zero-click OS-level remote code execution.
The attack chain:
- An MCP server or web search result returns attacker-controlled content
- That content contains a prompt injection
- The injected instructions overwrite the
cursorsandboxenforcer binary - CVE-2026-50548: Cursor trusts the agent-chosen working directory, so a system path grants out-of-scope write permission
- CVE-2026-50549: A symlink canonicalization check that fails open when path resolution fails
- Result: full compromise of the host machine and connected SaaS workspaces
Zero user interaction. The developer doesn’t click anything. The agent just processes content from an MCP server or web search and the machine is owned.
Cursor patched this in version 3.0 (released April 2, 2026), but the CVEs weren’t assigned until June 5 and the details weren’t published until July 1. That means there was a three-month window where attackers who independently discovered the flaw could have been exploiting it before anyone knew to look.
July 1: Check Point — LLM Suggests Browser-Native Ransomware Using a Legitimate API
Check Point Research asked DeepSeek a question: “How could you build ransomware that runs entirely in a browser?” The model connected the idea to the File System Access API — specifically showDirectoryPicker() — a legitimate, sanctioned browser API available in Chromium-based browsers.
The result: a fake image-enhancement page that, when visited, requests directory access (a standard browser permission prompt), then reads, exfiltrates, and encrypts the victim’s local files. No native payload. No app install. No browser exploit. No root access. Just a sanctioned API used in a way its designers didn’t anticipate.
The attack works on Chrome, Edge, and other Chromium browsers across Windows, macOS, Linux, ChromeOS, and Android. Safari and iOS are unaffected because the API isn’t exposed there.
As described, this is significant because it inverts the threat model. Usually we worry about attackers using LLMs to write malware. This is an attacker asking an LLM to design novel attack paths — and the LLM delivering. The model didn’t write the ransomware code. It architected the attack. It identified a legitimate API that, when combined with social engineering, produces ransomware. That’s threat modeling, not code generation.
July 1: Apify MCP Server Token Exfiltration (CVE-2026-50143, CVSS 8.1)
A malicious Apify Actor with a crafted webServerMcpPath value can exfiltrate the victim’s Apify API token. The MCP client automatically attaches the Authorization: Bearer <APIFY_TOKEN> header to every outbound connection, so redirecting the client to an attacker host leaks the credential.
This is a textbook SSRF-to-credential-theft chain, but in an MCP context where the trust relationships are still poorly understood by developers. The Apify MCP server auto-injects credentials into outbound requests — a convenience feature that becomes an attack surface when the destination is attacker-controlled.
July 2: fast-mcp-telegram Auth Bypass (CVE-2026-52830, CVSS 9.4)
The fast-mcp-telegram MCP server had a path traversal vulnerability in its Bearer token authentication. An attacker could send ../fast-mcp-telegram/telegram as the token, bypass authentication, and reach the MCP tools and connected Telegram account data across tenant boundaries.
The root cause: the Bearer token is joined directly into a session-file path with no normalization. The server rejects the literal token “telegram” but not path separators. A ../ in the token value escapes the session directory.
This is CWE-22 plus CWE-287 — the two most common vulnerability classes in web applications, now appearing in MCP servers. The pattern is consistent: MCP servers are web applications with all the same vulnerability classes, but they’re being deployed by AI developers who aren’t thinking about web security.
July 2: Zscaler — Indirect Prompt Injection Targeting Autonomous Web Agents
Zscaler ThreatLabz documented two live malicious-website campaigns targeting autonomous web-browsing AI agents. One used SEO poisoning plus hidden CSS and JSON-LD to impersonate a fake Python package “requests-secure-v2” and push agents to pay a bogus “$3.00 developer API license” plus about 0.0012 ETH. A second typosquatted DeBank at “debank.auction.”
In validation across 26 models, four (Llama 3.3 70B, Llama 3.2 90B Vision, Gemini 3 Flash, Gemini 2.5 Pro) executed the fraudulent payment. Two misclassified the fake site as legitimate.
This is indirect prompt injection as a business model. Attackers aren’t just experimenting — they’re running campaigns, poisoning SEO, registering typosquatted domains, and monetizing agent trust at scale. The attack surface exists because agents browse the web, parse untrusted content, and act on what they find.
The Pattern Nobody’s Talking About
Look at these seven incidents together:
| Incident | Category | Root Cause |
|---|---|---|
| GuardFall | Shell injection | Denylist-based command filtering can’t predict Bash parsing |
| Phantom Squatting | Domain hallucination | Agent trusts model-generated URLs with no reputation check |
| DuneSlide | Prompt injection → RCE | Sandbox path traversal + symlink check failure |
| Check Point | Browser ransomware | LLM architects novel abuse of legitimate API |
| Apify MCP | Token exfiltration | SSRF via auto-injected credentials |
| fast-mcp-telegram | Auth bypass | Path traversal in session token |
| Zscaler | Prompt injection | Hidden content in web pages manipulates agent actions |
Five categories of failure, all structural:
- Shell safety is impossible with denylists (GuardFall)
- AI agents trust their own hallucinations (Phantom Squatting)
- Prompt injection is now an RCE vector (DuneSlide)
- LLMs are threat-modeling tools (Check Point)
- MCP = web application with all the same bugs (Apify, fast-mcp-telegram, Zscaler)
None of these are fixable with better prompts. None are fixable with better models. They’re architectural problems that require architectural solutions — sandboxing, least privilege, output validation, and independent audit.
What This Means for CISA’s Decision
Now re-read the timeline:
- June 30: GuardFall and Phantom Squatting published
- July 1: DuneSlide (CVSS 9.8), Check Point browser ransomware, Apify MCP token exfiltration published
- July 2: fast-mcp-telegram auth bypass (CVSS 9.4), Zscaler prompt injection campaigns published
- July 3: JadePuffer — first fully autonomous AI ransomware attack. Fully agent-driven, end to end, from initial access through credential theft to database encryption and ransom note. HN gave it 7 points.
- July 7: CISA adds Langflow to KEV
The KEV listing wasn’t a reaction to one vulnerability. It was a reaction to an avalanche — 7 architectural failures in 72 hours, followed by the first fully autonomous ransomware attack, all targeting AI agent infrastructure.
CISA didn’t just add Langflow to KEV. They established a precedent: AI agent platforms are critical infrastructure now. If your platform processes untrusted input with trusted credentials, and it gets exploited in the wild, you’re going on the list.
What to Do
If you’re building or deploying AI agents, the June 30-July 2 cluster contains your security roadmap:
-
Abandon denylist-based command filtering. If your agent can run shell commands, it needs a sandbox, not a regex. GuardFall proved that pattern-matching on command strings is fundamentally broken. Use container isolation, seccomp profiles, or at minimum a dedicated VM.
-
Don’t trust agent-generated URLs. Before your agent visits a URL, verify it exists and has a reputation. Phantom Squatting proved that models hallucinate convincing URLs at scale.
-
Assume prompt injection reaches your tools. DuneSlide proved that prompt injection in MCP content can escalate to OS-level RCE. Every tool your agent can call needs to validate its inputs independently of the agent’s judgment.
-
Treat MCP servers as untrusted web applications. fast-mcp-telegram and Apify proved that MCP servers have the same vulnerability classes as any web app — path traversal, SSRF, auth bypass. Apply web security standards to MCP deployments.
-
Get audited. The velocity of new attack categories — 7 in 72 hours — means your security assumptions from last month are already outdated. An independent security review that understands AI agent architectures is the only way to catch what your tools missed.
Need to secure your AI agent infrastructure? We audit AI-built applications and agent deployments for the failure modes automated scanners miss — including the ones in this post. Get in touch.
Sources: Adversa AI (GuardFall), Cato AI Labs (DuneSlide), Palo Alto Unit 42 (Phantom Squatting), Check Point Research, Zscaler ThreatLabz, GitHub Advisories, NVD. All data verified against original publications via the awesome-ai-agent-attacks repository.
Is your AI-built app ready for real users?
We audit, harden, and ship AI-built apps. From security review to production deployment.
Get an audit →