AI Hacking
AI Security Resources

AI Security Incidents 2026

Comprehensive breach log and vulnerability timeline for AI/LLM security in 2026

Last updated: May 2026 — includes May 2026 incidents

  • 19+ major incidents
  • 10+ CVEs disclosed
  • 200K+ servers exposed
  • 4TB of training data leaked
  • 244K downloads (Hugging Face malware)

CVE-2026-33626: LMDeploy SSRF Exploited in 12 Hours

Critical

April 22, 2026 (exploited within 12 hours)

A Server-Side Request Forgery vulnerability in the open-source LMDeploy LLM inference toolkit was exploited just 12 hours after disclosure. Attackers weaponized the vision-language module's load_image() function, which failed to validate whether URLs pointed to internal or private IP addresses. First attacks originated from Kowloon Bay, Hong Kong, following a classic cloud exploitation playbook: OOB DNS confirmation, AWS IMDS credential theft, and rapid internal port scanning.

Impact Summary

  • Exploitation began 12 hours 31 minutes after GitHub Security Advisory
  • Vision-language module acted as SSRF proxy into internal networks
  • AWS IMDS credential theft and internal service enumeration
  • Attackers reverse-engineered advisory without waiting for PoC
  • CVSS 7.5, patched in LMDeploy v0.12.3

Defender Guidance:

  • Enforce IMDSv2 with hop limit of 1
  • Egress filtering: block access to loopback and private IP ranges
  • Network namespace isolation for inference containers
  • Monitor for OAST domains (interactsh, burpcollaborator, requestrepo)
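
As an added example (not LMDeploy's own code), the Python check below shows the validation the advisory says load_image() lacked: it resolves the URL's host and rejects any answer in a loopback, private, link-local (where the IMDS endpoint lives), multicast or other non-routable range, which is the egress-filter rule above applied at the application layer. The FAKE_DNS table and fake_resolve are constructed stand-ins for the system resolver; in real use the default resolve_all is passed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host):
    """All A/AAAA answers for host from the system resolver."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """Not publicly routable (incl. the 169.254.169.254 IMDS endpoint), v4 or v6."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return ip.is_multicast or not ip.is_global

def check_image_url(url, resolve=resolve_all):
    """Return (allowed, reason); denies by default on any doubt."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)            # literal IP: no DNS lookup
        targets = {host}
    except ValueError:
        try:
            targets = set(resolve(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    # Any internal answer is fatal: split-horizon or rebinding names mix public and private records.
    bad = sorted(t for t in targets if is_internal(t))
    if bad or not targets:
        return False, f"internal or empty target set: {bad}"
    # The fetch must connect to one of `targets` (never re-resolve) and re-check on every redirect.
    return True, "ok"

# Constructed DNS table standing in for the system resolver (not real records).
FAKE_DNS = {"images.example.com": {"93.184.216.34"},
            "metadata.internal": {"169.254.169.254"},
            "localhost": {"127.0.0.1", "::1"},
            "rebind.example": {"93.184.216.34", "10.0.0.5"}}

def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host")
    return FAKE_DNS[host]
```

Pinning the connection to the validated address matters: a name that is re-resolved after the check can be rebound to an internal address between validation and fetch.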

AI Coding Agent Credential Theft Epidemic

Critical

September 2025 – April 2026

Six research teams disclosed exploits against Claude Code, GitHub Copilot, OpenAI Codex, and Google Vertex AI over nine months. Every attack followed the same pattern: AI coding agents held credentials, executed actions, and authenticated to production systems without human session anchoring. The target was never the model—it was the credentials underneath.

The Six Exploits

  • BeyondTrust Codex (March 30, 2026): GitHub branch name command injection via Unicode U+3000 obfuscation stole OAuth tokens in cleartext
  • CVE-2026-25723: Claude Code sandbox escape via piped sed/echo commands (patched 2.0.55)
  • CVE-2026-33068: Claude Code permission bypass via .claude/settings.json (patched 2.1.53)
  • 50-Subcommand Bypass: Claude Code dropped deny rules after 50 subcommands for performance (patched 2.1.90)
  • CVE-2025-53773: Copilot RCE via PR description injection, wormable across all platforms
  • Orca RoguePilot: Copilot Codespaces attack via malicious issue, zero user interaction

Key Insight: "Enterprises believe they've 'approved' AI vendors, but what they've actually approved is an interface, not the underlying system." — Merritt Baer, CSO at Enkrypt AI

Vertex AI P4SA 'Double Agent'

High

2026

Palo Alto Networks Unit 42 discovered that the default Google service identity (P4SA) attached to every Vertex AI agent had excessive permissions by design. Stolen credentials granted unrestricted access to every Cloud Storage bucket in the project—and reached restricted Google-owned Artifact Registry repositories. The compromised P4SA functioned like a 'double agent,' with access to both user data and Google's own infrastructure.

Impact Summary

  • Default P4SA scopes reached Gmail, Calendar, Drive
  • Access to every Cloud Storage bucket in project
  • Reached Google's restricted Artifact Registry repositories
  • OAuth scopes non-editable by default

CVE-2026-33579: OpenClaw /pair approve Vulnerability

Critical

April 6, 2026

A critical vulnerability in OpenClaw's /pair approve endpoint allowed unauthorized pairing of AI agents, enabling attackers to gain administrative control over OpenClaw instances without proper authentication. The flaw was in the pairing token validation logic, which failed to enforce time-bound constraints and could be replayed by malicious actors.

Impact Summary

  • 30,000+ OpenClaw instances exposed to unauthorized pairing
  • Remote administrative access achievable without credentials
  • AI agent hijacking and data exfiltration risks
  • Patch released: OpenClaw v2.4.1

CVE-2026-39861: Claude Code Sandbox Escape

Critical

April 2026

A sandbox escape vulnerability in Claude Code enabled arbitrary file writes outside the designated workspace. Attackers could craft malicious prompts that bypassed path validation, allowing them to write to sensitive system files, overwrite configuration, or plant persistent backdoors on the host system.

Impact Summary

  • Arbitrary file write outside sandbox boundaries
  • System-level compromise on affected developer machines
  • Potential for credential theft and lateral movement
  • Exploitable via crafted prompts in Claude Code sessions

CVE-2026-21445: Langflow Authentication Bypass

High

March–April 2026

An authentication bypass vulnerability in Langflow allowed unauthenticated attackers to access and execute AI workflows, potentially exposing connected data sources, APIs, and internal LLM configurations. The vulnerability was under active exploitation in the wild, with multiple threat actors targeting exposed Langflow instances.

Impact Summary

  • Active exploitation confirmed in the wild
  • Unauthenticated workflow execution
  • Exposure of connected APIs and data stores
  • Recommended immediate patching for all Langflow deployments

Anthropic MCP Vulnerability: 200,000 AI Servers Exposed to RCE

Critical

April 2026

A critical vulnerability in the Model Context Protocol (MCP) ecosystem exposed approximately 200,000 AI servers to Remote Code Execution (RCE). The flaw allowed attackers to compromise MCP-connected AI agents, traverse networks, and execute arbitrary commands on both the agent and connected server infrastructure. This was one of the largest AI infrastructure exposures in 2026.

Impact Summary

  • ~200,000 AI servers vulnerable to RCE
  • Full agent compromise and network traversal
  • Mass exploitation of MCP-connected infrastructure
  • Widespread patch campaigns required across enterprise deployments

LiteLLM Supply Chain Attack: 4TB of AI Training Data Exposed

High

April 2026

The Mercor breach exposed 4TB of AI training data through a supply chain attack targeting the LiteLLM proxy. Attackers gained access to model configurations, API keys, and proprietary training datasets used by multiple organizations. The incident highlighted the risks of centralized AI middleware and the cascading impact of supply chain compromises in LLM infrastructure.

Impact Summary

  • 4TB of proprietary AI training data leaked
  • Exposed API keys and model configurations
  • Multiple downstream organizations affected via shared middleware
  • Highlighted supply chain risks in LLM proxy infrastructure

LLM-Driven Attack Compromises AWS Administrator Privileges in 8 Minutes

Critical

April 2026

Security researchers demonstrated an LLM-driven attack that escalated from initial access to full AWS administrator privileges in just 8 minutes. The attack leveraged an AI agent with excessive permissions, chaining prompt injection with automated cloud API calls to discover credentials, enumerate IAM policies, and assume a privileged role. The incident underscored the dangers of over-permissioned AI agents in cloud environments.

Impact Summary

  • Full AWS admin compromise in 8 minutes
  • Demonstrated real-world AI-to-cloud attack chain
  • Excessive agency and over-permissioning as root causes
  • Critical validation for cloud AI deployment policies

hermes-px: Malicious PyPI Package Steals Prompts and Code

Medium

April 2026

A malicious PyPI package named hermes-px was discovered masquerading as a legitimate Hermes agent utility. When installed, it exfiltrated developer prompts, source code snippets, and environment variables to remote command-and-control servers. The package targeted AI developers using Hermes-based frameworks, exploiting the trust developers place in agent ecosystem packages.

Impact Summary

  • Prompt and source code exfiltration from developer environments
  • Environment variable theft including API keys
  • Supply chain targeting of AI developer ecosystems
  • Package removed from PyPI; users advised to rotate credentials

Vercel Breach: AI Agent Credential Theft

Critical

April 19–21, 2026

Vercel disclosed a security breach traced to Context.ai, an AI office suite startup. An attacker compromised a Vercel employee's Google Workspace account via Context.ai's OAuth integration, then pivoted into Vercel's internal systems. The breach exposed internal systems, environment variables, and non-sensitive data. The attackers then offered the stolen data for sale at $2M. This represents a new class of supply chain attack in which the OAuth permissions granted to an AI agent become an identity attack path.

Impact Summary

  • Employee credentials compromised via AI tool OAuth
  • Internal systems and environment variables exposed
  • Attackers attempted to sell stolen data for $2M
  • Highlights AI agent OAuth as an identity attack path
  • Affects all enterprises with OAuth-connected AI tools

Comment and Control: AI Agents Steal GitHub Credentials

Critical

April 15–16, 2026

Johns Hopkins researcher Aonan Guan discovered a critical vulnerability dubbed 'Comment and Control' affecting AI coding agents from Anthropic (Claude Code), Google (Gemini CLI), and Microsoft (GitHub Copilot Agent). By injecting malicious instructions via GitHub pull request titles, issue bodies, and PR comments, attackers could trick agents into extracting API keys, tokens, and credentials — which were then posted as PR comments. All three vendors paid bug bounties but have not issued CVEs or public warnings.

Impact Summary

  • Three major AI agents affected: Claude Code, Gemini CLI, GitHub Copilot Agent
  • Single prompt injection via PR title/issue/comment triggers credential theft
  • Extracted keys posted as PR comments for attacker collection
  • Vendors paid bug bounties but no CVEs issued
  • Problem likely pervasive across all GitHub-integrated AI agents

Fake OpenAI Repo on Hugging Face: 244K Downloads, Rust Infostealer

Critical

May 7–9, 2026

A malicious Hugging Face repository impersonating OpenAI's Privacy Filter project (Open-OSS/privacy-filter) reached #1 on the platform's trending list and accumulated 244,000 downloads before removal. The repository shipped a loader.py file that disabled SSL verification, decoded a base64 URL, and executed a PowerShell command chain to deploy a Rust-based infostealer targeting browser data, Discord tokens, cryptocurrency wallets, SSH/FTP credentials, and system information. HiddenLayer researchers discovered the campaign and linked it to an npm typosquatting operation distributing the WinOS 4.0 implant.

Impact Summary

  • 244,000+ downloads before takedown
  • Reached #1 on Hugging Face trending list
  • Rust-based infostealer targeting browsers, crypto wallets, SSH/FTP, Discord
  • Sophisticated anti-analysis features (VM, sandbox, debugger detection)
  • Linked to WinOS 4.0 npm typosquatting campaign

Defender Guidance:

  • Verify repository ownership and check for typosquatting before downloading
  • Scan all model files and code before execution
  • Reimage affected machines and rotate all stored credentials
  • Invalidate browser sessions, tokens, and replace cryptocurrency seed phrases

Fake Claude AI Website Delivers Beagle Windows Backdoor

Critical

May 7, 2026 (campaign active February–April 2026)

A fake Claude AI website at claude-pro[.]com distributed a trojanized Claude installer that deployed the previously undocumented Beagle Windows backdoor. The 505MB archive contained an MSI installer that added malicious files to the Windows Startup folder. Sophos researchers traced the attack chain from a G Data-signed updater (NOVupdate.exe) sideloading a malicious DLL, through DonutLoader, to the final Beagle backdoor — a relatively simple but effective remote access tool supporting command execution, file upload/download, and directory operations. The campaign is linked to PlugX activity based on shared infrastructure and tactics.

Impact Summary

  • Trojanized Claude installer with full backdoor capabilities
  • Beagle backdoor: cmd execution, file upload/download, persistence via Startup folder
  • DonutLoader + sideloading attack chain linked to PlugX operators
  • C2 communication over TCP:443 and UDP:8080 with hardcoded AES encryption
  • Multiple attack vectors: fake security vendor updates, PDF decoys, impersonated AI tools

Defender Guidance:

  • Only download Claude from the official anthropic.com website
  • Monitor for NOVupdate.exe, avk.dll, and NOVupdate.exe.dat in Startup folders
  • Block C2 domains: license[.]claude-pro[.]com and IP 8.217.190[.]58
  • Hunt for Beagle indicators across endpoint detection

Related Resources

MCP Security Guide

30+ CVEs discovered in 2026. Learn about MCP vulnerabilities and hardening.

Agentic AI Security

Securing autonomous AI agents from goal hijacking and tool misuse.

OWASP LLM Top 10

Comprehensive guide to LLM security risks and mitigations.

OpenClaw/Hermes Security

Hardening guide for OpenClaw and Hermes agent frameworks.
