AI Sec Watch

OpenAI introduced new capabilities to the Agents SDK, a toolkit for developers building AI agents that can work with files and run commands on computers. The update includes a model-native harness (a framework optimized for OpenAI models) and native sandbox execution (a controlled, isolated computer environment where agents can safely run code and access files). The SDK aims to bridge the gap between flexibility and production-readiness by providing developers with standardized infrastructure that keeps agents aligned with how frontier models (the most advanced AI models available) work best.

Mallory is a new AI-powered threat intelligence platform (a system that gathers and analyzes information about cyber threats) designed to help security teams quickly understand which threats are actually dangerous to their organization. Instead of overwhelming teams with alerts, the platform analyzes thousands of threat sources, checks them against each company's specific vulnerabilities, and provides prioritized actions that security teams can take immediately.

A Q1 2026 security report by OWASP documents major AI and agentic AI (AI systems that can take autonomous actions) exploits, showing a shift from theoretical risks to real-world attacks targeting AI agent identities, permissions, and supply chains. Key incidents include a Mexican government breach where attackers used Claude to automate reconnaissance and exploitation, affecting 150 GB of sensitive data, along with other incidents involving prompt injection (tricking AI by hiding malicious instructions in its input), privilege abuse, and supply-chain vulnerabilities in AI tools.

OpenAI launched GPT-5.4-Cyber, a specialized AI model designed to help security teams find and fix vulnerabilities faster, while expanding access through its Trusted Access for Cyber program to thousands of defenders and hundreds of teams. The company acknowledged that AI models are dual-use tools (meaning they can be repurposed for both good and bad purposes) and that adversaries could potentially reverse-engineer the model to find exploitable vulnerabilities before they're fixed, so OpenAI plans to scale defenses alongside access by strengthening safeguards against jailbreaks (techniques to bypass safety restrictions) and adversarial prompt injections (tricking an AI by hiding malicious instructions in its input).

mcp-server-kubernetes versions 3.4.0 and earlier have an argument injection vulnerability (a type of attack where an attacker sneaks extra commands into a tool by exploiting how input is processed) in the port_forward tool. The vulnerability exists because the code builds a kubectl command (a tool for managing Kubernetes clusters) by concatenating strings with user input and splitting on spaces, instead of using a safer array-based method like other tools in the codebase. This allows attackers to inject malicious kubectl flags to expose internal services or target resources in unintended ways.

Traditional identity and access management (IAM) tools, which control who can access systems and resources, were not designed to secure AI agents (autonomous software programs that perform tasks independently), which operate at high speed with unpredictable access patterns. Curity announced Access Intelligence, a new security layer that grants agent permissions at runtime (during execution, not beforehand) and uses OAuth tokens (credentials that allow access to specific resources) to carry information about each agent's purpose, ensuring agents can only access resources matching their intended task.

The `ConformityCheck` class in giskard-checks was automatically treating the `rule` parameter as a Jinja2 template (a template language that evaluates expressions), which could allow arbitrary code execution if check definitions came from untrusted sources. While the library is only used locally by developers, this hidden behavior made it easy to accidentally pass untrusted input without realizing expressions would be evaluated.

The RegexMatching check in giskard-checks has a ReDoS vulnerability (regular expression denial of service, where a specially crafted regex pattern causes the regex engine to hang by backtracking excessively through text). An attacker with write access to check definitions can craft malicious regex patterns that make the testing process hang indefinitely, disrupting automated testing environments like CI/CD pipelines (continuous integration/continuous deployment automation).

AI agents access AWS resources through the Model Context Protocol (MCP, a system that lets AI tools interact with cloud services), but unlike traditional software with predictable behavior, agents can dynamically choose different actions based on context. The main security risk is that agents operate at machine speed and will use any permissions (IAM roles, API keys, or OAuth scopes) they're granted, so misconfigured access controls can cause large-scale damage quickly. The source recommends three security principles for controlling AI agent access to AWS resources, with an emphasis on using MCP servers rather than direct API access because MCP provides better monitoring and control.