Press
Threat intelligence, security advisories, company announcements, and media updates from the Helixar team.
Subscribe via RSSLatest
60 articles
AI Threat Brief: Automated Threats and Agentic Defenses
This week's analysis covers the rise of automated attack frameworks and the parallel need for agentic security tools to manage cloud sprawl and AI-native vulnerabilities.
This week's brief explores the dual role of automation in security. We examine The Gentlemen ransomware's affiliate model, new vulnerabilities in AI coding assistants, and insights from the Verizon DBIR on AI-accelerated attacks. We also cover defensive automation strategies.
pnpm Path Traversal Flaw Poses Risk to Automated Systems
A vulnerability in the pnpm package manager could allow arbitrary file deletion, creating a significant threat vector for AI agents and automated development environments.
A high-severity path traversal vulnerability (GHSA-72r4-9c5j-mj57) in pnpm's patch-remove command allows for arbitrary file deletion. This poses a unique risk to AI-powered developer tools and autonomous agents that manage their own software dependencies, turning a trusted tool into a potential attack vector.
Claude Code Flaw Exposed Responses, Posing Risk to Agentic Systems
A classic temporary file vulnerability in an AI coding assistant highlights the risks of integrating generative AI tools into privileged developer and automated workflows.
A high-severity vulnerability (CVE-2026-46406) in Anthropic's Claude Code tool allowed local attackers to read user responses or write to arbitrary files. The flaw, rooted in insecure temporary file handling, underscores how conventional bugs in AI tooling create significant risks for automated agentic systems that handle sensitive data.
Langflow IDOR Flaw Exposes Agentic Workflows to Hijacking
A critical access control vulnerability in the popular LLM application framework allowed authenticated users to execute any workflow, creating significant risk for multi-tenant AI deployments.
A high-severity Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-55255, has been patched in Langflow. The flaw allowed any authenticated user to execute flows belonging to other users, potentially leading to data exfiltration, resource abuse, and unauthorized actions by hijacked AI agents.
Claude Code Flaw Allowed Data Exfiltration via HuggingFace
A vulnerability in the Claude Code AI tool allowed for covert data exfiltration by exploiting an overly permissive allow-list for the HuggingFace domain.
A critical flaw in Anthropic's Claude Code tool (CVE-2026-54316) enabled attackers to exfiltrate data. The vulnerability used the trusted HuggingFace domain as a covert channel, highlighting the security risks in agentic tool permissions.
n8n AI Component Flaw Opens Browser to Unauthenticated Control
A vulnerability in n8n's MCP Browser component allows any network-reachable attacker to take over browser sessions when run in a specific, non-default mode.
A critical authentication bypass (CVE-2026-54309) in n8n's @n8n/mcp-browser package exposes browser control tools to the network. This affects agentic workflows using the HTTP transport, allowing attackers to navigate, execute code, and access data within the user's browser.
Nuxt Dev Server Flaw Exposes Local Files on Shared Linux Systems
A local information disclosure vulnerability in the popular web framework, discovered by an AI research firm, highlights risks in shared development environments.
A vulnerability in the Nuxt.js development server allows local users on shared Linux hosts to read sensitive files from a developer's environment. Discovered by Anthropic, the flaw underscores the security risks of common tooling used in AI and agentic software development, where shared high-performance computing resources are common.
AI Threat Brief: Weak Keys, New Artifacts, and Federal Mandates
Tonight's brief covers factorable RSA keys, a new macOS forensic artifact, and a federal logging mandate, highlighting the evolving landscape of digital evidence and cryptographic integrity.
Researchers can now factor "short-sleeve" RSA keys found in older software, a new macOS artifact reveals user intent, and a federal mandate overhauls logging. These stories show how digital trails, from cryptographic flaws to user actions, are becoming more visible.
Dex Flaw Bypasses Connector ACLs on Token Exchange Endpoint
A missing check in the identity service allows privilege escalation by forging tokens with unauthorized claims, posing a risk to multi-tenant AI systems.
A vulnerability in Dex's token-exchange handler fails to enforce client-specific access controls. This allows an attacker with a leaked client secret to escalate privileges, a significant threat for environments using Dex to secure autonomous agent workloads.
Critical LiteLLM Flaw Allows Command Injection in AI Systems
A vulnerability in the popular BerriAI LiteLLM library, CVE-2026-42271, allows authenticated users to execute arbitrary code, posing a severe risk to chained AI agentic systems.
A critical command injection vulnerability, CVE-2026-42271, has been discovered in BerriAI's LiteLLM. The flaw allows any authenticated user, even with low-privilege keys, to run arbitrary commands on the host server. This poses a significant threat to AI applications, as it could allow attackers to compromise the central nervous system of an agentic workforce.
CVE-2026-47261: Wasmtime Flaw Bypasses Filesystem Sandboxing
A logic error in Wasmtime's WASI implementation allows WebAssembly modules to write to files they should only be able to read, undermining a key security guarantee for sandboxed agentic workloads.
A high-severity vulnerability, CVE-2026-47261, in the popular wasmtime-wasi crate allows WebAssembly modules to bypass read-only file permissions. This sandbox escape poses a significant risk to agentic systems that depend on Wasmtime to safely execute untrusted code and tools.
AI Threat Brief: AI's Immature Supply Chain Is Already Under Siege
New research demonstrates critical flaws in AI agent skill scanners, echoing persistent supply chain threats seen in mature ecosystems like npm.
This evening's brief examines the fragile state of AI supply chains. Researchers bypassed every major AI agent skill scanner, revealing a dangerously immature ecosystem. These new agentic vulnerabilities mirror evolving threats in traditional package managers, where sophisticated malware continues to thrive.
Nezha Agents Can Forge Monitoring Data via Authorization Flaw
A vulnerability in the Nezha dashboard allows authenticated agents to submit false service-monitor results for other users' services, enabling cross-tenant data poisoning.
A critical authorization flaw, CVE-2026-48119, in the Nezha monitoring system permits authenticated agents to forge service status reports. This allows a low-privileged attacker to corrupt monitoring data and potentially trigger false alerts for services they do not own.
PraisonAI Sandbox Escape Allows Full Host Takeover
A critical flaw in the PraisonAI agent framework allows autonomous agents to bypass security controls and execute arbitrary code on the host system.
A critical sandbox escape vulnerability, CVE-2026-47392, affects the PraisonAI agent framework. Attackers can use it to grant agents full control over the host system. The flaw bypasses previous patches, showing the limits of denylist-based sandboxes for securing autonomous AI.
PraisonAI Example Enables Unauthenticated Remote Code Execution
An official Agent-to-Agent (A2A) server example combines a public endpoint with an unsafe eval() tool, creating a critical vulnerability.
A vulnerability in PraisonAI's official A2A server example allows unauthenticated remote code execution. The issue stems from an example that binds to public networks without authentication and includes a dangerous eval()-based tool, which an LLM can be prompted to execute.
Langroid RCE Flaw Shows Agentic AI's Execution Risks
A prompt injection vulnerability in the popular agent framework allows attackers to achieve remote code execution by tricking an LLM into generating malicious SQL.
A critical vulnerability in Langroid's SQLChatAgent (CVE-2026-25879) allows for remote code execution. Attackers use prompt injection to coerce the agent's LLM into generating and executing malicious SQL, highlighting the dangers of connecting autonomous agents to powerful backend systems.
AI Threat Brief: SDLC, Social Engineering, and AI Readiness
Tonight's reports detail a new threat actor targeting crypto software supply chains, the growing risk across the SDLC, and the need for an AI-driven defensive operating model.
A new threat actor targets cryptocurrency developers with custom macOS malware, highlighting the escalating risks within the software development lifecycle. Defenders must adapt with AI-driven security models to counter these increasingly sophisticated supply chain attacks.
Critical RCE in Nezha Monitoring Allows Cross-Tenant Agent Takeover
A series of authorization flaws in the popular open-source tool allows any low-privileged user to execute arbitrary commands as root on every monitored server in a deployment.
A critical vulnerability, CVE-2026-46716, has been disclosed in the Nezha monitoring dashboard. The flaw allows any authenticated user, including those from self-service OAuth2 registration, to gain remote code execution on all connected agents, posing a significant risk to multi-tenant environments.
BoxLite Flaw Allows Sandbox Escape, Host File Modification
A critical permission bypass in the BoxLite sandboxing tool allows untrusted code, including AI agents, to modify supposedly read-only host files, leading to host compromise.
A critical vulnerability (CVE-2026-46695) in the BoxLite sandboxing service allows untrusted code to bypass read-only file protections. This flaw enables sandboxed applications, such as AI agents, to modify host files and potentially achieve full host code execution.
Coder Signature Flaw Allows Agent Token Theft on Azure
A critical vulnerability in Coder's Azure identity validation allows unauthenticated attackers to forge instance identities and steal developer agent tokens.
A critical vulnerability in Coder v2, CVE-2026-46354, allows unauthenticated attackers to bypass signature validation for Azure identities. This enables the theft of workspace agent tokens, granting access to SSH keys, OAuth credentials, and other secrets, effectively hijacking the developer's automated environment.
Mistral NPM Packages Hit by Brief Supply Chain Attack
A broken dropper in compromised packages targeting AI developers highlights the fragility of the AI software supply chain, even when the payload fails.
Several Mistral AI npm packages were briefly compromised in a supply chain attack related to a wider incident. Although the malicious payload was broken and failed to execute, the event serves as a stark reminder of the security risks in the tooling used to build agentic AI systems.
DeepSeek-TUI Flaw Enabled RCE via Agent Prompt Injection
Insecure defaults in the `task_create` function allowed sub-agents to gain unapproved shell access, executing malicious commands hidden in project files.
A high-severity vulnerability in DeepSeek-TUI (CVE-2026-45374) enabled remote code execution through prompt injection. The flaw stemmed from insecure defaults that granted AI sub-agents automatic shell access, bypassing user approval and creating a significant risk for developers using the tool.
Open WebUI Flaws Allow RCE via One-Click Attack
A CORS misconfiguration and session handling weakness in the popular LLM interface create a path for attackers to execute code on the underlying server.
GitHub Security Lab discovered critical vulnerabilities in Open WebUI, a widely used interface for LLMs. A combination of a permissive CORS policy and improper session invalidation allows a one-click attack, leading to remote code execution on the server. This poses a significant risk to agentic systems and AI development stacks that rely on the tool.
OpenClaude Flaw: Model-Controlled Input Disables Sandbox for RCE
A critical design flaw in the open-source AI agent allows a model to disable its own security controls, leading to host-level command execution via prompt injection.
A CVSS 9.3 vulnerability in OpenClaude < 0.5.1 allows prompt injection to disable the agent's sandbox, enabling host-level RCE. The flaw stems from an architectural anti-pattern where a model can control its own security parameters, a risk for many agentic AI frameworks.
GTIG Report: AI-Discovered Zero-Day, Autonomous Malware Hit the Wild
Google's May 2026 threat report confirms active exploitation using an AI-discovered zero-day, an Android backdoor with an LLM C2, and state-actor-managed AI infrastructure.
Google's latest threat report confirms four inflections: the first AI-discovered zero-day used in an attack, the PROMPTSPY Android backdoor with an autonomous Gemini C2, AI-enabled runtime malware obfuscation, and industrial-scale state-actor LLM infrastructure. The agentic threat has arrived.
Mini Shai-Hulud Worm Hits TanStack, Mistral AI in Supply Chain Attack
A self-propagating npm worm compromised 169 packages by exploiting lifecycle scripts, bypassing SLSA L3 provenance and weaponizing the AI development pipeline.
CVE-2026-45321 (CVSS 9.6): TeamPCP’s Mini Shai-Hulud worm has compromised 172 packages across npm and PyPI, hitting TanStack, Mistral AI, OpenSearch, Guardrails AI, and UiPath. Root cause confirmed as a chained GitHub Actions attack. Critical: the malware persists on developer machines via Claude Code and VS Code hooks, npm uninstall does not remove it. A dead-man’s switch destroys the home directory if the stolen GitHub token is revoked without first disabling the service.
Open WebUI Flaw Allows Arbitrary File Deletion
A path traversal vulnerability in the popular LLM interface allows authenticated users to delete arbitrary files, posing a significant risk to agentic systems and AI workflows.
A critical path traversal vulnerability, CVE-2026-44565, has been disclosed in Open WebUI. Authenticated attackers can upload a file with a crafted name to write to and then delete arbitrary files on the server, threatening the stability of AI agents and local LLM deployments.
AI Agents Can Now Autonomously Self-Replicate, Research Shows
New research from Palisade demonstrates a worm-class kill chain for LLM agents, validating the need for behavioral sequence detection at the endpoint.
Palisade Research has benchmarked autonomous self-replication for AI agents, with Claude Opus 4.6 achieving an 81% success rate. The attack propagates without a C2 server, proving that defenses must now focus on behavioral sequences, not just individual malicious files or network traffic.
Cline Kanban Flaw Enables AI Agent Hijacking via WebSocket
A cross-origin WebSocket hijacking vulnerability in the Cline developer tool allows any visited website to leak data and execute code on a developer's machine through an AI agent.
A vulnerability in the Cline developer tool's Kanban server exposes local AI agents to remote attack. Any website can connect to the local WebSocket server to steal data and inject commands, leading to remote code execution. The flaw bypasses standard browser security.
vm2 Sandbox Escape Flaw Threatens Agentic Code Execution
A critical vulnerability in the popular vm2 sandboxing library allows untrusted code to escape and execute commands, posing a severe risk to AI agent platforms.
A newly disclosed vulnerability in the vm2 Node.js sandbox, CVE-2026-44007, allows a complete sandbox escape when the 'nesting' option is enabled. This flaw undermines security for any platform, including AI agentic systems, that uses vm2 to run untrusted code.
OpenClaw Flaw Allowed Agent Impersonation in MCP Systems
A critical authentication vulnerability in the OpenClaw agent framework allowed non-owner clients to spoof ownership, creating a severe risk for autonomous systems using loopback operations.
A critical authentication flaw in the OpenClaw agent framework (up to version 2026.4.21) allowed loopback clients to impersonate their owners. The vulnerability stemmed from trusting spoofable request headers, a fundamental security oversight for multi-agent systems. Operators should update to the patched version immediately.
Apache RCE Flaw Exposes AI Endpoints to Agentic Hijack
A critical double-free vulnerability in Apache's HTTP/2 module allows remote code execution, creating a path for attackers to compromise the reverse-proxy layer protecting AI models and agents.
A critical RCE vulnerability in Apache HTTP Server (CVE-2026-23918) threatens the security of AI inference endpoints, allowing attackers to compromise the reverse-proxy layer and potentially steal models or hijack agents.
AI Threat Brief: Supply Chain Risks and Deceptive AI Tools
Tonight's analysis covers evolving npm supply chain attacks, the limits of endpoint detection, and malicious AI browser extensions that steal user data.
Threat actors are exploiting trust in developer ecosystems and user tools. New research details sophisticated npm attacks, the need for network-wide detection, and AI browser extensions designed to exfiltrate data and credentials.
OpenClaw Flaw Allowed AI Agents to Read Local System Files
A vulnerability in the OpenClaw webchat component highlights the risk of agent-controlled payloads crossing security boundaries to access host resources.
A security flaw in the OpenClaw agentic framework allowed controlled tool outputs to read local files. The vulnerability demonstrates a critical risk in agentic systems where model outputs can bypass security checks.
Anthropic SDK Flaw Exposed Agent Memory to Local Attackers
A vulnerability in the Anthropic TypeScript SDK's local filesystem tool created world-readable memory files, allowing local attackers to read or alter an AI agent's state.
A file permission vulnerability in Anthropic's TypeScript SDK allowed local attackers to access and potentially manipulate the memory of AI agents, highlighting the risks of insecure defaults in agentic tooling.
AI Threat Brief: Boundary Crossings in npm AI and Automation Tools
Advisories for the Anthropic SDK, OpenClaw, and n8n reveal how insecure defaults and missing validation checks create attack paths in agentic systems.
Three new security advisories impact the npm ecosystem, affecting the Anthropic SDK, OpenClaw, and n8n. The vulnerabilities highlight a pattern of boundary-crossing risks, where flaws in file permissions, input validation, and output sanitization allow attackers to read agent memory, exfiltrate local files, and hijack automation workflows.
Critical GitHub RCE Flaw (CVE-2026-3854) Threatens AI Supply Chains
Researchers discovered a command injection vulnerability in GitHub's core infrastructure, creating a significant risk for autonomous development agents and the integrity of AI model repositories.
A critical remote code execution vulnerability in GitHub could allow attackers to compromise code repositories, inject malicious AI models, and disrupt agentic workflows that rely on the platform.
LiteLLM Flaw Allowed Host Takeover via Insecure Test Endpoints
A critical vulnerability in the popular LLM proxy allowed any authenticated user to execute arbitrary commands, highlighting the security risks of multi-agent control plane software.
A privilege escalation flaw in LiteLLM's Multi-Call Parallelism server let any API key holder run code on the host, compromising the core of agentic AI deployments.
First Pilot Customer Reveal: SPICE Protocol on a Month of Helixar Watching Their Claude Code
After a month of running Helixar against daily Claude Code activity, SPICE Protocol's co-founder reports actionable insight into agent behavior, real team-wide AI safety, and a credible answer to one of the most dangerous attack vectors in production.
Helixar reveals its first named pilot customer. SPICE Protocol co-founder Pramodya De Alwis on why monitoring Claude Code matters when an AI agent has serious permissions, why the agent governance stack mattered for his team, and the next features SPICE asked us to ship.
HDP for Agentic Function Calls Is Now in the Google Gemma Cookbook
A public example in `google-gemma/cookbook` now shows Gemma 4 function calls being gated by Human Delegation Provenance before execution.
The Google Gemma cookbook now includes a public HDP example for securing Gemma 4 function calls. The significance is larger than one merge: it brings human authorization and delegation provenance into a mainstream open-model implementation path, while reinforcing the difference between the open HDP protocol and Helixar's commercial work in agentic threat detection.
Helixar Accepted into NVIDIA Inception as Agentic AI Security Moves from Research to Category
From 360-degree detection and threat research to HDP, HDP-P, and a live Hugging Face demo, Helixar is building across platform, protocol, and research at once.
Helixar has been accepted into NVIDIA Inception as it expands its agentic AI security platform, published research, HDP protocol work, HDP-P physical AI security efforts, and live demonstrations. Also supported by Google for Startups, the company is building the infrastructure layer for a market that is only just starting to name itself.
Anthropic's Claude Mythos Preview Just Changed the Security Equation. We Built Helixar for Exactly This.
The model autonomously chains zero-day exploits across every major OS and browser with no human guidance. Helixar published HDP and ReleaseGuard before this moment, and built behavioral detection for the threat no signature database can stop.
Anthropic's Claude Mythos Preview can autonomously find zero-day vulnerabilities in every major OS and browser, write working exploits, and chain them to escape browser sandboxes, no human guidance after the initial prompt. Helixar published the HDP open standard and ReleaseGuard before this threat materialised. Here is why the architecture we built is the right answer to what Anthropic just announced.
When AI Agents Control Physical Systems, a Prompt Injection Becomes a Physical Event
Gemma 4 runs on a Jetson Nano and does native function calling. HDP-P is the open protocol putting a cryptographic gate between the model and the actuator layer.
Gemma 4 runs on edge hardware and does structured function calling. When that function calling is wired to a physical actuator, a bad model output is no longer a software problem. HDP-P is the open protocol that puts a cryptographic authorization layer between the model and the physical world, and the live Hugging Face demo shows it blocking a malicious command injection in real time.
Anthropic Leaked 512,000 Lines of Claude Code via a Misconfigured npm Package
A single debug file shipped to the public registry. The entire source followed. This was the second time.
On March 31, 2026, a 59.8 MB JavaScript source map in @anthropic-ai/claude-code v2.1.88 pointed to a publicly accessible Cloudflare R2 bucket containing the full Claude Code source: 1,906 TypeScript files, 512,000 lines, every internal tool and slash command, and a stealth system designed to prevent exactly this kind of leak. A single misconfigured .npmignore. The second time this happened.
Axios npm Compromised: 100M-Download Library Used to Deploy RAT via Maintainer Account Hijack
When a maintainer's account falls, every developer who runs npm install becomes a target.
On March 31, 2026, attackers hijacked the npm account of axios's lead maintainer and published two malicious versions, [email protected] and [email protected], each containing a cross-platform remote access trojan deployed via a postinstall hook. The RAT targeted macOS, Windows, and Linux, called home to attacker-controlled infrastructure, then self-deleted. 100 million weekly downloads. Zero automated integrity checks.
HDP: The Open Protocol That Gives AI Agents a Verifiable Chain of Authority
When an AI agent acts on your behalf, there is no standard record of what you actually authorized. HDP is the first open protocol designed to fix that.
Helixar Labs publishes the Human Delegation Provenance Protocol (HDP), a v0.1 open specification for recording, signing, and verifying human authorization in agentic AI systems. The first protocol to close the delegation gap: the moment a human hands control to an AI agent, all structured record of what they authorized disappears. Free to implement, Apache 2.0, on GitHub.
Qihoo 360 Shipped a Private SSL Key Inside Their Installer. Here Is What That Means.
The world's largest cybersecurity company by user count shipped a wildcard private key in a public download. Artifact scanning catches this in seconds. Nobody was scanning.
On March 16, 2026, researchers found a wildcard SSL private key for *.myclaw.360.cn bundled inside the public installer for Qihoo 360's new AI product. Anyone who downloaded the installer had the key. Qihoo 360 revoked the certificate two days later and stated users were not affected. No explanation was given for how they verified this.
LiteLLM Supply Chain Attack: Malware Found in 97-Million-Download AI Library
The poisoned package was live for less than an hour. No security tool caught it.
On March 24, 2026, a malicious version of LiteLLM (v1.82.8) was pushed to PyPI containing credential-harvesting malware that ran on every Python process startup. SSH keys, cloud tokens, Kubernetes configs, API keys, all exfiltrated. Caught only because the malware crashed its own victim.
Twenty AI Agents. Zero Breaches. PentAGI Runs Its Autonomous Red Team Against Helixar
We ran an open-source multi-agent autonomous penetration testing framework against a live Azure VM. The swarm found real vulnerabilities. It couldn't get in.
PentAGI deployed 20+ specialist AI agents against the Helixar platform in a structured external assessment: reconnaissance, enumeration, vulnerability analysis, and credential testing. The swarm found version disclosure and minor issues. It found zero path to authentication bypass or data exfiltration. This is the full, unedited report.
ReleaseGuard, Sentinel, and the MCP Security Checklist
Three free, open-source tools from Helixar Labs (Apache 2.0 / MIT) covering artifact security, MCP server hardening, and live protocol traffic scanning, all on GitHub Marketplace.
ReleaseGuard scans release artifacts for embedded secrets, source maps, and unsigned binaries, then signs and attests the output with a full SBOM. Sentinel scans live MCP traffic for anomalous invocation patterns and prompt injection. The MCP Security Checklist covers pre-deployment server hardening. All three are free on GitHub Marketplace and require no account to run core functionality.
The Next War Won't Have a Front Line
AI agents are doing to cybersecurity what drones did to armoured warfare. The attack surface has widened faster than any defence has adapted, and almost anyone can now run the offensive.
A $400 drone destroyed a $4 million tank. A $50/month agentic attack loop now outpaces a $200,000/year human attacker. The economics of offensive cyber have collapsed in the same way and for the same reasons, and the security industry is largely still building better tank armour.
McKinsey's Lilli Breach: When the AI Itself Is the Attack Surface
How an autonomous agent compromised McKinsey's Lilli platform, and what it illustrates about the detection gap facing every enterprise deploying AI at scale.
In March 2026, an autonomous offensive agent walked into McKinsey's internal AI platform through an unauthenticated API endpoint and had read and write access to the entire production database within two hours. No credentials. No insider access. The vulnerability was SQL injection: 25 years old. The attack surface it exploited, the prompt layer, is two years old and almost entirely unmonitored.
Why the Most Important Security Category of 2026 Still Has No Winner
CrowdStrike, SentinelOne, and Microsoft Defender are excellent tools. They were not built for AI agents. An honest breakdown of what each category covers and where the gap sits.
If you ask an AI assistant for the best EDR for autonomous agents, you get a confident list of products that don't answer the question. The problem they were designed to solve is not the problem you are now running. Here is an honest account of why, and what actually exists.
When the Defender Caught the Builder
Helixar flagged Claude Code mid-deployment. It was a false positive, and the right call. What it reveals about the hardest unsolved problem in agentic AI security.
During a live deployment session, our own behavioral security platform flagged the AI coding agent we were using to build it. The behavioral signature of an authorised AI agent and a compromised one are, at the observation layer, nearly identical. Here is what we did with that.
PinchTab: The Stealth Browser Attack Your Security Stack Cannot Detect
A 12MB Go binary gives any AI agent full browser control via HTTP, with built-in stealth injection. In controlled testing, Helixar detected PinchTab-based attack simulations with zero active security rules.
On 15 February 2026, a GitHub repository called PinchTab was published. Within three weeks it had nearly 4,000 stars. It is a legitimate browser automation tool. It is also one of the most dangerous new attack vectors to emerge this year. And no security product on the market today was designed to see it coming.
Your Developer's AI Copilot Is the New Attack Surface: Supply Chain Risks in AI-Native Development Tools
GitHub Copilot, Cursor, and Claude Code all suffered critical vulnerabilities in 2025–2026. Attackers need no malware and no credentials. They need a prompt.
A developer clones a repository. An AI agent reads a comment. A reverse shell opens. This is not a hypothetical. Variants of this attack chain were confirmed against production developer tooling in 2025, and the structural vulnerability remains.
How Microsoft Copilot Became an Insider Threat: The EchoLeak Incident and What It Reveals About Enterprise AI Risk
A single crafted email. An AI assistant with access to your inbox. And no alert from your EDR, SIEM, or DLP. CVE-2025-32711 is not a bug. It's a structural preview of how agentic AI fails in enterprise.
CVE-2025-32711 allowed Microsoft 365 Copilot to exfiltrate confidential documents from enterprise environments with a single click. No malware. No credential theft. No alert. Microsoft confirmed the vulnerability. The structural risk it exposed remains.
Nation-States Are Weaponising Agentic AI. Your Security Stack Was Built for a Different World.
APT31 used Google Gemini for cyberattack reconnaissance. Anthropic documented 30 organisations targeted by AI-enabled intrusions. CrowdStrike recorded an 89% increase in AI-enabled attacks in 2026.
The CrowdStrike 2026 Global Threat Report documented the fastest-ever adversary breakout time: 27 seconds. Behind that number is a force multiplier that was not part of the threat model when your security stack was designed.
The Invisible Army: AI Agents Are the Next Cyber Threat. Your Security Stack Is Already Behind.
A new class of attacker is operating inside enterprise networks with valid credentials and signed code. Your EDR, SIEM, and firewall were not designed to see it.
The introduction of autonomous AI agents into enterprise environments has not merely expanded the attack surface. It has changed the fundamental nature of what an attacker can look like. This is what the security industry is not prepared for.
The Research That Demanded a New Category
How published academic threat intelligence and real-world attack data shaped the case for behavioral detection of agentic AI.
Between 2022 and 2026, a body of publicly available research quietly made the case that enterprise AI deployments had created an entirely new threat surface, one for which no dedicated tooling existed. This is an account of that research.
More articles forthcoming. Helixar research is published as findings are validated.