๐ฆ๐๐๐ ๐ฎ.๐ฌ ๐ถ๐ ๐ต๐ฒ๐ฟ๐ฒ โต
Last year we released the SAIL Framework: a practical, process-oriented guide to securing AI systems across their lifecycle. The community made it real. 50,000+ downloads, and security teams turned it into working AI security roadmaps.
SAIL 2.0 takes on the next phase of enterprise cybersecurity: securing the agentic workforce.
Co-developed with practitioners, for practitioners. Free for the community.
Use it to:
โ Build an AI security roadmap and benchmark maturity, phase by phase
โ Turn standards mappings into compliance checklists: EU AI Act, ISO, OWASP, DASF, AIUC-1
โ Run vendor assessments and RFPs with agentic-literate questions
โ Give security, legal, compliance, and engineering one shared vocabulary
Download SAIL 2.0, or use the SAIL Skill to turn the framework into a working roadmap: https://t.co/tTMd31Uxf2
Google's AI powered GitHub workflows that allowed any external attacker, with nothing more than a public GitHub issue, to a full supply chain compromise of the gemini-cli repository, Google's AI coding agent with 101,000+ stars.
The attack worked in four steps:
> The vector. An attacker opens a public Issue on a Google GitHub repository.
> The mechanism. Google deployed a Gemini-powered AI agent to read and triage incoming public issues automatically. The attacker hides instructions inside the issue text. When the agent reads the issue, the prompt injection takes control of the agent.
> The exploit. Under the attacker's instructions, the Gemini agent extracts the workflow internal secrets from the build environment and exfiltrates them to an attacker-controlled server. From those credentials, the attacker pivots to a token with full write access on the repository.
> The impact. Full supply-chain compromise. The attacker can push arbitrary code to the main branch of gemini-cliโs repository, which then ships to every downstream user.
7/ Full threat report, TTPs, IoCs, and detection signatures:
https://t.co/Bj8AsZGTbD
If you want to learn how @Pillar_sec helps organizations mitigate and avoid this risks:
https://t.co/lx268fID38
1/ So threat actors just realized they can use your very own coding agents after an initial access. They don't need to write or use malware anymore - they can use yours.
๐งต
6/ At this point, we have no confirmed evidence the exfiltration was successful beyond the initial access itself.
But the takeaway is clear: AI Coding agent are becoming post-exploitation target for threat actors.
Welcome my new latest findings at @Pillar_sec:
- Unauthenticated Expression Evaluation via Form Node in n8n (CVE-2026-27493, CVSS v4 9.5)
- Expression Sandbox Escape Leading to RCE in n8n (CVE-2026-27577, CVSS v4 9.4) Highly recommended to update n8n to patched versions.
I open-sourced my macOS terminal setup.
One script. Five minutes. Ghostty, tmux, Starship, and 15+ modern CLI tools replacing the defaults you've been tolerating.
https://t.co/isQbtsyDrl
@0xcyberbro Broadly speaking, it mostly have been adopted by individuals hyping and fomoing rather then Enterprises. Most of the instances we were monitoring were ad-hoc deployments with default conf.
An openclaw default conf instance running on enterprise infra/dev machine is a time bomb.
January and early Feb 2026 have been a wake-up call for AI security. At https://t.co/LmX6Wa7AXa , weโve been tracking a shift from "messing with LLMs" to owning the AI infrastructure.
Here are the 3 critical research pieces you need to read to understand the new playbook: ๐งต
3/ Caught in the Wild: Clawdbot Attacks
We deployed honeypots mimicking Clawdbot gateways and saw protocol-aware exploits within hours. Attackers aren't guessing, theyโre reading the source code to exfiltrate chat history, API keys, and run code. ๐ https://t.co/Rlpt2XfKF9
2/ Operation Bizarre Bazaar
The first attributed LLMjacking campaign with a commercial supply chain. Attackers are systematically scanning for exposed AI endpoints (Ollama, vLLM, MCP) to resell access on criminal marketplaces https://t.co/y6K5l3hYd5