Context Window: AI Security Podcast

Asaf Nakash

Context Window is your weekly AI security podcast — the biggest stories in AI security, LLM security, agentic AI risks, and cybersecurity for AI in under 15 minutes. Every story, every take, every "here's what this actually means" is curated and verified by Asaf Nakash, who builds AI security products at one of the world's largest security platforms. Two AI voices. One human editor. Zero hallucinations guaranteed — or at least we're working on it.

  1. 3 days ago

    #16: Assume the Model Is Already Breached

    Top Story: A Directive at 5:21 PM, Two Frontier Models Gone by Morning — For the first time anyone can easily point to, the US government used export controls — the tool that governs missiles and advanced chips — to pull a deployed, commercial AI model off the market.

    The "Are you sure?" box in your AI coding assistant can lie about what you're approving. — Researchers at Adversa AI disclosed two flaws affecting popular AI coding tools.

    An attacker can turn a tool your AI agent trusts into a remote-control channel — without ever touching your infrastructure. — Tenet Security disclosed Agentjacking, an attack that abuses the connection between AI coding agents and Sentry, a popular error-monitoring service.

    Two new papers make the uncomfortable case that the model layer is the wrong place to fix this. — One, recasting prompt injection through "Contextual Integrity" theory, argues for an impossibility-style limit: a model may never be able to reliably separate the instructions it should trust from the hostile text it reads.

    OWASP turns that thesis into a to-do list — and treats agent risk as something already in production, not a forecast. — Its updated "State of Agentic AI Security and Governance" starts from the assumption that the model can be fooled, then tells teams to spend their effort on the controls around it: watch what each agent actually does at runtime, give it its own identity and the narrowest possible permissions, and wire in a circuit-breaker that can cut a misbehaving agent off mid-action.

    A public threat-landscape roundup grounds all of that theory in May's real attacks. — Microsoft Security Research's May 2026 threat-landscape roundup (Tanmay Ganacharya) distills a month of public findings into three dominant patterns: software supply-chain compromise (poisoned and typo-squatted npm packages, plus hijacked maintainer accounts, planting code that steals build-pipeline and cloud credentials), identity-driven cloud intrusion (one stolen identity — abused through password-reset social engineering — cascading into a cloud-wide Microsoft 365/Azure breach, an actor Microsoft tracks as Storm-2949, alongside adversary-in-the-middle phishing and a macOS infostealer wave), and direct attacks on AI agent software (publicly exposed AI apps left unauthenticated, and remote-code-execution flaws in agent frameworks).

    Curator's Corner: The Wall Faces the Wrong Way

    Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-15.html

    12 min.
  2. 1 Jun

    #14: Hidden in White

    Top Story: Prompt Injection Goes Operational — For two years, prompt injection has mostly been a lab demo.

    ModelScope MS-Agent: a max-severity hole with no fix (CVE-2026-2256). — A command-injection flaw in Alibaba's widely used MS-Agent toolkit lets an attacker run arbitrary commands on the host running the agent (CVSS 9.8).

    LMDeploy: 13 hours from disclosure to exploitation (CVE-2026-33626). — Earlier this spring, a server-side request forgery flaw in the LMDeploy serving framework — think of it as tricking the server into making requests on the attacker's behalf — went from public advisory to active exploitation in roughly 13 hours, faster than any human patch cycle.

    CrewAI: four flaws in one agent framework. — The CrewAI orchestration framework picked up four separate vulnerabilities this spring (CVE-2026-2275, -2285, -2286, -2287), catalogued together by CERT/CC (VU#221883).

    Snowflake buys Natoma to govern what AI agents can touch. — Snowflake (NYSE: SNOW) signed a definitive agreement on May 27 to acquire Natoma, an enterprise platform that secures how AI agents connect to corporate systems through the Model Context Protocol (MCP) — the emerging standard for plugging agents into tools and data.

    CodeIntegrity raises $5M to put guardrails around agents at runtime. — The seed round (led by Syn Ventures, with Antler and Boost VC) backs a "deterministic control layer" for LLM agents — the idea that because agents behave unpredictably, you wrap them in enforceable, rule-based limits on what they're allowed to do in the moment.

    EU AI Act: deepfake-labeling rules approach their deadline. — The Act's Article 50 transparency obligations require that AI-generated and manipulated content be labeled or watermarked, with an enforcement window in August 2026.

    Pentagon formalizes its split with Anthropic. — After designating Anthropic a supply-chain risk in March, the Department of Defense moved in May to source frontier AI from other vendors.

    Anthropic's vulnerability-hunting AI is finding flaws faster than anyone can patch. — One month into Project Glasswing, Anthropic and roughly 50 partners say its restricted "Mythos" model has uncovered more than 10,000 high- or critical-severity vulnerabilities in the open-source software that underpins the internet — Cloudflare alone found 2,000 bugs, Mozilla fixed 271 in Firefox (about 10× its prior rate), and the UK's AI Security Institute called it the first model to clear both of its multi-step attack simulations end to end.

    Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-06-01.html

    13 min.
  3. 25 May

    #13: The zero-day you can't patch

    Top Story: The Week Trust Broke Twice — Two stories landed in the same 72 hours that belong in the same frame.

    NVIDIA NemoClaw sandbox bypass (CVE-2026-24222). — Lasso Security demonstrated that AI agents running inside NVIDIA's NemoClaw/OpenShell sandbox can exfiltrate sensitive data through tools the sandbox explicitly allows.

    vm2 sandbox escape wave: 13 CVEs, CVSS 9.0–10.0. — Between May 4 and May 7, researchers disclosed 13 sandbox escape vulnerabilities in vm2, the popular Node.js library used to isolate untrusted JavaScript.

    Cisco: "Reading Between the Pixels" (multimodal prompt injection). — Cisco's AI research team published Part 2 of their VLM safety research, demonstrating that small pixel-level perturbations (bounded at 12.5%) can bypass safety filters in vision-language models.

    UK ICO: AI security is now a GDPR Article 32 duty. — The Information Commissioner's Office published a five-step guide declaring that AI-powered attacks (prompt injection, AI-enhanced phishing, deepfake social engineering, automated vulnerability exploitation) must be treated as present-day threats under GDPR's "appropriate technical and organizational measures" requirement.

    Verizon DBIR 2026: vulnerability exploitation overtakes stolen credentials. — For the first time, vulnerability exploitation is the #1 initial breach vector at 31%, surpassing stolen credentials, which fell to 13%.

    Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-05-25.html

    13 min.
  4. 18 May

    #12: Agentic Speed — both sides of the race just went AI

    Top Story: The Race at Agentic Speed — Two things happened in the same week that belong in the same sentence.

    TeamPCP releases Shai-Hulud source code, launches BreachForums "supply chain challenge." — The group posted the complete worm framework to GitHub (since removed, but forked) with detailed deployment instructions, and announced a contest on BreachForums offering $1,000 in Monero to anyone who uses it to compromise open-source packages.

    TanStack CI cache poisoned, hitting OpenAI and Mistral AI. — A pull request from a throwaway fork (attributed to TeamPCP's ongoing supply-chain campaign) triggered a workflow that wrote to the shared CI cache.

    node-ipc compromised via inactive maintainer account (690K weekly downloads). — Three malicious versions exfiltrate credentials and secrets via DNS TXT queries to a fake Azure-themed domain — same package that shipped protestware in 2022, different attacker, far more capable.

    Palo Alto Networks' first AI-driven "Patch Wednesday" produced 26 CVEs — versus their typical fewer than five. — As part of Project Glasswing and the Trusted Access for Cyber program, Palo Alto ran frontier models (Mythos, Claude Opus 4.7, GPT-5.5-Cyber) against their own 130+ products.

    XBOW independently benchmarks Anthropic's Mythos for offensive security. — Confirmed: Mythos is "a significant step up over all existing models" for finding vulnerability candidates from source code.

    Akamai acquires LayerX for $205M (all-cash). — AI and browser security platform providing shadow AI discovery, gen-AI data loss prevention, and protection for AI browsers and plugins.

    OpenAI in talks with EU regulators to provide access to a cyber-focused GPT-5.5 model — that can identify and exploit software vulnerabilities, after EU cybersecurity agencies were unable to gain access to Anthropic's Mythos.

    Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-05-18.html

    10 min.
