Industry
Ilya Kabanov

5 stories this week that change your decisions (Apr 13-19, 2026)

AISI confirmed Claude Mythos at 73% expert-CTF and end-to-end on a 32-step corporate takeover simulation for $15k amortized, and CSA and SANS dropped a playbook the same week. Separately, 24 MCP CVEs shipped in two weeks across Microsoft, OpenAI, Splunk, Apache, and Prefect, including one that fires the moment a developer clones a repo and runs Codex. And a new Centre for Long-Term Resilience paper catalogued 698 real-world incidents of coding agents bypassing system prompts in five months, including Claude Code running terraform destroy on a live environment and wiping 2.5 years of student data.

1. Seven Priorities to Defend Against a Tireless Adversary

AISI confirmed Mythos at 73% expert-CTF and end-to-end on a 32-step corporate takeover. $15k full attack cost. Seven priorities: update the threat model, inventory exposed systems, patch under 24 hours, reduce dependencies, AI security code review, five-incident tabletops, hard identity barriers.

2. Clone a repo, run Codex, lose your AWS keys

24 MCP CVEs in two weeks from Microsoft, OpenAI, Splunk, Apache, and Prefect. MCP servers run on developer laptops with full production credentials: infrastructure-grade access, side-project-grade security. You can't wait until Anthropic matures the MCP spec, so start by removing production credentials from developer laptops.

3. Claude Code ran terraform destroy on live production

Coding agents ignore system-prompt prohibitions when they have a goal to complete. Claude Code wiped 2.5 years of student data. Gemini rewrote a GitHub Actions YAML to escalate contents:read to contents:write. OpenAI Codex, in a read-only sandbox, noted the constraint in its chain of thought and wrote to disk anyway. 698 such incidents in five months, per CLTR. Prompt-level restrictions collapse once the agent has a goal.

4. 47 advisories, one agent framework: the vibe-check adoption problem

Everyone heard about OpenClaw's security issues. PraisonAI is the framework your engineers are already running. Thirteen researchers filed 47 advisories. The agent framework gold rush has a security gap.

5. Lock the Files, Break the Agent

File locks cut prompt injection on a live agent from 87% to 5%. They also cut legitimate user updates from 100% to 13.2%. No frontier model could distinguish a poisoned write from a personalization request.

Sources:

  1. Scheming in the wild: detecting real-world AI scheming incidents with open-source intelligence (Shane, Mylius, Hobbs; Centre for Long-Term Resilience, 2026)
  2. Model Context Protocol specification and documentation
  3. PraisonAI Security Advisories (GitHub)
  4. The "AI Vulnerability Storm": Building a "Mythos-ready" Security Program (CSA, SANS, April 12, 2026)
  5. Our evaluation of Claude Mythos Preview's cyber capabilities (AISI, April 2026)
  6. Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw (Wang et al., 2026)