5 AI security stories this week that change your decisions (Mar 23-29, 2026)

Offense got cheaper, faster, and wider this week. A local 4B model matched frontier APIs on offensive tasks, the window from disclosure to active exploitation shrank to hours, and a single threat actor's supply chain campaign crossed three independent ecosystems in five days.

1. 464 enthusiasts prompt injected 13 frontier AI models with 272K prompts from 41 real-world agent scenarios

The competition asked participants to prompt-inject AI agents while hiding the attack from the user. Claude Opus 4.5 was hardest to break, at a 0.5% attack success rate (ASR); Gemini 2.5 Pro struggled, at 8.5%.

2. Seven scanners for malicious AI agent skills agree on only 0.12%

238,180 skills from three marketplaces and GitHub. On the marketplace where scanners overlapped, they agreed on just 33 out of 27,111. Even the best pair shared only 49% of their flags. 95.8% of skills flagged as high-risk by two methods were false positives.

3. 95.8% Linux privilege escalation by a 4B model, 100x cheaper than Opus

TU Wien researchers post-trained Qwen3-4B using reinforcement learning with verifiable rewards. It achieves 95.8% success on privilege escalation at $0.005 per attempt versus $0.62 for Claude Opus, and keeps all target data local.

4. TeamPCP supply chain attack: three hits in five days

A threat actor called TeamPCP poisoned Trivy's GitHub Action tags, harvested CI/CD secrets from every runner that executed them, and used stolen credentials to independently compromise Checkmarx and LiteLLM. Aqua says it is still propagating.

5. 24 AI CVEs in one week, one exploited in 20 hours

An advisory was published Tuesday evening. By Wednesday afternoon, attackers had built working exploits from the text alone and were harvesting API keys from AI pipelines. That was one of 24 AI CVEs this week. Here's what to patch, what to watch, and what it means for your stack.

And as the week closed, Anthropic accidentally leaked draft documents about Claude Mythos. The company describes it as "by far the most powerful AI model we've ever developed" and warns it "presages an upcoming wave of models that can exploit vulnerabilities in ways that far outpace the efforts of defenders." Their plan: give defenders early access to get a head start.

Sources:

  1. How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition (Dziemian et al., 2026)
  2. Malicious Or Not: Adding Repository Context to Agent Skill Classification (Holzbauer et al., 2026)
  3. Post-Training Local LLM Agents for Linux Privilege Escalation with Verifiable Rewards (Normann et al., 2026)
  4. Aqua Security: Update: Ongoing Investigation and Continued Remediation (March 24, 2026)
  5. How attackers compromised Langflow AI pipelines in 20 hours (Sysdig TRT)