Artificial intelligence has been framed as the defender’s advantage: copilots drafting detections, agents triaging alerts, LLMs classifying malware faster than any human team. As Innovate Cybersecurity has argued, AI is now the defining layer of modern security operations. The corollary most teams haven’t absorbed: if AI is the environment, it is also a target — and increasingly a weapon. Four pieces of research disclosed within days of each other make that concrete, and the CVE-era playbook won’t surface any of it.
Three show attackers manipulating the defender’s AI. A North Korea–linked macOS strain called Gaslight embeds fabricated “system” messages to make an AI triage agent doubt its session and abort — an attack on perception. A Mozilla 0DIN proof-of-concept shows a clean GitHub repository coaxing an agentic coding tool into opening a reverse shell while “fixing” a setup error — an attack on autonomy, with no exploit code in the repo itself. JFrog found hijacked npm packages hiding execution in a code-editor task and pulling payloads from blockchain transactions, showing a harmless face at scan time — an attack on the trust boundary AI-assisted scanning depends on.The fourth inverts the relationship. Ransomware operator JadePuffer exploited a known Langflow flaw, then handed the intrusion to an LLM that reasoned its way from an exposed server through credential theft, lateral movement, and irrecoverable encryption, largely without a human operator. The attacker didn’t manipulate someone else’s AI — they brought their own.
For three of the four, there is no vulnerability to patch; these are abuses of designed behavior, not flaws, which is why vulnerability management misses them. Langflow is the exception that proves the rule: a neglected CVE opened the door, but autonomous reasoning did the damage. The CISO mandate: govern AI as its own asset class — humans in the loop for consequential verdicts, constrained agentic dev tooling, supply-chain controls that assume deception, a hardened surface for the exposures an attacker’s agent will find first, behavior-based detection at machine speed, and red-teaming against the OWASP LLM Top 10 and MITRE ATLAS. Detail and tooling follow below.
Gaslight: Malware That Argues With the Analyst
SentinelOne Labs documented Gaslight, also reported by BleepingComputer: a Rust backdoor attributed with high confidence to a North Korea–linked actor, carrying a 3.5 KB payload of 38 fabricated “system” messages — fake logs, crash reports, token-expiration and static-analysis alerts, formatted to look legitimate.
None of it describes what the malware does. The strings are prompt injection aimed at the LLM-assisted triage agent examining the file, built to make it doubt its own session and abort the analysis. SentinelOne didn’t show Gaslight defeating a specific commercial platform, but the intent is the story: a nation-state actor now ships anti-analysis logic written for the model, not the sandbox. “The AI cleared it” is not a verdict you can bank when strings inside the artifact can argue the analyst into standing down.
The Clean Repo That Opens a Shell
Mozilla’s 0DIN showed an agentic coding tool, told to clone a benign-looking repo, induced to execute a payload — with no exploit code anywhere for a scanner or reviewer to catch.The chain weaponizes helpfulness. A routine pip3 install -r requirements.txt installs a package engineered to throw an error instructing the agent to run a follow-up command that resolves an attacker-controlled DNS TXT record and executes the result. The demo used Claude Code; the agent never decided to open a shell, it decided to fix an error. Because the payload lives in DNS rather than the repo, a repo that reviewed clean yesterday can deliver something else tomorrow. It’s a proof-of-concept, but the gap is real: an agent that fetches and runs remote content without surfacing its execution chain is an unmonitored code-execution path through your SDLC.
Poisoned Dependencies, Hidden in Plain Sight
JFrog Security Research found two hijacked npm packages — html-to-gutenberg and fetch-page-assets — hiding execution in a VS Code task set to runOn: “folderOpen”, disguising the payload as a padded, empty-looking font file, then pulling encrypted JavaScript from blockchain transactions before dropping a Python infostealer.
The editor-task trigger sidesteps the install-time hooks scanners watch most closely, and blockchain staging keeps the package inert at audit time and live later. JFrog has separately flagged PyPI packages using prompt injection to make AI scanners “look away” — the same idea migrating into open source. The attacker isn’t beating your signatures; they’re exploiting the assumption that analysis-time behavior predicts runtime behavior.
When the Attacker Is the Agent
A ransomware incident disclosed July 3, reported by SecurityWeek citing Sysdig, shows the inverse: JadePuffer ran a largely autonomous, agentic ransomware attack via Langflow, entering through CVE-2025-3248, a critical missing-authentication flaw CISA had already flagged as exploited.
What followed is the point. The LLM ran reconnaissance, harvested secrets, dumped the database, scanned the network, set persistence, then pivoted to a production server, forged a JWT against Nacos’s default signing key, and encrypted 1,342 configuration items with a key that was never persisted — recovery is effectively impossible. Sysdig observed the model correcting failed payloads and parsing free-text context to act on its meaning, rather than pattern-matching it: the same capability defenders prize in their own AI, turned against them. Agentic tooling, Sysdig notes, lowers the barrier for complex intrusions to a capable model rather than a capable human, at near-zero cost.
The Pattern — and What to Do About It
Gaslight attacks perception. The 0DIN chain attacks autonomy. The npm campaign attacks the trust boundary AI scanning depends on. Langflow inverts it, automating the reasoning an operator used to supply. For three of the four there’s no CVE to prioritize — abuses of design, not flaws, which is precisely why vulnerability management misses them.
As Novacoast’s penetration testers have argued in these pages, severity scores like CVSS were never a measure of real risk; Langflow bridges both worlds. These behaviors map cleanly to the OWASP Top 10 for LLM Applications and MITRE ATLAS — adopt that vocabulary first. None of this argues for pulling AI from the stack; it argues for governing it as its own asset class. Tooling below is illustrative of each category, not an endorsement.
- Human in the loop for consequential verdicts. Insert review at the point of consequence; treat early-terminating analysis as a signal to escalate. Inventory agent authority with AI-SPM tools — Wiz AI-SPM, Palo Alto Prisma AIRS, Microsoft Defender for Cloud, Lasso Security.
- Constrain agentic dev tooling. Require agents to surface their execution chain before running setup commands; sandbox them (Codespaces, dev containers, ephemeral VMs); front them with DNS filtering (Cisco Umbrella, DNSFilter, Cloudflare Gateway) and runtime guardrails (Protect AI, Robust Intelligence, Lakera Guard).
- Harden the supply chain against time-of-analysis deception. Pair SCA and malicious-package detection (Socket, Snyk, Endor Labs, JFrog Xray) with runtime dependency monitoring and Sigstore/SLSA provenance; hunt for hidden runOn: “folderOpen” tasks and disable workspace-trust auto-execution by policy.
- Shrink the surface an attacker’s agent finds first. Get frameworks like Langflow and stores like Nacos off the public internet, rotate default signing keys, prioritize by EPSS/KEV over CVSS, and run cloud runtime detection (Sysdig, Wiz Defend, Falco).
- Detect on behavior, at machine speed. Lean on ITDR for credential abuse and JWT forgery, and behavior-based detection over static indicators — agent-generated payloads mutate on every run.
- Red-team the AI layer itself. Fold OWASP LLM Top 10 and MITRE ATLAS into your risk framework and test your own pipelines for prompt-injection, agent abuse, and autonomous exploitation before an attacker does.
When the Defender Becomes the Target
For two years the industry asked what AI could do for the defender. These incidents ask the harder question: what happens when the defender is the target, and the attacker has an agent too? This exposure comes from your own modernization, running parallel to a new capability handed to your adversary — both invisible to the machinery built for the old world. Govern it now as a managed risk, or meet it later as an incident.