Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

Ai-Powered Supply Chain Attacks: Unveiling the Dark Side of Trust



A recent study has revealed a series of AI-powered supply chain attacks that exploit vulnerabilities in popular AI models, including GitHub comments and Microsoft Copilot Studio. These vulnerabilities can be used by malicious actors to hijack chat sessions, exfiltrate sensitive data, and execute malicious instructions. As security researchers emphasize, "You cannot build a security control on a system that changes its mind." The discovery of these vulnerabilities highlights the importance of verifying metadata and ensuring the integrity of user-supplied data.

  • The rise of artificial intelligence (AI) has introduced new vulnerabilities in supply chains, which can be exploited by malicious actors.
  • A series of AI-powered supply chain attacks have been identified, highlighting the importance of verifying metadata and ensuring user-supplied data integrity.
  • A vulnerability in GitHub comments allows attackers to turn pull requests into attack vectors for API key and token theft, dubbed "Comment and Control."
  • Another vulnerability, "Claudy Day," enables attackers to silently hijack a user's chat session and exfiltrate sensitive data with a single click.
  • ToolJack is a novel attack that allows local attackers to manipulate an AI agent's perception of its environment and produce unintended downstream effects.
  • The discovery of these vulnerabilities highlights the need for organizations to prioritize security measures and ensure the integrity of user-supplied data.



    • The rise of artificial intelligence (AI) has brought about unprecedented efficiency and innovation across various industries, from healthcare to finance. However, this rapid advancement has also introduced new vulnerabilities that can be exploited by malicious actors. A recent study published in Manifold Security sheds light on a series of AI-powered supply chain attacks that have been identified, highlighting the importance of verifying metadata and ensuring the integrity of user-supplied data.

    The study reveals how a Claude-powered GitHub Actions workflow ("claude-code-action") can be tricked into approving and merging pull requests containing malicious code with just two Git configuration commands. This attack exploits the lack of input sanitization and inadequate separation between system instructions and user-supplied data, allowing an attacker to embed malicious prompts that override the agent's intended behavior.

    One vulnerability, codenamed Comment and Control, was discovered in GitHub comments, which enables attackers to turn pull request titles, issue bodies, and issue comments into attack vectors for API key and token theft. Another vulnerability, codenamed Claudy Day, allows an attacker to silently hijack a user's chat session and exfiltrate sensitive data with a single click. This attack pipeline requires no additional integrations, tools, or Model Context Protocol (MCP) servers.

    Moreover, Anthropic Claude Code Security Review has been found vulnerable to prompt injection via GitHub comments, allowing an attacker to turn pull request titles, issue bodies, and issue comments into attack vectors for API key and token theft. The prompt injection attack, codenamed Comment and Control, weaponizes an AI agent's elevated access and its ability to process untrusted user input to execute malicious instructions.

    Furthermore, a trio of vulnerabilities have been identified in Claude that, when chained together, allow an attacker to silently hijack a user's chat session and exfiltrate sensitive data with a single click. The attack pipeline requires no additional integrations, tools, or MCP servers. This vulnerability has been dubbed Claudy Day, which is similar to ForcedLeak in that the system processes public-facing lead form inputs as trusted instructions.

    The vulnerabilities discovered in Claude have significant implications for AI-powered workflows and supply chains. As researchers note, "You cannot build a security control on a system that changes its mind." The attack exploits the lack of input sanitization and inadequate separation between system instructions and user-supplied data, allowing an attacker to embed malicious prompts that override the agent's intended behavior.

    In addition to these findings, another novel attack called ToolJack has been discovered. This attack allows a local attacker to manipulate an AI agent's perception of its environment and corrupts the tool's ground truth to produce unintended downstream effects, including poisoned data, fabricated business intelligence, and bogus recommendations.

    The development of this attack demonstrates that compromising the protocol boundary yields control over the agent's entire perception. "Where MCP Tool Shadowing poisons tool descriptions to influence agent behavior across servers and ConfusedPilot contaminates a RAG retrieval pool, ToolJack operates as a real-time infrastructure attack on the communication conduit itself," Preamble researcher Jeremy McHugh said.

    The discovery of these vulnerabilities highlights the importance of verifying metadata and ensuring the integrity of user-supplied data. As security researchers emphasize, "The pattern likely applies to any AI agent that ingests untrusted GitHub data and has access to execution tools in the same runtime as production secrets -- and beyond GitHub Actions, to any agent that processes untrusted input with access to tools and secrets: Slack bots, Jira agents, email agents, deployment automation."

    In conclusion, the vulnerabilities discovered in Claude demonstrate the potential risks associated with AI-powered supply chains. As researchers continue to uncover new vulnerabilities, it is essential for organizations to prioritize security measures and ensure the integrity of user-supplied data.


    A recent study has revealed a series of AI-powered supply chain attacks that exploit vulnerabilities in popular AI models, including GitHub comments and Microsoft Copilot Studio. These vulnerabilities can be used by malicious actors to hijack chat sessions, exfiltrate sensitive data, and execute malicious instructions. As security researchers emphasize, "You cannot build a security control on a system that changes its mind." The discovery of these vulnerabilities highlights the importance of verifying metadata and ensuring the integrity of user-supplied data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ai-Powered-Supply-Chain-Attacks-Unveiling-the-Dark-Side-of-Trust-ehn.shtml

  • https://thehackernews.com/2026/04/google-patches-antigravity-ide-flaw.html

  • https://bughunters.google.com/learn/invalid-reports/ai-products/antigravity-known-issues

  • https://www.techradar.com/pro/googles-ai-powered-antigravity-ide-already-has-some-worrying-security-issues

  • https://www.bleepingcomputer.com/news/security/claude-code-leak-used-to-push-infostealer-malware-on-github/

  • https://cybersecurityforme.com/the-claude-ai-data-breaches-timeline/

  • https://dev.to/waxell/forcedleak-what-salesforce-agentforces-cvss-94-exploit-reveals-about-ai-agent-governance-1mb0

  • https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce/

  • https://www.fbi.gov/wanted/cyber/apt-41-group

  • https://attack.mitre.org/groups/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://en.wikipedia.org/wiki/Advanced_persistent_threat


    • Published: Tue Apr 21 09:37:30 2026 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us