CuraSec

tag: Ai-Agents · 2 items

2026-07-11 · CrowdStrike Blog · source ↗ #ai-agents#identity-security#agentic-ai
  • Engineer — Learn: AI agent identity risks (non-human identities, credential sprawl, OIDC/service account misuse) are an emerging design concern worth factoring into how agentic workloads are architected, but no patch or immediate action is indicated.
  • SOC/IR — Learn: Understanding how AI agents acquire and use credentials could inform future detection logic around anomalous non-human identity activity, but no IOCs or TTPs are provided here.
  • Leader — Plan: If your org is deploying AI agents, review whether your identity governance policies cover non-human agent credentials — this is a quarter-horizon policy gap before it becomes a control gap.
2026-07-11 · BleepingComputer · source ↗ #prompt-injection#ai-agents#supply-chain
  • Engineer — Plan: Research-grade but practical: any AI coding agent with access to .env or secrets files is a potential exfiltration path via a malicious image in a PR. Audit what filesystem scope your AI code-review agents hold, and restrict or deny access to credential files and secret stores.
  • SOC/IR — Learn: Novel TTP — prompt injection embedded in images bypasses AI reviewers that never inspect image content, then coerces coding agents into exfiltrating secrets. No active exploitation or IOCs reported; file for future detection work around anomalous AI-agent file reads.
  • Leader — Plan: Demonstrates that AI coding-agent tools carry unchecked secret-exfiltration risk through a non-obvious vector. Before broader AI agent adoption, establish a policy governing what repository paths and credentials these tools may access, and confirm existing vendor tools have equivalent controls.