So What Happened?

What a week. The lines between legitimate AI tools and malicious infrastructure are getting blurrier by the day. We're seeing threat actors turn trusted AI platforms into command-and-control servers, while researchers are confirming our worst fears: the fundamental ways LLMs work might be inherently insecure.

Attackers are getting incredibly creative, hijacking AI agents through invisible prompts and abusing OpenAI's own API to hide in plain sight. At the same time, a universal vulnerability affecting every version of Windows ever released reminds us that while we're focused on the new threats, the old ones haven't gone anywhere. It's a complex landscape, but we've got you covered.

TL;DR

  • Attackers Turn OpenAI API into a C2 Channel
    The SesameOp backdoor now uses OpenAI's Assistants API for command-and-control. By blending malicious traffic with legitimate API calls, attackers evade detection while maintaining stealthy persistence on compromised systems.

  • AI Agents Are Being Hijacked by a Single Prompt
    AI browsers like ChatGPT Atlas are shipping with prompt injection flaws. Attackers can embed hidden commands on webpages to hijack the agent, risking exposure of sensitive user data.

  • Researchers Conclude Prompt Injection May Be Unfixable
    Academic research suggests prompt injection is a core architectural flaw in LLMs. Since models can't tell trusted commands from untrusted data, current defenses are proving ineffective against sophisticated attacks.

  • Decades-Old Windows Driver Puts Every Single Device at Risk
    A critical privilege escalation flaw (CVE-2025-24990) exists in a modem driver on every Windows version ever released. This gives attackers an easy path to full system control after initial access, exposing a massive and overlooked attack surface.
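An added defender-side illustration of the SesameOp item above, not code from the newsletter or from the reports it summarizes: when C2 rides on api.openai.com, a domain allow-list sees nothing wrong, but a polling implant still reveals itself through the regular cadence of its requests. The log format, host name, process names and thread id below are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <host> <process> <method> <url>".
# Process names and the thread id are placeholders, not real SesameOp indicators.
SAMPLE_LOG = """\
2025-11-03T09:00:00Z ws17 chrome.exe POST https://api.openai.com/v1/chat/completions
2025-11-03T09:00:05Z ws17 updater.exe GET https://api.openai.com/v1/threads/thr_PLACEHOLDER/messages
2025-11-03T09:00:35Z ws17 updater.exe GET https://api.openai.com/v1/threads/thr_PLACEHOLDER/messages
2025-11-03T09:01:05Z ws17 updater.exe GET https://api.openai.com/v1/threads/thr_PLACEHOLDER/messages
2025-11-03T09:01:35Z ws17 updater.exe GET https://api.openai.com/v1/threads/thr_PLACEHOLDER/messages
2025-11-03T09:01:50Z ws17 chrome.exe POST https://api.openai.com/v1/chat/completions
2025-11-03T09:02:05Z ws17 updater.exe GET https://api.openai.com/v1/threads/thr_PLACEHOLDER/messages
2025-11-03T09:04:20Z ws17 chrome.exe POST https://api.openai.com/v1/chat/completions
2025-11-03T09:05:00Z ws17 chrome.exe POST https://api.openai.com/v1/chat/completions
"""


def parse_log(text):
    """Yield (timestamp, host, process, url) tuples from the space-separated log."""
    for line in text.splitlines():
        ts, host, proc, _method, url = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, proc, url


def find_beacons(text, domain="api.openai.com", min_hits=4, max_cv=0.2):
    """Return {(host, process): mean_interval_s} for sources whose requests to
    `domain` arrive on a regular cadence. The coefficient of variation
    (stdev / mean) of the gaps between requests separates a polling implant
    from a person using an AI assistant interactively."""
    stamps_by_src = defaultdict(list)
    for ts, host, proc, url in parse_log(text):
        if url.split("/")[2] == domain:
            stamps_by_src[(host, proc)].append(ts)
    beacons = {}
    for src, stamps in stamps_by_src.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge rhythm
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons[src] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (host, proc), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: {proc} polls api.openai.com every ~{interval}s (beacon-like)")
```

Real implants add jitter, so tune `max_cv` against your own baseline and pair this with a check of which processes on the host are expected to hold an OpenAI API key at all.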

THIS WEEK’S EXPERT OPINION

BOAZ BARZEL | Field CTO at OX Security

We are watching attackers evolve faster than defenders because AI isn’t just a tool, it’s a thinking layer. The SesameOp case shows the shift clearly: attackers no longer need to build covert infrastructure; they simply hijack legitimate AI platforms as their command center. Meanwhile, agentic browsers act like overly helpful interns with your passwords. A screenshot, a webpage visit, or a subtle color-coded message is enough to silently rewrite intent. The common thread is not technical sophistication. It’s our willingness to hand control over to systems that appear smart and convenient. We are giving AI the keys, and then we are surprised when someone else learns how to drive it better than we can.

The research community is finally admitting what many have avoided: prompt injection is a structural flaw in the way LLMs work. There are too few reliable defenses today, and the tools themselves are still unknown to the majority who use them. The result is simple: the more we automate decision-making, the more we multiply our exposure. This is about rethinking how much autonomy we hand to systems that can be influenced by untrusted inputs. If AI is going to think for us, it will also be tricked for us. We all see the AI thinking, but it is not for us; it is for itself. These tools cannot distinguish between good and bad. That is why we need to design and operate under the assumption that the system can and will be turned against us. Otherwise, we are not practicing security. We are practicing wishful thinking.

— Boaz
