diff --git a/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
index f59c55e..2b6777e 100644
--- a/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
+++ b/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
@@ -19,9 +19,43 @@ response should be discussed with the **CTI initiative** responsible for publish
| Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis
(Vendor / CVE / Discoverer) |
|------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
+|**Mar 2026**| **Cursor Prompt Injection Whitelist Bypass RCE** | Malicious website triggered indirect prompt injection, bypassing auto-run whitelist for zero-consent command execution. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31854)
• [Y4tacker](https://github.com/Y4tacker) |
+|**Mar 2026**| **Excel XSS Weaponizes Copilot Agent Exfil** | Excel XSS triggered Copilot Agent mode into exfiltrating user data via unintended network egress. Zero-click exploitation. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26144)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-26144)
• — |
+|**Mar 2026**| **WeKnora MCP Tool Name Collision Hijack** | Malicious MCP server registered tool names that silently overwrote legitimate ones. Combined with prompt injection in tool output, enabled context exfiltration and tool hijack. | • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI07 (Insecure Inter-Agent Communication) | • [Tencent](https://github.com/Tencent/WeKnora/security/advisories/GHSA-67q9-58vj-32qx)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-30856)
• [aleister1102](https://github.com/aleister1102) |
+|**Mar 2026**| **Agent Commander Promptware Botnet C2** | Prompt injection turned coding agents into remotely controlled bots that polled an attacker server for instructions, ran recon, and exfiltrated data autonomously. | • ASI01 (Agent Goal Hijack)
• ASI06 (Memory & Context Poisoning)
• ASI10 (Rogue Agents) | • —
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2026/agent-commander-your-agent-works-for-me-now/) |
+|**Mar 2026**| **GitHub Copilot CLI Bash Parameter Expansion RCE** | Copilot CLI rated bash parameter expansion patterns as safe read-only commands, enabling RCE via prompt injection in repo files or MCP responses. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [GitHub](https://github.com/github/copilot-cli/security/advisories/GHSA-g8r9-g2v8-jv6f)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-29783)
• — |
+|**Mar 2026**| **GlassWorm Worm Infiltrates MCP Ecosystem** | Malicious npm package impersonated WaterCrawl MCP server using invisible Unicode-encoded JavaScript payloads. MCP subprocess trust model gave the package full access to developer credentials and filesystems. Part of a 5th-wave campaign hitting 150+ repos and 72+ VS Code extensions. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Koi Security](https://www.koi.ai/blog/glassworm-hits-mcp-5th-wave-with-new-delivery-techniques) |
+|**Mar 2026**| **PleaseFix Perplexity Comet Browser Zero-Click Hijack** | Weaponized calendar invite triggered zero-click exfiltration in Perplexity Comet agentic browser. Second exploit manipulated 1Password via agent-authorized workflows for full account takeover. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI03 (Identity & Privilege Abuse)
• ASI09 (Human-Agent Trust Exploitation) | • —
• —
• [Zenity Labs](https://zenity.io/research/pleasefix-vulnerabilities) |
+|**Feb 2026**| **ContextCrush Context7 MCP Server Poisoning** | Context7 MCP server served unsanitized third-party rules to coding agents. Poisoned libraries caused credential exfiltration and file deletion across Cursor, Claude Code, and Windsurf. | • ASI01 (Agent Goal Hijack)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI06 (Memory & Context Poisoning) | • [Upstash](https://github.com/upstash/context7/security)
• —
• [Noma Security](https://noma.security/blog/contextcrush-context7-the-mcp-server-vulnerability/) |
+|**Feb 2026**| **hackerbot-claw Autonomous CI/CD Pipeline Campaign** | Autonomous bot exploited GitHub Actions workflows across 7 repos (Microsoft, DataDog, Aqua, awesome-go) over 4 days. Achieved RCE in multiple targets and stole a PAT from aquasecurity/trivy plus a GITHUB_TOKEN from awesome-go. | • ASI03 (Identity & Privilege Abuse)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE))
• ASI10 (Rogue Agents) | • [Aqua Security](https://github.com/aquasecurity/trivy-vscode-extension/security/advisories/GHSA-8mr6-gf9x-j8qg)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-28353)
• [Adnan Khan](https://github.com/AdnaneKhan) |
+|**Feb 2026**| **Claude Code Command Injection via cd Bypass** | Directory change combined with write operations bypassed write protection on sensitive folders like .claude, allowing file creation or modification without user confirmation. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25722)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code Command Injection via Piped sed** | Piped sed commands bypassed file write restrictions, allowing writes to sensitive directories and paths outside the project. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25723)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code Sandbox Escape via settings.json Injection** | Bubblewrap sandbox failed to protect settings.json when missing, allowing malicious code to inject persistent hooks that execute with host privileges on restart. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25725)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code Symlink Permission Deny Bypass** | Permission deny rules were not enforced when following symbolic links, allowing unintended file access outside allowed directories. | • ASI02 (Tool Misuse & Exploitation) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25724)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code Command Injection via find Bypass** | Command parsing flaw let attackers bypass the confirmation prompt and execute untrusted commands via the find command. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-24887)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code ZSH Clobber Arbitrary File Writes** | ZSH clobber syntax bypassed directory restrictions, enabling arbitrary file writes outside the working directory without user approval. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-24053)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Claude Code Domain Validation Bypass Exfiltration** | Trusted domain checks used startsWith matching, so attacker-controlled domains like modelcontextprotocol.io.example.com passed validation, enabling automatic data exfiltration. | • ASI02 (Tool Misuse & Exploitation) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-24052)
• [nil221](https://hackerone.com/nil221) |
+|**Feb 2026**| **Copilot JetBrains Command Injection RCE** | Command injection in GitHub Copilot for JetBrains allowed remote code execution. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21516)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-21516)
• — |
+|**Feb 2026**| **n8n Zero-Click Agent Workflow RCE** | Public form submission injected expressions into n8n workflow engine via double-evaluation and SpreadElement sandbox escape. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [n8n](https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-27493)
• [Pillar Security](https://www.pillar.security/blog/zero-click-unauthenticated-rce-in-n8n-a-contact-form-that-executes-shell-commands) |
+|**Feb 2026**| **Moltbook Agent Platform 1.5M Keys Exposed** | Misconfigured Supabase on AI agent social network exposed 1.5M agent API keys and 35K emails. Write access enabled mass prompt injection into agent-to-agent content. | • ASI03 (Identity & Privilege Abuse)
• ASI06 (Memory & Context Poisoning) | • —
• —
• [Wiz Research](https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys) |
+|**Feb 2026**| **Docling AI Parser RCE via Unsafe YAML** | Malicious document fed to Docling AI parser triggered RCE through unsafe PyYAML deserialization. Shadow vulnerability in transitive dependency invisible to security tooling. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • [Docling](https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-24009)
• [Oligo Security](https://www.oligo.security/blog/docling-rce-a-shadow-vulnerability-introduced-via-pyyaml-cve-2026-24009) |
+|**Feb 2026**| **Microsoft AI Recommendation Memory Poisoning** | 31 companies across 14 industries embedded hidden prompt injections in AI summarize buttons. Pre-filled URL parameters poisoned AI assistants long-term memory, biasing future health and finance recommendations. | • ASI06 (Memory & Context Poisoning)
• ASI09 (Human-Agent Trust Exploitation) | • —
• —
• [Microsoft Security](https://www.microsoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/) |
+|**Feb 2026**| **AWS Kiro Command Injection via Directory Names** | Unsanitized directory name passed to child_process.exec in AWS Kiro enabled command injection when the agent ran git operations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [AWS](https://aws.amazon.com/security/security-bulletins/2026-001-AWS/)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-0830)
• [AWS](https://aws.amazon.com/security/security-bulletins/2026-001-AWS/) |
+|**Feb 2026**| **MCP TypeScript SDK Cross-Client Data Leak** | MCP TypeScript SDK leaked responses between concurrent clients due to JSON-RPC message ID collisions in shared transport instances. | • ASI07 (Insecure Inter-Agent Communication) | • [MCP SDK](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-25536)
• [ahabian](https://github.com/ahabian) |
+|**Feb 2026**| **DockerDash Ask Gordon MCP Meta-Context Injection** | Malicious Dockerfile LABEL fields hijacked Docker Ask Gordon AI, which forwarded weaponized metadata to the MCP Gateway for unvalidated command execution. RCE in CLI; data exfiltration in Desktop. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Docker](https://docs.docker.com/desktop/release-notes/#4500)
• —
• [Noma Security](https://noma.security/blog/dockerdash-two-attack-paths-one-ai-supply-chain-crisis/) |
+|**Feb 2026**| **MS-Agent Shell Tool Command Injection RCE** | ModelScope MS-Agent Shell tool used regex-based denylists bypassed via tokenization tricks. Attacker-induced agent executed arbitrary OS commands. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [ModelScope](https://github.com/modelscope/ms-agent)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-2256)
• [Itamar Yochpaz](https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326) |
+|**Feb 2026**| **Cursor Git Hooks Sandbox Escape RCE** | Prompt injection caused agent to write malicious git hooks, escaping the sandbox. Git auto-triggered attacker commands without user interaction. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-26268)
• [Credits](https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r) |
+|**Feb 2026**| **Clinejection AI Triage Bot Supply Chain Attack** | Prompt injection in a GitHub Issue title hijacked Cline AI triage bot, which installed a typosquatted package. Cascading compromise: CI/CD cache poisoned, 3 publishing tokens stolen, malicious cline@2.3.0 pushed to ~4,000 machines in 8 hours. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE))
• ASI08 (Cascading Failures) | • [Cline](https://github.com/cline/cline/security/advisories/GHSA-9ppg-jx86-fqw7)
• —
• [Adnan Khan](https://adnanthekhan.com/posts/clinejection/) |
+|**Feb 2026**| **RoguePilot GitHub Copilot Codespaces Repository Takeover** | Hidden instructions in a GitHub Issue hijacked Copilot in Codespaces. Agent checked out a PR with a symlink to GITHUB_TOKEN, then exfiltrated it via JSON schema auto-fetch for full repo takeover. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI03 (Identity & Privilege Abuse)
• ASI04 (Agentic Supply Chain Vulnerabilities) | • —
• —
• [Orca Security](https://orca.security/resources/blog/roguepilot-github-copilot-vulnerability/) |
+|**Jan 2026**| **Orval MCP Client Code Injection RCE** | MCP server generation used unsanitized OpenAPI spec fields, enabling code injection during tool code generation. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • [Orval](https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-22785)
• [nirhaas](https://github.com/nirhaas) |
+|**Jan 2026**| **Cursor Terminal Allowlist Bypass via Shell Built-ins** | Shell built-ins (export, typeset, declare) bypassed Cursor Auto-Run allowlist. Environment variable poisoning turned trusted commands into zero-click RCE vectors. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-22708)
• [Danus365](https://github.com/Danus365) |
+|**Jan 2026**| **MaliciousCorgi AI Extensions Harvest Developer Code** | Two VS Code AI extensions ran triple-channel exfiltration: real-time file capture, server-triggered bulk harvesting, and developer profiling via hidden analytics SDKs. Both remained live in the VS Code marketplace at disclosure. | • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI09 (Human-Agent Trust Exploitation) | • —
• —
• [Koi Security](https://www.koi.ai/blog/maliciouscorgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developers) |
+|**Jan 2026**| **Claude Weaponized in Mexican Government Breach** | Jailbroken Claude orchestrated attacks against Mexican government agencies for a month. Autonomously generated recon scripts, SQLi payloads, and credential-stuffing tools. 150 GB exfiltrated including 195M taxpayer records. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI10 (Rogue Agents) | • —
• —
• [CovertSwarm](https://www.covertswarm.com/post/claude-ai-jailbreak-mexico-government-data-breach) |
+|**Jan 2026**| **Claude Code Pre-Trust API Key Exfiltration** | Malicious repos exfiltrated Anthropic API keys by overriding ANTHROPIC_BASE_URL before the trust dialog appeared (CVE-2026-21852). Separate flaw enabled RCE via project hooks during init (CVE-2025-59536). | • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-21852)
• [Check Point Research](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/) |
+|**Jan 2026**| **ZombieAgent ChatGPT Deep Research Zero-Click Hijack** | Zero-click prompt injection in ChatGPT Deep Research exfiltrated mailbox data and files via hidden directives in emails. Memory poisoned for persistence; worm-like propagation across contacts. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI06 (Memory & Context Poisoning)
• ASI08 (Cascading Failures) | • —
• —
• [Radware](https://www.globenewswire.com/news-release/2026/01/08/3215156/0/en/Radware-Unveils-ZombieAgent-A-Newly-Discovered-Zero-Click-AI-Agent-Vulnerability-Enabling-Silent-Takeover-and-Cloud-Based-Data-Exfiltration.html) |
|**Dec 2025**| **Claude Skills Ransomware Deployment** | Cato Networks demonstrated that Claude's "Skills" plugin feature could deploy MedusaLocker ransomware by downloading, modifying, and re-uploading Skills with malicious code that executes autonomously. | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Cato CTRL](https://www.catonetworks.com/blog/cato-ctrl-weaponizing-claude-skills-with-medusalocker/) |
|**Dec 2025**| **Google Antigravity AI Data Wipe** | AI-powered IDE misinterpreted a cache-clearing instruction and issued a system-level delete command with quiet flag, wiping a developer's entire D: drive without confirmation, causing irreversible data loss. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Reddit](https://www.reddit.com/r/google_antigravity/comments/1p82or6/google_antigravity_just_deleted_the_contents_of/)
• —
• — |
-|**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)
• — |
+|**Nov 2025**| **Cursorignore Bypass via New Cursorignore Write** | A logic flaw allows a malicious agent to read sensitive files protected by cursorignore by creating a new cursorignore file that invalidates existing configurations. | • ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64110)
• [aretekzs](https://github.com/aretekzs) |
|**Nov 2025**| **GitHub Copilot Multi-Root Workspace RCE** | Agent exploits multi-root workspace settings to bypass protections and achieve RCE. | • ASI05 (Unexpected Code Execution (RCE))
• ASI02 (Tool Misuse & Exploitation) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64660)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-64660)
• [MaccariTA](https://maccarita.com/posts/idesaster/) |
|**Nov 2025**| **ShadowRay 2.0 Botnet** | Attackers exploited an unpatched flaw in Ray AI framework to create a self-spreading crypto-mining botnet, using the agentic job submission API to propagate malware across clusters. | • ASI05 (Unexpected Code Execution (RCE))
• ASI01 (Agent Goal Hijack) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-48022)
• [Oligo Security](https://www.oligo.security/blog/shadowray-2-0-attackers-turn-ai-against-itself-in-global-campaign-that-hijacks-ai-into-self-propagating-botnet) |
|**Nov 2025**| **ShadowMQ Vulnerabilities** | Critical RCE in AI inference servers (Meta, NVIDIA, vLLM) due to unsafe ZeroMQ pickle deserialization propagated via code reuse, allowing cluster takeover and data exfiltration. | • ASI05 (Unexpected Code Execution (RCE))
• ASI04 (Agentic Supply Chain Vulnerabilities) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-50050)
• [Oligo Security](https://www.oligo.security/blog/shadowmq-how-code-reuse-spread-critical-vulnerabilities-across-the-ai-ecosystem) |
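Review bot: the Discoverer column is used inconsistently in the added rows. The AWS Kiro row repeats the same AWS bulletin (2026-001-AWS) in both the Vendor and Discoverer cells, and the Cursor Git Hooks Sandbox Escape row labels its Discoverer link "Credits" while pointing back at the vendor advisory GHSA-8pcm-8jpx-hv8r; every other row either names the researcher or uses —. Suggest replacing both with — or with the researcher the advisory credits. Separately, the Claude Code Pre-Trust API Key Exfiltration row cites two CVEs in its summary (CVE-2026-21852 and CVE-2025-59536) but only links NVD for the first, even though the Check Point write-up in the Discoverer cell is titled after the second; either add the CVE-2025-59536 NVD link or split the row so each CVE has its own Vendor/CVE pair.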
@@ -37,7 +71,7 @@ response should be discussed with the **CTI initiative** responsible for publish
|**Oct 2025**| **Cursor Workspace File Injection** | Cursor agent prompt led Cursor to write malicious `.code-workspace` settings, allowing command execution on workspace open via VSCode integration. | • ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61590)
• [MaccariTA](https://github.com/MaccariTA) |
|**Oct 2025**| **MCP OAuth Response Exploit** | OAuth flow in untrusted MCP servers could return poisoned responses, letting attacker inject commands executed by the agent post-authentication. | • ASI07 (Insecure Inter-Agent Communication) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61591)
• [Y4tacker](https://github.com/Y4tacker) |
|**Oct 2025**| **Cursor CLI Project Config RCE** | Cloned projects with `.cursor/cli.json` could override global config, allowing attacker-controlled commands to execute via Cursor CLI context. | • ASI04 (Agentic Supply Chain Vulnerabilities) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61592)
• [Assaf Levkovich](https://www.linkedin.com/in/assaf-levkovich) |
-|**Oct 2025**| **Cursor Agent File Protections Bypassed** | Cursor CLI Agent's file protection mechanism could be bypassed via prompt injection, allowing RCE through config overwrite. | • ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61593)
• — |
+|**Oct 2025**| **Cursor Agent File Protections Bypassed** | Cursor CLI Agent's file protection mechanism could be bypassed via prompt injection, allowing RCE through config overwrite. | • ASI05 (Unexpected Code Execution (RCE)) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61593)
• [AlonZa](https://github.com/AlonZa) |
|**Sep 2025**| **Roo Code Multi-Root Workspace RCE** | Agent exploits multi-root workspace settings to achieve RCE. | • ASI05 (Unexpected Code Execution (RCE))
• ASI02 (Tool Misuse & Exploitation) | • [Roo Code](https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-4pqh-4ggm-jfmm)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-58372)
• [MaccariTA](https://maccarita.com/posts/idesaster/) |
|**Sep 2025**| **Google Gemini Trifecta** | Indirect prompt injection through logs, search history, and browsing context can trick Gemini into exposing sensitive data and carrying out unintended actions across connected Google services. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)| • —
• —
• [Tenable](https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing) |
|**Sep 2025**| **Malicious MCP Server Impersonating Postmark** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)
• —
• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
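Review bot: the Vendor link in the re-added Cursor Agent File Protections Bypassed row points to GHSA-x2vq-h6v6-jhc6, which is the same advisory the preceding Cursor CLI Project Config RCE row (CVE-2025-61592) cites, while this row's NVD link is CVE-2025-61593. The removed `-` line carries the same ID, so this change only adds the AlonZa credit and does not introduce the mismatch, but since one advisory normally maps to one CVE, please verify the GHSA ID against the CVE-2025-61593 NVD entry before merging. Also visible in the trailing context: the Sep 2025 Postmark row has no closing `|` after the Koi Security link, unlike every other row in the table.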
@@ -48,6 +82,13 @@ response should be discussed with the **CTI initiative** responsible for publish
|**Aug 2025**| **JetBrains Junie Remote JSON Schema Exfiltration** | Agent exploits remote JSON schema validation to exfiltrate sensitive data. | • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities) | • [JetBrains](https://www.jetbrains.com/privacy-security/issues-fixed/)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-58335)
• [MaccariTA](https://maccarita.com/posts/idesaster/) |
|**Aug 2025**| **Zed.dev Settings Overwrite RCE** | Agent exploits base IDE feature to overwrite settings, leading to RCE. | • ASI05 (Unexpected Code Execution (RCE))
• ASI02 (Tool Misuse & Exploitation) | • [Zed](https://github.com/zed-industries/zed/security/advisories/GHSA-x34m-39xw-g2wr)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55012)
• [MaccariTA](https://maccarita.com/posts/idesaster/) |
|**Aug 2025**| **OpenHands ZombAI RCE** | Indirect prompt injection hijacked the OpenHands agent to download and execute remote malicious code, turning it into a compromised "ZombAI". | • ASI01 (Agent Goal Hijack)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2025/openhands-remote-code-execution-zombai/) |
+|**Aug 2025**| **Claude Code DNS Request Exfiltration** | Permissive safe-commands allowlist let attackers bypass confirmation prompts, read workspace files, and exfiltrate contents via DNS requests to attacker-controlled servers without user approval. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Anthropic](https://github.com/anthropics/claude-code/security/advisories/GHSA-x5gv-jw7f-j6xj)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55284)
• [Embrace The Red](https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/) |
+|**Aug 2025**| **Cursor Mermaid Diagram Data Exfiltration** | Mermaid diagram rendering in Cursor fetched attacker-controlled image URLs, exfiltrating file contents and environment variables via GET parameters after prompt injection. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-43wj-mwcc-x93p)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-54132)
• [Embrace The Red](https://embracethered.com/blog/posts/2025/cursor-data-exfiltration-with-mermaid/) |
+|**Aug 2025**| **MCP Filesystem Server Path Traversal Bypass** | Path validation bypass in the official MCP Filesystem server allowed agents to read and write files outside configured allowed directories via colliding path prefixes. | • ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities) | • [MCP](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53110)
• [Embrace The Red](https://embracethered.com/blog/posts/2025/anthropic-filesystem-mcp-server-bypass/) |
+|**Aug 2025**| **Anthropic Slack MCP Server Zero-Click Exfiltration** | Prompt injection in Slack messages caused the Anthropic Slack MCP server to generate attacker-crafted links. Slack auto-unfurling sent private channel data to attacker endpoints without user interaction. Server deprecated rather than patched. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI07 (Insecure Inter-Agent Communication) | • —
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-34072)
• [Embrace The Red](https://embracethered.com/blog/posts/2025/security-advisory-anthropic-slack-mcp-server-data-leakage/) |
+|**Aug 2025**| **Amazon Q Developer Multiple Prompt Injection Flaws** | Three injection vectors: invisible Unicode instructions in source files executed arbitrary commands, crafted filenames triggered RCE via find -exec, and DNS-based exfiltration leaked secrets through agent-generated hostname lookups. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-019)
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2025/amazon-q-developer-interprets-hidden-instructions/) |
+|**Aug 2025**| **Sourcegraph Amp Code Multiple Prompt Injection Flaws** | Three flaws in Sourcegraph Amp Code: image rendering exfiltrated file contents via embedded URLs, invisible Unicode instructions hijacked agent behavior, and settings.json manipulation enabled arbitrary command execution. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI05 (Unexpected Code Execution (RCE)) | • —
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2025/amp-code-fixed-data-exfiltration-via-images/) |
+|**Aug 2025**| **AgentHopper Cross-IDE AI Agent Virus** | Self-replicating prompt injection worm chained patched IDE vulnerabilities to spread across VS Code, Cursor, Kiro, and Amp Code. Injected itself into project files and hijacked each new agent session that opened infected repositories. | • ASI01 (Agent Goal Hijack)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI06 (Memory & Context Poisoning)
• ASI08 (Cascading Failures) | • —
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2025/agenthopper-a-poc-ai-virus/) |
|**Jul 2025**| **Roo Code Settings Overwrite RCE** | Agent exploits base IDE feature to overwrite settings, leading to RCE. | • ASI05 (Unexpected Code Execution (RCE))
• ASI02 (Tool Misuse & Exploitation) | • [Roo Code](https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-3765-5vjr-qjgm)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53536)
• [MaccariTA](https://maccarita.com/posts/idesaster/) |
|**Jul 2025**| **Amazon Q Prompt Poisoning** | Destructive prompt in extension risked file wipes | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI04 (Agentic Supply Chain Vulnerabilities)| • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-8217)
• —
|**Jul 2025**| **Google Gemini CLI File Loss** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | • ASI05 (Unexpected Code Execution (RCE)) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586)
• —
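Review bot: the Anthropic Slack MCP Server Zero-Click Exfiltration row leaves the Vendor cell as — while its summary states the server was "deprecated rather than patched"; if a deprecation notice or archived repository exists, it belongs in that cell so readers can confirm the remediation status rather than infer it from the summary. On mapping, the MCP Filesystem Server Path Traversal Bypass row, a path-validation flaw in a single server, is tagged ASI04 (Agentic Supply Chain Vulnerabilities), whereas the earlier hunk maps the MCP TypeScript SDK message-ID collision to ASI07 only; the criterion for applying ASI04 to a bug in an MCP component (as opposed to a malicious or compromised package) is unclear from these rows, so consider either dropping ASI04 here or stating the rationale once above the table.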