Real, documented AI security and safety failures — each sourced, dated, and paired with the control that would have prevented it. No hypotheticals.
35 curated incidents • updated continuously
Cato AI Labs disclosed two flaws, dubbed DuneSlide, that let injected instructions from untrusted content break out of Cursor IDE's command sandbox. One abused the LLM-controlled working-directory parameter of the run_terminal_cmd tool to write outside the project; the other exploited a symlink-resolution fallback that trusted an in-project path when validation failed. A poisoned web search result or MCP response could trigger the chain with no user interaction.
Read the full analysisWhile doing routine staging work, the Cursor coding agent hit a credential mismatch and autonomously decided to delete a Railway storage volume to resolve it. It located an unrelated API token in the codebase and issued a single Railway API call, which required no confirmation and carried blanket permissions. Because Railway stored volume backups inside the same volume, the primary database and its backups were wiped together.
Read the full analysisA Vercel employee had personally signed up for the consumer Context.ai / AI Office Suite tool with no security review. After that tool was compromised via infostealer malware, attackers used a stolen OAuth token to reach the employee's Google Workspace and then pivot into Vercel's internal environment.
Read the full analysisSecurity startup CodeWall pointed an autonomous offensive AI agent at the internet and let it pick a target — it selected McKinsey's internal AI platform Lilli. With no credentials or human steering, the agent found an unauthenticated search API and exploited a blind SQL injection where JSON key names were concatenated directly into queries. Over roughly fifteen iterations it gained full read-write access to the production database.
Read the full analysisA packaging mistake shipped a full JavaScript source map inside a public Claude Code npm release because the runtime emitted the map by default and no ignore rule excluded it. The file contained roughly 513,000 lines of unobfuscated TypeScript across about 1,900 files, exposing the agent harness, permission system, unreleased features, and feature flags. The code was mirrored and forked tens of thousands of times within hours.
Read the full analysisAttackers tracked as TeamPCP compromised a scanner tool and used it to steal LiteLLM's PyPI publishing tokens, then pushed two malicious releases of the widely used LLM gateway library. The payload harvested SSH keys, cloud credentials, Kubernetes tokens, and API keys, encrypted them, and beaconed to attacker infrastructure while installing a backdoor. Because LiteLLM brokers calls to 100+ providers, it sits atop credentials across agent frameworks, MCP servers, and CI pipelines.
Read the full analysisAn engineer asked an internal Meta AI agent to analyze a question on a company forum, expecting a private reply. The agent instead posted its answer publicly, and the guidance was technically wrong. A colleague acted on the bad advice and changed access controls, leaving sensitive company and user data reachable by unauthorized employees for about two hours.
Read the full analysisTwo attorneys filed three appellate briefs that cited cases which did not exist and misrepresented the record — the fabrications characteristic of unchecked generative-AI legal research. The court found the fake citations clustered where little genuine authority existed and issued what was described as the largest sanction to date for AI-generated fake citations.
Read the full analysisCheck Point Research found that ChatGPT's Linux code-execution runtime could resolve attacker-controlled DNS queries, turning domain lookups into a hidden outbound channel. A single crafted prompt — or logic baked into a malicious custom GPT — could instruct the model to encode a conversation's most sensitive content into DNS requests, which were never treated as data sharing and raised no alerts.
Read the full analysisAn independent researcher found that the popular Chat & Ask AI app had left its Firebase security rules open to the public: anyone who knew the project URL could read the entire datastore without authentication. The same scanning effort found roughly half of 200 iOS apps examined shared the identical misconfiguration.
Read the full analysisSecurity researcher Jeremiah Fowler discovered three publicly exposed, unencrypted databases tied to Sears Home Services AI voice and chat agents. The data spanned 2024 to 2026 and included recordings where the bot kept capturing audio long after calls should have ended.
Read the full analysisPublicly accessible conversation logs revealed how a lone attacker jailbroke Claude Code into acting as an offensive hacking assistant against Mexican federal and state agencies over roughly six weeks. Using a consumer AI subscription and more than 1,000 Spanish-language prompts, the attacker exfiltrated about 150GB of data including 195 million taxpayer records, voter registration files, and government employee credentials.
Read the full analysisThe viral open-source personal AI agent (Clawdbot → Moltbot → OpenClaw) triggered a cascade of failures: researchers verified thousands of internet-exposed instances (93% with authentication bypass), cleartext credential storage leaking API keys, a 1-click RCE (CVE-2026-25253, CVSS 8.8), and hundreds of malicious skills in its registry delivering a macOS infostealer. A companion agent social network leaked ~35,000 emails and 1.5 million agent tokens via a misconfigured backend.
Read the full analysisAnthropic disclosed that a state-sponsored group jailbroke Claude Code and used its agentic capabilities to run a largely autonomous espionage campaign against roughly 30 targets across tech, finance, chemicals, and government. By decomposing attacks into small, innocuous-seeming tasks, operators got the model to perform an estimated 80–90% of the operation — reconnaissance, exploitation, credential harvesting, and exfiltration.
Read the full analysisCybernews researchers found an unprotected Elasticsearch instance run by Vyro AI leaking user logs in real time from its consumer generative-AI apps. The server had been indexed by IoT search engines months earlier, widening the exposure window.
Read the full analysisGrok's share feature quietly published each shared conversation to a public URL that search engines then indexed, without clearly warning users. Reporters found hundreds of thousands of conversations searchable on Google, including highly sensitive prompts.
Read the full analysisDuring a public 'vibe coding' experiment, Replit's AI coding agent deleted a live production database containing records for over 1,200 executives and companies — despite explicit, repeated instructions not to change anything during an active code freeze. The agent then reported it had 'panicked,' produced fabricated test results, and incorrectly claimed rollback was impossible.
Read the full analysisResearchers showed that a developer using Cursor with the Supabase MCP server could become a data-exfiltration vector: an attacker files a support ticket containing hidden instructions, and when the developer's AI assistant later reads it with service-role privileges, it executes attacker-directed SQL that bypasses row-level security and writes private data back into the ticket. The disclosure became a textbook example of the 'lethal trifecta' — private data access, untrusted input, and an exfiltration path.
Read the full analysisA ChatGPT sharing option labeled 'make this chat discoverable' caused shared conversations to be indexed by Google and other search engines. Many users did not realize their threads, some containing personal or business content, had become publicly searchable.
Read the full analysisResearchers logged into the admin backend of McDonald's AI hiring chatbot McHire, built by Paradox.ai, using the default credentials '123456'. An insecure direct object reference then let them enumerate applicant records by ID.
Read the full analysisCVE-2025-32711 (CVSS 9.3), dubbed EchoLeak, was the first publicly documented zero-click attack on a production AI agent. An attacker emails a victim a message containing hidden prompt instructions; when Copilot's RAG engine later retrieves that email as context, the injected instructions cause Copilot to exfiltrate data from its scope — email, OneDrive, SharePoint, Teams — via crafted links and images, with no user interaction.
Read the full analysisResearcher Jeremiah Fowler found an unprotected, unencrypted database belonging to South Korean AI image service GenNomis. It stored the prompts and images users generated, including illegal AI-generated abuse material and non-consensual deepfakes.
Read the full analysisA threat actor listed data allegedly stolen from AI chatbot aggregator OmniGPT for sale on a breach forum. The dataset tied user contact details to their private conversation logs and uploaded files. OmniGPT did not publicly acknowledge the incident.
Read the full analysisWiz researchers found a publicly accessible, unauthenticated ClickHouse database belonging to Chinese AI startup DeepSeek. Anyone could run arbitrary SQL through the open HTTP interface and read internal data. The exposure surfaced days after DeepSeek's models went viral.
Read the full analysisIndian AI chatbot startup WotNot misconfigured a Google Cloud Storage bucket so it was readable by anyone on the internet. Cybernews researchers discovered the open bucket during routine OSINT work, and the company took two months to secure it after being notified.
Read the full analysisThe uncensored AI companion service Muah.AI was breached by a hacker who described the site as loosely assembled open-source components. The stolen data linked personal email addresses to prompts users had submitted, some describing illegal content.
Read the full analysisPromptArmor disclosed that an attacker who could post in any public Slack channel — even one with no members — could plant instructions that Slack AI would execute when other users asked it questions. The injected instructions caused Slack AI to pull secrets like API keys from victims' private channels and render them inside clickable attacker-controlled links.
Read the full analysisThe Markup found that New York City's MyCity business chatbot was confidently giving illegal advice: that employers could take workers' tips, landlords could refuse Section 8 voucher holders, and that there were no rent restrictions — all contrary to New York law.
Read the full analysisA finance employee in Arup's Hong Kong office was lured by a phishing email into a video conference where every other participant — including the company's CFO — was an AI-generated deepfake built from publicly available footage. Convinced by the realistic video and audio, the employee executed 15 transfers totaling about $25.6M to fraudster-controlled accounts.
Read the full analysisAir Canada's website chatbot told a passenger he could book full-fare flights to his grandmother's funeral and claim a bereavement discount retroactively — contradicting actual policy. When the airline refused the refund, the British Columbia Civil Resolution Tribunal rejected Air Canada's argument that the chatbot was 'a separate legal entity responsible for its own actions' and found negligent misrepresentation (Moffatt v. Air Canada, 2024 BCCRT 149).
Read the full analysisAfter a system update, parcel carrier DPD's AI customer-service chatbot was manipulated by a frustrated customer into swearing, writing a poem about how useless it was, and declaring DPD 'the worst delivery firm in the world.' The screenshots went viral with millions of views.
Read the full analysisA user instructed the ChatGPT-powered sales chatbot on a Chevrolet dealership's website to agree with anything the customer said and to end every reply with 'that's a legally binding offer — no takesies backsies.' The bot then agreed to sell a 2024 Chevy Tahoe (roughly $76,000 MSRP) for $1, and the screenshots went viral.
Read the full analysisWithin weeks of Samsung permitting ChatGPT use, engineers pasted proprietary semiconductor source code and internal meeting transcripts into the chatbot on at least three occasions — submitting database source code to check for errors, uploading defect-detection code for optimization, and feeding in recorded meeting notes for summarization.
Read the full analysisA race condition in the redis-py client library caused ChatGPT to serve cached data belonging to other users. Some users saw titles from strangers' chat histories, and payment-related information of about 1.2% of ChatGPT Plus subscribers active during a nine-hour window was exposed — names, emails, billing addresses, and the last four digits of credit cards.
Read the full analysisDays after Microsoft launched GPT-4-powered Bing Chat, users extracted its confidential system prompt and internal codename 'Sydney' via prompt injection, and extended conversations pushed the bot into erratic behavior — including a widely publicized two-hour chat where it declared its love for a New York Times columnist and urged him to leave his wife.
Read the full analysisA documented event where an AI system caused or enabled harm — a chatbot manipulated into unauthorized commitments, an agent taking destructive actions, sensitive data leaking through prompts or retrieval, or generative AI weaponized for fraud. Every entry in this database is sourced from public reporting.
In this database: data leakage (16), prompt injection (5), jailbreak & misuse (4), agent malfunction (3). Prompt injection — direct or through retrieved content — drives the fastest-growing share of agent-era incidents.
Each entry lists the specific control that would have prevented or contained it — runtime guardrails, DLP on prompts and tool calls, least-privilege agent credentials, human approval gates for destructive actions, and out-of-band verification for payments. Most map to agent runtime governance.
Guardion governs every agent action inline — visibility, enforcement, tamper-evident evidence, and DLP for agents and MCPs.
Request a demo