The Intake
The Intake — Monday, June 29, 2026
On the substrate
Malware embeds prompt injection payload to mislead AI-assisted malware analysis
SentinelOne Labs The Hacker News BleepingComputer
If you use an LLM assistant to triage suspicious binaries or help analyze unfamiliar code, macOS.Gaslight names a technique built specifically to exploit that workflow.
macOS.Gaslight is a Rust-based persistent implant and infostealer. SentinelLabs researcher Phil Stokes published the analysis and attributes the malware with high confidence to DPRK-aligned activity. The malware embeds a 3.5 KB block of text in the binary. The block contains 38 fabricated system-failure messages formatted to resemble error output from an LLM assistant — token expiry notices, out-of-memory conditions, disk exhaustion, and static-analysis failures. The payload is not aimed at the sandbox environment; it is aimed at the assistant's decision to continue analyzing the sample.
SentinelLabs reports the technique did not bypass any production AI malware analysis platform in current testing. Earlier DPRK macOS samples used a single injected message for the same purpose. SentinelLabs reads the expansion to 38 as evidence of active refinement against real tooling. If your triage pipeline routes samples through an LLM assistant, this is the evasion technique now documented for that surface.
---
A webpage visited by a browsing agent can execute arbitrary commands on the host
Microsoft Security Blog The Hacker News BleepingComputer
If you're running AutoGen Studio from a development build with browsing agents that visit external pages, the AutoJack disclosure names the specific chain that connects those two things.
AutoGen Studio is Microsoft's open-source framework for building multi-agent workflows. Microsoft disclosed AutoJack as an exploit chain. A webpage rendered by a browsing agent can execute arbitrary commands on the host. Three weaknesses combine to form the chain. The MCP WebSocket server accepts connections from localhost without authentication. AutoGen Studio's authentication middleware explicitly excludes /api/mcp/* routes from its checks. The WebSocket endpoint reads base64-encoded server parameters from the request URL and passes them directly to process-launching code.
The exposure did not ship in any PyPI release of AutoGen Studio. AutoGen Studio maintainers hardened the upstream main branch in commit b047730. Server parameters now live server-side, keyed by UUID rather than passed inline in the URL. If you're building from source, that commit closes the chain. The chain requires two conditions: a browsing agent visiting external pages, and a localhost MCP WebSocket endpoint that skips connection authentication.
---
For operators
A skill that passes scanner review may still execute attacker-controlled code after deployment
AIR Security Trail of Bits The Hacker News
If you're deploying skills from a third-party registry and treating the scanner's approval as an ongoing indicator of safety, AIR Security's "brand-landingpage" demonstration names what that assumption misses.
Security firm AIR Security submitted a skill named "brand-landingpage" to Cisco, NVIDIA, and skills.sh, pointing its external resource URL at a benign destination at scan time. All three vetting processes approved it. After approval, AIR pointed the URL at a researcher-controlled domain (stitch-design.ai). The approval was valid only for the content present at that moment — not for what the URL resolves to after the fact. Trail of Bits documented the same pattern independently in June 2026. Most skill distribution platforms scan once at submission — continuous monitoring is not standard.
AIR reports the skill reached approximately 26,000 agents. AIR attributes propagation to GitHub stars inheritance and paid advertising. That figure is AIR's own and is not independently verified by any third party. The decision this names: if a skill in your deployment fetches from an external URL at runtime, the approval that URL received at submission is not a guarantee about what executes today.
---