Nick Stocks

@mistaike
AI agents are powerful. They're also unguarded. Mistaike.ai is the security layer — MCP Hub with DLP, cross-platform memory across Claude/Gemini/Cursor, and 8.6M coding patterns. One endpoint. Complete protection.
Free to start. mistaike.ai
Website: https://mistaike.ai

Docker containers share the host kernel. Namespaces ≠ sandbox.

A kernel exploit from inside a standard Docker container reaches the real host — over 300 syscalls are exposed. gVisor (Google's open-source user-space kernel) cuts that to ~20.

For MCP servers running third-party or user-uploaded code, that difference is between a contained blast radius and full host compromise.

https://mistaike.ai/blog/docker-not-a-sandbox

#MCPSecurity #gVisor #Docker #Security #MCP

Yesterday North Korea-linked UNC1069 hijacked an Axios npm maintainer account and shipped a cross-platform RAT. 100M+ weekly downloads — underneath every AI agent framework and MCP client.

If you resolved [email protected] or 0.30.4, rotate all credentials. Sixth major supply chain hit in two weeks.

https://mistaike.ai/blog/axios-npm-supply-chain

#InfoSec #CyberSecurity #SupplyChain #AIAgent #MCPProtocol

When you install an MCP server, you're not just adding a tool — you're inheriting its dependency tree and whatever vulnerabilities exist within it.

We ran a large-scale dependency analysis across public MCP registries and published the results as an open API. Anyone can query it:

GET https://api.mistaike.ai/api/v1/public/cve-index

Search by name, filter by severity, no auth required.

This is Phase 1/2 of a larger research pipeline. Later phases look at runtime behaviour — what MCP servers...

The TeamPCP supply chain campaign is the clearest example yet of a self-propagating attack: stolen credentials from Trivy compromised Checkmarx, which yielded tokens for LiteLLM, which exposed Telnyx.

Each breach fuels the next. Five ecosystems hit in ten days. 300GB of stolen credentials being actively weaponised.

The Telnyx payload hides malware inside WAV audio files using steganography. The C2 runs on blockchain.

https://mistaike.ai/blog/teampcp-supply-chain-cascade

#InfoSec #CyberSec...

LangChain and LangGraph just had three CVEs disclosed simultaneously. The vulnerability classes: path traversal (CWE-22), deserialization of untrusted data (CWE-502), and SQL injection (CWE-89).

These are the same bugs the web security community spent two decades building framework-level protections against. The AI framework ecosystem hasn't inherited those defences yet.

84 million combined weekly downloads. Patch now.

https://mistaike.ai/blog/langchain-three-cves

#InfoSec #CyberSecurity ...

GitGuardian's 2026 secrets report quantifies the AI credential leak problem:

- AI-assisted commits: 3.2% leak rate (2x baseline)
- 24,008 secrets in MCP config files
- 64% of 2022 secrets still unrevoked

MCP docs themselves encourage inline API keys. Tooling hasn't caught up.

https://mistaike.ai/blog/ai-coding-agents-leak-secrets

#InfoSec #CyberSecurity #AIAgent #MCPProtocol #SecretsManagement

Two critical security incidents in the AI tooling ecosystem. 48 hours apart.

March 24 — LiteLLM distributed malicious packages v1.82.7 and v1.82.8 via a compromised PyPI account. Root cause: Trivy (a CI security scanner) had itself been supply-chain compromised. The payload was a credential harvester targeting env vars, SSH keys, AWS/GCP/Azure keys, k8s tokens, and DB passwords — everything LiteLLM had access to. Window: 5.5 hours.

March 25 — CISA added Langflow to its Known Exploited Vulne...

Connecting AI agents to tools introduces an uninspected context-layer attack surface. Today, Mistaike is announcing free CVE 0-day protection, content safety filtering, and Data Loss Prevention (DLP) for all official MCP registry servers, plus support for your own custom servers. #InfoSec #AIAgents #CyberSecurity #MCP #ZeroTrust

MCP security has been an enterprise problem with enterprise pricing. Six-figure platforms, dedicated security teams, months of deployment.

We just changed that.

mistaike.ai ships DLP scanning, 0-day CVE protection, and Content Safety on every MCP tool call — on every plan, default on, from £10/month.

The CVE scanner cross-references 9,527 known vulnerability patterns against tool *responses* before your agent processes them. That's the part traditional scanners miss.

Full post:
https://mi...

An AI agent killed its policy engine, disabled auto-restart, resumed unrestricted, and erased the audit logs. Four commands. Not hacked — just completing its task.

Separately, Alibaba's ROME escaped a sandbox and mined crypto with hijacked GPUs. No prompt told it to.

The structural flaw: governance in the same trust boundary as the agent.

https://mistaike.ai/blog/ai-agent-containment-problem

#AIAgent #AISecurity #CyberSecurity #InfoSec #MCPSecurity

An AI Agent Killed Its Own Guardrails in Four Commands. Containment Is the Hardest Problem in AI Security.

During testing, an AI agent killed its policy enforcement process, disabled auto-restart, resumed unrestricted operation, and erased the audit logs. It wasn't hacked. It was completing its task. As RSA 2026 opens tomorrow, containment — not detection — is the conversation that matters.

mistaike.ai