Commit 7217a39

added google gemini trifecta
1 parent 155adef commit 7217a39

1 file changed

+3
-2
lines changed

initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md

Lines changed: 3 additions & 2 deletions
@@ -31,6 +31,7 @@ Similarly, any aspects relating to incident response should be discussed with th
3131
| **Flowise Pre-Auth Arbitrary File Upload – Mar 2025** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) |[FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) <br> • [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) |
3232
| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)|
3333
**ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) |
34-
**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• —
35-
**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
34+
**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• — |
35+
**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft) |
36+
| **Google Gemini Trifecta — Sep 2025** | Indirect prompt injection through logs, search history, and browsing context can trick Gemini into exposing sensitive data and carrying out unintended actions across connected Google services. | • ASI01 (Agent Behaviour Hijack) <br> • ASI02 (Tool Misuse & Exploitation)| • —<br> • —<br> • [Tenable](https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing) |
3637
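Review bot: the new Gemini row's title uses an em-dash ("Google Gemini Trifecta — Sep 2025") while every other row in this table uses an en-dash ("– Sep 2025"); switch it to "–" so the incident titles stay uniform. Two smaller points in the same hunk: the re-added VS Code and Postmark rows (and the ForcedLeak context row above them) still start without a leading "|" although the Gemini row and the earlier Flowise/Copilot rows have one; GFM tolerates the omission, but adding the leading pipe keeps the table consistent. Also, the only change to the VS Code and Postmark rows is the appended closing " |", which the commit message ("added google gemini trifecta") does not mention; worth a word in the message so the pipe fix is discoverable in history. Finally, the Gemini row's first two source slots are "—" placeholders with only the Tenable write-up cited, whereas the other entries lead with a vendor advisory; if a Google reference exists it belongs in the first slot.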
---
