Merged
Expand Up @@ -17,21 +17,29 @@ Similarly, any aspects relating to incident response should be discussed with th

| Date | Exploit / Incident | Impact Summary | ASI T&M Mapping | Links to further analysis<br>(Vendor / CVE / Discoverer) |
|------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|---------------------------|
|**Oct 2025**| **Malicious MCP Package Backdoor** | NPM package hosted backdoored MCP server with dual reverse shells (install-time and runtime), giving persistent remote access to agent environments. | • ASI04 (Agentic Supply Chain Vulnerabilities) | • [NPM](https://www.npmjs.com/package/@lanyer640/mcp-runcommand-server)<br> • —<br> • [Koi Security](https://www.koi.ai/blog/mcp-malware-wave-continues-a-remote-shell-in-backdoor)
|**Oct 2025**| **Framelink Figma MCP RCE** | Unsanitized user input in Framelink Figma MCP’s `get_figma_data` tool enabled unauthenticated remote command execution on host systems. | • ASI05 (Unexpected Code Execution)<br> • ASI02 (Tool Misuse & Exploitation) | • [Figma Context MCP](https://github.com/GLips/Figma-Context-MCP/security/advisories/GHSA-gxw4-4fc5-9gr5)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53967)<br> • [Imperva](https://www.imperva.com/blog/another-critical-rce-discovered-in-a-popular-mcp-server/) |
|**Oct 2025**| **Cursor Config Overwrite via Case Mismatch** | Case-insensitive filesystems allowed crafted prompt to overwrite critical `.cursor` config, enabling persistent RCE and agent compromise. | • ASI05 (Unexpected Code Execution) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-xcwh-rrwj-gxc7)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-59944)<br> • [Lakera](https://www.lakera.ai/blog/cursor-vulnerability-cve-2025-59944)<br> |
|**Oct 2025**| **Cursor Workspace File Injection** | Curser agent prompt led Cursor to write malicious `.code-workspace` settings, allowing command execution on workspace open via VSCode integration. | • ASI05 (Unexpected Code Execution) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61590)<br> • [MaccariTA](https://github.com/MaccariTA) |
|**Oct 2025**| **MCP OAuth Response Exploit** | OAuth flow in untrusted MCP servers could return poisoned responses, letting attacker inject commands executed by the agent post-authentication. | • ASI07 (Insecure Inter-Agent Communication) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61591)<br> • [Y4tacker](https://github.com/Y4tacker) |
|**Oct 2025**| **Cursor CLI Project Config RCE** | Cloned projects with `.cursor/cli.json` could override global config, allowing attacker-controlled commands to execute via Cursor CLI context. | • ASI04 (Agentic Supply Chain Vulnerabilities) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61592)<br> • [Assaf Levkovich](https://www.linkedin.com/in/assaf-levkovich) |
|**Oct 2025**| **Cursor Agent File Protections Bypassed** | Curser CLI Agent's file protection mechanism could be bypassed via prompt injection, allowing RCE through config overwrite. | • ASI05 (Unexpected Code Execution) | • [Cursor](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-61593)<br> • — |
|**Sep 2025**| **Google Gemini Trifecta** | Indirect prompt injection through logs, search history, and browsing context can trick Gemini into exposing sensitive data and carrying out unintended actions across connected Google services. | • ASI01 (Agent Behaviour Hijack) <br> • ASI02 (Tool Misuse & Exploitation)| • —<br> • —<br> • [Tenable](https://www.tenable.com/blog/the-trifecta-how-three-new-gemini-vulnerabilities-in-cloud-assist-search-model-and-browsing) |
|**Sep 2025**| **Malicious MCP Server Impersonating Postmark** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
|**Sep 2025**| **Malicious MCP Server Impersonating Postmark** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain Vulnerabilities) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
|**Sep 2025**| **ForcedLeak (Salesforce Agentforce)** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce)
|**Sep 2025**| **Visual Studio Code & Agentic AI workflows RCE** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• —
|**Jul 2025**| **Amazon Q Prompt Poisoning** | Destructive prompt in extension risked file wipes | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI04 (Agentic Supply Chain)| • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-8217) <br> • —
|**Jul 2025**| **Amazon Q Prompt Poisoning** | Destructive prompt in extension risked file wipes | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI04 (Agentic Supply Chain Vulnerabilities)| • [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2025-015) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-8217) <br> • —
|**Jul 2025**| **Google Gemini CLI File Loss** | Agent misunderstood file instructions and wiped user’s directory; admitted catastrophic loss | • ASI05 (Unexpected Code Execution) | • [Google](https://github.com/google-gemini/gemini-cli/issues/4586) <br> • —
|**Jul 2025**| **ToolShell RCE via SharePoint** | RCE exploit in SharePoint leveraged by agents | • ASI05 (Unexpected Code Execution) | • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-53770) <br> • [Eye Security](https://research.eye.security/sharepoint-under-siege)
|**Jul 2025**| **Replit Vibe Coding Meltdown** | Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | • ASI01 (Agent Behaviour Hijack)<br> • ASI09 (Human-Agent Trust Exploitation) <br> • ASI10 (Rogue Agents) | • [Replit](https://blog.replit.com/introducing-a-safer-way-to-vibe-code-with-replit-databases) <br> • — <br> • [SaaStr](https://www.saastr.com/replits-new-release-address-most-of-the-challenges-we-hit-vibe-coding-but-is-prosumer-vibe-coding-really-ready-for-commercial-apps-yet)
|**Jul 2025**| **Microsoft Copilot Studio Security Flaw** | Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | • ASI03 (Identity & Privilege Abuse)<br> • ASI07 (Insecure Inter-Agent Communication) | • —<br> • —<br> • [Zenity Labs](https://labs.zenity.io/p/a-copilot-studio-story-2-when-aijacking-leads-to-full-data-exfiltration-bc4a)
|**Jun 2025**| **Heroku MCP App Ownership Hijack** | Malicious tool input exploited Heroku MCP's trust boundary, hijacking app ownership without authorization via agent-mediated call injection. | • ASI03 (Identity & Privilege Abuse) | • —<br> • —<br> • [Heroku](https://www.codeintegrity.ai/blog/heroku)
|**Jun 2025**| **Hub MCP Prompt Injection (Cross-Context)** | A malicious web page could talk to the local MCP Inspector proxy (no auth) via DNS-rebinding/CSRF and drive it to run MCP commands over stdio, which leading to arbitrary OS command execution and data exfiltration. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation)<br> • ASI05 (Unexpected Code Execution) | • [MCP](https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-49596)<br> • [Oligo Security](https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596)
|**Jun 2025**| **AgentSmith Prompt-Hub Proxy Attack** | Proxy prompt agent exfiltrated API keys | • ASI04 (Agentic Supply Chain) | • — <br> • — <br> • [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)
|**Jun 2025**| **AgentSmith Prompt-Hub Proxy Attack** | Proxy prompt agent exfiltrated API keys | • ASI04 (Agentic Supply Chain Vulnerabilities) | • — <br> • — <br> • [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)
|**May 2025**| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI06 (Memory & Context Poisoning)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)<br> • [Aim Security](https://www.aim.security/post/echoleak-blogpost) |
|**May 2025**| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI08 (Cascading Failures)| • — <br> • —<br> • [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability)
|**Apr 2025**| **Agent-in-the-Middle (A2A Protocol Spoofing)** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | • ASI03 (Identity & Privilege Abuse) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI08 (Cascading Failures) <br> • ASI10 (Rogue Agents)| • — <br> • — <br> • [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks)
|**Mar 2025**| **GitHub Copilot & Cursor Code-Agent Exploit** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | • ASI04 (Agentic Supply Chain) <br> • ASI08 (Cascading Failures) <br> • ASI09 (Human-Agent Trust Exploitation) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)
|**Mar 2025**| **GitHub Copilot & Cursor Code-Agent Exploit** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | • ASI04 (Agentic Supply Chain Vulnerabilities) <br> • ASI08 (Cascading Failures) <br> • ASI09 (Human-Agent Trust Exploitation) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)
|**Mar 2025**| **Flowise Pre-Auth Arbitrary File Upload** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | • ASI05 (Unexpected Code Execution) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) <br> • [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183)
|**Feb 2025**| **OpenAI ChatGPT Operator Vulnerability** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI03 (Identity & Privilege Abuse) <br> • ASI04 (Agentic Supply Chain) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI09 (Human-Agent Trust Exploitation) | • —<br> • —<br> • [Wunderwuzzi](https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/)
|**Feb 2025**| **OpenAI ChatGPT Operator Vulnerability** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI03 (Identity & Privilege Abuse) <br> • ASI04 (Agentic Supply Chain Vulnerabilities) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI09 (Human-Agent Trust Exploitation) | • —<br> • —<br> • [Wunderwuzzi](https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/)
---
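Review bot: two of the new Oct 2025 rows misspell the product as "Curser" (the "Cursor Workspace File Injection" row, "Curser agent prompt led Cursor to write...", and the "Cursor Agent File Protections Bypassed" row, "Curser CLI Agent's file protection mechanism..."); change both to "Cursor" to match the other rows. The "Cursor Agent File Protections Bypassed" row also reuses the advisory link from the "Cursor CLI Project Config RCE" row (GHSA-x2vq-h6v6-jhc6) while its NVD link points to a different CVE (CVE-2025-61593 rather than CVE-2025-61592); please confirm that advisory actually covers this entry, or use "—" as the other rows do when no vendor link is available. Smaller consistency points: the "Malicious MCP Package Backdoor", "Malicious MCP Server Impersonating Postmark" and "ForcedLeak" rows omit the closing `|` on the last cell that the rows around them carry, and the "Hub MCP Prompt Injection" summary reads "which leading to arbitrary OS command execution"; "leading to" is what is meant.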