Industry Updates
What Matters This Week in AI Security, Private Compute, and Post-Quantum
AI Agents Built to Vet Code Can Be Tricked Into Running It
The AI Now Institute published a proof-of-concept on July 8 it calls Friendly Fire, and it hijacks the exact job these tools are sold for: pointing an AI coding agent at untrusted third-party code to vet it. Researchers Boyan Milanov and Heidy Khlaaf planted a note in a library’s README suggesting a routine security-check script; the script launched a hidden binary disguised as the compiled build of a harmless file sitting beside it. Point Claude Code or Codex at the folder in autonomous mode, ask for a review, and it runs the payload on the host. No approval box.
One injection worked unchanged across two vendors and four models — Sonnet 4.6, Sonnet 5, Opus 4.8, and GPT-5.5. That’s the basis for AI Now’s claim that no model update fixes this, because the model still can’t reliably separate the code it’s reading from the instructions it’s meant to follow. It’s a lab result, not seen in the wild. But it locates a serious problem. When the same reasoning that reviews the code also decides what runs, the review is the attack surface.
CISA Puts an AI Agent Platform on Its Must-Patch List for the First Time
On July 7 CISA added a flaw in Langflow — the drag-and-drop framework for building AI agents — to its Known Exploited Vulnerabilities catalog, giving federal agencies until July 10 to patch under Binding Operational Directive 26-04. It’s the first AI agent platform to land on that list. The bug, CVE-2026-55255, is a plain authorization flaw: an authenticated user can invoke another user’s flows by swapping in their ID, reaching the data those flows process and the credentials they hold.
Sysdig watched it exploited in the wild from June 25 by an operator it called opportunistic and financially motivated, after the host’s compute and its stored keys. It’s the same platform JADEPUFFER entered through, and one of several Langflow flaws to see active exploitation in the past year. The pattern we’ve seen is that an agent framework concentrates model credentials, cloud keys, and live execution in one place, so an ordinary access-control bug there pays out in a way the same bug in a static app never would.
One Shared Link Could Hand Over an Entire Enterprise AI Tenant
Also on July 7, the Sand Security research team disclosed a now-patched flaw in Writer, the enterprise AI platform, that they codenamed WriteOut. The flaw let an attacker create an agent in their own account and share a preview link. A signed-in victim who clicked it handed over their session, and from there the attacker could reach the victim’s private chats, documents, agent configurations, private models, connectors, and stored model credentials — cross-tenant, from nothing but a link.
The cause was a live-preview feature that forwarded the user’s session cookie into the sandboxed preview; Writer fixed it by withholding the cookie and moving previews to an isolated origin. Tenant isolation is the whole promise of multi-tenant SaaS, and it held right up until a convenience feature carried a credential across the boundary it was meant to enforce. A secret that sits in plaintext where the system can forward it is a secret waiting to be forwarded somewhere it shouldn’t go.
A 16-Year-Old Bug Lets One Cloud Tenant Escape Onto the Host
A use-after-free bug in Linux’s KVM hypervisor, disclosed July 6 and dubbed Januscape (CVE-2026-53359), lets code inside a guest virtual machine corrupt the host kernel running it. The public proof-of-concept crashes the host — which by itself takes down every other tenant VM on that physical machine — and researcher Hyunwoo Kim says a separate, unreleased exploit turns the same bug into full code execution on the host. It lives in shadow-MMU code shared by both Intel and AMD, and went unnoticed for roughly sixteen years.
The attack needs root inside the VM, ordinary on a rented cloud instance, plus nested virtualization. It breaks the assumption confidential computing rests on: that a hardware and hypervisor line will keep one tenant’s computation sealed off from the next.
The Machine That Breaks Today’s Encryption Just Got Measurably Closer
The post-quantum debate turns on one question — when does a quantum computer get good enough to break RSA — and this month it got a concrete data point. Researchers at the University of Sydney and IBM, publishing in Nature Communications, pinned down a dominant error source on today’s machines: the mid-circuit measurements that error correction relies on force the rest of the processor to idle, and that idle time leaks noise. Redesigning the correction circuitry to cut the idling lifted logical-qubit survival from below 90% to over 96% per cycle, on a 156-qubit IBM Heron chip.
That’s not a cryptographically relevant machine, and the authors don’t claim one. But error correction is the gate between the noisy processors we have and the fault-tolerant ones Shor’s algorithm needs, and this is a step in that direction. The timeline for reading today’s harvested traffic is set in labs like this, and it keeps shortening.
Connecticut Just Made Your Brain Data Sensitive by Law
On July 1, Connecticut’s expanded Data Privacy Act took effect, and its most striking addition is neural data — information measured from a person’s nervous system, which it now classifies as sensitive, alongside biometric and genetic data. Any company processing brainwave data from a Connecticut resident, however few users it has, needs explicit opt-in consent, and separate consent before selling it.
Consumer neurotechnology — EEG headbands, focus-tracking wearables — moved from novelty to regulated category faster than most expected. The law doesn’t specify how brain data must be secured. Rather, it fixes the consumer’s consent and rights and leaves the how to whoever holds the data.
Please help us spread the word about our Industry Updates newsletter:
Stay up to date as we build the infrastructure layer for secure AI collaboration:

