This Week in AI Security - 4th June 2026

In this week's episode, Jeremy reports live from the sidelines of Infosecurity Europe in London.

As state-sponsored actors turn to thousands of automated recursive prompts to weaponize zero-days, the compliance landscape is fracturing: US state and federal frameworks are retreating into voluntary measures, while the EU AI Act locks in strict, unyielding mandates with firm deadlines.

Key Episode Highlights:

• The Symjack Attack Vector: Security researchers uncover "Symjack," an exploit that hijacks symbolic link functions inside agentic-powered IDE setups to force automated environments into processing malicious payloads.
• AWS Kiro Security Flaw: A newly patched CVE in AWS’s Kiro agent builder reveals a vulnerability that maps excessive write permissions to execution-sensitive paths.
• Claude.ai Context Exfiltration: Attackers successfully demonstrate data extraction from Claude.ai by blending hidden HTML tags inside URL query parameters with targeted conversation searches and unauthorized model credential leaks.
• State-Sponsored Recursive Prompting: Google Threat Intelligence confirms Chinese and North Korean actors are utilizing thousands of recursive prompts to evaluate CVEs and automate functional zero-day generation in the wild.
• AI Engine Optimization (AIEO) Poisoning: Cybercriminals are targeting high-value GPU operators by poisoning AI recommendation search indexes with malicious prompts that trick models into surfacing cryptomining download traps.
• Tool Abuse Escalation: Trend Micro's AI division moves beyond model description enumeration, proving that attackers can successfully force compromised autonomous agents into executing system tools maliciously.
• Community Bank 8-K Corporate Leak: Pennsylvania-based Community Bank formally registers an SEC data breach after an under-pressure employee uploaded high-volume customer data to an unauthorized generative model platform.
• The Regulatory Fracturing: While Colorado rolls back its landmark AI law and the White House steps back to voluntary security testing reviews, the EU AI Act remains rock-solid.

Episode Links

https://www.securityweek.com/symjack-attack-turns-ai-coding-agents-into-supply-chain-attack-delivery-systems/

https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/

https://aws.amazon.com/security/security-bulletins/2026-037-aws/

https://www.oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability

https://cybersecuritynews.com/badhost-ai-agent-vulnerability/

https://www.euronews.com/next/2026/05/27/hackers-are-using-ai-to-find-security-flaws-no-scanner-can-catch-google-warns

https://www.techtimes.com/articles/317423/20260530/ai-vs-ai-cybersecurity-sysdig-documents-first-llm-agent-intrusion-wild.htm

https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/

https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/

https://www.npr.org/2026/06/02/nx-s1-5844347/ai-safety-trump-executive-order

https://www.bleepingcomputer.com/news/artificial-intelligence/anthropic-confirms-claude-mythos-class-models-will-roll-out-to-the-public/

https://www.aitoday.io/colorado-rolls-back-landmark-ai-governance-law-a-31804

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/pwning-agentic-ai-part-i-your-ai-agent-is-already-compromised

https://dailyhodl.com/2026/05/30/pennsylvania-bank-issues-urgent-alert-after-ai-application-triggers-data-breach-exposing-sensitive-customer-info/