AI Threat Watch — 19 June 2026
LiteLLM AI-gateway takeover chain — full server compromise (CVE-2026-47101, CVE-2026-47102, CVE-2026-40217; plus exploited CVE-2026-42271).
Obsidian Security disclosed a CVSS 9.9 chain that walks a default low-privilege user up to admin and remote code execution on the LiteLLM proxy, exposing every configured provider key (OpenAI, Anthropic, Gemini, Bedrock, Azure), master/salt keys, the database URL and all prompt/response traffic. A separately exploited LiteLLM flaw (CVE-2026-42271, on CISA's KEV list) reaches RCE on the same product.
Why it matters for India: Indian banks, fintechs and GCCs are standardising on LLM gateways to broker multiple model providers — one compromised proxy hands over the keys to the entire AI estate and everything that has passed through it.
What to do: upgrade to LiteLLM v1.83.14-stable or later; rotate all provider, master, salt and DB credentials; restrict the proxy to authenticated, segmented networks.
Source (with date): Obsidian Security; The Hacker News (11 Jun 2026).

I4C / MHA warns of deepfakes built to defeat video-KYC and biometric onboarding.
India's Cyber Crime Coordination Centre (I4C), under the Home Ministry, advised that fraudsters harvest facial and voice data via fake video calls, interviews and dating/job lures, then generate deepfakes that bypass liveness detection, video-KYC and account recovery — with low-cost open models driving the surge.
Why it matters for India: video-KYC underpins digital account opening across Indian BFSI and wallets; defeating liveness turns identity itself into the attack surface, enabling fraudulent onboarding and account takeover at scale.
What to do: add deepfake/liveness-spoof detection to onboarding; require multi-signal verification (device, behavioural, out-of-band) for high-risk actions; warn customers never to "blink/turn-head" on unsolicited calls.
Source (with date): I4C / MHA advisory, via ETV Bharat and Business Standard (11 Jun 2026).

Supply-chain worms are now hunting AI-developer and cloud secrets.
Microsoft detailed the "Miasma" worm in malicious @redhat-cloud-services npm packages harvesting GitHub, npm, AWS, Azure, GCP, Vault and Kubernetes credentials; Socket then found 37 malicious PyPI wheels in the same Shai-Hulud / "Hades" lineage — several targeting AI-assistant configuration files.
Why it matters for India: India's large developer and GCC base heavily consumes npm/PyPI SDKs inside CI jobs that often hold LLM and cloud keys; one poisoned dependency leaks the credentials guarding production and customer data.
What to do: pin and lock dependencies, disable install-time scripts, scan for malicious packages and AI-config tampering, and rotate any secrets exposed during installs.
Source (with date): Microsoft Threat Intelligence (2 Jun 2026); Socket (7 Jun 2026).

Prompt injection is reaching agentic CI/CD pipelines (CVE-2025-66032).
Researchers showed untrusted GitHub issues and PR comments can steer AI coding agents — the Claude Code GitHub Action (CVE-2025-66032, CVSS 8.7, fixed in 2.1.128), with Gemini CLI and Copilot variants — into leaking workflow secrets or pushing malicious commits; OWASP still rates indirect prompt injection the top cause of agentic-AI failures in production.
Why it matters for India: AI code-review and issue-triage bots are entering Indian engineering pipelines faster than their trust boundaries are being designed.
What to do: make agent workflows read-only and secretless by default; pin actions by commit SHA; require human approval before writes; treat all model-ingested content as untrusted.
Source (with date): GMO Flatt Security (1 Jun); Microsoft Security Blog (5 Jun); Help Net Security / OWASP (11 Jun 2026).
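One way to enforce the "read-only, secretless, SHA-pinned" guidance above in a pre-merge check, as an added example that is not part of this digest or of any vendor's tooling: a small linter that flags mutable action references, write-scoped tokens, and secrets handed to jobs triggered by attacker-authored text. The `example-org/ai-review-agent` action, the `LLM_API_KEY` name and the 40-hex SHAs are constructed placeholders; the check is line-based by design (no YAML dependency), so unusual layouts can be missed.

```python
import re
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
WRITE_RE = re.compile(r"^\s*(permissions:\s*write-all|(contents|pull-requests|issues|packages|id-token):\s*write)")
# Triggers whose payload is text any outsider can author (issue bodies, PR/discussion comments).
UNTRUSTED_TRIGGERS = ("issue_comment", "pull_request_target", "discussion_comment")

def lint_workflow(text: str) -> list:
    """Return findings for one workflow file; an empty list means every check passed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            action, _, ref = m.group(1).partition("@")
            if not SHA_RE.match(ref):  # tags and branches are mutable; only a full SHA is a pin
                findings.append(f"line {n}: {action} pinned to '{ref or '<none>'}', not a commit SHA")
        if WRITE_RE.match(line):
            findings.append(f"line {n}: write permission granted ({line.strip()})")
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no 'permissions:' block; GITHUB_TOKEN falls back to repository defaults")
    triggers = [t for t in UNTRUSTED_TRIGGERS
                if re.search(rf"(^\s*-?\s*{t}:?\s*$|\[[^\]]*\b{t}\b)", text, re.M)]
    secrets = sorted(set(SECRET_RE.findall(text)) - {"GITHUB_TOKEN"})
    if triggers and secrets:
        findings.append(f"untrusted trigger(s) {', '.join(triggers)} run with secrets "
                        f"{', '.join(secrets)}; agent jobs should be secretless")
    return findings

# Constructed sample: an issue-triage agent with mutable pins, a write-all token and a provider key.
WEAK = """\
on:
  issue_comment:
    types: [created]
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/ai-review-agent@main
        with:
          api_key: ${{ secrets.LLM_API_KEY }}
"""
# Same job hardened: read-only token, SHA pins (placeholder SHAs), no provider secret in the job.
HARDENED = (WEAK.replace("permissions: write-all", "permissions:\n  contents: read\n  issues: read")
            .replace("@v4", "@0123456789abcdef0123456789abcdef01234567")
            .replace("@main", "@89abcdef0123456789abcdef0123456789abcdef")
            .replace("api_key: ${{ secrets.LLM_API_KEY }}", "token: ${{ secrets.GITHUB_TOKEN }}"))
```

Run `lint_workflow` over each file under `.github/workflows/` and fail the pipeline on a non-empty result; the human-approval gate the digest recommends still belongs in branch protection, not in this check.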