This week: a credential-harvesting worm reaches into AI coding assistants, OpenAI ships a structural fix for prompt injection, and OWASP confirms prompt injection is now woven through most agentic-AI risk - read through the lens of the Indian SOC and AI builder.
1
Miasma/Hades supply-chain worm harvests cloud and AI-assistant secrets from npm and PyPI
Between 5 and 7 June, attackers pushed a malicious commit into Microsoft's Azure/durabletask GitHub repository (73 repos across four Microsoft orgs later disabled) and seeded 37 malicious PyPI wheels across ~19 packages; the payload fires when a developer opens the repo in Claude Code, Gemini CLI, Cursor or VS Code via config hooks (.claude, .gemini, .cursor, .vscode), then exfiltrates AWS/GCP/Azure tokens, GitHub and registry credentials, SSH keys and AI-assistant configuration files.
Why it matters for IndiaIndia's large GCC, services and AI-startup developer base runs exactly these AI coding tools, and a single harvested cloud or model-provider token can pivot into customer data and inference pipelines - with DPDP breach-notification exposure attached.
ActionPin and verify npm/PyPI dependencies, disable auto-execution of repo-level AI assistant config on untrusted clones, and rotate cloud/model-provider keys for any developer who opened an untrusted project this week.
SourcePhoenix Security, "Miasma" Azure/Hades analysis (10 June 2026); Orca Security, "Hades PyPI Supply Chain Attack" (8 June 2026).
2
OpenAI ships ChatGPT "Lockdown Mode" to blunt prompt-injection data theft
On 6 June, OpenAI launched Lockdown Mode, an optional toggle that disables live browsing, Deep Research, Agent Mode, web image retrieval and file downloads to cut the outbound channel that prompt-injection attacks rely on to exfiltrate data; OpenAI stressed it is not a silver bullet, as injected instructions can still appear in cached content or uploaded files.
Why it matters for IndiaAs Indian banks, GCCs and government bodies pilot ChatGPT-class agents over sensitive data, this gives a concrete, no-cost control to break Simon Willison's "lethal trifecta" of private data, untrusted content and an outbound channel.
ActionDefault high-risk and data-handling user groups to Lockdown Mode, treat Agent/Browse modes as privileged, and use the new Active Sessions dashboard (shipped alongside the Elevated Risk labels) to review sign-ins and revoke stale devices.
SourceOpenAI, "Introducing Lockdown Mode and Elevated Risk labels in ChatGPT" (6 June 2026); TechCrunch (6 June 2026).
3
OWASP confirms prompt injection now spans most agentic-AI risk categories
OWASP's GenAI Security Project published State of Agentic AI Security and Governance v2.01, mapping prompt injection to six of the ten entries in its Top 10 for Agentic Applications and noting it stems from LLMs treating the system prompt, user request and retrieved content as one undifferentiated token stream.
Why it matters for IndiaIndian enterprises racing to deploy autonomous agents (n8n leads the report's advisory count; Claude Code has 22) cannot treat prompt injection as a tunable bug - it must be a board-level design constraint before agents touch BFSI or citizen data.
ActionApply Meta's "Agents Rule of Two" (no more than two of: private data, untrusted input, autonomous external action without human approval), and require human-in-the-loop approval for any agent action that combines all three.
SourceOWASP GenAI Security Project via Help Net Security, "Prompt injection still drives most agentic AI security failures in production" (11 June 2026).
4
Adversa's June GenAI security roundup flags RAG corpus leakage and multimodal jailbreaks as the next enterprise exposure
Adversa AI's 8 June roundup curates current research showing RAG back-ends can leak whether a specific document sits in the corpus with as few as five entailment queries and no surrogate model, and that multi-turn, multi-language jailbreaks beat prior benchmarks - both directly relevant to private knowledge bases.
Why it matters for IndiaMany Indian AI deployments are RAG over proprietary or personal data (legal, health, BFSI), so corpus-membership leakage is a quiet DPDP and confidentiality risk that traditional DLP will miss.
ActionRate-limit and log RAG query patterns, segregate sensitive corpora behind access checks rather than retrieval alone, and add multi-turn jailbreak cases to pre-deployment red-team suites.
SourceAdversa AI, "Top GenAI Security Resources - June 2026" (8 June 2026).
AI defender tip: Treat every repo-level AI assistant config file (.claude, .cursorrules, CLAUDE.md, .gemini) on an untrusted clone as executable attacker input - review it before your assistant ever reads it.
Nirad AI Threat Watch | Bharat-first threat intelligence
