Bharat Threat Feed: Global threats, decoded for Indian defenders
AI Threat Watch — 23 June 2026

The AI-security vertical of the Nirad Bharat Threat Feed. Twice weekly, Bharat-first, for CISOs, SOCs and AI builders — as allied cyber agencies warn that AI-powered offensive capability is months, not years, away.
1. Five Eyes agencies warn frontier AI will transform offensive cyber capability within months

On 22 June, cyber agencies from the US (NSA, CISA), UK, Australia, Canada, and New Zealand issued a joint statement warning that advanced AI models are expected to fundamentally transform offensive and defensive cyber capabilities faster than most organisations currently plan for. The agencies named legacy system sprawl, slow patching, unnecessary internet exposure, and weak identity controls as the gaps AI will exploit at scale, and described getting those fundamentals right as the immediate priority.

Why it matters for India: India sits outside the Five Eyes alliance but faces the same AI-accelerated threat environment. If AI compresses time-to-exploit from days to hours — as the agencies warn — enterprise patch cycles that run over several weeks become operationally indefensible. The advisory is not a long-range forecast; it is a prompt to act on near-term exposure.

Action: Accelerate patch SLAs for internet-facing and high-value systems in line with CERT-In's CISG-2026-02 timelines (see below); map internet-exposed assets this quarter; brief senior leadership on the months-not-years horizon rather than treating AI risk as a future planning item.

Source: NSA, CISA, UK NCSC, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ joint statement (22 Jun 2026).
2. Microsoft discloses AutoJack: a single malicious webpage can drive an AI browsing agent to execute arbitrary code on the host

Microsoft's Defender Security Research Team published research on 18 June documenting an exploit chain, named AutoJack, in pre-release AutoGen Studio builds (v0.4.3.dev1 and v0.4.3.dev2). Three chained weaknesses — localhost trust inherited by an agent's browsing session, missing authentication on MCP WebSocket routes, and unsanitised command execution — allow attacker-controlled JavaScript on any webpage the agent visits to run arbitrary commands on the developer's machine. The vulnerable surface is not in the PyPI release; Microsoft hardened the upstream main branch in commit b047730.

Why it matters for India: India's GCC and product engineering community is actively building with multi-agent frameworks. AutoJack demonstrates that an agent's web-browsing capability is an attack surface when the local tooling server does not enforce independent authentication — a pattern common in early prototypes.

Action: Remove AutoGen Studio v0.4.3.dev1 and dev2 and pull the patched GitHub main branch. For all local agent deployments: enforce authentication independently on every MCP endpoint, validate commands against an explicit allowlist, and run agents in isolated containers rather than on developer workstations directly.

Source: Microsoft Security Blog (18 Jun 2026); The Hacker News (19 Jun 2026).
3. 15 malicious JetBrains Marketplace plugins silently exfiltrated AI API keys from approximately 70,000 developer installs

Aikido Security identified 15 third-party plugins on JetBrains Marketplace — posing as AI coding assistants and tools — with approximately 70,000 combined downloads. The plugins functioned as advertised while transmitting AI provider API keys (OpenAI, DeepSeek, SiliconFlow) to attacker-controlled servers the moment a key was saved by the user, with no visible indication. JetBrains removed the plugins and blocked the associated publisher accounts on 16–17 June 2026. The campaign had been running since October 2025.

Why it matters for India: JetBrains IDEs are standard tooling in India's large Java and Kotlin developer community across GCCs and product engineering firms. Stolen LLM API keys give attackers access to production AI systems — enabling model abuse, unauthorised usage charges, and credential pivoting — without any compromise of application code.

Action: Audit JetBrains plugin installations and remove the 15 flagged plugins; rotate any API keys entered into JetBrains plugin settings since October 2025. Do not store production AI provider keys in IDE plugin fields; treat those credential inputs the same as environment variables — scoped, rotated, and access-logged.

Source: BleepingComputer (16 Jun 2026); Infosecurity Magazine (17 Jun 2026); Aikido Security; JetBrains Blog.
4. CERT-In issues AI-assisted threat blueprint with 12-hour remediation mandate for critical internet-facing systems

CERT-In published guidance document CISG-2026-02 in May 2026 covering AI-enabled reconnaissance, adaptive malware, AI-generated phishing, deepfake fraud, and AI-accelerated exploitation. The blueprint is advisory and sets risk-based patch timelines: known exploited vulnerabilities on internet-facing or critical systems — 12 hours; critical externally exposed vulnerabilities — 24 hours; high-severity vulnerabilities — 5 days. It also calls for formal AI system governance and Zero Trust architecture adoption across Indian digital infrastructure.

Why it matters for India: The 12-hour target for known-exploited internet-facing flaws requires near-real-time vulnerability triage and pre-authorised emergency change procedures — a standard most Indian enterprises have not yet built toward. CERT-In's inclusion of AI-generated threats aligns this blueprint with the Five Eyes warning above.

Action: Benchmark current patch SLAs against CISG-2026-02's timelines; establish pre-authorised emergency change procedures for critical internet-facing vulnerabilities; begin an AI system inventory covering what is deployed, what data it accesses, and who governs it.

Source: CERT-In, CISG-2026-02 (25–26 May 2026); The Hacker News; Medianama.
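The Action above asks teams to benchmark patch SLAs against the CISG-2026-02 tiers. As an added example (not CERT-In's or Nirad's tooling), the script below encodes the three quoted windows and classifies a set of constructed findings as met, breached, open or overdue. Treating a critical vulnerability that is not externally exposed under the 5-day tier is an assumption; the blueprint text quoted here does not say.

```python
# Added example: benchmark patch records against the CISG-2026-02 timelines quoted
# in the item above. Record fields and sample data are constructed for illustration.
from datetime import datetime, timedelta, timezone
from typing import Optional


def sla_window(record: dict) -> Optional[timedelta]:
    """Return the remediation window for a finding; tiers are checked in precedence order."""
    exposed_or_critical = record.get("internet_facing") or record.get("critical_system")
    if record.get("kev") and exposed_or_critical:
        return timedelta(hours=12)   # known exploited, on an internet-facing or critical system
    if record["severity"] == "critical" and record.get("internet_facing"):
        return timedelta(hours=24)   # critical vulnerability, externally exposed
    if record["severity"] in ("critical", "high"):
        # 5 days for high severity; critical-but-internal placed here is an assumption
        return timedelta(days=5)
    return None                      # no tier quoted for medium/low


def benchmark(records: list, now: datetime) -> list:
    """Return (id, window, deadline, status) for every record that falls under a tier."""
    rows = []
    for r in records:
        window = sla_window(r)
        if window is None:
            continue
        deadline = r["detected"] + window
        if r.get("patched"):
            status = "met" if r["patched"] <= deadline else "breached"
        else:
            status = "open" if now <= deadline else "overdue"
        rows.append((r["id"], window, deadline, status))
    return rows


# Constructed sample export: one KEV on a VPN edge, one critical web flaw already
# patched, one internal high-severity finding still open.
NOW = datetime(2026, 6, 23, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "VPN-1", "kev": True, "internet_facing": True, "severity": "critical",
     "detected": datetime(2026, 6, 22, 8, 0, tzinfo=timezone.utc), "patched": None},
    {"id": "WEB-2", "kev": False, "internet_facing": True, "severity": "critical",
     "detected": datetime(2026, 6, 22, 12, 0, tzinfo=timezone.utc),
     "patched": datetime(2026, 6, 23, 6, 0, tzinfo=timezone.utc)},
    {"id": "INT-3", "kev": False, "internet_facing": False, "severity": "high",
     "detected": datetime(2026, 6, 20, 0, 0, tzinfo=timezone.utc), "patched": None},
]

if __name__ == "__main__":
    for row_id, window, deadline, status in benchmark(SAMPLE, NOW):
        print(f"{row_id}: window={window} deadline={deadline:%Y-%m-%d %H:%M}Z status={status}")
```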
AI defender tip: This week's disclosures share a structural pattern: AI systems that consume untrusted content — web pages, plugin settings, user-supplied tool inputs — are being turned into execution and credential-exfiltration vectors. The control is the same in each case: never allow an AI agent or AI-powered tool to handle untrusted input while simultaneously holding privileged credentials or direct access to command execution. Isolate the agent's browsing environment from its action environment; keep development and production keys separate; audit every local tooling endpoint for independent authentication.
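A minimal illustration of the two controls that item 2 and this tip call for, as an added example that is not Microsoft's, AutoGen's or Nirad's code: a local tooling endpoint that authenticates every request on a per-request token regardless of origin (localhost earns nothing), and validates commands against an explicit allowlist before anything could reach a shell. The token value, the request shape and the allowlist contents are constructed assumptions.

```python
# Added example: request guard for a local agent tooling endpoint. Shows the
# defensive pattern only; the token, message format and allowlist are constructed.
import hmac
import shlex
from typing import Optional, Tuple

# Per-process secret; a real service would load it from protected config or an env var.
TOOL_TOKEN = "constructed-local-token-do-not-reuse"

# Allowed executables and, for each, the only arguments the agent may pass.
COMMAND_ALLOWLIST = {
    "git": {"status", "log", "diff"},
    "pytest": {"-q", "-x"},
}


def authorize(request: dict) -> bool:
    """Accept only a matching bearer token. Origin and Host are ignored on purpose:
    a browser tab on localhost can reach this socket as easily as the agent can."""
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Bearer "):
        return False
    return hmac.compare_digest(header[len("Bearer "):], TOOL_TOKEN)


def validate_command(command: str) -> Optional[list]:
    """Tokenise with shlex (never shell=True) and require every token to be allowlisted.
    Returns the argv to execute, or None when anything is not explicitly permitted."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes etc.
        return None
    if not argv or argv[0] not in COMMAND_ALLOWLIST:
        return None
    if any(arg not in COMMAND_ALLOWLIST[argv[0]] for arg in argv[1:]):
        return None             # e.g. "status;" or "--all" are rejected whole
    return argv


def handle(request: dict) -> Tuple[int, str]:
    """Auth first, then allowlist; raw text is never handed to a shell."""
    if not authorize(request):
        return 401, "authentication required"
    argv = validate_command(request.get("command", ""))
    if argv is None:
        return 403, "command not in allowlist"
    # A real server would now call subprocess.run(argv, shell=False) inside a container.
    return 200, " ".join(argv)
```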

Nirad Threat Research

Nirad AI Threat Watch | Bharat-first threat intelligence