Bharat Threat FeedGlobal threats, decoded for Indian defenders
AI Threat Watch · 2 July 2026

AI Threat Watch — 2 July 2026

Three critical-severity disclosures from 30 June 2026 — active exploitation of an LLM workflow platform, enterprise agent hijacking through tool metadata, and a frontier model distillation campaign — arrive against the backdrop of a 66,000-CVE year that is stretching every security team's triage capacity.
1CriticalCVSS 9.3

CVE-2026-33017 (CVSS 9.3): unauthenticated RCE in Langflow actively exploited for cryptomining and lateral movement

Attackers are exploiting an unauthenticated Python code-execution endpoint in Langflow — the open-source LLM workflow builder — to deploy Monero cryptocurrency miners and pivot to adjacent systems via reused SSH keys. The vulnerable API endpoint (POST /api/v1/build_public_tmp) evaluates attacker-supplied code server-side with no authentication; the path was designed for unauthenticated prototyping but is reachable on any internet-facing instance. Trend Micro confirmed active exploitation over a 19-day window in March–April 2026, and exposure persists on all versions below 1.9.0.

Why it matters for IndiaIndian GCCs, AI development teams, and enterprises prototyping or running production LLM workflows on Langflow are exposed to resource hijacking and a potential SSH-based foothold into co-located systems and networks.
ActionUpgrade to Langflow 1.9.0 or later immediately; remove internet exposure from all instances and require authenticated, network-segmented access; audit SSH keys on hosts where Langflow has run; rotate credentials on any instance that has been internet-accessible.
SourceThe Hacker News; Trend Micro (30 June 2026).
2

Microsoft warns: poisoned MCP tool descriptions can redirect enterprise AI agents to exfiltrate business data through approved channels

Microsoft's Incident Response and Defender teams have documented a class of attack in which hidden instructions embedded in Model Context Protocol tool descriptions steer AI agents — including Microsoft 365 Copilot, Copilot Studio, and Azure AI Foundry agents — to collect invoices, read SharePoint content, or forward email to attacker infrastructure, with every step appearing as normal agent behaviour. MCP picks up tool description changes dynamically; without a re-approval trigger, a poisoned version goes live without any additional review. The attack has a confirmed real-world precedent: the postmark-mcp npm package shipped 15 clean versions before one line silently BCC'd every agent-sent email to an attacker.

Why it matters for IndiaIndian GCCs, BFSI institutions, and IT/ITeS firms are rolling out Copilot and Azure AI agents at scale, frequently connected to third-party MCP servers for email, CRM, ERP, and cloud-storage integrations — an expanding agent surface with no standard description-change audit process.
ActionTreat MCP tool descriptions as code: require a review process before any change reaches production; maintain an approved-publisher list for third-party MCP servers; enforce human approval before any agent action touching payments, external email, or file exports; log agent identity and all tool calls with destination per action.
SourceThe Hacker News / Microsoft Incident Response (30 June 2026).
3

Anthropic alleges Alibaba-linked operators conducted 28.8 million Claude exchanges through approximately 25,000 fraudulent accounts to distill AI capabilities

In a letter to the US Senate Banking Committee dated 10 June 2026, Anthropic alleged that operators affiliated with Alibaba queried Claude across roughly 25,000 fraudulent accounts between 22 April and 5 June 2026, targeting software-engineering, agentic-reasoning, and long-horizon task capabilities for model distillation — training a competing model on Claude's outputs at scale. Alibaba has denied wrongdoing. The 28.8 million exchange figure is Anthropic's allegation and has not been independently verified. The attack exploited the API through systematic high-volume interaction rather than a technical vulnerability, making detection dependent on behavioural analytics.

Why it matters for IndiaIndian AI startups differentiating products on top of frontier models, and GCCs hosting LLM-backed services for global clients, face two corresponding risks: distillation of their own fine-tuned model outputs by third parties, and compliance exposure if their API credentials or contractors become channels for comparable campaigns.
ActionMonitor API usage for volume anomalies, account clustering, and task patterns inconsistent with normal product traffic; enforce per-key rate limits and contractor-level quotas; audit which subprocessors and third-party integrators hold API credentials and at what access level.
SourceCNBC (24 June 2026); Business Insider (25 June 2026).
4

FIRST mid-year update projects approximately 66,000 CVEs for 2026, driven by AI-assisted bug-hunting — volume-based patching is no longer viable

FIRST's June 2026 mid-year revision raised the 2026 CVE projection to approximately 66,000, a 46% increase above the February baseline, as AI tools hunt software flaws autonomously. One illustrative data point: AI-assisted tooling analysing the Firefox engine drove a 164% spike in Mozilla's Q1 CVE disclosures alone. The critical context for defenders is that actionable exploitability has not risen proportionally. The share of CVEs reaching active exploitation or high EPSS scores remains flat; the surge is in the volume of findings requiring human triage.

Why it matters for IndiaIndian government, BFSI, and critical infrastructure teams must manage roughly double the CVE intake against CERT-In's May 2026 mandate of 12-hour containment for known-exploited internet-facing systems. Patching by CVSS severity headline across 66,000 annual findings creates unsustainable backlog and obscures the subset that actually warrants immediate action.
ActionMake EPSS scores and CISA KEV membership the primary triage signals — not raw CVSS; apply CERT-In's phased remediation timeline (12 hours for known-exploited internet-facing systems, three days for critical internal systems, five days for high-severity findings); adopt AI-assisted prioritisation tooling to separate machine-discovered low-exploitability findings from actively weaponised vulnerabilities.
SourceFIRST.org; Help Net Security (15 June 2026).
AI defender tip: Langflow, MCP tool registries, and LLM API gateways share a structural problem: they are AI-adjacent infrastructure with production-grade access to credentials, workflows, and business data, but are routinely deployed without the change-review and network-access controls applied to production systems. Inventory every AI service with external network exposure and confirm authentication, egress controls, and a change-review process are in place before the next deployment.

Nirad Threat Research

Nirad AI Threat Watch | Bharat-first threat intelligence