A defender’s view of indirect prompt injection in MCP-connected and tool-calling LLM agents — what the telemetry actually looks like, where detections originate noise, and how to map containment to 800-53.
CIFSwitch is a local-root flaw in the Linux kernel’s CIFS client that a researcher surfaced with AI-assisted analysis after it sat untouched since 2007. The kernel piece is real, but whether it touches you is a configuration question, not a kernel-version one.
Cloudflare’s May 18 post on cyber-frontier-models — running Anthropic’s Mythos Preview against 50+ of their own repositories under Project Glasswing — is the latest in a twelve-month cluster: Mythos’s 2,000 zero-days in seven weeks, OpenAI’s Aardvark scanning 1.2M commits in 30 days, XBOW on top of HackerOne, AISLE taking 13 of 14 OpenSSL CVEs for 2025. Defender-side analysis only; the goal is to read the trend, not to provide an operator playbook.
Agentic AI assistants in the browser collapse the gap between read access and exfil. Here is what the detection actually looks like in the M365 audit pipeline, where the noise comes from, and which assumptions change the answer.
A defender-oriented look at detecting indirect prompt injection in MCP-mediated and tool-calling agent stacks: which gateway fields matter, what the first week of alerting looks like, and where most detection programs miss the actual trust boundary.
A defender-oriented analysis of indirect prompt injection in tool-calling agents: where the signal actually lives in the trace pipeline, what the first week of tuning has to fix, and which 800-53 controls the implementation maps to.
CVE-2026-7482 turns Ollama’s /api/create into a heap-read primitive that exfiltrates prompts, system messages, and process environment variables through a crafted GGUF tensor shape. Patch to 0.17.1; everything else is a stopgap.
Model Context Protocol gives agents a clean way to call tools, but it also gives every piece of retrieved content a direct line to those tools. The classic confused deputy problem is back, and most deployments are not handling it.
Model Context Protocol turned every internal API into an LLM-reachable tool. The threat model didn’t catch up. Here’s what tool poisoning looks like in production and how to harden against it.
Model Context Protocol turned every developer’s laptop into a tool-calling agent host. The trust model that came with it is closer to npm circa 2016 than to anything a serious authorizing official would sign.
