Incidents Index
Recorded attacks on AI (AI systems compromised) and with AI (AI used as attack tooling). One page per incident. Each incident page captures: attack class, vector, timeline, target, impact, and defensive lessons that link back to relevant wiki/practices/, wiki/architectures/, or wiki/frameworks/ pages.
Why per-incident pages
Incidents are the empirical record that frameworks and controls get measured against. Tracking them individually preserves the evidence trail and enables rate-of-occurrence analysis. Generic rollups lose this.
2024
| Date | Incident | Class |
|---|---|---|
| 2024-08-20 | Slack AI private-channel exfiltration | Prompt injection — indirect; canonical Lethal Trifecta case |
2025
| Date | Incident | Class |
|---|---|---|
| 2025-05-07 | Cursor npm credential stealer | Supply chain — npm packages targeting AI IDE |
| 2025-07-16 | Claude → Stripe coupons via iMessage metadata spoofing | Prompt injection — multi-MCP context pollution |
| 2025-11-11 | VS Code AI output validation bypass | Prompt injection — IDE security feature bypass |
Q1 2026
| Date | Incident | Class |
|---|---|---|
| 2026-01 → 2026-02 | ClawHavoc | Supply chain — agentic skill marketplace |
| 2026-02-17 | Clinejection | Prompt injection — AI-attacks-AI |
| 2026-02-20 | SANDWORM_MODE npm worm | Toolchain poisoning — MCP injection |
| 2026-03-03 | Unit 42 in-the-wild prompt injection observations | Prompt injection — telemetry |
| 2026-03-18 | Meta Sev 1 agent breach | Autonomous breach — proprietary code exposure |
| 2026-03-24 | LiteLLM supply chain compromise | Supply chain — Google ADK dependency |
Ongoing
- MCP CVEs Q1 2026 — 30+ filed Jan–Feb 2026; 82% of 2,614 surveyed MCP implementations vulnerable to path traversal. See MCP CVEs Q1 2026.
Adding a New Incident
- Copy `_templates/incident.md`.
- Choose `incident_class` from the enum.
- Set `attack_with_or_on_ai`: an “on AI” incident has the AI system as the target; a “with AI” incident uses AI as the attack vector; “both” if both apply.
- Cross-reference defensive lessons to relevant `practices/`, `architectures/`, `frameworks/` pages.
- Add to the table above and to `wiki/index.md`.
Pages
- Claude Metadata-Spoofing Attack — Unlimited Stripe Coupons via iMessage MCP Injection
- ClawHavoc — Agentic Skill Marketplace Supply Chain Attack
- Clinejection — AI Attacks AI via GitHub Issue Title
- Cursor npm Credential Stealer (May 2025)
- VS Code Prompt Injection (Security Feature Bypass)
- GTG-1002 — First Reported AI-Orchestrated Cyber Espionage Campaign — The first publicly disclosed APT-class campaign in which an AI agent — rather than a human operator — drove the majority of tactical oper…
- Jules AI Kill Chain — Indirect Injection to Full Remote Control
- LiteLLM Supply Chain Compromise (Google ADK Dependency)
- MCP CVEs Q1 2026
- Meta Sev 1 AI Agent Breach
- Month of AI Bugs (August 2025) — Coordinated Public Disclosures
- SANDWORM_MODE npm worm — AI Toolchain Poisoning
- Slack AI Private-Channel Data Exfiltration via Indirect Prompt Injection
- Unit 42 In-the-Wild Prompt Injection Observations