You connected your shiny new AI agent to Slack, Linear, GitHub, and email last week. Five tools, one autonomous assistant, zero friction. Your morning workflow finally felt like the future everyone's been promising since 2023. Congratulations — you also built an attack surface that would make a 2005 Windows XP box jealous.
Here's the problem nobody mentioned during onboarding: every message, ticket, issue, and document your agent reads is text written by someone else. And your agent — powered by an LLM (large language model, the brain behind ChatGPT, Claude, Gemini) — cannot tell the difference between your instructions and instructions someone hid inside that text. This flaw has a name: prompt injection — when an attacker embeds hidden commands in ordinary-looking content, and the AI follows them instead of yours.
Prompt injection stopped being theoretical in February, when the Clinejection attack exfiltrated SSH keys from roughly 4,000 developers via invisible Unicode characters hidden in GitHub issue titles. That was the proof of concept. April 2026 is the production deployment.
On April 4, cloud security firm Wiz published an analysis of a supply chain campaign called prt-scan: a single threat actor submitted 475 malicious pull requests in 26 hours using AI-generated payloads that adapted to each repository's tech stack. Python repo? Inject via conftest.py. Node.js? Poison package.json. Rust? Slip into build.rs. The attacker's tooling — essentially an agent attacking other agents — operated at a pace no human code reviewer could match. Verified theft included AWS keys, Cloudflare API tokens, and Netlify credentials.
On April 11, two critical vulnerabilities (CVE-2026-5058 and CVE-2026-5059, both scoring 9.8 out of 10) surfaced in the AWS MCP server — MCP (Model Context Protocol) being the universal plug standard for connecting AI agents to external tools, like USB but for data. Both flaws allowed unauthenticated remote code execution. No login required. Just send the right text. The AWS holes weren't isolated: Microsoft's Azure MCP Server shipped without authentication entirely (CVE-2026-32211, disclosed April 3), and on April 7 a DNS rebinding flaw (CVE-2026-35568) in the MCP Java SDK let attackers hijack locally-running AI servers through a victim's browser.
On April 9, Palo Alto's Unit 42 team documented 22 distinct techniques attackers use in the wild: zero-sized text, CSS suppression, Base64 encoding, Unicode directional overrides.
Their conclusion deserves its own line: "The web itself effectively becomes an LLM prompt delivery mechanism."
The attack surface scales multiplicatively. An agent connected to five tools has five inbound channels for poisoned text. Chain agents together — Slack triggers Linear triggers a coding agent — and one injection cascades through every handoff. Security researcher Simon Willison framed it precisely in his April 6 post: "The Lethal Trifecta" — private data access + untrusted content exposure + any exfiltration vector = guaranteed data theft. His assessment of vendors claiming 95% attack prevention: "95% is very much a failing grade."
Microsoft tacitly acknowledged the gap on April 2 by open-sourcing an Agent Governance Toolkit — runtime policy enforcement in under 0.1ms, seven packages, 9,500 tests, support for Python, TypeScript, Rust, Go, and .NET. It's a solid start. It's also an admission that no existing platform has this built in.
Before you connect tool number six, audit what actions your agent can take autonomously. Assume every text input it reads — every Slack message, every Jira ticket, every email subject line — is a potential unsigned command running with your credentials.
The most dangerous agent isn't the smartest one. It's the one with the most permissions and no idea it's already compromised.
