ctipilot.ch

CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016)

report · report:certfr-2026-act-016 single-source-national-cert

CERT-FR technical report on agentic AI tooling risks: prompt injection, MCP supply chain, and sandboxing guidance for organizations deploying AI coding agents (CERT-FR, May 2026).

Aliases: CERTFR-2026-ACT-016

Coverage timeline
3
first 2026-05-04 → last 2026-05-12
Peak priority
high
1 high · 2 notable
Sources cited
12
7 hosts
Sections touched
3
active-threats, deep-dive, weekly-policy
Co-occurring entities
4
see Related entities below

Story timeline

  1. 2026-05-12GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware
    deep-dive
  2. 2026-05-08CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces
    active-threats
  3. 2026-05-04CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit
    weekly-policy

Where this entity is cited

  • weekly-policy1
  • active-threats1
  • deep-dive1

Source distribution

  • attack.mitre.org5 (42%)
  • cloud.google.com2 (17%)
  • cert.ssi.gouv.fr1 (8%)
  • helpnetsecurity.com1 (8%)
  • securityweek.com1 (8%)
  • thehackernews.com1 (8%)
  • theregister.com1 (8%)

Related entities

All cited sources (12)

Entries about CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) (3)

2026-05-12 · view entry permalink →

HIGH

GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware

ANNUAL REPORT — this is the dedicated treatment of the periodic Google Threat Intelligence Group AI Threat Tracker per PD-9: cherry-picked findings high-relevance to a Swiss / EU public-sector SOC; not a re-summary of the underlying daily-coverage items the GTIG report itself revisits.

Background. GTIG (Google's threat-intelligence merger of Mandiant and the historical Google TAG) has been publishing recurring AI-threat-landscape briefings since the original Adversarial Misuse of Generative AI report (January 2025); CERT-FR's CERTFR-2026-ACT-016 agentic-AI advisory (covered in this brief's 2026-05-10 daily) and the NCSC-CH BACS assessment on AI in vulnerability management (covered same day) lay the European policy floor for the same threat surface. Where the predecessors documented LLM abuse as augmentation of existing tradecraft (phishing-content generation, recon, social-engineering scripts), the May 2026 AI Threat Tracker is the first report to publicly attribute an AI-generated functional zero-day exploit observed in active criminal use (Google Cloud Threat Intelligence — AI vulnerability exploitation initial access, 2026-05-11).

The first AI-generated zero-day exploit observed in the wild

GTIG describes a criminal campaign that used an LLM-generated Python exploit script targeting an unnamed widely-deployed open-source web-based systems-administration tool. The underlying flaw is a 2FA-bypass arising from a semantic logic error: developers hardcoded a trust assumption in one code path that contradicts the authentication-enforcement logic in another. GTIG's editorial point is that this bug class is exactly where LLMs outperform classical static analysis and fuzzers — semantic intent mismatch is undetectable to a fuzzer because the program does not crash, and undetectable to a typical SAST rule because both code paths individually are syntactically defensible.

GTIG attributes the script to LLM generation with high confidence based on structural artefacts atypical of human exploit authors: abundant "educational" docstrings explaining each function's purpose to a hypothetical reader; a hallucinated CVSS score embedded in comments; ANSI-colour helper imports and a --help menu scaffold characteristic of LLM training-data formatting; consistent variable-naming patterns that read like a tutorial rather than an exploit. Mapped to T1190 Exploit Public-Facing Application at runtime, and notable as the first publicly attributed instance of an LLM operating as the exploit author rather than as a phishing-content generator. Responsible-disclosure coordination patched the underlying tool before mass exploitation took hold; GTIG explicitly believes the disclosure disrupted the campaign.

AI-augmented malware families: CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE

The same GTIG release documents four malware families that integrate LLM calls into runtime behaviour rather than into development:

  • CANFAIL and LONGSTREAM (Russia-nexus) insert LLM-generated inert decoy code blocks and daylight-saving-time API calls at runtime to inflate benign-looking telemetry, polluting downstream behavioural-sequence detectors. Mapped to T1553 Subvert Trust Controls (as an EDR-evasion variant) and T1027 Obfuscated Files or Information (LLM-generated junk code as obfuscation).
  • PROMPTFLUX uses the Gemini API at runtime to generate just-in-time self-modifying code for EDR evasion — a logical extension of the polymorphism / packer class, but with the unique property that no two execution-instance signatures need ever match because the LLM is the polymorphism engine.
  • HONESTCUE requests VBScript-obfuscation stubs from Gemini at runtime, weaponising the cloud-API surface as the obfuscator's compiler.

State-actor abuse of Gemini: UNC2814 (PRC), APT45 (DPRK), APT27, UNC5673 (TEMP.Hex / PRC)

GTIG documents state-affiliated actor usage of Gemini for: ORB-fleet management (operating relay-network proxies), recursive-prompting validation of CVE / PoC quality at scale, and persona-driven jailbreaking attempts against embedded-device firmware analysis (TP-Link, the OFTP industrial protocol). UNC5673 (TEMP.Hex) is specifically called out for operating Claude-Relay-Service and CLI-Proxy-API tooling to pool illicit LLM access across Southeast Asian government-targeting operations — meaning the operational unit of compromise has shifted to include stolen LLM API keys as a primary objective, not a side-channel. This is the structural reason TeamPCP's SANDCLOCK stealer (§ 4 UPDATE) now explicitly enumerates LLM API keys alongside cloud credentials: there is a developed criminal market for stolen LLM access keys, driven by both volume billing arbitrage and access to higher-rate-limit / less-monitored model tiers.

Defender takeaway for Swiss / EU public-sector estates running AI workloads: treat LLM API keys as Tier-1 secrets equivalent to cloud-administrator credentials. Specifically: rotate at the same cadence; store in the same KMS / HSM-backed secret manager; enable usage-anomaly alerting at the LLM provider (rate-limit baselines per service principal, geographic / ASN anomalies, prompt-content categories outside business profile); audit any embedded-key check-ins to source control with the same gates as cloud-credential leak detection (T1552.001 Credentials In Files). The GTIG attribution that UNC5673 specifically targets government organisations means the threat profile applies directly to government developers and government-procured AI tooling.

Hardening / detection summary

Concrete posture changes a Swiss federal / cantonal / EU public-sector SOC can implement based on this report alone, in priority order:

  1. Egress allowlisting for LLM-API endpoints: only workloads where LLM access is justified should be permitted outbound to *.googleapis.com/v1beta/, api.openai.com/v1/, api.anthropic.com/, etc. — enforce at SWG and at host firewall on production servers. Catches PROMPTFLUX / HONESTCUE / CANFAIL-class runtime LLM calls from workloads that should not be making them.
  2. LLM-API-key secrets management: treat as Tier-1; rotate quarterly minimum; enable provider-side usage alerting on per-key baselines.
  3. Exploit-artefact LLM-output heuristics added to triage pipelines for PoC scripts pulled from public sources — docstring-density / hallucinated-metadata / ANSI-bootstrap pattern, used as a triage prior, not a verdict.
  4. CI/CD secrets hygiene at the runner level — directly applicable both to the AI-key theft trend and to the SANDCLOCK / TeamPCP Jenkins compromise carried as the § 4 UPDATE. OIDC-federated short-lived credentials where the platform supports it; no long-lived PATs in runner environment.
  5. Behavioural-sequence detector cross-validation: where ML-based EDR is in use, validate against API-call-sequence pollution by sampling current detection thresholds against synthetic LLM-generated benign sequences.
threat12 May 05:00Zmulti-sourceOpen finding ↗

2026-05-08 · view entry permalink →

NOTABLE

CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces

France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.

threat08 May 05:00Zsingle-source · national CERTOpen finding ↗

2026-05-04 · view entry permalink →

NOTABLE

CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit

CERT-FR's advisory (dated 13 April 2026, surfaced in this week's daily on 2026-05-08) names three operational risk classes for organisations deploying agentic AI orchestration platforms (Claude Agents, Microsoft Copilot Studio, AutoGen, MCP-server architectures): prompt injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments. CERT-FR recommendations: input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated (CERT-FR — CERTFR-2026-ACT-016, 2026-05-08 · daily 2026-05-08). Why this is obligations-changing rather than routine advisory: for French public-sector entities deploying agentic AI, CERT-FR advisories establish the baseline a defendable-control posture is measured against. The Microsoft Semantic Kernel CVE-2026-26030 / CVE-2026-25592 pair (§ 3 deep dive) is the worked-example of CERT-FR's first and third risk classes manifesting as concrete vendor CVEs — defenders deploying any agentic-AI framework should treat the CERT-FR advisory as defining the question-set, not the answer-set.

policy04 May 05:00Zsingle-source · national CERTOpen finding ↗