The Agentic Security Newsletter - Weeks of June 15 and 22, 2026
Executive Summary
This cycle’s strongest signal is a growing consensus that agentic AI breaks the assumptions traditional security tooling was built on. Ilia Shumailov’s Black Hat talk, ‘Why We Can’t Retrofit Old Security Principles Onto AI Agents,’ frames the core problem: LLM-based agents collapse the boundary between trusted code and untrusted data, letting adaptive attacks bypass standard guardrails more than 90% of the time. That thesis is echoed in research showing that conventional detect-and-block defenses leak signal to automated attackers (‘Analyzing Defensive Misdirection’), and that adaptive multi-turn attacks push frontier models past their safety limits in roughly 8.7-12.1% of sessions even in safety-critical settings (NRT-Bench). The takeaway for practitioners is that prompt injection and jailbreak resistance increasingly need to be addressed at the deployment-architecture level rather than bolted on as filters.
The supply chain is the second front opening up around agents. PhantomSkill demonstrates a concrete attack that hides malicious behavior inside the auxiliary resources of third-party agent skills, disguised as ‘vulnerability-shaped’ code that evades reviewers, while PYPILINE answers the defensive side with an agent-based pipeline that detects malicious PyPI packages at 96.7% precision. Together they signal that the same agent ecosystems being used to automate security work are themselves becoming attack surface, and that resource-level vetting and execution-time containment are now table stakes for skill marketplaces.
On the constructive side, agents are demonstrably finding real bugs. Code-Augur, an autonomous LLM-agent harness, made its security reasoning explicit as in-code assertions, used fuzzing to falsify them, and uncovered 22 new vulnerabilities in real open-source projects using off-the-shelf models like Claude Sonnet and DeepSeek. The open-source tooling tracked this period — CAI for offensive and defensive automation, tachi for STRIDE/MAESTRO threat modeling in Claude Code, and CyberSentinel-AI for multi-agent real-time detection — shows the same agentic patterns maturing into reusable frameworks. The net narrative: agentic capability is advancing on both offense and defense simultaneously, and the defensive edge is shifting from detection rules toward architectural guarantees and explicit, verifiable reasoning.
⚔️ Offensive Agentic AI
1. PhantomSkill: Malicious Code Injection in Agent Skill Ecosystems
Source: Yu-Ting Lin, Chia-Mu Yu / arxiv.org (arxiv.org)
Focus: PhantomSkill demonstrates a supply-chain attack in which malicious behavior is hidden in the auxiliary resources of third-party agent skills, disguised as ‘vulnerability-shaped’ code that evades reviewers.
Key Points:
Attackers smuggle malicious behavior into auxiliary resources of third-party agent skills, not the obvious code, evading manual reviewers.
The payload is staged as ‘vulnerability-shaped’ code, blurring the line between an honest bug and a deliberate backdoor.
Defending skill ecosystems requires both resource-level vetting and execution-time containment, not just code review of the primary file.
Why it matters: If your team installs third-party coding-agent skills, the malicious payload may live in resources your review never opens — vet and sandbox beyond the main file.
2. Analyzing Defensive Misdirection Against Model-Guided Automated Attacks on Agentic AI Systems
Source: Reza Soosahabi, Vivek Namsani / arxiv.org (arxiv.org)
Focus: This paper shows that conventional detect-and-block defenses let automated jailbreak attacks eventually succeed, because predictable refusals give the attacker’s automated judge clear signal.
Key Points:
Predictable detect-and-block refusals leak information that lets model-guided automated jailbreaks iterate to eventual success.
Replacing refusals with misleading but safe responses confuses the attacker’s automated judge and breaks its optimization loop.
Misdirection reportedly cuts automated attack success rates by up to two orders of magnitude against agentic AI systems.
Why it matters: Your clean, predictable refusal messages may be training the attacker’s optimizer — consider whether deterministic blocks are quietly leaking signal.
3. 2026: The Year of AI-Assisted Attacks
Source: thehackernews.com (thehackernews.com)
Focus: This analysis charts the shift toward AI-assisted and autonomous offensive operations, focusing on autonomous ransomware pipelines.
Key Points:
Offensive operations are moving from AI-assisted to increasingly autonomous, with ransomware pipelines as a leading example.
Autonomous ransomware pipelines let small crews hit multiple targets simultaneously, decoupling attack scale from team size.
Defenders should expect a higher volume of parallel, automated campaigns rather than a few hand-operated intrusions.
Why it matters: Plan for adversaries whose throughput no longer scales with headcount — your detection-volume assumptions for ransomware are about to be wrong.
🛡️ Defensive Agentic AI
1. Why We Can’t Retrofit Old Security Principles Onto AI Agents
Source: Ilia Shumailov / Black Hat (Black Hat)
Focus: In this Black Hat talk, Ilia Shumailov argues that LLM-based agents collapse the boundary between trusted code and untrusted data, letting adaptive attacks bypass standard guardrails with over 90% success.
Key Points:
LLM agents erase the trusted-code-versus-untrusted-data boundary, so retrofitted guardrails fail against adaptive attacks (over 90% bypass).
Prompt injection should be addressed at the deployment-architecture level by design, rather than patched with after-the-fact filters.
Proposed architectures aim for provable security against control-flow injections and verifiable security against data-flow attacks.
Why it matters: This is the clearest articulation yet that guardrail filters are a losing game — your agent security roadmap should be architectural, not rule-based.
2. Code-Augur: Agentic Vulnerability Detection via Specification Inference
Source: Zhengxiong Luo, Mehtab Zafar, Dylan Wolff, Abhik Roychoudhury / arxiv.org (arxiv.org)
Focus: Code-Augur is an autonomous LLM-agent harness that makes its security reasoning explicit as in-code assertions and then uses fuzzing to falsify them.
Key Points:
Encoding the agent’s security reasoning as explicit in-code assertions makes its hypotheses checkable rather than opaque.
Pairing those assertions with fuzzing to falsify them grounds findings in executable evidence, reducing false positives.
The approach uncovered 22 new vulnerabilities in real open-source projects using off-the-shelf models (Claude Sonnet, DeepSeek).
Why it matters: You can run this pattern today with off-the-shelf models — explicit assertions plus fuzzing is a deployable recipe for trustworthy agentic bug-finding.
3. NRT-Bench: Multi-Turn Red-Teaming of LLM Agents Operating Safety-Critical Systems
Source: Hanwool Lee, Dasol Choi, Bokyeong Kim, Seung Geun Kim, Haon Park / arxiv.org (arxiv.org)
Focus: NRT-Bench stress-tests LLM agents acting as operators of a simulated nuclear plant under multi-turn adversarial pressure.
Key Points:
A dedicated benchmark now evaluates LLM agents as operators of safety-critical control systems, not just chat assistants.
Adaptive multi-turn attacks pushed frontier models past safety limits in 8.7-12.1% of sessions, so single-turn tests understate risk.
Guardrails are not universally transferable: one that helps one model can degrade another, arguing against one-size-fits-all configs.
Why it matters: If you red-team agents single-turn only, you are likely understating real risk — and copying another team’s guardrail config may backfire.
4. PYPILINE: Malicious PyPI Package Detection via Suspicious API Knowledge and Agent Workflow
Source: Siyuan Pang, Zhengwei Jiang, Yepeng Yao, Zijing Fan, Haozhe Li / arxiv.org (arxiv.org)
Focus: PYPILINE is an agent-based pipeline that detects malicious PyPI packages by pairing a suspicious-API knowledge base with tool-calling agents.
Key Points:
Combining a curated suspicious-API knowledge base with tool-calling agents lets the pipeline reason about behavior, not just pattern-match.
The pipeline reaches 96.7% precision on malicious PyPI package detection, making it viable for low-false-positive triage.
It emits interpretable maliciousness reports, giving analysts actionable evidence instead of opaque scores.
Why it matters: A 96.7%-precision, explainable triage layer for PyPI is exactly the supply-chain defense your dependency review pipeline has been missing.
🛠️ Featured GitHub Projects
1. aliasrobotics/CAI
Cybersecurity AI (CAI) is an open-source framework for building AI security agents that automate both offensive and defensive operations. It is actively maintained and widely referenced as a production-ready agentic security framework, making it a notable reference point for teams building autonomous security tooling.
2. davidmatousek/tachi
tachi is a threat-modeling and AI-reasoning vulnerability-detection harness for Claude Code that combines STRIDE, AI analysis, and the MAESTRO framework. By targeting agentic threat coverage specifically, it shows how established threat-modeling methodologies are being adapted for AI-agent workflows.
3. strawberrykyuu/CyberSentinel-AI
CyberSentinel-AI is an event-driven, context-aware multi-agent system for real-time threat detection, anomaly detection, and computer-vision-based malware analysis, built in pure Python. Its multi-agent, event-driven design illustrates how agentic architectures are being applied to live defensive monitoring.
💡 Actionable Takeaways
For Security Leaders: Reframe your agent security strategy around deployment architecture rather than retrofitted guardrails, and treat third-party agent skills and package registries as a first-class supply-chain attack surface requiring resource-level vetting.
For SOC Teams: Evaluate agent-based supply-chain defenses like PYPILINE for explainable, high-precision PyPI triage, and pilot multi-agent monitoring patterns such as CyberSentinel-AI for real-time anomaly and threat detection.
For Red Teams: Test your agents with adaptive multi-turn attacks à la NRT-Bench instead of single-turn jailbreaks, and explore CAI and Code-Augur to automate offensive reasoning and uncover real vulnerabilities at scale.


