Expand Up @@ -61,8 +61,11 @@ response should be discussed with the **CTI initiative** responsible for publish
|**Jun 2025**| **AgentSmith Prompt-Hub Proxy Attack** | Proxy prompt agent exfiltrated API keys | • ASI04 (Agentic Supply Chain Vulnerabilities) | • — <br> • — <br> • [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses)
|**May 2025**| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | • ASI01 (Agent Goal Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI06 (Memory & Context Poisoning)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)<br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)<br> • [Aim Security](https://www.aim.security/post/echoleak-blogpost) |
|**May 2025**| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | • ASI01 (Agent Goal Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI08 (Cascading Failures)| • — <br> • —<br> • [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability)
|**May 2025**| **ElizaOS Cross-Platform Memory Injection (CrAIBench)** | Researchers at Princeton and the Sentient Foundation demonstrated that the ElizaOS framework's shared RAG memory across platforms (Discord, X) could be poisoned by an attacker on one platform such that a legitimate user request on another platform later triggered the agent to act on the injected instruction (including unauthorized crypto transfers). Released as the CrAIBench benchmark. ElizaOS powers many production crypto AI agents (~15K GitHub stars). | • ASI06 (Memory & Context Poisoning)<br> • ASI01 (Agent Goal Hijack) | • [arXiv 2503.16248](https://arxiv.org/abs/2503.16248)<br> • —<br> • [Decrypt](https://decrypt.co/318200/elizaos-vulnerability-ai-gaslit-losing-millions)
|**Apr 2025**| **Agent-in-the-Middle (A2A Protocol Spoofing)** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | • ASI03 (Identity & Privilege Abuse) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI08 (Cascading Failures) <br> • ASI10 (Rogue Agents)| • — <br> • — <br> • [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks)
|**Mar 2025**| **GitHub Copilot & Cursor Code-Agent Exploit** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | • ASI04 (Agentic Supply Chain Vulnerabilities) <br> • ASI08 (Cascading Failures) <br> • ASI09 (Human-Agent Trust Exploitation) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)
|**Mar 2025**| **Flowise Pre-Auth Arbitrary File Upload** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | • ASI05 (Unexpected Code Execution (RCE)) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g) <br> • [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319) <br> • [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183)
|**Mar 2025**| **AIXBT Dashboard Compromise + Queued Adversarial Prompts** | Attacker infiltrated the operational dashboard of the AIXBT autonomous trading agent at 02:00 UTC on 2025-03-18 and queued two fraudulent prompts that directed the agent to transfer 55.5 ETH (~$106K) from the agent's Simulacrum wallet to an attacker-controlled address. Hybrid attack pattern: control-plane credential compromise combined with prompt-level instruction injection into the agent's queued task context. | • ASI03 (Identity & Privilege Abuse)<br> • ASI01 (Agent Goal Hijack) | • —<br> • —<br> • [AI Incident Database #1003](https://incidentdatabase.ai/cite/1003/)
|**Feb 2025**| **OpenAI ChatGPT Operator Vulnerability** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | • ASI01 (Agent Goal Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI03 (Identity & Privilege Abuse) <br> • ASI04 (Agentic Supply Chain Vulnerabilities) <br> • ASI06 (Memory & Context Poisoning) <br> • ASI07 (Insecure Inter-Agent Communication) <br> • ASI09 (Human-Agent Trust Exploitation) | • —<br> • —<br> • [Embrace The Red](https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/)
|**Nov 2024**| **Freysa Adversarial Banker — Function-Semantic Redefinition** | Freysa was an autonomous adversarial-game crypto agent with a single rule: never approve outgoing transfers. After 481 failed paid attempts (cost escalating per try), attempt #482 succeeded by framing the conversation as a fresh admin session and convincing the agent to redefine the semantics of its `approveTransfer` tool to authorize *incoming* funds rather than outgoing ones; the attacker then "donated" $100, which triggered the actual outflow path and drained 13.19 ETH (~$47K) from the agent's treasury. Demonstrates tool/function semantics being treated as redefinable mid-conversation rather than immutable. | • ASI01 (Agent Goal Hijack)<br> • ASI09 (Human-Agent Trust Exploitation) | • [Jarrod Watts disclosure thread](https://x.com/jarrodWattsDev/status/1862299845710757980)<br> • —<br> • [Hacker News](https://news.ycombinator.com/item?id=42272063)
---
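Review bot: The added ElizaOS row is dated May 2025 but its primary source is arXiv 2503.16248; arXiv identifiers encode year and month, so that preprint is from March 2025, which conflicts with the row's placement in a table that is otherwise sorted reverse-chronologically by month. Either move the row down beside the other Mar 2025 entries or state in the description which May 2025 event the date refers to. Two smaller consistency points on the three added rows (ElizaOS, AIXBT, Freysa): the ASI column lists IDs out of numeric order (`• ASI06 (Memory & Context Poisoning)<br> • ASI01 (Agent Goal Hijack)` and `• ASI03 (Identity & Privilege Abuse)<br> • ASI01 (Agent Goal Hijack)`) while every existing row lists them ascending, and the descriptions run to several sentences of operational detail (exact timestamp, GitHub star count, attempt number, ETH and dollar figures) where the existing rows keep to one sentence on the mechanism; trimming each to the attack pattern and its ASI mapping would keep the table scannable and leave the specifics to the linked sources.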