TechLetters ☕️ Prompt injection takes Instagram AI bot. Autonomous cyber gets cheap? Red Hat npm worm spreads. AI worm reasons through networks. Gaza data breach. Smart TVs become proxy nodes.
Security
The first cyberattack in history using prompt injection. Attackers used Meta’s AI support chatbot as a tool to take over Instagram accounts belonging to well-known people, brands, and institutions. By manipulating the bot, they convinced it to perform a critical administrative operation: changing or adding the email address associated with the victim’s account. Basic mistake: using an LLM as a security boundary. The attacker contacted Meta’s bot, provided the username of the target account, and asked it to link that account to a new email address under the attacker’s control. Whoever controls that mailbox can then receive the confirmation code, use the modified recovery channel to reset the password, and take over the account. AI support became a path for bypassing account security. If a chatbot can change an email address or initiate account recovery without independent verification of the owner, the attacker does not need the password and does not need to defeat any traditional control; it is enough to talk the automated support operator into an operation that the requester should never have been allowed to ask for. https://www.theverge.com/tech/941179/meta-instagram-ai-support-chatbot-exploit-hacked
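To make the "LLM as a security boundary" mistake concrete, here is an added example (not Meta's code and not from The Verge article; the `Session`, `Account` and `set_recovery_email_*` names are hypothetical). It contrasts a tool that executes whatever the model asks for with one that enforces account ownership inside the tool itself, where the prompt cannot reach it:

```python
"""Added example for the Instagram/Meta support-bot story. Not Meta's code;
all names are hypothetical. A chat model decides *whether* to call a tool, so
the tool must decide *whether it is allowed to act*, independently of the chat."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    # Identity proven by login/MFA *before* the chat started; None for an
    # unauthenticated visitor who merely typed a username into the bot.
    authenticated_user: Optional[str]


@dataclass
class Account:
    username: str
    recovery_email: str
    pending_email: Optional[str] = None
    audit: list = field(default_factory=list)


class NotAuthorized(Exception):
    pass


def fresh_store() -> Dict[str, Account]:
    # Constructed sample data.
    return {"famousbrand": Account("famousbrand", "owner@brand.example")}


def set_recovery_email_vulnerable(session: Session, accounts: Dict[str, Account],
                                  username: str, new_email: str) -> str:
    """Vulnerable: the tool trusts the model's decision to call it. `username`
    is whatever the chatting party said, so the recovery channel of any account
    can be re-pointed to an attacker-controlled mailbox."""
    acct = accounts[username]
    acct.recovery_email = new_email
    acct.audit.append(("email_changed", new_email))
    return "changed"


def set_recovery_email_hardened(session: Session, accounts: Dict[str, Account],
                                username: str, new_email: str) -> str:
    """Hardened: authorization lives in the tool, not in the prompt. The model
    may ask for anything; the tool acts only on the account the session proved
    it owns, and even then only stages the change until the OLD channel confirms."""
    if session.authenticated_user is None or session.authenticated_user != username:
        raise NotAuthorized(f"{session.authenticated_user!r} may not modify {username!r}")
    acct = accounts[username]
    acct.pending_email = new_email  # nothing is switched until confirmed via the old email
    acct.audit.append(("email_change_requested", new_email))
    return "pending_confirmation"


def simulate(gateway: Callable, caller: Optional[str], new_email: str) -> Tuple[str, str]:
    """Run one request through a gateway against a fresh store and report
    (status, recovery email now on record)."""
    accounts = fresh_store()
    try:
        status = gateway(Session(caller), accounts, "famousbrand", new_email)
    except NotAuthorized:
        status = "refused"
    return status, accounts["famousbrand"].recovery_email


if __name__ == "__main__":
    for name, gw in (("vulnerable", set_recovery_email_vulnerable),
                     ("hardened", set_recovery_email_hardened)):
        print(name, "attacker:", simulate(gw, None, "attacker@evil.example"))
        print(name, "owner:   ", simulate(gw, "famousbrand", "new@brand.example"))
```

The point of the hardened version is not a better prompt: the ownership check and the "confirm through the old channel" step run in code that the conversation cannot influence, so no amount of persuasion of the bot changes what the tool is permitted to do.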
LLMs can absolutely run autonomous cyberattacks and hack enterprise networks, and government systems too, and this can be cheaper than human operators. Going beyond the “magic hacking powers” of this or that model, the important part is the agentic orchestration: scanning, tool use, credential discovery, exploit selection, evidence tracking, privilege escalation planning, and adaptive retries across long attack chains, all planned and executed end to end. Once properly architected and connected to tooling such as shells, scanners, knowledge bases, memory, and task planners, models can turn known weaknesses, exposed services, misconfigurations, leaked credentials, and weak identity controls into repeatable intrusion workflows. This is less about exceeding human expertise and more about architectural decisions: state management, tool wrappers, context control, and deciding when a path is worth pursuing. It lowers the cost of offensive experimentation and lets attackers run more attempts, across more targets, with less specialist work. Defenders should assume AI-assisted intrusion attempts will become continuous and cheap, and noisy before they become polished. This genie is out of the bottle, and to repeat: the harness is what matters, and the work can absolutely be done with freely available open-weight models. https://dl.acm.org/doi/pdf/10.1145/3766895 https://dl.acm.org/doi/pdf/10.1145/3800584 https://arxiv.org/pdf/2507.00829 https://arxiv.org/pdf/2505.10321 https://arxiv.org/pdf/2602.17622
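The "noisy before polished" prediction has a defensive corollary: a harness that retries across many targets and many technique variants from one source leaves a fan-out signature. The added example below (mine, not from the newsletter or the cited papers) runs a simple fan-out heuristic over constructed, normalised log events of the form `timestamp src dst action outcome`; the thresholds are illustrative, not tuned:

```python
"""Added example: flag one source that, inside a short window, fails against
many distinct targets using several distinct action types. Log lines and
thresholds are constructed for illustration; tune them for a real estate."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sweeps six hosts with three techniques and
# retries; 10.0.0.2 is an admin with one fat-fingered password.
SAMPLE_LOG = """\
2026-06-01T10:00:01Z 203.0.113.7 10.0.0.5 ssh_login fail
2026-06-01T10:00:03Z 10.0.0.2 10.0.0.5 ssh_login ok
2026-06-01T10:00:04Z 203.0.113.7 10.0.0.6 ssh_login fail
2026-06-01T10:00:09Z 203.0.113.7 10.0.0.7 http_admin_probe fail
2026-06-01T10:00:15Z 203.0.113.7 10.0.0.8 smb_auth fail
2026-06-01T10:00:22Z 203.0.113.7 10.0.0.9 ssh_login fail
2026-06-01T10:00:31Z 203.0.113.7 10.0.0.5 ssh_login fail
2026-06-01T10:00:40Z 203.0.113.7 10.0.0.10 http_admin_probe fail
2026-06-01T10:01:02Z 203.0.113.7 10.0.0.6 smb_auth fail
2026-06-01T10:05:00Z 10.0.0.2 10.0.0.6 ssh_login ok
2026-06-01T10:06:30Z 10.0.0.2 10.0.0.6 ssh_login fail
2026-06-01T10:06:35Z 10.0.0.2 10.0.0.6 ssh_login ok
"""


def parse_events(text):
    """Parse `ts src dst action outcome` lines into tuples with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, action, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src, dst, action, outcome))
    return events


def flag_fanout(events, window=timedelta(minutes=10), min_targets=5, min_actions=3):
    """For each source, slide a window over its failed attempts and flag it when
    the window spans >= min_targets hosts and >= min_actions technique types.
    Returns {src: summary of the busiest qualifying window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev[4] == "fail":          # successes are not noise; only failures count
            by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        for i, first in enumerate(evs):
            t0 = first[0]
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            targets = {e[2] for e in in_window}
            actions = {e[3] for e in in_window}
            if len(targets) >= min_targets and len(actions) >= min_actions:
                cand = {"targets": len(targets), "actions": len(actions),
                        "failures": len(in_window), "window_start": t0.isoformat()}
                if src not in flagged or cand["failures"] > flagged[src]["failures"]:
                    flagged[src] = cand
    return flagged


def detect(text=SAMPLE_LOG):
    return flag_fanout(parse_events(text))


if __name__ == "__main__":
    for src, summary in detect().items():
        print(src, summary)
```

Counting distinct action types, not just distinct targets, is what separates a harness cycling through techniques from a plain brute-force scanner; the admin's single failure never reaches either threshold.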
Another supply-chain compromise worm. Multiple packages in Red Hat’s official redhat-cloud-services npm scope were compromised in a supply-chain attack distributing a credential-stealing worm. Affected versions added a preinstall hook that ran a script. The malware harvested npm, GitHub, AWS, Azure, GCP, Vault, Kubernetes, SSH, CI/CD, and local secrets, then attempted to propagate by abusing the stolen credentials to publish additional malicious packages and modify repositories. Any environment that installed an affected version should be treated as compromised, and every secret reachable from it rotated. https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
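The delivery mechanism was an install-time lifecycle hook, which is something you can enumerate in any checked-out dependency tree. The added example below (my code, not Red Hat’s, Wiz’s or Aikido’s, and the package names in the fixture are constructed) walks a `node_modules` directory and lists every package that declares an install-time script, with a crude keyword flag for obviously suspicious commands:

```python
"""Added example: list install-time npm lifecycle hooks in a dependency tree.
Builds a constructed node_modules fixture in a temp dir so it runs offline;
call scan_lifecycle_hooks(Path("node_modules")) to audit a real project."""
import json
import tempfile
from pathlib import Path

# npm runs these when a package is installed as a dependency (prepare only for
# git dependencies, but it is worth listing).
HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic keywords only; a real hook can be a harmless-looking `node file.js`.
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "base64", "eval(", "node -e")


def scan_lifecycle_hooks(node_modules: Path):
    """Return one finding per (package, hook) found under node_modules."""
    findings = []
    for pkg_json in sorted(node_modules.rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text())
        except (ValueError, OSError):
            continue
        scripts = data.get("scripts") or {}
        for hook in HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append({
                    "package": data.get("name", pkg_json.parent.name),
                    "version": data.get("version", "?"),
                    "hook": hook,
                    "command": cmd,
                    "suspicious": any(m in cmd for m in SUSPICIOUS),
                })
    return findings


def build_fixture(root: Path) -> Path:
    """Constructed fixture: a clean package, a scoped package with a preinstall
    hook, and a native module with a legitimate-looking install script."""
    def write(rel, name, version, scripts=None):
        d = root / "node_modules" / rel
        d.mkdir(parents=True, exist_ok=True)
        pkg = {"name": name, "version": version}
        if scripts:
            pkg["scripts"] = scripts
        (d / "package.json").write_text(json.dumps(pkg))

    write("example-util", "example-util", "1.0.0", {"test": "jest"})
    write("@example-scope/widget", "@example-scope/widget", "2.0.1",
          {"preinstall": "node scripts/setup.js", "test": "jest"})
    write("some-native-lib", "some-native-lib", "0.4.2", {"install": "node-gyp rebuild"})
    return root / "node_modules"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lifecycle_hooks(build_fixture(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}@{f['version']} {f['hook']}: {f['command']}"
              + ("  <-- suspicious" if f["suspicious"] else ""))
```

Treat the list as a triage queue rather than a verdict: the compromised packages simply ran a script, which the keyword filter would not catch, so any hook in a package that has no business running code at install time deserves a look. Preventively, `npm ci --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops these hooks from running at all, at the cost of breaking packages that genuinely need a build step.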
An AI-powered computer worm: a self-replicating agent that reasons its way through a network instead of carrying a fixed exploit list. It steals compute from compromised GPU machines to run its own open-weight LLM, then uses weaker machines as relays for reach. In trials on a corporate testbed it identified vulnerabilities, exploited systems, and launched replicas across Linux, Windows, and IoT targets. Every new infection can add more infrastructure while costing the attacker almost nothing. Patching one flaw no longer ends the threat, because the worm can operationalise fresh advisories, generate new attack logic, and keep adapting without a human operator. It is not a WannaCry-style worm with one baked-in exploit and one baked-in ransomware payload; it can adapt across as many vulnerability classes as it can discover and operationalise. https://arxiv.org/pdf/2606.03811
Privacy
A cyberattack on the humanitarian organization World Food Program exposes sensitive data of a vulnerable population: records of 600,000 households in Gaza, including names, ID numbers, phone numbers and location data, were exfiltrated. The timing is specific: Israel's Supreme Court had just upheld a requirement forcing aid organizations to hand over workers' personal data as a condition of operating in Gaza. In 2022 it was the Red Cross (515,000 people); in 2023, the Norwegian Refugee Council; this time it is WFP. The sector has a poor track record. https://www.thenewhumanitarian.org/news/2026/06/02/data-600000-gaza-households-exposed-wfp-cyber-attack
The world’s largest residential proxy network runs on consent, TLS and vibes. The TV is always watching, and apparently it is also available for contract work in surveillance or data acquisition. Bright Data sells access to a residential proxy network, the kind customers use to route requests through real home IP addresses instead of the datacenter IPs that Cloudflare, DataDome and HUMAN are trained to block. The supply comes from an SDK embedded in consumer apps: CTV games, messengers, mobile apps and screensavers. With consent obtained somewhere upstream, the device becomes an exit node. The TV is perfect for this job. It is plugged in, on WiFi, often unattended and barely supervised. It also asks for consent through a privacy policy and a remote-control UI, which is one way to make “informed choice” look like an endurance sport. One config flag tells the SDK to ignore whether the screen is on. Another tells it to ignore whether the user is on a call. In this economy, watching TV counts as downtime. https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/
Technology Policy
Other
A developer adds instructions telling AI coding agents not to use the project at all (earlier, instructions from the same project had led AI agents to remove its tests and code). https://jqwik.net/docs/1.10.1/user-guide.html#note-to-coding-agents-and-alike
Revolution in computing hardware? Nvidia announced RTX Spark, a chip combining a Blackwell GPU (6,144 CUDA cores, FP4 Tensor cores) with a 20-core Grace CPU and up to 128GB of unified memory, with a claimed 1 petaflop of AI performance. Claimed workloads include rendering 90GB 3D scenes, editing 12K 4:2:2 video, running 120B-parameter LLMs with up to 1 million tokens of context, and generating 4K AI video. The ambition is to bring AI-first computing to PCs and laptops, making Nvidia's stack the default runtime for local AI agents. Microsoft is doing real platform work alongside - Windows scheduler tuning, unified memory changes, TensorRT via Windows ML, OpenShell sandboxing for agent containment. So this isn't just a chip swap. It is also Microsoft's second attempt to define the "AI PC".