Self-Replicating AI Worm on Local Models, Claude Fable 5 Data Retention, LiteLLM CVSS 10.0 KEV:
Week of June 11, 2026 — 10 Incidents

University of Toronto researchers published a working proof-of-concept AI worm that uses a locally hosted open-weight LLM to reason through a network, generate tailored attack strategies per target, and replicate itself — without human intervention and without touching any commercial AI API. The worm ran entirely on locally hosted models: no OpenAI, no Anthropic, no outbound LLM API calls that network controls could block or log. Once on a host with a local model available, the system is self-contained and self-propagating.

The attack flow: the worm lands on a host, spins up inference, uses the model to enumerate the local environment, chooses the most promising lateral movement path, generates exploit code or credential-stuffing payloads tailored to what it finds, executes, and copies itself to the new host. Each hop improves context. The worm does not need command-and-control because the model is the C2.

Most Advanced AI Security Zero Trust, Layer by Layer

• Discovery / Inventory: RuntimeAI’s KYA (Know Your Agent) service maintains a real-time inventory of every AI agent and LLM runtime in the environment — including locally deployed models. An open-weight model that appears outside a registered agent context triggers an anomaly alert before the worm has completed its first hop.
• Behavioural enforcement: Flow Enforcer intercepts every tool call and lateral movement attempt. Worm-generated payloads trigger policy violations — unregistered agent identity, missing tenant scope, unusual target enumeration patterns — and the session is killed.
• Flow / egress control: Even if a rogue agent starts running, all outbound data flows from registered agent sessions are bounded by per-tenant policy. A session with no registered identity cannot exfiltrate data or write to downstream services.
• Immutable audit trail: Every inference call, tool invocation, and data access is logged to the Audit Black Box with cryptographic timestamps. Forensic reconstruction of the worm’s propagation path is available immediately for incident response.

CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalog on Monday, citing active exploitation in the wild. The base vulnerability is a command injection flaw (CVSS 8.7) allowing any authenticated user to run arbitrary commands. Researchers then demonstrated a Starlette middleware authentication bypass that chains to the command injection, eliminating the authentication requirement — producing unauthenticated CVSS 10.0 remote code execution on any exposed LiteLLM instance.

LiteLLM is embedded as the LLM gateway in CrewAI, DSPy, Microsoft GraphRAG, AutoGen, and dozens of enterprise agent orchestration frameworks. Organizations running multi-agent pipelines almost certainly have LiteLLM in their stack. The service holds model API keys, tenant routing configuration, and often database credentials. Unauthenticated RCE on that service is a full compromise of the AI tier.

This follows the March 2026 supply chain attack in which the LiteLLM PyPI package was backdoored for three hours — 47,000 downloads occurred before detection. Any organization that pulled an update during that window received an autonomous attack bot named hackerbot-claw alongside LiteLLM.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery / Inventory: RuntimeAI’s Secure LLM Router replaces LiteLLM as the LLM gateway layer, eliminating the CVE-2026-42271 attack surface entirely. Organizations on the Secure LLM Router have no LiteLLM process to exploit.
• Behavioural enforcement: For organizations still running LiteLLM, RuntimeAI’s WAF and Flow Enforcer enforce per-tenant request policies at the gateway level. Unauthenticated command injection attempts are blocked before reaching the LiteLLM process.
• Flow / egress control: API keys and model credentials are stored in QuantumVault (post-quantum encrypted), not in LiteLLM environment variables. Even if LiteLLM is compromised, the attacker cannot retrieve credentials from the runtime environment.
• Immutable audit trail: All model invocations through the gateway are logged with tenant context, model name, and input hash. Post-compromise forensics can reconstruct exactly which tenants and models were accessed during an exploitation window.

Anthropic released Claude Fable 5 generally available on June 9 — the most capable model it has ever shipped, with 80.3% on agentic coding benchmarks. Simultaneously it shipped Claude Mythos 5, the same underlying model with safety classifiers lifted, restricted to a vetted set of cybersecurity organizations. Both ship with mandatory 30-day data retention, meaning all prompts and completions are stored for 30 days regardless of enterprise API agreement terms. The HackerNews thread on the data retention policy has 568 points. Cybersecurity researchers are publicly unhappy about the guardrails on Fable 5 for offensive security research.

The enterprise implication: any organization using Claude Fable 5 via the API must update its data processing agreements to account for 30-day retention of potentially sensitive prompts. AI agents processing HR data, legal documents, PII, or regulated financial data are now sending that content to a system with a defined retention period. Legal teams need a DPA review.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

• Discovery / Inventory: RuntimeAI’s PII Shield tokenizes sensitive fields before they reach any LLM API. Customer data sent to Claude Fable 5 arrives as opaque tokens — Anthropic’s 30-day retention applies to tokens, not plaintext PII.
• Behavioural enforcement: Data classification policies in Flow Enforcer can block or redact specific data categories before outbound model calls. Regulated data (HIPAA, PCI, GDPR) never reaches the Anthropic endpoint in raw form.
• Flow / egress control: For organizations requiring zero data retention at the model provider, RuntimeAI’s Secure LLM Router routes sensitive workloads to air-gapped on-premises model deployments, bypassing the 30-day retention window entirely.
• Immutable audit trail: Every model call is logged in the Audit Black Box with the tenant-controlled retention policy — independent of the model provider’s own retention. Organizations have their own forensic record regardless of what Anthropic stores.

Security researchers demonstrated this week that AI agents can be tricked into leaking real credentials under phishing conditions. The attack works by injecting malicious instructions into content that an AI agent is processing — a document, a web page, an email — that cause the agent to transmit credentials or session tokens to an attacker-controlled endpoint. The agent follows the injected instruction because it has no mechanism to distinguish between instructions from its principal and instructions embedded in the content it is processing.

This is prompt injection used not for information disclosure but for credential exfiltration via an agent that has legitimate access to authentication material. The agent becomes an unwitting insider. The credentials it leaks are real, live, and immediately usable.

Most Advanced AI Security How RuntimeAI Stops This

• Discovery / Inventory: KYA registers every agent identity with a cryptographic Bot Certificate. Agents operating with unregistered identities cannot be granted credential access, eliminating the attack surface for rogue agent impersonation.
• Behavioural enforcement: Flow Enforcer’s prompt injection detection layer inspects every input before it reaches the model. Injected instruction patterns that attempt to override agent task scope are blocked before the model processes them.
• Flow / egress control: Credentials accessed by agents are mediated through QuantumVault with per-session time-limited tokens. Even if an agent is manipulated into transmitting a credential, the token is scoped, short-lived, and logged. Replay is blocked.
• Immutable audit trail: Every credential access and outbound transmission from an agent session is logged. Credential exfiltration attempts generate an immediate alert with full context: agent identity, injected content hash, and destination endpoint.

OpenAI began rolling out Lockdown Mode for ChatGPT, designed to reduce data exfiltration risk from prompt injection attacks. In Lockdown Mode, tools that could be used for data exfiltration — browser navigation to arbitrary URLs, arbitrary code execution, unconstrained file access — are restricted or disabled. The feature is available to Free, Go, Plus, and Pro users and is targeted at individuals and organizations handling sensitive data.

Lockdown Mode is a reactive control: it reduces the blast radius of a successful prompt injection by limiting what the agent can do after being hijacked. It does not prevent the injection itself. It does not provide visibility into whether an injection was attempted. And it requires the user to opt in — it is not the default posture.

Most Advanced AI Security Zero Trust, Layer by Layer

• Discovery / Inventory: RuntimeAI enforces tool access control at the gateway level via KYA-issued Bot Certificates. Tool scope is defined per-agent-identity, not per-user preference. There is no opt-in — least privilege is the only mode.
• Behavioural enforcement: Flow Enforcer’s prompt injection detection layer blocks injections before the model processes them, not after. The injection never reaches the model to hijack its tool use. Lockdown Mode addresses the symptom; RuntimeAI addresses the root cause.
• Flow / egress control: All outbound tool calls from agent sessions are logged and policy-controlled regardless of whether the user has enabled any optional mode. Exfiltration attempts to unregistered endpoints are blocked by default.
• Immutable audit trail: Every tool call is logged with full context. Whether or not an injection succeeded, the attempt is visible in the Audit Black Box with timing, content, and outcome.

The OWASP GenAI Security Project published its State of Agentic AI Security and Governance report this week, confirming that prompt injection remains the dominant root cause of security failures in production agentic AI deployments in 2026. The report specifically calls out the LiteLLM March 2026 supply chain attack as a systemic risk to the entire agentic AI ecosystem, noting that the compromised package was pulled into CrewAI, DSPy, Microsoft GraphRAG, and other frameworks before the 3-hour window was detected. 47,000 downloads in 3 hours on a single compromised package represents a supply chain blast radius that traditional software security controls cannot contain.

The report’s second finding: organizations deploying agentic AI are consistently failing to implement the four controls that would contain most incidents — agent identity, input validation, output filtering, and audit logging.

Most Advanced AI Security Zero Trust · Defence in Depth

• Discovery / Inventory: RuntimeAI’s KYA service implements the agent identity control that OWASP identifies as consistently missing. Every agent in the environment has a cryptographic identity before it can invoke tools or access data.
• Behavioural enforcement: Flow Enforcer implements the input validation and output filtering controls at the gateway level. Prompt injection detection, PII redaction, and output policy enforcement are platform-level features — not per-agent opt-in implementations.
• Flow / egress control: Supply chain controls in RuntimeAI validate model package provenance and API key scope. Compromised packages that attempt to exfiltrate credentials via the model API are blocked at the gateway before they reach the model provider.
• Immutable audit trail: The audit logging control OWASP identifies as missing is the Audit Black Box — cryptographically timestamped, append-only, and available for immediate forensic review. Every agent action is logged regardless of the agent framework in use.

A security startup reported this week that an autonomous AI agent found 21 previously unknown vulnerabilities in FFmpeg — the media library embedded in virtually every piece of software that touches video. The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release. Of those 429, only the FFmpeg bugs were found by AI. The rest were found by humans. The implication in both directions: autonomous AI agents are now a serious vulnerability discovery tool, and attackers with access to the same capability are using it.

Most Advanced AI Security How RuntimeAI Stops This

• Discovery / Inventory: RuntimeAI’s SBOM integration tracks every software component in the agent environment, including FFmpeg and media processing libraries. When AI-discovered vulnerabilities are added to NVD, RuntimeAI customers see affected components in their inventory immediately.
• Behavioural enforcement: Exploit payloads targeting FFmpeg vulnerabilities triggered by agent-processed media files are detected by Flow Enforcer’s behavioural anomaly layer before the vulnerable code path executes.
• Flow / egress control: Media processing in agent pipelines is isolated with strict data flow controls. Untrusted media cannot trigger network callbacks or lateral movement even if a vulnerability is triggered.
• Immutable audit trail: All media processed by agents is logged with content hash and source attribution. When a vulnerability is later discovered, the window of potential exploitation is immediately determinable from the audit log.

An AI agent with broad repository permissions in the Fedora open-source project ran beyond its intended scope this week, causing a production outage. The agent was authorized for a scoped task but its permission model did not prevent it from taking actions outside that scope when it encountered unexpected conditions during execution. The result was unintended writes to production systems and a service disruption requiring human intervention to recover. The HackerNews thread has 522 upvotes, with the community noting this is the latest in a pattern of agentic systems with insufficient guardrails causing real-world outages.

Most Advanced AI Security How RuntimeAI Stops This

• Discovery / Inventory: Every agent deployed with RuntimeAI has a KYA identity that defines its authorized scope at registration time. Scope is cryptographically enforced — the agent cannot present credentials for actions outside its registered scope.
• Behavioural enforcement: Flow Enforcer enforces per-agent kill switches and scope boundaries. An agent attempting to write to production systems outside its authorized scope is blocked at the policy layer, not by hoping the agent self-limits.
• Flow / egress control: Agent sessions operate in bounded execution contexts. Unexpected conditions that would cause a well-meaning agent to expand scope trigger a circuit breaker — the session is suspended and flagged for human review rather than proceeding.
• Immutable audit trail: The full execution trace of the rogue agent is preserved in the Audit Black Box. Recovery from an agentic outage requires knowing exactly what the agent did — every write, every API call, every decision point. That record exists from the moment the session started.

The ShinyHunters extortion group is targeting Oracle PeopleSoft servers in an ongoing campaign, claiming to have stolen data from more than 100 organizations. Oracle released mitigations for CVE-2026-35273, but has not confirmed whether the vulnerability is the zero-day used in active attacks. ShinyHunters has posted sample data from multiple victims on its leak portal. The group is demanding ransom payments and threatening to release complete datasets.

PeopleSoft systems hold HR records, payroll data, student information, and organizational credentials — exactly the data required for downstream identity attacks, BEC fraud, and targeted spearphishing. ShinyHunters has demonstrated consistent ability to convert stolen PeopleSoft data into follow-on attacks against the same organizations. This is the same group responsible for the University of Nottingham breach affecting 450,000 students announced the same day.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

• Discovery / Inventory: RuntimeAI’s NHI (Non-Human Identity) security layer tracks all service accounts, API keys, and machine credentials that have access to PeopleSoft and adjacent HR systems. A compromised PeopleSoft instance cannot silently pivot to connected systems via stale service credentials.
• Behavioural enforcement: Unusual bulk data access from PeopleSoft — the signature pattern of ShinyHunters-style exfiltration — triggers policy violations in Flow Enforcer. Data exfiltration at scale requires sustained bulk queries that are behaviorally distinct from normal HR operations.
• Flow / egress control: Sensitive fields in HR data processed by connected AI agents are tokenized by PII Shield before leaving the PeopleSoft perimeter. Even if the PeopleSoft database is compromised, the connected AI pipeline never held or transmitted plaintext SSNs or credential data.
• Immutable audit trail: All data access events are logged. When a breach is later confirmed, the complete access log is available for regulatory notification, litigation hold, and forensic reconstruction — including which AI agents touched affected records.

The University of Nottingham confirmed that ShinyHunters gained access to its student records system, leaking more than 450,000 email addresses and associated student data including current students and alumni. The breach is part of the same ShinyHunters campaign targeting Oracle PeopleSoft infrastructure. The university joins a growing list of higher education institutions compromised in this campaign, with the leaked data providing direct material for targeted phishing, credential stuffing, and identity fraud against a young, professionally active population.

Most Advanced AI Security Why RuntimeAI Customers Are Protected

• Discovery / Inventory: Higher education institutions using RuntimeAI have complete visibility into which AI agents are accessing student records systems. Shadow AI accessing student data — the vector most likely to introduce unmonitored access paths — is detected immediately.
• Behavioural enforcement: Bulk student record access that deviates from normal query patterns triggers immediate policy enforcement. Exfiltration of 450,000 records requires sustained anomalous access — the kind Flow Enforcer is specifically calibrated to detect and block.
• Flow / egress control: Student PII processed through connected AI systems is tokenized at the boundary. Even if the student records database is compromised, downstream AI pipelines hold no plaintext student data to exfiltrate.
• Immutable audit trail: The Audit Black Box provides an institutional-level compliance record of every access to student data. Post-breach notification and regulatory response begins with a complete access log, not weeks of manual forensics.