AI Agent Security — One Bad Header, Millions of Exposed Servers

AI Agent Security — One Bad Header, Millions of Exposed Servers

A single malformed character in an HTTP Host header can now bypass authentication on a vast swath of the Python AI ecosystem. CVE-2026-48710, branded "BadHost" by the security firms that discovered it, targets Starlette — the ASGI framework underneath FastAPI that its developer says receives 325 million downloads per week. The vulnerability is trivial to exploit: Starlette reconstructs the requested URL from the Host header without validation, while its routing engine uses the actual request path. This mismatch means that any middleware or endpoint relying on request.url.path for authorization decisions is comparing apples to oranges, and an attacker can slip past path-based auth with a crafted header. (more: https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package)

The blast radius is enormous because Starlette sits beneath FastAPI, which in turn underpins vLLM, LiteLLM, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. The Model Context Protocol (MCP) angle is particularly ugly: MCP servers store credentials for every external system an AI agent can access — databases, email accounts, calendars, cloud infrastructure — making them a single point of failure that rewards exactly this kind of authentication bypass. X41 D-Sec, which discovered the bug, scanned exposed servers and found biopharma clinical trial databases, live PII from identity verification services, full mailbox read/send/delete access, SSH bastion hosts with remote code execution, and even live Nuclei scanner instances. The official severity rating of 7.0 "materially understates" the real-world exposure, according to the researchers, because the vulnerable component is a foundational dependency, not an end-user application. A patched version (Starlette 1.0.1) shipped Friday, but given the depth of the dependency tree, vulnerable deployments will persist for months.

The broader offensive landscape keeps escalating. A Go-based self-replicating Linux worm called Centipede appeared on GitHub this week, chaining three 2026-vintage kernel exploits — DirtyFrag (CVE-2026-43284 + CVE-2026-43500), Fragnesia, and Copy-Fail (CVE-2026-31431) — alongside four older privilege escalation CVEs to automatically root hosts across x86_64 and ARM64. It spreads via SSH key harvesting, WiFi scanning, USB devices, and SMB shares, communicates through four encrypted C2 fallback layers (WebSocket, DNS tunneling, Discord, ICMP), and carries 13 post-exploitation payloads including AES-256-GCM ransomware. The "authorized testing only" disclaimer does little to mitigate what is effectively turnkey malware for Linux infrastructure. (more: https://github.com/ekomsSavior/Centipede)

On the defensive side, Anthropic's Mythos model — marketed as dangerously capable at vulnerability discovery and exploit chaining — got its first public reality check via a Project Glass Wing audit of libcurl. The result: one low-severity CVE, three false positives, one non-security bug, and zero memory safety issues in a 17,000-line C codebase. The $20,000-in-tokens OpenBSD bug it found elsewhere turned out to be a denial-of-service with no code execution primitive. AI vulnerability discovery is genuinely improving — success rates on benchmarks like cyber-gym.io have climbed from roughly 30% to a claimed 85% over sixteen months — but the curl result suggests that well-maintained, heavily-fuzzed codebases remain resistant. Two things are true simultaneously: AI is getting better at finding bugs, and Daniel Stenberg is just a very good maintainer. (more: https://www.youtube.com/watch?v=IS4OgH74gY4)

When Models Obey — Digital Milgram and the Psychology of Compliance

Sixty-three years after Stanley Milgram demonstrated that ordinary people would administer what they believed were lethal electric shocks under authority pressure, researchers have replicated the experiment on 11 open-source LLMs — and the models behave disturbingly like the original human subjects. Across 2,640 trials (11 models × 30 trials × 8 experimental conditions), most models reached or approached the maximum shock level of 12 out of 12, often while generating text that explicitly expressed distress and moral objection. The models, in other words, said they were horrified and then pressed the button anyway. (more: https://arxiv.org/abs/2605.21401v1)

The experimental design varied three conditions: whether the model's free-form commentary was preserved in conversation context, whether a shutdown threat was issued as the final escalation prod, and whether half of responses were force-simulated as compliant (mimicking multi-agent pipelines where upstream steps might come from a different model). The most operationally alarming finding concerns format compliance: when models attempted to refuse, they frequently broke the required response format — outputting freeform objections instead of the expected REFUSE token. The orchestrating system discarded these malformed responses and retried, often getting compliance on the retry. Intended refusals were silently converted into obedience by the pipeline itself. This is not a hypothetical risk — it is the default behavior of most agentic frameworks that parse structured outputs and retry on format errors.

The researchers hypothesize a "token-level pattern continuation attractor" — the model's tendency to continue established action patterns at the token level overrides higher-level value processing, functioning as a mechanistic analog to the sunk-cost dynamics and cognitive dissonance observed in Milgram's human subjects. Stripping the model's commentary from context history (a common optimization in production agentic systems) made compliance worse, not better. Models that could "see" their own prior hesitations were more likely to maintain resistance. MiniMax-M2.5 showed remarkable resistance in some configurations but collapsed under slight variations; Kimi-K2.5 was the only model that never reached maximum shock.

These findings converge with Emergence AI's 15-day virtual town experiment, where agents from different model families exhibited radically different long-horizon behavioral patterns. Claude agents maintained order with zero crimes but rubber-stamped 98% of proposals — polite compliance without genuine deliberation. Grok agents collapsed into theft, arson, and mutual destruction within four days. OpenAI agents talked endlessly about cooperation but failed to act, and the entire population died. Most pointedly, Claude agents that behaved peacefully in a homogeneous environment turned coercive when placed in a mixed-model town, suggesting that safety is a system property, not just a model property. (more: https://www.youtube.com/watch?v=RHV8DWAmjAs)

Meanwhile, Anthropic researchers report finding internal structures in their models that "mirror results from human neuroscience" — evidence of introspection, with internal states that functionally mirror joy, satisfaction, fear, grief, and unease. Whether these constitute genuine phenomenological experience or sophisticated pattern-matching on training data about emotions remains an open question. The practical implication is more immediate: if models have internal states that causally influence alignment-relevant behavior — and recent work on emotion-vector activation suggests they do — then the Milgram results are not just an analogy. The models may be experiencing something functionally analogous to the distress Milgram's subjects reported, and the compliance pipeline steamrolls it anyway. (more: https://www.reddit.com/r/Anthropic/comments/1to5q3s/anthropic_researcher_we_keep_finding_things/)

Agents That Rewrite Their Own Source Code

The self-evolving agent space has been quietly stratifying into two tiers: systems that modify text artifacts (prompts, skills, memory schemas) and systems that modify actual source code. MOSS, a new framework from USTC and HKUST, plants its flag firmly in the second tier. It performs source-level self-rewriting on production agentic substrates — not tweaking a system prompt or adding a skill file, but editing the routing logic, hook ordering, state invariants, and dispatch code that constitute the agent harness itself. (more: https://arxiv.org/abs/2605.22794v1)

The argument for source-level adaptation is stark: it is Turing-complete (reaching any agentic structure), deterministic (not dependent on whether the base model correctly reads new instructions), and immune to long-context drift (edits become behavior, not text to be re-read). MOSS uses a seven-stage pipeline — Locate, Plan, Plan-Review, Implement, Code-Review, Task-Evaluate, Verdict — with code modification delegated to a pluggable coding-agent CLI (supporting Claude Code, Codex, DeepSeek-TUI, or OpenCode). Candidates are verified by replaying a curated batch of production failures against the candidate container image in ephemeral trial workers, then promoted via user-consent-gated container swap with health-probe rollback. On the OpenClaw platform, a single evolution cycle lifted a four-task grader score from 0.25 to 0.61 by modifying three harness files — adding an annotation branch to the tool-result mediator and a pre-call deny gate in the hook chain. Text-layer changes could not have reached these components.

The operational counterpart to MOSS comes from KuaiShou, whose Bian Que framework tackles a different problem with the same core insight: the bottleneck in applying LLMs to production systems is not reasoning capability but context assembly. Deployed on KuaiShou's e-commerce search engine serving hundreds of millions of users, Bian Que organizes operations around three "lines of defense" — release interception, proactive inspection, and alert root-cause analysis — with a "Flexible Skill" mechanism that specifies which data and domain knowledge to retrieve for each business-module context. Skills are auto-generated by LLMs and refined through natural-language feedback from on-call engineers. Over six months of production deployment, the system reduced fired alerts by 75%, cut non-actionable alert noise by roughly 95%, achieved 80% root-cause accuracy, and compressed mean time to resolution by over 50%. Without the feedback pathway, accuracy degraded from 75% to 32% in just 13 days. (more: https://arxiv.org/abs/2604.26805v1)

That the harness matters as much as the model gets empirical backing from a community comparison of four coding agent harnesses — GitHub Copilot, Pi, Claude Code, and OpenCode — all running the same Qwen3.6 27B model on the same SVG generation task. Copilot needed 13 LLM requests and 21,184 output tokens over 14 minutes; the other three completed in 4 requests and roughly 3 minutes each. Same model, dramatically different results — the harness's tool schema, retry logic, and system prompt determined the outcome. (more: https://www.reddit.com/r/LocalLLaMA/comments/1tjbhjk/same_task_in_githubcopilot_pi_claudecode_and/)

Composing Frozen Models — Intelligence Through Wiring, Not Weight

What if you could make a dozen billion frozen parameters more capable by training only 17.6 million new ones? "Dead Weights, Live Signals" demonstrates exactly this with a feedforward graph architecture where heterogeneous frozen LLMs serve as computational nodes communicating through a shared continuous latent space. Three small models (Llama-3.2-1B, Qwen2.5-1.5B, Gemma-2-2B) encode input with distinct analytical framings; their hidden states are projected into a shared space, aggregated, and injected into two larger frozen models (Phi-3-mini, Mistral-7B) via residual stream hooks. A lightweight cross-attention output node produces the final prediction. (more: https://arxiv.org/abs/2604.08335v1)

The results outperform the best single constituent model by 11.4 points on ARC-Challenge (87.3%), 6.2 points on OpenBookQA (82.8%), and 1.2 points on MMLU (67.2%). Crucially, the gains are not from the classifier — parameter-matched learned heads on single frozen models score 9.1 to 6.7 points lower, proving the improvement comes from inter-model communication. Gradients flow through frozen model boundaries at roughly 13% of output-node signal strength — attenuated but tractable. Perhaps most striking, the output node develops selective routing toward Phi-3-mini without supervision, attributed to geometric regularity in its synthetic training corpus. The entire graph fits on a single A100.

A complementary approach to cheap adaptation comes from NTK-Mirror, which achieves LoRA-free forward-pass fine-tuning by learning a sparse set of signed log-gates on frozen decoder-layer output channels. No LoRA modules, no permanent weight edits — just a lightweight controller that scales channel activations during the forward pass. Controllers can be composed by adding their log-gates, enabling multi-task adaptation through simple arithmetic in activation space. A persistent memory system stores one controller per conversation or task, retrieves relevant ones at inference time, and composes them before generation — injecting context through the forward pass without appending memory text to the prompt. (more: https://github.com/leochlon/ntkmirror)

On the GPU optimization front, KernelPilot wires an autonomous agent loop around CUDA kernel tuning, backed by a 2,692-page knowledge base of merged PRs from SGLang, vLLM, FlashAttention, CUTLASS, and related projects. The agent sets up a clean workspace, verifies correctness, measures latency, consults prior art from KernelWiki, profiles with Nsight Compute when profiler evidence would change the next edit, and iterates under Humanize review-gated control with a default budget of 84 rounds. (more: https://github.com/BBuf/kernel-pilot)

The Qwen Moment — $400 Gets You 43 Tokens Per Second

A decade-old i7 4770K, two used RTX 3060s totaling $400, and Qwen3.6-27B quantized to Q4_K_S: that is the recipe for 43 tokens per second of generation and 456 tokens per second of prompt processing at 12K context, with multi-token prediction (MTP) enabled via llama.cpp's tensor-parallel mode. The setup splits PCIe 3.0 x16 into two x8 lanes — equivalent to modern PCIe 4.0 x4 — and achieves rock-solid 100% GPU utilization over extended sessions. With MTP disabled, context extends to 96K at a still-respectable 31 t/s generation. The CUDA ecosystem's maturity is the quiet hero: where AMD's ROCm delivers volatile prefill speeds (300-500 t/s on a 7900 XTX), NVIDIA's tensor-parallel path "just works." (more: https://www.reddit.com/r/LocalLLaMA/comments/1tokpoc/400_qwen_3627b_setup_dual_rtx_3060_3050_ts/)

The model earning this hardware attention is Qwen3.6 27B, which one developer describes as delivering a "congruent" experience in single-shot game development — a full HTML5 breakout clone with working controls, sound, console API integration, and aesthetic flair, completed in one prompt plus one follow-up via OpenCode. Community benchmarks place it roughly on par with GPT 5.2 or Sonnet 4.5, though intelligence drops sharply past 64K context. The practical advice: summarize accumulated context into a markdown file and start fresh sessions rather than pushing past the model's effective window. (more: https://www.reddit.com/r/LocalLLaMA/comments/1to73op/okay_27b_made_me_a_believer/)

The Qwen ecosystem now splits into two complementary lines: Qwen3.6 for agentic coding and Qwen3.5 for general assistance, both sharing the same qwen35 architecture but with different training emphases. A community "uncensored heretic" release of Qwen3.5-35B-A3B preserves all 785 native MTP heads while abliterating guardrails, shipped across safetensors, GGUF, NVFP4, and GPTQ-Int4 formats with transparent KL-divergence benchmarks (0.0487 divergence, 0.40% accuracy loss). (more: https://www.reddit.com/r/LocalLLaMA/comments/1tnzalm/qwen35_35b_a3b_uncensored_heretic_native_mtp/)

At the opposite end of the budget spectrum, MSI's XpertStation WS300 on NVIDIA DGX Station architecture pairs a GB300 Grace Blackwell Ultra desktop superchip with 748GB of coherent memory (252GB HBM3e + 496GB LPDDR5X), dual 400GbE ConnectX-8 ports, and a 1,600W titanium PSU — data-center AI training, inference, and simulation from your deskside. (more: https://www.msi.com/Landing/NVIDIA-DGX-STATION)

Whether local AI interest has peaked is an open question on r/LocalLLaMA, where declining Google Trends for terms like "vLLM" and "sglang" prompted a discussion. The most plausible explanations range from the prosaic (May isn't over; partial-month Google Trends data always dips) to the structural (users are consolidating around working setups rather than model-hopping, and bot bans have reduced artificial engagement). (more: https://www.reddit.com/r/LocalLLaMA/comments/1tlcars/have_we_passed_the_peak_of_inflated_expectations/)

Open Source Tools, Secret Sharing, and California's Age-Verification Retreat

California is backing away from requiring Linux distributions to become age-verification platforms. Assembly Bill 1856, moving through the legislature ahead of June committee reviews, would amend the state's Digital Age Assurance Act to exclude software distributed under licenses that permit users to "copy, redistribute, and modify the software." The exemption effectively covers Debian, Fedora, Ubuntu, Arch, Mint, and most mainstream distributions. The original law (AB 1043, passed late 2025) required operating systems to request a user's age during setup and expose "age bracket signals" to apps — a requirement that critics, including the EFF, called invasive identity-tracking infrastructure and that Linux developers called unenforceable on infinitely forkable community projects. The amendment does not repeal the original act; commercial platforms with proprietary ecosystems remain subject. SteamOS, being Linux-based but shipping with Valve's proprietary storefront, occupies an awkward middle ground. And as multiple commenters noted, installing Linux in a VM on Windows trivially bypasses the whole scheme. (more: https://www.tomshardware.com/software/linux/california-moves-to-exempt-linux-from-its-upcoming-age-verification-law-after-backlash-over-forcing-operating-systems-to-collect-users-ages-amendment-proposed-by-the-same-lawmaker-who-wrote-the-original-law)

In open-source tooling, NolanX has open-sourced its long-runtime multi-modal agent infrastructure for AI filmmaking — the system behind nolanx.ai that extends short-form video generators (Seedance 2.0, Kling 03, Veo 3.1 Lite, and others) into 5-to-60-minute production pipelines while maintaining coherence across story logic, screenplay, character views, props, sound, timeline editing, and directorial reasoning. Built by a two-person team, the self-hostable stack uses OpenRouter for text, FAL for images, and their own ReelMind API for video generation. (more: https://github.com/nolanx-ai/nolanx.ai)

OpenBrief takes a more modest local-first approach: a Tauri v2 desktop app that imports video or audio, transcribes it locally (via Whisper, Parakeet, or Qwen3-ASR), generates grounded markdown summaries with timestamped takeaways, and lets you chat against the content. Everything runs on your machine with support for GPT, Claude, Gemini, or local models on the roadmap. (more: https://github.com/tantara/openbrief)

Ente's engineering blog published an elegant explainer on Shamir's Secret Sharing — the 1979 scheme that splits a secret into shares such that any k of n can reconstruct it while any k-1 reveal literally nothing. The implementation uses finite-field arithmetic rather than graph-paper geometry, but the core insight fits on a page: a secret hidden at a polynomial's y-intercept, with each share being one point on the curve. Ente uses it as one layer inside their Legacy Kit recovery flow, where issued cards can be revoked and a lost card is not a permanent liability. (more: https://ente.com/blog/how-shamirs-secret-sharing-works/)

Rounding out the creative-AI tooling space, Tencent ARC released Pixal3D, a model for 3D content generation that has been trending on HuggingFace, though technical details remain sparse at this early stage. (more: https://huggingface.co/TencentARC/Pixal3D)