When the Full Stack Fights Back: Cross-Layer Attacks on Compound AI

When the Full Stack Fights Back: Cross-Layer Attacks on Compound AI

The security conversation around AI pipelines has long fixated on the algorithmic layer — jailbreaks, prompt injection, training data poisoning. A new paper from UT Austin and Intel researchers argues that fixation is dangerously incomplete. "Cascade" introduces a systematic red-teaming framework that composes attack gadgets across software CVEs, hardware side-channels, and algorithmic exploits to compromise compound AI systems end-to-end. The core insight: modern AI pipelines are not monolithic models but layered stacks of LLMs, vector databases, orchestration frameworks (LangChain, Ollama), and distributed hardware — each layer harboring its own vulnerabilities that can amplify attacks on adjacent layers. (more: https://arxiv.org/abs/2603.12023v1)

The paper's proof-of-concept chains three distinct exploit classes. First, a code injection vulnerability in a query enhancer (targeting real CVEs in LangChain and LlamaIndex) triggers a denial-of-service that forces the pipeline to bypass query sanitization entirely. Second, a Rowhammer-based fault injection flips bits in the guardrail model's memory — not the generator's — corrupting either trigger tokens or attention masks. The Type 3 variant (random attention bitflip) achieved a 94% guardrail evasion rate because boosting attention on any single safe token effectively suppresses all others, including multiple trigger words. Third, with the guardrail neutralized and the query enhancer down, a GCG-crafted adversarial suffix jailbreaks the generator at an 82% success rate. The researchers curated a corpus of 100 algorithmic vulnerability papers, 100 software CVEs, and dozens of hardware attack primitives, then used LLM-based reasoning to search for viable attack chains — essentially building an automated red-team that explores cross-stack compositions human testers would rarely attempt.

This matters because it demonstrates that guardrails and query sanitizers, the go-to defenses for production AI deployments, can be rendered irrelevant by exploits that never touch the model algorithm at all. The framework also systematizes existing attack patterns (SQL injection into PoisonedRAG, malicious HuggingFace packages exfiltrating queries, I/O bus snooping for membership inference) into a composable taxonomy. Meanwhile, a lighter but related technique surfaced on Reddit: injecting special tokens to gaslight LLMs during code reviews, causing them to overlook malicious code by exploiting how models process control tokens differently from natural language. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rwg41x/gaslighting_llms_with_special_token_injection_for/)

On the defensive side, Cisco shipped an AI Security Scanner IDE plugin that watches the supply chain around MCP servers, agent skills, and AI-generated code. It combines YARA rules and behavioral analysis (fully local) with optional LLM-based and VirusTotal analysis, scanning MCP config files and skill definitions for hidden instructions, data exfiltration patterns, and prompt injection. A Watchdog mode monitors file changes with snapshot-and-revert capability. Notably, it analyzes descriptions only — never executes MCP tools or runs skill code — and source code never leaves the machine unless you opt in to file upload. (more: https://cisco-ai-defense.github.io/docs/ai-security-scanner)

The offensive side is moving even faster. A deep analysis of AI-native offensive security startups reveals over $600 million raised across five companies alone. Armadin, founded by Kevin Mandia (who built and sold Mandiant twice), emerged with a record $150 million combined seed-and-Series-A to build "agentic attacker swarms." Horizon3's NodeZero has powered over 150,000 autonomous pentests, including the NSA's Continuous Autonomous Penetration Testing program. XBOW, now at $273 million in funding, became the first autonomous system to rank #1 on HackerOne, identifying over 1,000 vulnerabilities. The exploitation timeline data is stark: from 771 days between disclosure and exploitation in 2006, to under 24 hours in recent observations, to Google's Threat Analysis Group documenting exploitation within four hours. When your quarterly pentest report is stale before the ink dries, the model is not struggling — it is failing. (more: https://www.resilientcyber.io/p/the-new-offense-how-ai-agents-are)

From Silicon Leakage to Automated Recon: The Practitioner's Edge

While AI security dominates the headlines, some of the most technically impressive offensive work happens at the hardware layer with a multimeter and patience. A new writeup documents the first publicly known side-channel key extraction from Texas Instruments' MSPM0G3507 hardware AES engine — a microcontroller with no prior published SCA research. The critical insight that makes or breaks this attack: hardware AES does not leak the same way software AES does. In software, every intermediate value hits a data bus, leaking power proportional to its Hamming Weight. Hardware AES processes rounds through dedicated logic where intermediate values are wired directly between stages and never touch a bus. The actual leakage event occurs at round boundaries, when the AES engine writes new state back to an internal register, leaking in proportion to the Hamming Distance between old and new state. (more: https://bedri-zija.github.io/mspm0g3507-cpa)

The researcher used a ChipWhisperer Nano clocked synchronously from the MSPM0's own clock output (1 sample per cycle — eliminating jitter entirely), removed the onboard decoupling capacitor to expose the VCORE rail, and performed reverse CPA with the known key to map all 10 AES rounds across the trace before attempting the actual attack. The custom selection function targets the Hamming Distance across SubBytes in the final round, and full AES-128 key recovery required just 45,500 traces out of 100,000 captured. TI has a standing advisory acknowledging power analysis vulnerability with a CVSS score of 4.8–6.1, but the MSPM0G3507 carries no documented mitigations. For anyone deploying this chip in key-protecting roles, the message is clear.

On the automated pentest front, RedAmon hit version 3.0 with 25+ features including eight new tools in the discovery pipeline (ffuf, Arjun, ParamSpider, Amass, puredns, Katana, SecretFinder, theHarvester), parallel fan-out/fan-in execution, a Wave Runner system that fires independent tools simultaneously, and a Tool Confirmation Gate for human-in-the-loop control before destructive tools like nmap or Metasploit execute. Rules of Engagement can now be uploaded as PDF/DOCX and automatically parsed into 30+ structured enforcement settings. (more: https://www.linkedin.com/posts/samuele-giampieri-b1b67597_ffuf-arjun-paramspider-share-7441945161569341440--LUH)

The $23 Million Key: DeFi's Off-Chain Blind Spot

On March 22, an attacker minted 80 million unbacked USR stablecoins on the Resolv protocol and extracted roughly $23 million in ETH — not by exploiting a smart contract bug, but by compromising the protocol's AWS Key Management Service environment and using its own signing key against it. The smart contract worked exactly as designed. It checked for a valid signature from the SERVICE_ROLE key, found one, and minted whatever amount was requested. There was no on-chain ratio check between collateral deposited and USR minted, no price oracle, no cap. The attacker deposited ~$100K–$200K in USDC, then used the compromised key to authorize tens of millions in USR output across two transactions. (more: https://www.chainalysis.com/blog/lessons-from-the-resolv-hack/)

The attacker then converted the unbacked USR to wstUSR (a staking pool derivative), rotated through multiple DEX pools and bridges into stablecoins, and finally into ETH — a textbook layered extraction designed to maximize value before detection. USR's peg collapsed by 80%. Resolv had undergone multiple audits. The takeaway is not that audits are useless — it is that auditing smart contracts while ignoring the off-chain infrastructure that controls privileged keys is security theater. As DeFi systems increasingly depend on cloud services, external signing keys, and off-chain approval workflows, the actual attack surface has quietly migrated from Solidity to AWS IAM.

Agentic Commerce Gets a Reality Check

Walmart tested roughly 200,000 products through OpenAI's Instant Checkout, which let users complete purchases entirely inside ChatGPT without visiting Walmart's site. The results were blunt: in-chat purchases converted at one-third the rate of transactions where users clicked through to Walmart's website. Daniel Danker, Walmart's EVP of product and design, called the experience "unsatisfying." OpenAI has since confirmed it is phasing out Instant Checkout entirely in favor of merchant-handled app-based checkout. Walmart will now embed its own chatbot, Sparky, inside ChatGPT, with a similar integration coming to Google Gemini next month. (more: https://searchengineland.com/walmart-chatgpt-checkout-converted-worse-472071)

The implication extends beyond Walmart. Agentic commerce — the idea that AI assistants will handle purchasing end-to-end — assumes users trust a conversational interface for high-intent actions like checkout. The 3x conversion gap suggests they do not, at least not yet. Shopping is a visual, comparative activity that conversational UIs compress into a linear flow. Sending users back to owned environments with product images, reviews, and cart persistence still wins. That said, the pivot to embedded merchant chatbots within AI platforms may land differently — the user stays in the AI context but transacts through a familiar merchant experience. Worth watching whether Sparky-in-ChatGPT closes the gap or confirms it.

Agent Infrastructure: The Runtime Layer War

ByteDance open-sourced DeerFlow 2.0 and within 24 hours it topped GitHub Trending, accumulating ~25,000 stars. What distinguishes DeerFlow from the crowded agent framework landscape (CrewAI, AutoGen, LangGraph) is that it ships as a full runtime, not a library. Built on LangGraph and LangChain, DeerFlow's lead agent decomposes tasks, spawns sub-agents with scoped contexts and tools, runs them in isolated Docker containers, and stitches results back together. Each sub-agent gets its own filesystem, bash terminal, and code execution capability. Skills are Markdown files loaded progressively to avoid context window bloat, and a persistent JSON-based memory system tracks preferences and project context across sessions — with a new TIAMAT cloud backend suggesting enterprise ambitions. The security considerations are worth noting: ByteDance ownership triggers review processes regardless of technical merit, and the recommendation to deploy containerized with hardened images applies to any agent platform that executes code. (more: https://aihola.com/article/bytedance-deerflow-2-agent-runtime)

AgencyCLI takes a fundamentally different approach: infrastructure rather than framework. You define org charts in Markdown and YAML — teams, roles, projects, skills — and agents assemble their own context and run autonomously on a heartbeat schedule. The key differentiator is inter-agent communication: agents can hire, message, and coordinate with each other through an async inbox system, with confirm-request gates for human-in-the-loop approval. It is model-agnostic (Claude Code, Codex, Gemini, Cursor), runs agents in Docker sandboxes by default, and requires no server. (more: https://github.com/chenhg5/agencycli)

For model routing, SmarterRouter 2.2.1 offers a self-hosted MoE-style proxy that profiles incoming prompts and routes to the best backend model — local via Ollama or external via OpenAI-compatible APIs. It is multimodality-aware and optimized for rapid Ollama model loading/unloading. (more: https://www.reddit.com/r/OpenWebUI/comments/1rx68um/smarterrouter_221_is_out_one_ai_proxy_to_rule/)

Anthropic's Claude Dispatch lets users control desktop AI tasks from their phone, extending the Cowork environment into a persistent assistant paradigm. Community reaction was mixed — some found it transformative for cross-device workflows (one user had it search multiple Gmail accounts, save closing documents to Obsidian, and fill out a tax form), while others criticized the growing fragmentation of Claude Desktop into disconnected feature panes. (more: https://www.reddit.com/r/Anthropic/comments/1rx1z5c/anthropic_launched_a_new_cowork_feature_called/)

ColeMedin's deep dive on Claude Code covers roughly a dozen features shipped in just the last couple of months: the 1M token context window (with the practical caveat that hallucinations spike sharply at 250K–300K tokens), agent teams with real-time inter-agent communication, native git worktree support for parallel feature branches, /simplify and /batch commands for post-implementation cleanup and large-scale refactors, /btw for sidecar questions that do not bloat context, /loop for recurring prompts, voice input, effort-level tuning, and scheduled cron tasks. The worktree support is arguably the most impactful for daily use — real development always involves multiple feature branches, and having Claude manage isolated copies natively eliminates the manual worktree juggling that was previously required. (more: https://www.youtube.com/watch?v=uegyRTOrXSU) (more: https://m.youtube.com/watch?v=uegyRTOrXSU)

Swictation v0.7.30 shipped the first native macOS release, bringing cross-platform voice-to-text dictation to both Linux (NVIDIA CUDA) and Apple Silicon (CoreML/ANE via a custom coreml-native crate) with a single npm install -g swictation. The release also adds a native Tauri 2 menu bar tray with idle/recording/disconnected states and Unix socket IPC. (more: https://github.com/robertelee78/swictation/releases/tag/v0.7.30)

Model Efficiency: When Smaller Models Learn to See

Baidu's Qianfan-OCR packs document parsing, layout analysis, table extraction, formula recognition, chart understanding, and key information extraction into a single 4-billion-parameter vision-language model — and it leads OmniDocBench v1.5 at 93.12, surpassing models 60x its size on key information extraction tasks (beating Gemini-3.1-Pro and Qwen3-VL-235B). The key contribution is Layout-as-Thought: an optional reasoning phase where the model explicitly reasons about bounding boxes, element types, and reading order before generating structured output — document-layout-specific chain-of-thought that can be toggled at inference time depending on accuracy/speed requirements. Trained on 2.85 trillion tokens across 192 languages on 1,024 Kunlun P800 chips, with weights fully open-sourced. At 1.024 pages/sec on a single A100 with W8A8 quantization, this is a production-viable document intelligence model. (more: https://www.reddit.com/r/learnmachinelearning/comments/1rx6y36/r_qianfanocr_endtoend_4b_document_intelligence/)

On the quantization tooling front, AMD's Quark has been flying under the radar with only a few hundred downloads per model update despite offering MXFP4 post-training quantization that reportedly preserves better quality than standard approaches. One commenter noted finding bugs via Claude when working with Quark's codebase, suggesting the tooling maturity has room to grow. (more: https://www.reddit.com/r/LocalLLaMA/comments/1ryju7u/has_anyone_heard_of_amd_quark/) A community experiment compressing six LLMs found that models do not degrade uniformly under compression — one commenter hypothesized that steep degradation may indicate thorough training (all neurons carrying load), while graceful degradation may signal undertrained models with redundant neurons in benchmark blind spots. The methodology used uniform intermediate dimension reduction, with the author exploring targeted per-layer approaches next. (more: https://www.reddit.com/r/LocalLLaMA/comments/1rw2tqs/we_compressed_6_llms_and_found_something/) HumeAI also released tada-1b, an expressive audio generation model on HuggingFace. (more: https://huggingface.co/HumeAI/tada-1b)

Embeddings, Memory, and the Automated Research Loop

NVIDIA published a complete six-command pipeline for building domain-specific embedding models in under a day on a single GPU — from raw documents to a deployed, OpenAI-compatible inference endpoint. The recipe chains NeMo Curator for synthetic data generation (using Nemotron to produce multi-hop question-answer pairs from domain documents), hard negative mining with a 95% margin ceiling to avoid false negatives, contrastive fine-tuning with InfoNCE loss, BEIR-compatible evaluation, ONNX/TensorRT export, and NIM container deployment. On NVIDIA's own documentation corpus, the fine-tuned model showed 10%+ improvement in both NDCG@10 and Recall@10. More compelling is Atlassian's validation: applying this exact pipeline to fine-tune on their Jira dataset pushed Recall@60 from 0.751 to 0.951 — a 26.7% gain that directly impacts search quality for millions of Rovo users. The practical threshold is accessible: 50–100 documents for a proof-of-concept, scaling up from there. (more: https://huggingface.co/blog/nvidia/domain-specific-embedding-finetune)

For evaluating the memory systems that sit atop those embeddings, WMB-100K introduces a benchmark at a scale that actually reflects real usage. Existing benchmarks test at 600–1,000 turns. WMB-100K tests 100,000 turns with 3,134 questions across five difficulty levels, including false memory probes — because confidently returning wrong information is worse than saying "I don't know." At $0.07 per run, the barrier to evaluation is essentially zero. (more: https://www.reddit.com/r/LocalLLaMA/comments/1s1brq3/wmb100k_open_source_benchmark_for_ai_memory/)

Finally, a practitioner took Karpathy's autoresearch framework — a tight hypothesize-edit-train-evaluate-commit/revert loop with an LLM agent in the middle — and pointed it at a real research problem: a contrastive learning model for image-text alignment using expert attention heatmaps. The agent ran 42 experiments in a single Saturday on one RTX 4090, committing 13 and reverting 29. The single biggest win was a bug fix: relaxing a temperature clamp from 2 dropped the mean rank by 113 points — worth more than all architecture changes combined. Hyperparameter tuning delivered steady gains. But when the agent moved to architectural modifications and moonshot ideas in later phases, the success rate dropped sharply — it was "throwing spaghetti at the wall." The pattern is familiar: LLM agents excel at structured search (hyperparameters, obvious bugs) but struggle with the creative leaps that define research breakthroughs. The containerized execution approach (no network access, locked-down file permissions, Docker-orchestrated training) is a sensible template for anyone wanting to let an agent iterate autonomously without handing it the keys to the kingdom. (more: https://ykumar.me/blog/eclip-autoresearch/)