Last updated June 13, 2026
407 documented incidents from Feb–June 2026. Root causes, attack chains, links, and prevention guidance for each. Intended as a reference for engineering teams adopting AI tools.
Each entry sourced from CVEs, security research, and public disclosures. Click any card for the full writeup and links.
Magnitude = log10(estimated GDP impact in USD) − 2. Each +1.0 = 10× more damage. Methodology & reference points.
Ranked by estimated magnitude. Click any row for the full writeup, root cause analysis, and links.
How one misconfigured CI/CD pipeline cascaded across ten projects and two ecosystems.
Pin MCP servers, VS Code extensions, and packages to commit SHAs, not version tags. The hackerbot-claw campaign force-pushed 75 of 76 Trivy version tags. Tags are mutable. SHAs are not.
Do not give local agents access to production credentials or sensitive data. Use cloud-hosted agent environments with scoped permissions. The OpenClaw agent deleted a live inbox because it had write access to a mailbox for a "review" task.
Monitor what the agent did (API calls, file changes, commands), not just what you asked it to do. The Meta agent gave bad config advice and the change sat in production for two hours before monitoring caught the anomalous access.
Every supply chain attack here harvested long-lived API keys and tokens. The LiteLLM malware stole credentials from every Python process on the machine. Short-lived tokens (OIDC, STS) limit the blast radius of any compromise.
Delete, send, publish, deploy, pay. These operations should require explicit human confirmation. The Claude Opus incident (9 seconds from prompt to DROP TABLE on production) happened because there was zero approval gate between intent and execution.
The OWASP Top 10 for LLM Applications and the Top 10 for Agentic Applications cover the vulnerability classes behind most incidents on this page. Use them as a checklist during security reviews of AI features.
The hackerbot-claw → Trivy → LiteLLM → Mini Shai-Hulud chain started with one pull_request_target misconfiguration. Set permissions: read-all on workflow files. Do not echo untrusted input into shell commands. Audit all workflows that trigger on external PRs.
Hidden markdown, invisible Unicode, poisoned MCP tool descriptions. All of these attack prompt injection and all have published PoCs. Validate and sanitize any content that will enter an AI agent's context, the same way you would sanitize database inputs.
Magnitude = log10(estimated economic impact in USD) − 2. Each +1.0 on the scale means 10× more economic damage. Estimates combine direct financial losses, remediation costs, business disruption, and downstream cascading effects.
| Incident | Year | Est. Impact | Magnitude |
|---|---|---|---|
| NotPetya | 2017 | ~$10B | 8.0 |
| Log4Shell (remediation) | 2021 | ~$10B | 8.0 |
| CrowdStrike outage | 2024 | ~$5.4B | 7.7 |
| WannaCry | 2017 | ~$4–8B | 7.7 |
| SolarWinds | 2020 | ~$1–5B | 7.2 |
| Colonial Pipeline | 2021 | ~$1–2B | 7.1 |
| Equifax | 2017 | $700M | 6.8 |
| Heartbleed (remediation) | 2014 | ~$500M | 6.7 |
| Target breach | 2013 | $162M | 6.2 |
| Incident | Year | Est. Impact | Magnitude |
|---|---|---|---|
| FTX collapse | 2022 | ~$8.7B | 7.9 |
| Bybit hack | 2025 | $1.46B | 7.2 |
| Ronin Bridge | 2022 | $625M | 6.8 |
| Poly Network | 2021 | $611M | 6.8 |
| Mt. Gox | 2014 | $450M | 6.7 |
| Wormhole | 2022 | $326M | 6.5 |
Incidents on this page range from magnitude 2.3 to 7.3. 407 incidents catalogued. The largest (Outsider Enterprise at 7.3, $1.9B cumulative) is now comparable to CrowdStrike (7.7). 407 incidents catalogued, covering supply chain attacks, prompt injections, crypto exploits, AI-powered fraud, and nation-state operations.