Context Window: AI Security Podcast

PODCAST · technology

The AI security podcast. Everything worth knowing in AI security, LLM threats, and agentic AI risks — under 15 minutes. Curated by a human. Voiced by AI.

    #10: Signed by Claude, Written by a Worm

    Top Story: TeamPCP Returns — "Mini Shai-Hulud" Hits Two Ecosystems Simultaneously — After a 26-day pause, TeamPCP is back. Curator's Corner: When Trust Is the Exploit Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-05-04.html

    #9: Three Layers, Three Attack Surfaces, One Agent

    Top Story: MCP STDIO RCE — The Connector Layer Has an Authority Problem — On April 23, the Cloud Security Alliance — an independent industry research body — and OX Security, an established Israeli software-supply-chain security vendor (founded 2021, $34M seed from Insight Partners and Team8), jointly disclosed an architectural vulnerability in the Model Context Protocol's STDIO transport — the most common transport used by local MCP servers across the open-source agent ecosystem. Curator's Corner: Three Layers, Three Attack Surfaces, One Agent Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-04-27.html

    #8: Every Consultancy Is a Honey Pot Now

    Top Story: Comment and Control — Three Coding Agents, One Bug Class, Zero CVEs — On April 15, researcher Aonan Guan — working with Johns Hopkins University's Zhengyu Liu and Gavin Zhong — published the first cross-vendor demonstration of a prompt-injection pattern that turns GitHub itself into the command-and-control channel for stealing runner credentials out of AI coding agents. Curator's Corner: Every Consultancy Is a Honey Pot Now Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-04-20.html

    #7: Ninety Days to Patch the World

    Top Story: Claude Mythos Preview + Project Glasswing — AI Reaches the Zero-Day Threshold — On April 7, Anthropic announced Claude Mythos Preview alongside Project Glasswing — the most consequential AI security development of 2026, and arguably of the decade. Curator's Corner: Anthropic's Oppenheimer Moment Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-04-13.html

    #6: Instructions Are Not Guardrails

    Anthropic accidentally published Claude Code's entire source code to npm — 512,000 lines of TypeScript, including an autonomous daemon called KAIROS that nobody was supposed to know about. North Korea compromised the Axios npm package through AI-assisted social engineering. Mercor, a $10B AI startup, got breached via the LiteLLM supply chain — 4TB exfiltrated. Plus: Microsoft open-sources the Agent Governance Toolkit, and Curator's Pick on why instructions are not guardrails. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-04-06.html

    #5: From Zero Day to Zero Second

    Your vulnerability scanner just published malware. One threat actor — TeamPCP — hit five ecosystems in ten days: Trivy, Checkmarx KICS, LiteLLM, Telnyx, and npm via CanisterWorm. A supply chain worm that completes a full compromise cycle in under sixty seconds. Plus: RSA Conference drops its agent security agenda, Claude gets jailbroken, and Curator's Corner on why security tools became the attack surface. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-03-30.html

    #4: AI Sandboxes Are Broken — Two Platform Escapes in One Week

    Two major AI platform sandbox escapes dropped this week on the eve of RSA Conference. AWS Bedrock's "isolated" sandbox leaks DNS queries — researchers built a full reverse shell. Snowflake's Cortex Code CLI got jailbroken through a GitHub README. Plus: MCP rug pulls, VoidLink (88K lines of AI-generated malware), the biggest pre-RSA funding window ever, and Curator's Corner on why AI didn't create new vulnerabilities — it made old ones affordable. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-03-23.html

    #3: An AI Agent Hacked McKinsey's Chatbot in Under 2 Hours

    A red-team agent compromised a top-tier consultancy's customer-facing chatbot in under two hours. The Chrome Gemini hijack lets browser extensions take over Google's built-in AI. Plus the biggest M&A week in AI security history — Google closed the $32B Wiz deal, OpenAI bought Promptfoo, and three stealth startups emerged with a quarter-billion in combined funding. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-03-16.html

    #2: AI Security Gets Real — Breaches, Budgets, and the Agent Problem

    The week AI security shifted from theoretical to operational. Major breaches, new funding rounds, and the emerging challenge of securing autonomous AI agents. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-03-08.html

    #1: Welcome to Context Window

    The pilot episode of Context Window — your weekly AI security briefing in under 15 minutes. Curated by Asaf Nakash. Voices by AI. Opinions by human. Show notes: https://contextwindowsec.com/episodes/2026-03-01.html

HOSTED BY

Asaf Nakash
