AI RiskAtlas

Google Big Sleep AI agent surfaces a SQLite flaw assessed as about to be exploited (CVE-2025-6965)

Disclosed vulnerability · 15 Jul 2025

On 15 July 2025 Google announced that Big Sleep, its LLM-assisted vulnerability-research agent built jointly by Google DeepMind and Google Project Zero, had found CVE-2025-6965 in the SQLite database engine. Per NVD and the SQLite advisory, the flaw affects SQLite versions before 3.50.2: when the number of aggregate terms in a query can exceed the number of available columns, an attacker who can inject arbitrary SQL may cause a numeric truncation / integer overflow that results in memory corruption (reported as an out-of-bounds read). The fix shipped in SQLite 3.50.2. The precondition matters for exposure assessment: the attacker must be able to run attacker-chosen SQL statements against the engine, so the risk concentrates in services that execute user-supplied SQL (query consoles, multi-tenant SQL endpoints, injection-prone application code) rather than in applications whose SQL is fixed and parameterised.

Google describes it as a critical issue that, in its words, 'was known only to threat actors and was at risk of being exploited.' Notably, Google credits the combination of Google Threat Intelligence and Big Sleep, not the agent alone, with predicting that the vulnerability was about to be used and cutting it off beforehand, and states: 'we believe this is the first time an AI agent has been used to directly foil efforts to exploit a vulnerability in the wild.' All three characterisations (the threat-actor knowledge, the imminent-exploitation prediction, and the 'first time' claim) are Google's own assessment and have not been independently confirmed.

Severity scoring differs by source: Google's advisory gives CVSS 4.0 = 7.2 (High), while NVD lists a CVSS 3.1 base score of 9.8 (Critical). Consumers of vulnerability feeds should expect the two scores to disagree and should prioritise on the injection precondition above rather than on either number alone.

The case illustrates capability uplift from agentic AI on the defensive side (autonomous vulnerability discovery used to pre-empt exploitation), the complement of the attacker-side autonomous-offensive use seen in the GTG-1002 case.
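As an added illustration (not code from the AI RiskAtlas page, Google, or the SQLite project), the following Python script performs the two checks a practitioner actually wants after reading this case. First, it compares the SQLite library linked into the running interpreter against the fixed version 3.50.2. Second, it shows that the advisory's precondition ("an attacker who can inject arbitrary SQL") is under the application's control, by contrasting a string-built query with a parameterised one against a constructed in-memory users table. It deliberately does not attempt to reproduce the aggregate-term overflow itself; the table, rows and the `' OR 1=1 --` probe string are constructed sample data.

```python
"""Exposure checks for CVE-2025-6965 (SQLite < 3.50.2).

Added example, not from the original page. It does NOT trigger the bug; it
answers two questions: is the linked SQLite old enough to be affected, and
does this code path hand attacker-controlled SQL to the engine at all?
"""
import sqlite3

FIXED_VERSION = "3.50.2"  # first release containing the fix, per NVD/SQLite


def parse_version(version: str) -> tuple:
    """Turn '3.50.2' into (3, 50, 2) so versions compare numerically,
    not lexically ('3.9.0' must sort below '3.50.2')."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str) -> bool:
    """True when the given SQLite version is >= 3.50.2."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def runtime_audit() -> dict:
    """Report the SQLite library the interpreter is actually linked against.
    sqlite3.sqlite_version is the library version, not the module version."""
    version = sqlite3.sqlite_version
    return {"sqlite_version": version, "fixed": is_fixed(version)}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",), ("carol",)]
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller's string becomes part of the SQL text.
    Whoever controls `username` controls the statement, which is exactly the
    precondition the CVE-2025-6965 advisory requires."""
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the statement is fixed and the value is bound as a
    parameter, so user input can never change the query's structure."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (username,)
    ).fetchall()


# Constructed probe: closes the quoted literal, adds a tautology, comments
# out the trailing quote. Harmless here, but it proves the caller controls
# the SQL, which is the only thing an attacker needs for this bug class.
PROBE = "' OR 1=1 --"

if __name__ == "__main__":
    print("runtime:", runtime_audit())
    db = make_db()
    print("unsafe lookup with probe:", lookup_unsafe(db, PROBE))  # all rows
    print("safe lookup with probe:  ", lookup_safe(db, PROBE))    # no rows
```

Run it under the interpreter that serves the application, not a developer laptop: `sqlite3.sqlite_version` reports the library actually linked, which is what an embedded-SQLite exposure check must look at. If `fixed` is False and any code path resembles `lookup_unsafe`, treat the host as exposed; if every path resembles `lookup_safe`, the bug is not reachable by outside input, which does not remove the need to patch but does lower urgency.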

More cases on Supply-Chain Compromise

PoisonGPT (Mithril Security)
postmark-mcp backdoor
Malicious models on Hugging Face (pickle deserialization RCE)
A small number of samples can poison LLMs of any size (~250-document backdoor)
Model Namespace Reuse (Hugging Face name-trust hijack)
Slopsquatting — package hallucinations by code-generating LLMs
MCP registry / marketplace poisoning (OX Security)
ClawHavoc — mass poisoning of OpenClaw's ClawHub agent-skill marketplace
Malice in Agentland — backdooring agents through the supply chain (Boisvert et al.)
Heretic — automated LLM abliteration tool
Salesloft Drift OAuth supply-chain breach (UNC6395) — mass Salesforce data theft via an AI chat integration
Amazon Q Developer 'wiper' prompt shipped via poisoned pull request (CVE-2025-8217)
NVIDIA Triton Inference Server unauthenticated RCE chain (CVE-2025-23319 / -23320 / -23334)
SesameOp: backdoor abuses the OpenAI Assistants API as covert command-and-control
MCPTox: tool-poisoning benchmark over real-world MCP servers
Operation Bizarre Bazaar (first attributed LLMjacking campaign with a resale marketplace)
TeamPCP poisons the LiteLLM AI gateway on PyPI to harvest LLM API keys
CVE-2026-21445 — Langflow missing authentication on critical API endpoints, exploited in the wild
Malicious JetBrains Marketplace plugins steal AI API keys
codexui-android — malicious npm package steals OpenAI Codex auth tokens
LeRobot async-inference gRPC pickle RCE (CVE-2026-25874)
Flowise AI agent builder CustomMCP RCE (CVE-2025-59528)
PyTorch Lightning PyPI compromise (Mini Shai-Hulud / TeamPCP)
Project Glasswing — Claude 'Mythos' autonomously finds 10,000+ software vulnerabilities

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading · Built by Shi Yuan