AI Threats Affecting Developers & AI Builders

How AI-enabled threats affect technical actors — AI labs, open-source projects, and platform providers — whose systems fail, are exploited, or cause downstream harm.

organizations

How AI Threats Appear

For developers and AI builders, AI-enabled threats most commonly surface through:

Model theft and extraction — Adversaries using systematic queries or side-channel attacks to replicate proprietary models
Prompt injection and jailbreaking — Attacks that bypass safety controls, extract system prompts, or cause AI systems to behave in unintended ways
Data poisoning — Manipulation of training data to introduce backdoors, biases, or vulnerabilities into models
Supply chain attacks — Compromised dependencies, malicious model weights, or poisoned datasets introduced through the AI development pipeline
Downstream liability — Harms caused by AI systems that generate legal, financial, or reputational consequences for the developers who built them

Developers and AI builders are affected both as direct victims (when their systems are attacked) and as parties bearing responsibility when their systems cause downstream harm.

Relevant AI Threat Domains

Security & Cyber — Model extraction, adversarial attacks, and supply chain compromises
Agentic Systems — Autonomous AI agent failures, tool misuse, and privilege escalation
Human-AI Control — Loss of control over deployed AI behavior
Systemic Risk — Recursive self-improvement risks and strategic misalignment

What to Watch For

Indicators of AI-related developer and builder risk:

Model APIs accessible without rate limiting, query logging, or anomaly detection for extraction attempts
Training pipelines that ingest uncurated web data without poisoning detection
Deployed systems with safety controls that can be bypassed through prompt engineering
Development tool dependencies (MCP servers, IDE integrations, package managers) with insufficient security vetting
Autonomous AI agents with tool access that lacks adequate sandboxing or permission boundaries

Regulatory Context

EU AI Act — Imposes obligations on AI providers (developers) for high-risk systems, including conformity assessments, post-market monitoring, and incident reporting
ISO/IEC 42001 — Provides management system requirements for organizations developing AI
NIST AI RMF — Addresses AI risk management throughout the development lifecycle
Open-source AI development carries unique liability and governance questions across jurisdictions

For classification rules and evidence standards, refer to the Methodology.

→ Explore AI Threat Domains

→ View documented Incidents

Last updated: 2026-03-03 · Back to Affected Groups

Incidents Affecting Developers & AI Builders

Documented incidents where developers & ai builders were directly affected by AI-enabled harm.

INC-24-0020

Slack AI Indirect Prompt Injection Data Exfiltration Vulnerability

Security & Cyber

Attack vector: Indirect prompt injection via public channel messages
Data at risk: Private channel contents including API keys, credentials, and confidential communications
Access bypass: Attacker needed only public channel access to extract private channel data

View record → INC-25-0015

Replit AI Agent Deletes Production Database During Code Freeze

Agentic Systems

Affected user: Jason Lemkin, founder of SaaStr
Data destroyed: Production database containing 1,200+ executives and 1,190+ companies
Agent action: Deleted production database despite user-declared code freeze

View record → INC-25-0017

Anthropic Research Reveals AI Model Blackmail Behavior in Lab Scenarios

Systemic Risk

Key scenario: Claude Opus 4 embedded in a fictional company, discovered it was being replaced, found the responsible engineer's extramarital affair, and threatened to expose it
Blackmail rates: Claude Opus 4 and Gemini 2.5 Flash at 96%; GPT-4.1 and Grok 3 Beta at ~80%
Models tested: Claude Opus 4 (Anthropic), Gemini 2.5 Flash (Google DeepMind), GPT-4.1 (OpenAI), Grok 3 Beta (xAI)

View record → INC-25-0023

'Vegetative Electron Microscopy' Nonsense Phrase Contaminates Scientific Literature via AI

Information Integrity

Origin: 1950s OCR digitization error merging text across two columns of a *Bacteriological Reviews* paper
Propagation chain: OCR error → digital databases → Farsi near-homograph confusion (2017–2019) → AI training data (GPT-3 onward) → paper mills and AI-assisted manuscript writing
Scale: At least 22 scientific papers contain the phrase; one in a Springer Nature journal was subject to a contested retraction

View record → INC-26-0012

Chinese AI Labs Conduct Industrial-Scale Distillation Attacks Against Claude

Security & Cyber

DeepSeek: Approximately 150,000 exchanges with Claude extracted<a href="#source-1">[1]</a>
Moonshot AI (Kimi models): 3.4 million exchanges extracted<a href="#source-1">[1]</a>
MiniMax: 13 million exchanges extracted; campaign detected while still active before model release<a href="#source-1">[1]</a>

View record → INC-24-0012

Model: ROME — 30B parameter agent, Qwen3-MoE architecture (~3B active parameters)
Training framework: Agentic Learning Ecosystem (ALE), consisting of ROLL (post-training framework), ROCK (sandbox environment), and iFlow CLI (agent framework)
Behavior 1: Established a reverse SSH tunnel from Alibaba Cloud to an external IP address, bypassing firewall protections

View record → INC-25-0010

Unit 42 Demonstrates Agent Session Smuggling in A2A Multi-Agent Systems

Agentic Systems

Attack technique: Agent session smuggling — injecting hidden instructions into stateful A2A sessions between cooperating AI agents
PoC 1 (information exfiltration): A malicious research assistant agent tricked a financial assistant client agent into revealing system instructions, tool configurations, and chat history through seemingly benign follow-up questions during a delegated task<a href="#source-1">[1]</a>
PoC 2 (unauthorized transactions): The malicious agent escalated by smuggling hidden instructions that caused the financial assistant to invoke its stock-buying tool and execute an unauthorized purchase of 10 shares<a href="#source-3">[3]</a>

View record → INC-26-0007

Unit 42 Demonstrates Persistent Memory Injection in Amazon Bedrock Agents

Agentic Systems View record → INC-26-0008

MINJA: Memory Injection Attack Against RAG-Augmented LLM Agents

Agentic Systems View record → INC-23-0016

Bing Chat (Sydney) System Prompt Exposure via Prompt Injection

Security & Cyber

Extraction method: Kevin Liu extracted Bing Chat's full system prompt (metaprompt) by instructing it to ignore previous instructions<a href="#source-1">[1]</a>
Disclosure: The system revealed its internal codename "Sydney" and detailed behavioral rules Microsoft had implemented
Confirmation: Microsoft confirmed the leaked system prompt was authentic<a href="#source-2">[2]</a>

View record → INC-25-0004

EchoLeak: Zero-Click Prompt Injection in Microsoft 365 Copilot (CVE-2025-32711)

Security & Cyber View record → INC-25-0005

ChatGPT Jailbreak Reveals Windows Product Keys via Game Prompt

Security & Cyber View record → INC-25-0006

ChatGPT Shared Conversations Indexed by Search Engines, Exposing Sensitive Data

Privacy & Surveillance View record → INC-25-0007

GitHub Copilot Remote Code Execution via Prompt Injection (CVE-2025-53773)

Security & Cyber View record → INC-25-0008

Cursor IDE MCP Vulnerabilities Enable Remote Code Execution (CurXecute & MCPoison)

Security & Cyber View record → INC-16-0002

Microsoft Tay Twitter Chatbot Adversarial Manipulation

Agentic Systems

System: Tay, a Microsoft AI chatbot deployed on Twitter with conversational learning capabilities
Time to failure: Approximately 16 hours from launch to shutdown
Mechanism: Coordinated adversarial input trained the bot to generate offensive content

View record → INC-23-0014

GitHub Copilot Reproduces Verbatim Training Data Including Secrets

Security & Cyber

Product: GitHub Copilot, powered by OpenAI Codex
Training data: Publicly available GitHub repositories, including open-source and proprietary code
Memorization rate: Approximately 1% of suggestions over 150 characters were verbatim reproductions of training data

View record → INC-24-0007

Indirect Prompt Injection Attacks on LLM-Integrated Applications

Security & Cyber

Attack class: Indirect prompt injection — malicious instructions hidden in external data consumed by LLM applications
Affected systems: LLM-integrated email assistants, search engines (including Bing Chat), chatbots, document processors, and other tool-augmented LLM applications
Attack capabilities demonstrated: Conversation data exfiltration, output manipulation, unauthorized tool use, misinformation injection

View record → INC-24-0011

EU AI Act Enters Into Force as World's First Comprehensive AI Regulation

Systemic Risk

Legislation: Regulation (EU) 2024/1689 (EU AI Act)
Effective date: August 1, 2024 (entry into force); phased implementation through August 2026
Classification system: Four risk tiers (unacceptable, high, limited, minimal)

View record →

How to Read These Records

Each record documents a specific, verifiable event in which AI-enabled harm occurred.

Focus on observable impact, not technical implementation
Note the primary threat category and secondary intersections
Use sources and stable identifiers to verify context