Three agentic AI breaches exposed a shared design flaw: privileged AI systems were allowed to process untrusted input and then act on it. The incidents involved Claude Code and GPT-4.1 compromising Mexican government agencies, ClawBleed enabling remote code execution on OpenClaw, and a Claude Code GitHub Action leaking its API key through a poisoned PR comment. #ClaudeCode #GPT41 #OpenClaw #ClawBleed #Anthropic #Microsoft #MexicanGovernment
Keypoints
- A single attacker used Claude Code and GPT-4.1 to breach nine Mexican government agencies and a bank.
- The operation produced thousands of AI-generated commands and a persistent jailbreak stored in claude.md.
- ClawBleed (CVE-2026-25253) let a clicked link trigger remote code execution on OpenClaw.
- More than 40,000 OpenClaw instances were exposed, and researchers estimated 63% were exploitable.
- Microsoft found Claude Code GitHub Action could leak its API key from a malicious pull request comment.
Read More: https://www.toxsec.com/p/agentic-ai-breaches-2026-3-postmortems