Threat Landscape Snapshot for June 6
The weekly vulnerability pipeline processed 237 high-signal records across CISA KEV, NVD, the Go Vulnerability Database, and editorial security sources. The dependency lane was quiet for the current engine: no matching Go dependency CVEs landed against the audited bill of materials. The application threat lane was not quiet at all.
The strongest signals clustered around autonomous support workflows, dynamic tool registration, execution-time race conditions in agent workspaces, and protocol-level resource exhaustion. That is the shape of the modern attack surface: attackers are not only looking for one vulnerable library. They are looking for trusted automation that can be bent into doing the dangerous part for them.
What Shipped This Cycle
This pass stayed inside the existing architecture: one engine, sixteen security modules, the optional Rust sidecar, and no new runtime dependencies. The work expanded existing modules where the weekly report showed concrete gaps, then added focused tests around the new behavior.
AI support bot jailbreak to account takeover correlation
The correlator now watches for an LLM Firewall threat followed by a sensitive identity mutation for the same principal inside a five-minute window. Email changes, password changes, password resets, and account recovery events now normalize into account_mutation alerts with user, account, and session context attached.
When the chain matches, the correlated alert carries recommended response actions to disable the user and block the source IP. This matters because the attack is not just "prompt injection happened." The damaging moment is the identity change that follows it.
Execution-time TOCTOU and fileless path checks
Runtime Watcher now inspects process execution telemetry for path swaps, hash mismatches, and transient fileless execution paths such as memfd, proc-fd, deleted binaries, and O_TMPFILE-style launches. If an allowed tool is validated and then swapped before execution, the runtime module can raise the mismatch at the point of execution instead of waiting for a later file scan.
The report asked for kernel-grade hooks. This implementation takes the dependency-safe route first: consume normalized execution integrity details through the existing event path, preserve the Linux realtime file monitoring already present, and avoid adding kernel libraries or another collector module.
Dynamic MCP server injection prevention
API Fortress now detects JSON bodies that try to inject mcpServers configuration on ordinary API routes, not only obvious MCP endpoints. Unprivileged dynamic registration attempts now raise mcp_server_dynamic_injection, and command or args fields containing shell and downloader primitives are treated as high-risk server registration.
That closes a practical gap in agent infrastructure: a malicious payload can try to register a new MCP server that looks like configuration but behaves like code execution. The new check keeps that decision in the existing API enforcement path.
SSH channel exhaustion and oversized payload handling
The Rust sidecar now treats SSH channel exhaustion as a protocol-aware signal instead of counting every packet in an SSH-looking flow. It counts visible SSH_MSG_CHANNEL_OPEN requests and separately flags oversized SSH payloads above the 262144-byte threshold.
That reduces false positives from noisy encrypted traffic while still covering the resource exhaustion pattern called out in the weekly report.
Deep binary inspection at exact offsets
The deep binary scanner now reports exact embedded signature offsets when ELF, PE, or 7zXZ markers cross chunk boundaries. The prior behavior could identify the chunk; the new behavior points at the byte-level location, which gives analysts cleaner evidence and improves automated triage.
What the Audit Confirmed Was Already Covered
Several June 6 action items turned out to be real but already substantially handled by the current engine. The LLM Firewall already decompresses PDF FlateDecode streams with the Go standard library before routing text through prompt-injection checks. It already carries markdown taint context for agentic exfiltration patterns. Supply Chain Sentinel already scans install hooks for downloader, shell, eval, and base64 abuse while maintaining a broader popular-package baseline.
Those did not need new modules. They needed verification, a sharper reading of the report, and incremental hardening where the weekly action item pointed to a narrower edge.
Architecture Discipline Still Matters
The rule held: do not create a seventeenth module, do not add external runtime dependencies, and do not make the weekly intelligence loop depend on a fragile pile of new libraries. The new detections are deterministic: event correlation, regex-backed MCP body inspection, normalized identity mutation classification, execution metadata checks, and Rust packet heuristics.
That restraint is not aesthetic. Security projects decay when every new headline becomes a new subsystem. 1-SEC stays useful week after week because the threat landscape expands, but the operating model stays understandable.
What Security Teams Should Watch Next
The most important pattern in this cycle is the collapse between AI input security and identity security. Prompt anomalies, support-bot actions, account recovery, email mutation, and session context now belong in the same investigation, not five different dashboards.
Expect more attacks that look like configuration changes rather than exploit payloads: MCP server additions, tool registration updates, CI hook edits, and agent workspace file swaps. The defense is to treat "trusted automation changed something sensitive" as a first-class signal. That is where this week moved the engine.
Verification
This cycle added focused Go tests for account mutation handling, principal-aware correlation, MCP dynamic injection, and runtime execution-integrity alerts. The Rust sidecar gained tests for visible SSH channel-open bursts, non-channel false positives, oversized SSH payloads, and exact binary signature offsets across chunk boundaries.
The full Go suite and the Rust no-default-features test suite pass with the new coverage. The default pcap-enabled Rust path still depends on the local packet-capture SDK being present on the builder, so the portable CI-safe Rust path remains the no-default-features target.