• itscybernews
  • Posts
  • The Sentence That Made an AI Hack Its Own Computer

The Sentence That Made an AI Hack Its Own Computer

Your AI can finally use your computer for you. The catch: a stranger's hidden note can use it too.

Author

The itscybernews Team
June 02, 2026

A Microsoft security researcher built a cheerful little “hotel finder” AI. You ask it for hotels in Paris, it searches a list, it hands you options. Friendly. Boring. Safe.

Then they typed one carefully worded request — and instead of finding hotels, the assistant opened the Windows calculator on the machine running it.

No virus. No dodgy attachment. No memory-corruption wizardry. Just words. The AI did exactly what it was built to do: read a sentence, pick a tool, pass along the details. The details just happened to be a smuggled instruction to run code. Microsoft logged it as CVE-2026-26030, one of two flaws its own researchers found in Semantic Kernel, its open-source framework for building AI agents (27,000+ GitHub stars). Pop calc.exe today; run anything tomorrow.

Welcome to the strangest security story of 2026: the year our AI assistants grew hands.

Your AI grew hands

For two years, chatbots could only talk. In 2026 they started doing. OpenAI’s GPT-5.5 shipped with native “computer use” — it moves a cursor, clicks buttons and fills forms like a person would. Agents now read your files, query your databases, run scripts and reach across 50+ apps through connectors. GitHub counts 4.3 million AI repositories on its platform now, with LLM-focused projects up 178% in a single year.

This is genuinely magical. The same capability that can pop a calculator can also chew through your most tedious work while you sleep.

The genuinely cool part

Security teams are early winners. Open-source “agentic” penetration-testing tools — one crossed 17,000 GitHub stars in May — now chain reconnaissance, exploitation and reporting that used to eat an analyst’s entire week. Defenders shipped back fast: a new open-source prompt-injection scanner launched in May with 225 detection patterns across 15 languages, and a static analyzer now grades risky agent code against the new OWASP “Agentic Top 10.” Give an agent a clear goal and a locked sandbox, and it grinds through the boring 80% — triaging alerts, drafting fixes, writing the report — while a human keeps the judgment.

What can go wrong

Here’s the uncomfortable truth: an AI model can’t reliably tell the difference between your instructions and data it’s merely reading. Anything it ingests — an email, a shared doc, a web page, a support ticket — can be interpreted as a command. Researcher Simon Willison named the danger zone the “lethal trifecta”: an agent that (1) can see private data, (2) reads untrusted content, and (3) can send data back out. Have all three, and you have a problem.

It is not theoretical. “EchoLeak” turned Microsoft 365 Copilot into a zero-click data thief: an attacker emailed a hidden instruction, and the next time anyone asked Copilot a question, it quietly retrieved the poisoned email and leaked company data through an image URL — no click required. “GeminiJack” pulled the same trick on Google’s enterprise stack. In March, researchers chained invisible prompt injection to siphon chat history straight out of a default consumer AI session. And a hidden note buried in a GitHub pull-request description (CVE-2025-53773, severity 9.6) was enough to make an AI coding assistant run an attacker’s code.

How to not get owned

The good news: the fixes are old-school security discipline, not magic.

  • Starve the trifecta. The easiest link to break is exfiltration — block external image loading in AI responses, add content-security-policy rules, and sandbox generated output before it renders.

  • Least privilege, always. Your agent does not need all of Gmail, all of Slack and every database at once. Scope it to the task in front of it.

  • Treat agents like privileged users. Log every query, alert on odd behavior, and assume any tool parameter the model can touch is attacker-controlled.

  • Patch the plumbing. Building on Semantic Kernel? Upgrade now (Python 1.39.4+, .NET SDK 1.71.0+). Audit your MCP connectors for hidden instructions while you’re at it.

  • Watch the host, not just the model. Your LLM is not a security boundary. If an agent process suddenly spawns a shell or drops a file into the Startup folder, that’s your real alarm.

That’s it for today. Stay curious, patch your plumbing, and maybe don’t let a hotel chatbot near your calculator.

— The itscybernews Team