GhostApproval exposed a symlink trust-boundary flaw across six AI coding assistants simultaneously, and the four different vendor responses reveal something more important than the vulnerability: there is no shared security contract governing what these tools are allowed to do.
AI workflow platforms are being deployed with developer-speed patching and no orchestration-layer instrumentation, and attackers have started treating them as production attack surfaces.
The first confirmed autonomous LLM agent attack, a critical auth bypass in the Python framework underpinning most MCP infrastructure, and two AI platforms under active exploitation this week represent a structural shift: AI attack surface is not emerging, it is operational.
Four AI infrastructure platforms (Langflow, Marimo, LMDeploy, Flowise) were exploited within 24 hours of vulnerability disclosure last week. The patching window has collapsed to under one attacker shift.