Breaking | May 26, 2026 | Data exposure

Google Researchers Documented 11 Real Attacks on AI Agents. ChatGPT. Claude. Copilot. Cursor. Every Single One Violated the Same Principle — and Nobody Was Watching.

Researchers from Google, UC San Diego, and the University of Wisconsin mapped eleven real-world attacks on AI agents and found something consistent: every single one violated the same security principle — secure information flow. Not a model flaw. Not a jailbreak. A systems failure.

The attacks included data exfiltration from the ChatGPT macOS app, a Claude Code exfiltration flaw, a Microsoft Copilot exfiltration vulnerability, and the AgentFlayer attack on Cursor triggered by a malicious Jira ticket. In each case, an AI agent with access to enterprise tools, memory, APIs, and browsers was compromised — not because the model was dangerous, but because the systems around it were never built to contain it.

The researchers' conclusion is blunt: enterprises cannot secure AI agents by making the underlying models more robust. Security must be enforced at the system level. 'The AI model powering the agent must be treated as an untrusted component,' they wrote. The analogy they draw: an operating system treats every process as untrusted, and AI systems should treat the model the same way.

They don't. Eleven documented cases prove it. No human oversight flagged any of these attacks in real time. No human stopped them. The data left the building at machine speed.
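As an added illustration of the system-level principle above (this is not code from the researchers or from any product named here), a minimal information-flow gate for an agent's tool dispatcher: every tool-call argument the model emits is labelled with everything the model has seen, and each sink tool carries a maximum label it may receive. The tool names, labels and policy table are hypothetical.

```python
"""Information-flow gate for an agent tool dispatcher (constructed example).

The model is treated as untrusted: a tool-call argument it produces is labelled
with the join of all data in its context (it may encode anything it has read),
and each sink tool has a ceiling. Leaks are stopped at the system boundary
regardless of what the model 'decided' to do.
"""
from dataclasses import dataclass

PUBLIC, INTERNAL, SECRET = 0, 1, 2  # confidentiality lattice (constructed)


@dataclass(frozen=True)
class Label:
    secrecy: int    # highest confidentiality level of any contributing data
    tainted: bool   # influenced by untrusted input (e.g. an externally written ticket)

    def join(self, other: "Label") -> "Label":
        return Label(max(self.secrecy, other.secrecy), self.tainted or other.tainted)


# Hypothetical source tools and the label of what they return.
SOURCES = {
    "read_ticket": Label(PUBLIC, True),      # attacker-writable text
    "read_env_file": Label(SECRET, False),   # repository secrets
    "read_readme": Label(PUBLIC, False),
}
# Hypothetical sink tools: (maximum secrecy accepted, may act on tainted input).
SINKS = {
    "http_post_external": (PUBLIC, False),
    "post_internal_comment": (INTERNAL, True),
}


class AgentContext:
    def __init__(self) -> None:
        self.label = Label(PUBLIC, False)  # nothing read yet
        self.audit: list = []              # decision log for the SOC, not the model

    def observe(self, tool: str) -> None:
        """The model reads a source tool's output; the context label only rises."""
        self.label = self.label.join(SOURCES[tool])
        self.audit.append(("observe", tool, self.label))

    def call_sink(self, tool: str) -> bool:
        """Gate a model-issued sink call using the context label as the argument label."""
        max_secrecy, allow_tainted = SINKS[tool]
        ok = self.label.secrecy <= max_secrecy and (allow_tainted or not self.label.tainted)
        self.audit.append(("allow" if ok else "deny", tool, self.label))
        return ok


def gate(reads: list, sink: str) -> bool:
    """Replay a sequence of source reads followed by one sink call; True if allowed."""
    ctx = AgentContext()
    for tool in reads:
        ctx.observe(tool)
    return ctx.call_sink(sink)
```

The ticket-to-exfiltration pattern described above (read an untrusted ticket, read secrets, post externally) is denied by the gate even though the model issued the call.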

HITL Score: 26/100
Source: CSO ONLINE / ARXIV