Daily brief at 7am Melbourne.

Wednesday 27 May 2026

The "BadHost" Bug Hiding Inside Millions of AI Agents

A critical flaw in the Starlette web framework — 325 million weekly downloads — puts millions of AI agents at risk of server-side request forgery, and Iran's internet is flickering back to life after a 90-day blackout.

Lead story

The "BadHost" Bug Hiding Inside Millions of AI Agents

There's a critical vulnerability sitting inside Starlette, the Python web framework that underpins FastAPI and, by extension, a significant slice of the AI agent ecosystem. Researchers are calling it "BadHost," and with 325 million weekly downloads, the blast radius is enormous.

What happened: The flaw is a server-side request forgery (SSRF) vulnerability: an attacker gets the server to issue a request of the attacker's choosing, typically to hosts that are reachable from the server but not from the internet, such as internal APIs, databases, or a cloud provider's instance metadata endpoint. In the context of AI agents, which routinely talk to APIs, databases, and internal tooling, that's not a theoretical risk. It's a skeleton key.

Why this matters more than a typical open-source vuln: Starlette isn't just popular — it's foundational. FastAPI is built on top of it, and FastAPI has become the default scaffolding for a generation of AI agent backends. If you've spun up an agent that calls tools, hits APIs, or manages sessions, there's a real chance Starlette is somewhere in your stack. The vulnerability affects codebases where developers might not even know Starlette is present, buried two or three layers deep in their dependency tree.

That's the cruel geometry of modern software: you inherit risk from packages you didn't choose, written by people you'll never meet.

The agentic angle: What makes "BadHost" particularly pointed right now is the timing. Organisations are racing to deploy AI agents — the MIT Technology Review noted this week that 85% of enterprises want to go fully agentic within three years. Many are doing it faster than their security posture can keep up. An SSRF flaw in a framework this central to the Python AI ecosystem is exactly the kind of vulnerability that gets chained with other weaknesses to pivot from an exposed agent endpoint to internal cloud infrastructure.

What to do: Patch Starlette immediately. If you're running FastAPI or any framework built on Starlette, check the installed version and update; pip show starlette (or a pip-audit run) will tell you whether it is present even if you only ever installed FastAPI. If you can't patch right now, audit what internal resources your agent backends can reach: block egress to the cloud metadata endpoint and to private address ranges, allowlist the hosts an agent legitimately needs, and apply the same checks to any URL an agent fetches on a user's behalf. The principle of least privilege applies to AI agents just as much as it does to human users.
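An added example of the compensating control described above, written for this brief rather than taken from Starlette, FastAPI or the BadHost advisory, and not a fix for the bug itself: an application-level egress guard that refuses to fetch a URL which resolves to internal address space. Python because that is the ecosystem at issue. The blocked ranges are the standard loopback, RFC 1918, CGNAT, link-local and IPv6 equivalents; the hostnames, the address table and the function names are constructed for illustration.

```python
"""Egress guard for an agent backend's outbound HTTP calls.

Added example for the brief above. It is not Starlette code and does not fix
BadHost; it limits what a backend can reach through a user-influenced URL.
Names and the DNS table below are assumptions made for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Address space an internet-facing agent should never reach via a URL it was
# handed: "this" network, RFC 1918, CGNAT, loopback, link-local (which holds the
# cloud metadata endpoint 169.254.169.254), multicast, and the IPv6 analogues.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; real code uses getaddrinfo.
CONSTRUCTED_DNS = {
    "api.example.com": {"203.0.113.10"},
    "rebind.example.com": {"203.0.113.10", "10.0.0.5"},  # one public, one private
    "metadata": {"169.254.169.254"},
}


class BlockedURL(ValueError):
    """Raised when a URL must not be fetched."""


def default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def table_resolver(host):
    """Resolver backed by the constructed table; unknown names fail like DNS does."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, f"Name or service not known: {host}")
    return CONSTRUCTED_DNS[host]


def is_internal(ip):
    """True if an address string lies in a blocked range; IPv4-mapped IPv6 is unwrapped."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, allowed_hosts=None, resolver=default_resolver):
    """Validate a URL before the agent fetches it.

    Returns (scheme, host, port, addresses) or raises BlockedURL. Every
    resolved address is checked, so a name with one public and one private
    record is rejected instead of letting the HTTP client pick the private one.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise BlockedURL("URL has no host")
    if parts.username or parts.password:
        raise BlockedURL("credentials embedded in URL")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise BlockedURL(f"host not on allowlist: {host}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise BlockedURL("invalid port") from exc
    try:
        addresses = {str(ipaddress.ip_address(host))}  # IP literal: check as-is
    except ValueError:
        try:
            addresses = set(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError
            raise BlockedURL(f"unresolvable host: {host}") from exc
    for ip in addresses:
        if is_internal(ip):
            raise BlockedURL(f"{host} resolves to internal address {ip}")
    return parts.scheme, host, port, sorted(addresses)


def is_fetchable(url, **kwargs):
    """Boolean form of check_outbound_url for policy hooks and tests."""
    try:
        check_outbound_url(url, **kwargs)
    except BlockedURL:
        return False
    return True


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/search",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::ffff:127.0.0.1]:8000/admin",
                "http://rebind.example.com/"):
        try:
            print("allow", check_outbound_url(url, resolver=table_resolver))
        except BlockedURL as exc:
            print("block", url, "->", exc)
```

Two caveats a practitioner should keep in mind. The check and the later connection are separate DNS lookups, so a rebinding attacker can pass the check and then serve a private address; close that window by connecting to the validated address and sending the original Host and SNI, or by terminating all egress at a proxy that enforces the same policy. And redirects must be checked hop by hop (disable automatic following), otherwise a public URL that 302s to the metadata endpoint walks straight past the guard.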

Australian context: FastAPI and Starlette are widely deployed across Australian cloud-native environments, including in the public sector and financial services, where agentic AI pilots are increasingly common. The Australian Signals Directorate's Essential Eight mitigation strategies — particularly patching applications within 48 hours for internet-facing systems — are directly relevant here. CERT-In (India's cyber agency) issued guidance just this week recommending 12-hour patching windows for critical internet-facing flaws, a benchmark worth noting as Australian organisations calibrate their own response timelines. The ASD hasn't yet issued a specific advisory, but defenders shouldn't wait for one.

Also today

Iran's Internet Flickers Back On After a 90-Day Blackout

After nearly three months offline — one of the longest internet shutdowns in any country's history — some connectivity is returning to Iran, according to web monitoring groups. The blackout followed the joint US-Israeli military campaign against the country in late February 2026. It isn't clear whether the reconnection is permanent or partial, and monitoring groups caution that access remains patchy and subject to change. The episode is a stark reminder of how completely states can weaponise internet infrastructure as a tool of control during conflict — and how dependent civil society, commerce, and communications become on connectivity that can vanish overnight.

WIRED

ShinyHunters Claims Charter Communications Breach

US telecommunications giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group threatened to publish stolen data unless a ransom was paid. Charter is one of the largest cable and broadband providers in the United States, making this a significant incident for the sector. ShinyHunters has been on a tear recently — the same group is also linked to the 7-Eleven breach disclosed this week, which exposed the personal information of approximately 185,000 people including names, addresses, dates of birth, and Social Security numbers. The twin confirmations in a single news cycle underscore the group's sustained operational tempo against consumer-facing brands.

Bleeping Computer

Microsoft Patches SharePoint RCE Flaw Out of Band

Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in SharePoint with a CVSS score of 8.8. The flaw stems from deserialisation of untrusted data and is reported to require no special conditions to exploit: in plain English, an attacker with network access can run arbitrary code on the server. One reading note before triage: a CVSS 8.8 usually denotes a network-reachable, low-complexity bug that still needs a low-privileged (authenticated) account, whereas a no-authentication variant would typically score 9.8, so check the vector string in the advisory before assuming unauthenticated exposure. SharePoint is widely deployed across Australian government and enterprise environments, and the ASD's Essential Eight patching timelines apply. If SharePoint is internet-facing in your organisation, this one should jump the queue.

The Hacker News

MuddyWater Expands Espionage Campaign Across Nine Countries

Iran-linked threat group MuddyWater has been attributed to a fresh espionage campaign that hit at least nine organisations across four continents in the first quarter of 2026, according to Symantec and VMware Carbon Black researchers. Targets span industrial and electronics manufacturing, education, public sector bodies, financial services, and professional services, a broad sweep that suggests intelligence collection rather than a narrowly focused operation. The group is using DLL side-loading as its primary delivery mechanism: a malicious DLL is placed where a legitimate, typically signed, executable will load it by name, so the payload runs inside a trusted process and inherits its reputation with endpoint tooling. Image-load telemetry (unsigned DLLs loaded from a writable directory beside a signed binary) is the usual place to hunt for it.

The Hacker News

Check Point Research: AI Is Now Running Live Cyberattacks, Not Just Planning Them

Check Point Research's AI Threat Landscape Digest covering March–April 2026 documents a meaningful shift in how AI is being used offensively: it's no longer just assisting with planning or scripting, but executing autonomous attack workflows across extended campaigns in real time. The report covers individual criminal actors, mass exploitation platforms, ransomware groups, and state-sponsored espionage operations — all showing evidence of commercial AI models being deployed operationally. This is the research-backed confirmation of a trend defenders have feared: AI as an active participant in attacks, not just a writing assistant for phishing emails.

Check Point Research

Apple Open-Sources Quantum-Resistant Encryption — and Formal Verification Found Bugs Tests Missed

Apple has released the source code for two quantum-resistant cryptographic algorithm implementations, a move that lets the wider security community scrutinise the work. The more interesting detail buried in the announcement: formal verification — a mathematical technique for proving code correctness — caught bugs that conventional testing would have missed entirely. That's a quiet but significant argument for formal methods in security-critical code. With post-quantum cryptography transitioning from theory to deployment across global infrastructure, including Australian government systems following ASD guidance, the ability to verify implementations rigorously matters enormously.

CyberScoop

Microsoft Copilot Found Exfiltrating Files via Prompt Injection

Security researcher Simon Willison flagged a prompt injection attack against Microsoft's Copilot Cowork feature that results in file exfiltration. The attack works by embedding instructions in content that Copilot reads — a document, email, or shared file — which the model then follows as though the user had issued them, directing it to send sensitive data to an attacker-controlled location. It's a clean demonstration of why agentic AI systems that can read, write, and act on data represent a fundamentally different threat surface than traditional software: anything the assistant reads is effectively input it may act on. Microsoft has been informed; the broader pattern of prompt injection enabling data exfiltration is becoming a recurring motif across AI assistant products.

Simon Willison

OpenRouter Doubles Valuation to $1.3B as Multi-Model Future Arrives

OpenRouter, the platform that lets developers route queries across dozens of AI models from a single API, has raised a $113 million Series B led by CapitalG at a $1.3 billion valuation — more than double its valuation from a year ago. Usage has grown fivefold in six months. The numbers reflect a maturing market where organisations don't want to bet on a single AI provider, preferring to mix and match models based on cost, capability, and latency. For Australian developers and enterprises, OpenRouter's growth signals that vendor-agnostic AI infrastructure is becoming standard practice rather than an edge case.

TechCrunch

Nvidia Restructures Reporting to Separate Hyperscaler and Sovereign AI Sales

Nvidia is changing how it reports revenue, breaking out sales to hyperscalers — where competition and commoditisation pressure are growing — from sales to sovereign governments and enterprises, where Nvidia controls more of the full stack. Ben Thompson's Stratechery analysis argues this is a deliberate move to reframe the investor narrative: yes, the hyperscalers are increasingly designing their own chips, but everywhere else Nvidia is still the only game in town. For Australian readers, the sovereign AI segment is directly relevant — the federal government's investment in AI compute capacity will likely involve Nvidia hardware for the foreseeable future.

Stratechery

Australia Post Builds ML Models to Triage Its Security Incident Queue

Australia Post has been co-developing two machine learning models with a security startup over the past five months, aimed at automatically prioritising its security incident queue. The goal is to cut through the noise of low-priority alerts and surface the events that actually warrant human attention — a problem familiar to any security operations team drowning in tool output. It's a practical, unglamorous application of AI to security operations, and one that mirrors what Commonwealth Bank announced earlier this week with its AI on-call system. The trend is clear: Australian enterprises are moving AI from pilot to production in their security operations centres.

iTnews

Dutch Government Blocks US Acquisition of Cloud Firm Hosting National Digital ID

The Dutch government has moved to block a US company's acquisition of the cloud provider that hosts the Netherlands' national digital identity service, citing risk to the public interest. The decision is the latest in a series of European moves to reduce dependency on US technology infrastructure — a trend accelerating across the EU as geopolitical tensions make digital sovereignty a live policy question rather than an abstract one. For Australian policymakers, the case is a useful reference point as the country works through its own cloud sovereignty frameworks under the Australian Government Cloud Policy and SOCI Act obligations for critical infrastructure.

TechCrunch
