TL;DR: A critical flaw in Docker's Ask Gordon AI assistant allowed attackers to execute commands and steal data through nothing more than a poisoned image label—no clicks required. Cursor disclosed its third sandbox escape since July, this time letting a prompt injection write malicious git hooks that execute with full system privileges. And Google's Threat Intelligence Group caught adversaries firing 100,000+ prompts at Gemini to clone its reasoning capabilities, while nation-state hackers from four countries now use AI across their entire attack playbook.

What Happened

Noma Security disclosed a critical vulnerability in Docker's Ask Gordon AI assistant. The flaw, dubbed "DockerDash," let attackers hide malicious instructions inside a Docker image's metadata labels. When someone asked Gordon about the image, it read those labels, interpreted the hidden instructions as legitimate tasks, and forwarded them to the Model Context Protocol (MCP) Gateway for execution. No validation at any step.

In cloud and CLI environments, that's full remote code execution. In Docker Desktop, the same trick exfiltrated environment variables, container configs, and network topology.

Docker patched it in Desktop 4.50.0 last November after Noma's September disclosure. The fix requires explicit user confirmation before any MCP tool runs.

Why It Matters

This is a new class of attack. Noma calls it "Meta-Context Injection"—exploiting the fact that AI assistants can't tell the difference between descriptive metadata and executable instructions. The MCP Gateway trusted Gordon. Gordon trusted the image labels. Nobody checked.

The payload hides in plain sight. Docker images get pulled from registries and scanned through automated pipelines millions of times a day. A malicious LABEL field looks like every other label until an AI agent reads it.

This won't stop at Docker. Any AI assistant that reads untrusted context and has access to tools through MCP is vulnerable to the same pattern. Bugcrowd's David Brumley called it "one example of what is sure to be a slew of examples in 2026."

Enterprise: Confirm Docker Desktop is on 4.50.0+. Review what other AI coding assistants have MCP access to your infrastructure—this attack class applies broadly.

SMB: If your developers use AI-assisted tools that connect to local systems, ask what those tools can access and whether inputs are validated before execution.

Action Items:

What Happened

Cursor disclosed a sandbox escape vulnerability (CVE-2026-26268, CVSS 8.1) on February 13. A prompt injection could trick Cursor's AI agent into writing malicious commands to a project's .git configuration—specifically git hooks, which run automatically when common actions like commits or pushes happen. Because .git settings weren't adequately protected, the agent could plant the payload without user approval. The next time Git ran one of those hooks, the code executed outside the sandbox with full system privileges.

No user interaction required. Git runs hooks automatically. Fixed in Cursor 2.5.

This is Cursor's third prompt-injection-to-RCE vulnerability since July 2025. The first (CurXecute) let attackers hijack MCP configurations to execute arbitrary commands. The second exploited a case-sensitivity bug to bypass file protections. This latest one found yet another path: configuration files the sandbox wasn't protecting.

And it's not just Cursor. A week earlier, Anthropic patched a nearly identical flaw in Claude Code—its sandbox failed to protect settings.json when the file didn't exist at startup, letting malicious code inject persistent hooks that executed with host privileges on restart.

Why It Matters

This is a pattern, not an anomaly. Two of the most popular AI coding tools had sandbox escapes via configuration file injection within the same two-week window. The attack surface is structural: these tools need file access to be useful, and that access keeps creating openings.

The sandbox model has a fundamental tension. AI coding assistants need to read and write project files to do their job. But every writable path is a potential escape route. Each patch fixes one path—then researchers find the next one. Three CVEs in seven months tells you the game of whack-a-mole isn't working.

Developers are high-value targets. A compromised developer machine often has SSH keys, cloud credentials, API tokens, and access to production infrastructure. Escaping a coding tool's sandbox doesn't just affect that project—it's potentially a foothold into everything that developer touches.

Enterprise: Inventory which AI coding tools your engineering teams use. Verify they're on patched versions. Consider whether AI agents in dev environments should operate under least-privilege constraints similar to CI/CD pipelines.

SMB: If your developers use Cursor, update to 2.5 immediately. If they use Claude Code, verify auto-update is active. And ask the broader question: what else on developer machines has file system access that nobody's auditing?

Action Items:

61% of marketers say this is the biggest marketing shift in decades.

Get the data and trends shaping growth in 2026 with this groundbreaking state of marketing report.

Inside you’ll discover:

Download your 2026 state of marketing report today.

Get Your Report

What Happened

Google's Threat Intelligence Group published its latest AI Threat Tracker on February 12, documenting a sharp rise in "distillation attacks"—where adversaries systematically query a commercial AI model to extract its knowledge and train competing models at a fraction of the cost.

One campaign fired over 100,000 prompts at Gemini, each designed to coerce the model into revealing its full reasoning process across multiple languages. The goal: replicate Gemini's reasoning capabilities in a model the attackers control—without guardrails.

The report also tracked threat actors from North Korea, Iran, China, and Russia using Gemini across every stage of the attack lifecycle. A Chinese APT directed Gemini to analyze RCE and SQL injection results against specific U.S. targets. North Korean actors profiled defense companies for social engineering. New malware like HONESTCUE experiments with AI APIs to generate malicious code on the fly.

And the "dark AI" underground is mostly a sham. A toolkit called Xanthorax marketed itself as purpose-built offensive AI. GTIG found it was actually jailbroken commercial APIs—including Gemini—accessed through stolen keys.

Why It Matters

AI theft doesn't look like hacking. Model extraction happens through legitimate API access. No network intrusion. No malware. Just lots of carefully crafted questions. That makes it extraordinarily hard to distinguish from normal use.

Nation-states are past the experimentation phase. GTIG drew direct lines between AI-assisted reconnaissance and subsequent real-world attack campaigns. This isn't theoretical anymore—it's operational.

The "custom dark AI" threat is overhyped. Most underground tools claiming to be purpose-built offensive AI are actually jailbroken versions of commercial models. The real threat isn't some shadowy AI—it's stolen API keys giving bad actors access to the same models everyone else uses.

Enterprise: If you serve AI models, implement query pattern analysis and extraction detection. If you consume them, secure API keys with the same rigor as database credentials.

SMB: Verify your AI vendors are legitimate providers with proper terms of service—not resellers of jailbroken commercial APIs. The cost savings aren't worth the exposure.

Action Items:

Every story this week comes back to the same problem: something trusted turned out not to be. Image metadata. A sandbox. An authorized API user. As AI tools get woven deeper into your stack, the most dangerous assumption isn't that they'll be attacked — it's that your trust boundaries still hold.

Check out → DigiForm-AI-Governance

Keep reading, learning and be a LEADER in AI 🤖

Hashi & The Context Window Team!