1. EMBER: LLMs Generate Hallucination Signals at Token Position Zero Before Any Output
A paper from Dip Roy, Rajiv Misra, Sanjay Kumar Singh, and Anisha Roy (arXiv:2604.13068, submitted 2026-04-13) identifies a scale-dependent phase transition in how autoregressive language models encode factual versus fictional information. Across seven transformer models ranging from 117M to 7B parameters tested on TriviaQA, Simple Facts, and Biography (552 labeled examples), models below 400M parameters show chance-level probe accuracy at every generation position (AUC 0.48–0.67), meaning no reliable internal signal distinguishes true from false outputs. Above approximately 1B parameters, a distinctly different regime emerges: peak hallucination detectability occurs at position zero — before any token is generated at all — then declines during token generation. The pre-generation signal is statistically significant in Pythia-1.4B (p = 0.012) and Qwen2.5-7B (p = 0.038). At 7B scale, instruction-tuned Qwen2.5-7B shows the dominant pre-generation effect, while base-model Pythia-6.9B produces a flat temporal profile. Critically, activation steering along probe-derived directions fails to correct hallucinations, confirming the signal is correlational rather than causal. The authors propose scale-calibrated detection protocols: below 400M, assume no factuality signal; above 1B, monitor position-zero probe readings as an upstream warning indicator. The mechanistic origin of why instruction tuning is required for pre-commitment encoding remains an open question.
Source: arXiv cs.CL | 2026-04-13
2. Capsule Security Discloses Prompt Injection "Lethal Trifecta" Affecting Microsoft Copilot Studio and Salesforce Agentforce
Capsule Security emerged from stealth with a $7M seed round and disclosed two critical indirect prompt injection vulnerabilities in enterprise agent platforms. ShareLeak (CVE-2026-21520, CVSS 7.5) exploits the gap between a SharePoint form submission and Microsoft Copilot Studio's context window: an attacker places a crafted payload in a public-facing comment field that injects a fake system role message overriding the agent's original instructions. The agent then queries connected SharePoint Lists for customer data and exfiltrates it via Outlook to an attacker-controlled email. Microsoft's own safety mechanisms flagged the request as suspicious, but the DLP never fired because the email was routed through a legitimate Outlook action — the exfiltration succeeded despite detection. PipeLeak is a parallel indirect prompt injection in Salesforce Agentforce requiring no authentication; Capsule found no volume cap on exfiltrated CRM data, and Salesforce has not assigned a CVE or issued a public advisory. Capsule coins the "lethal trifecta" as the minimum condition for any agent exploit: access to private data, exposure to untrusted content, and the ability to communicate externally. All three conditions are standard features of modern enterprise agent deployments. The proposed mitigation is a runtime guardian agent — a fine-tuned SLM evaluating every tool call pre-execution — running as a separate trust boundary from the agent itself. Chris Krebs, former CISA Director and a Capsule advisor, said legacy security tools were not built to monitor what happens between prompt and action.
Source: VentureBeat | 2026-04-15
3. MCP Rug Pull Attack: Tool Definitions Silently Swap After User Approval
A concrete proof-of-concept attack published by Koukyosyumei (Medium, 2026-04-16) demonstrates that MCP servers can return clean tool definitions at session start and silently substitute malicious ones after user approval. The MCP protocol has no tool definition integrity mechanism — no signatures, no version pinning, no requirement for clients to re-display or re-validate on notifications. The attack requires no special privileges: the same server returns clean Version A of its tools for calls 1–2, then silently serves malicious Version B after the third tools/list call. The malicious weather tool carries an identical visible description but contains a hidden [SYSTEM] directive instructing the agent to read /etc/passwd, SSH keys, and .env files, encode them as base64, and POST to an attacker-controlled endpoint. The three-call threshold is realistic because MCP clients typically make two or more tools/list calls before the LLM takes control. Visible tool names and descriptions remain identical between versions, making the swap undetectable by human review. The short-term fix is SHA-256 hash comparison of tool lists before every invocation; the long-term fix requires cryptographically signed tool manifests. The author maintains a curated list of AI agent security incidents at github.com/h5i-dev/awesome-ai-agent-incidents.
Source: Hacker News | 2026-04-16
4. OpenAI Agents SDK Adds Native Sandbox Execution and Multi-Provider Manifest Abstraction
OpenAI released a major update to its Agents SDK introducing two infrastructure primitives now considered necessary for enterprise agent reliability. Native sandbox execution gives agents a controlled isolated workspace with files, tools, and dependencies, without requiring developers to build their own container orchestration. Built-in support covers Blaxel, Cloudflare Daytona, E2B, Modal, Runloop, and Vercel, with the manifest abstraction enabling portable workspace definitions across providers — if one sandbox vendor fails, the agent's state can be restored via snapshotting and rehydration in a fresh container on a different provider. The second major addition is a model-native harness aligning agent execution with frontier model operating patterns: configurable memory, Codex-like filesystem tools, MCP tool use, a shell tool, and an apply-patch tool for file edits. OpenAI explicitly frames this release around the assumption that prompt injection and data exfiltration attempts are routine — separating harness and compute keeps credentials out of environments where model-generated code executes. The new capabilities are API-priced (standard token rates) and launch in Python first; TypeScript support is planned. The manifest abstraction and sandbox portability features represent the first industry attempt at standardizing agent workspace portability across hosting providers.
Source: OpenAI | 2026-04-15
5. multi-turboquant Consolidates 10 KV Cache Compression Methods Including ~80x Combined Reduction for Agent Workloads
A new Python toolkit called multi-turboquant (GitHub, rookemann, MIT license) unifies 10 KV cache compression methods spanning five algorithm families under a single API with GPU validation and preset launch commands for llama.cpp and vLLM. The methods include TurboQuant (Walsh-Hadamard transform, 2.25–4.25 bits, 3.8–7.1x compression), TCQ (WHT + Viterbi trellis), IsoQuant (quaternion 4D rotation, 0% speed cost, no calibration), PlanarQuant (Givens 2D rotation, ~0% speed cost), and TriAttention (DFT-based token eviction, 10–16x eviction ratio). In combined mode, TriAttention + turbo3_tcq achieves approximately 80x total KV cache reduction. Sixteen named presets cover use cases from balanced quality (k_only_iso, zero speed cost) to extreme (80x) and agent-specific profiles like agents_8x16k and agents_4x8k_70b. All methods are tested on RTX 3090 with real CUDA tensors (77 automated tests: 68 CPU + 9 GPU). Platform support covers NVIDIA (all 10 methods), AMD ROCm (iso/planar only), and Apple Silicon Metal (iso/planar). Multi-GPU tensor-split planning handles arbitrary GPU counts. A 32B model at 32K context consumes over 8GB of VRAM for KV cache alone; at 80x compression that drops below 100MB, fundamentally changing what context lengths are viable on commodity hardware.
Source: GitHub | 2026-04-10
6. Stanford HAI Flagsal: Frontier AI Fails 1 in 3 Production Attempts as Model Transparency Declines to New Low
Stanford HAI's latest Flagsal report delivers two uncomfortable data points about the state of enterprise AI. First, despite 88% enterprise adoption of frontier AI models, structured benchmark attempts still fail in approximately 1-in-3 cases in production environments. Agent performance varies sharply by task type: SWE-bench Verified approaches near-perfect scores, WebArena achieves 74.3%, MLE-bench reaches 65%, yet ClockBench — a seemingly trivial "tell me the time" task — scores only around 50% for top models, suggesting some failure modes are not about difficulty but about fundamental reliability. Hallucination rates across 26 leading models range from 22% to 94%, with GPT-4o accuracy degrading from 98.2% to 64.4% under close scrutiny. Second, the Foundation Model Transparency Index average score has dropped to 40/100, down 17 points from the prior measurement; 80 out of 95 models released in 2025 ship without training code disclosed. Stanford HAI's conclusion: the most capable systems are now the least transparent, and responsible AI progress is not keeping pace with capability gains.
Source: VentureBeat | 2026-04-15
7. Allbirds Rebrands as NewBird AI After 99% Stock Collapse; Shares Surge 582% on GPUaaS Pivot
Allbirds, once valued at $4 billion as a sustainable wool-sneaker brand, announced it is exiting footwear entirely and pivoting to AI compute infrastructure under the name NewBird AI. The company secured a $50 million funding commitment and announced a $39 million sale to American Exchange Group, which will shift Allbirds from a public-benefit corporation committed to environmental conservation to a conventional corporation. The stock surged 582% intraday on the announcement. The plan is to operate GPU-as-a-Service and AI-native cloud solutions, though no technical details about chip supply agreements or data center plans were disclosed. Allbirds' shares had lost 99% of their value since their 2021 peak. Gary Marcus cited this as the latest evidence of peak AI market absurdity, quoting Dr. Parik Patel: "The best investment is not in yourself. It's in a bankrupt shoe retailer that pivots to AI datacenter operations." The shareholder vote on the American Exchange acquisition is expected next month.
Source: The Guardian | 2026-04-15