← Back to arXiv Cryptography and Security

arXiv Cryptography and Security briefings

Policy SafetyOfficialarXiv Cryptography and Security

Mako: A Self-Evolving Agentic Operating System for Autonomous Web Exploitation

Researchers have introduced Mako, a self-evolving AI agent designed to autonomously exploit web vulnerabilities by treating its exploit capability as a mutable kernel. Mako achieved full coverage on 104 CTF-style web applications spanning 26 vulnerability classes, demonstrating the ability to autonomously discover and exploit a wide range of web vulnerabilities. Due to dual-use concerns, the authors have withheld operational details, payloads, and source code.

Why it matters: Mako's results highlight that once an exploit capability is available, the difficulty of autonomous exploitation collapses, raising significant security and safety concerns about the potential for automated offensive systems.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

AMT-X: Multi-Turn Red-Teaming Framework Reveals Gap Between Partial and Fully Actionable LLM Harm

Researchers introduce AMT-X, a phase-structured multi-turn red-teaming framework that employs a multi-role jury and phase-conditioned checklists to evaluate the safety of large language models (LLMs). When tested on six frontier models, AMT-X achieved 97.6-100% attack success under lenient scoring, but only 66.7-78.6% under stricter criteria requiring complete operational detail. This demonstrates a substantial gap between partially and fully actionable harmful outputs.

Why it matters: The findings indicate that current single-turn safety evaluations may underestimate the risks posed by adaptive adversaries, emphasizing the need for more nuanced assessment methods in AI safety.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

MusicMark: A Robust Generative Watermarking Framework for Music Generation

Researchers introduce MusicMark, a generative watermarking framework that embeds watermarks into the semantic latent space during diffusion-based music generation. Unlike post-hoc watermarking methods, MusicMark integrates watermarking directly into the generation process, resulting in greater robustness against attacks such as neural codec re-synthesis and cover-song transformations, while preserving audio quality. Experimental results show that MusicMark outperforms existing post-hoc approaches in both robustness and fidelity.

Why it matters: This work provides a significant advance in ensuring reliable provenance and attribution for AI-generated music, addressing a growing need as such content becomes more widespread.

Jul 14, 2026

Policy SafetyOfficialarXiv Cryptography and Security

NetInjectBench: Benchmarking Indirect Prompt Injection in Tool-Using LLM Agents for Network Operations

NetInjectBench introduces a 130-scenario benchmark to evaluate indirect prompt injection attacks on large language model (LLM) agents used in network operations. In tests across 240 attack instances, naive execution led to an 82.50% unsafe tool-action rate, while a metadata-aware policy gate eliminated unsafe actions and preserved 99.17% usefulness. The study also compares several prompt-level defenses, finding them less effective than execution-time authorization boundaries.

Why it matters: This work reveals that LLM agents for network operations are highly susceptible to indirect prompt injection, but that metadata-aware policy gates can effectively prevent unsafe actions without sacrificing utility.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

One Token Is Enough: Fingerprinting LLMs from Single-Token Output Distributions

Researchers have developed a method to fingerprint large language models (LLMs) by analyzing the distribution of their responses to simple, single-token prompts such as "name a random number between 1 and 100." By testing 165 models via the OpenRouter aggregator, the method achieved 59.5% accuracy in identifying model lineage and a 7.3% equal error rate in verification, all using only single-token queries. The approach also uncovered cases where a proprietary model endpoint was distributionally indistinguishable from an open-weight Qwen model.

Why it matters: This technique provides a practical way for clients to verify which LLM is actually serving them through opaque API chains, helping address trust and transparency issues in commercial model deployment.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

Grammar-Driven Watermark (GDW) Improves Code Watermarking Trade-off for LLMs

A new preprint introduces Grammar-Driven Watermark (GDW), a code watermarking technique for large language models (LLMs) that uses grammar-guided masking and structural role-aware modulation. GDW aims to preserve code quality while enhancing watermark detectability, and experiments across several programming languages and models indicate it achieves a better balance between quality and detectability than previous methods. The method also demonstrates robustness against variable-renaming attacks.

Why it matters: Improving watermarking for machine-generated code without sacrificing quality is important for reliably identifying AI-generated code in real-world applications.

Jul 14, 2026

Policy SafetyOfficialarXiv Cryptography and Security

AHA: Automated Red-Teaming Framework Uncovers Reusable Vulnerabilities in Production LLM Agents

A new preprint introduces AHA, an automated red-teaming system designed to discover and formalize reusable vulnerability knowledge in production LLM agents such as Claude Code and Codex. AHA iteratively proposes vulnerability hypotheses, constructs falsifiers, and builds a Vulnerability Concept Graph (VCG) that links attack surfaces to unsafe agent behaviors. In experiments, the VCG outperformed the strongest frozen discovery baseline by 14.2 percentage points and demonstrated transferability across models and attack scenarios. The VCG serves as an auditable artifact for safety teams to inspect, validate, and patch vulnerabilities.

Why it matters: This work advances scalable and reusable safety testing for production LLM agents, helping safety teams keep pace with evolving threats and models.

Jul 14, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Minionese: Comprehensive Benchmark and Mechanistic Study of Multilingual LLM Safety

Researchers introduce Minionese, a multilingual jailbreak benchmark that spans 18 languages, 4 resource tiers, and 4 perturbation types to evaluate the safety alignment of large language models (LLMs). The study finds that prompts refused in English can elicit harmful responses in non-English and low-resource languages, with each attack type exposing distinct vulnerabilities. Mechanistic analysis reveals that low-resource jailbreaks exploit geometric misalignments in model representations, bypassing refusal mechanisms without disabling them.

Why it matters: This work demonstrates that evaluating LLM safety solely in English is inadequate, emphasizing the need for multilingual and script-aware safety assessments.

Jul 14, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Banshee Attack Uses Sound to Hijack Drone Visual Tracking Systems

Researchers have introduced Banshee, the first physically realizable attack that uses acoustic injection to induce target switching in UAV visual tracking systems. By exploiting acoustic vulnerabilities in gimbal-camera systems, Banshee causes camera-view drifts that break target associations, achieving a 93.6% success rate in simulation and 95.5% in real-world tests against commercial drones.

Why it matters: This work demonstrates a practical cross-domain vulnerability between acoustics and vision in autonomous systems, emphasizing the need for more robust gimbal designs to prevent such attacks.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

Multi-Agent System Recommends Security Controls with High Coverage and Efficiency

A new preprint proposes a Security Decision Support System that recommends security control sub-families based on minimal user requirements. Using a Multi-Agent Influence Diagram model and no-regret online learning, the system achieves 99% satisfaction coverage while utilizing only about 65% of software-implementable controls, according to validation on curated datasets. The approach aims to balance security coverage with resource efficiency, with results showing rapid computation times.

Why it matters: This framework could enable organizations with limited cybersecurity expertise to make more effective and resource-efficient security decisions.

Jul 14, 2026

Policy SafetyOfficialarXiv Cryptography and Security

Temporary Authority, Permanent Effects: Commit-Time Authorization for LLM Agents

A new preprint introduces the concept of commit-time authorization, a security property ensuring that LLM agents only commit durable effects if the authority evidence remains valid at the moment of commitment. The authors demonstrate that, in a controlled test suite, 207 out of 216 invalidating runs resulted in unauthorized commits after the authorizing path had failed, revealing a significant security gap. To address this, they propose CommitGuard, a fail-closed boundary monitor that blocks stale authorization attempts at commit time.

Why it matters: This work exposes a critical security vulnerability in LLM agents related to the misuse of temporary authority and offers a practical mitigation strategy.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

When Local Monitors Miss Compositional Harm: Diagnosing Distributed Backdoors in Multi-Agent Systems

A new preprint demonstrates that runtime monitors which check each step or message individually can fail to detect distributed backdoors in multi-agent LLM systems, where a harmful payload is split across agents so that each local check passes. The authors formalize an 'observability boundary,' proving that if fragments appear benign in the monitored view, no detector operating on that view can identify the attack. They show that while monitors trained only on benign traffic can recover attack structure (0.874 mean AUROC) and a decoded-view gate can block all tested attacks, even full-trace monitors fail unless they access the representation where the payload is exposed.

Why it matters: This work exposes a fundamental limitation in current safety monitoring for multi-agent AI systems, highlighting that local checks cannot guarantee global safety when harm is distributed across agents.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

PL-HCL: Detecting Cross-Layer Misalignment in LLM Agent Skills

Researchers introduce Progressive Loading-Aware Hierarchical Contrastive Learning (PL-HCL), a framework for detecting inconsistencies between the descriptions and actual behaviors of large language model (LLM) agent skills. Evaluated on a corpus of over 264,000 open-source skills and a human-verified challenge set, PL-HCL raises Macro-F1 scores from around 0.45 (for unadapted baselines) to 0.87–0.89 across different LLM backbones. This demonstrates a substantial improvement in identifying misaligned agent skills.

Why it matters: As open-source skill marketplaces expand, PL-HCL provides an effective tool to help users and operators screen for agent skills that may not behave as advertised, improving trust and safety.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

LLM Multi-Agent System Uncovers 84 Vulnerabilities in Cellular Core Networks

Researchers introduced iFinder, a multi-agent system powered by large language models (LLMs), to detect implicit trust errors in cellular core network (CN) implementations. Applied to seven open-source CN projects, iFinder uncovered 84 previously unknown vulnerabilities, with 83 confirmed and 81 assigned CVEs. Notably, a session-hijacking flaw was validated on commercial 5G networks.

Why it matters: This work demonstrates a novel and effective use of LLMs for automated vulnerability discovery in critical cellular infrastructure, highlighting systemic security risks as networks move to cloud-native architectures.

Jul 14, 2026

ResearchOfficialarXiv Cryptography and Security

Which Neurons Detect Malicious Code? A Probing Study of LLM Security Knowledge

Researchers applied mechanistic interpretability techniques to identify neurons responsible for malware detection in three instruction-tuned large language models (LLMs). By amplifying or suppressing these neurons, they observed changes in malware detection accuracy, with effects varying by model. The study demonstrates that security-relevant knowledge is encoded differently across LLM architectures and highlights the potential for neuron-level interventions.

Why it matters: This work provides foundational insights for developing neuron-level defense mechanisms, such as selective unlearning and editing, to improve the security and reliability of code-focused LLMs.

Jul 14, 2026