What happened
CodeWall's autonomous offensive agent breached McKinsey's internal AI platform, Lilli, gaining full read and write access to its production database within two hours. The entry point was a SQL injection flaw in an unprotected API endpoint that built user search queries by concatenating the keys of user-supplied JSON objects directly into the SQL string. The compromise exposed 46.5 million chat messages, 728,000 files, 57,000 user accounts and 3.68 million RAG document chunks containing proprietary research. The agent also reached the system prompts and model configurations, revealing the full AI stack.
Why it matters
AI platforms, even at sophisticated organisations, remain exposed to commodity vulnerability classes, and a single one can hand over both the data and the means to manipulate the model's behaviour. Security architects and platform engineers should treat the 'prompt layer' as a high-value target in its own right: write access to system prompts lets an attacker silently alter the advice the assistant gives, or exfiltrate data through its output, without any attack on the model itself. The incident also shows that scanners and code review tuned to value-based injection can miss a query that parameterises values but splices JSON keys into SQL. Guarding against it calls for continuous adversarial testing of the kind that found this flaw, allowlisting of field names at the API boundary, and dedicated integrity controls for system prompts and model configuration.
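The pattern described above, as an added illustration that is not CodeWall's or McKinsey's code: a search endpoint that parameterises JSON values (so value-only scanners see a "safe" query) but splices the JSON keys into the WHERE clause, beside a hardened version that allowlists field names. The schema, sample rows, the `system_prompts` table and the attack payload are all constructed for this example; nothing here reflects Lilli's actual implementation. Python with the standard-library sqlite3 module is assumed purely for portability.

```python
import json
import sqlite3

# Constructed schema and rows for the demonstration (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT, body TEXT);
        CREATE TABLE system_prompts (id INTEGER PRIMARY KEY, name TEXT, prompt TEXT);
        INSERT INTO documents VALUES (1, 'Q3 market outlook', 'alice', 'public summary');
        INSERT INTO documents VALUES (2, 'Merger model', 'bob', 'restricted');
        INSERT INTO system_prompts VALUES (1, 'assistant', 'You are a helpful analyst.');
    """)
    return conn


def search_vulnerable(conn, filters_json):
    """Vulnerable: values go through '?' placeholders, but each JSON *key*
    is concatenated into the SQL as if it were a trusted column name."""
    filters = json.loads(filters_json)
    clauses, params = [], []
    for key, value in filters.items():
        clauses.append(f"{key} = ?")      # attacker controls `key`
        params.append(value)
    sql = "SELECT id, title FROM documents WHERE " + (" AND ".join(clauses) or "1=1")
    return conn.execute(sql, params).fetchall()


# Allowlist of filterable columns; anything else is rejected before SQL is built.
ALLOWED_FILTER_COLUMNS = {"title", "owner"}


def search_hardened(conn, filters_json):
    """Hardened: keys must match a fixed allowlist, are quoted as identifiers,
    and values must be scalars; only then are they bound as parameters."""
    filters = json.loads(filters_json)
    clauses, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"unsupported filter field: {key!r}")
        if not isinstance(value, (str, int, float)):
            raise ValueError(f"unsupported filter value for {key!r}")
        clauses.append(f'"{key}" = ?')
        params.append(value)
    sql = "SELECT id, title FROM documents WHERE " + (" AND ".join(clauses) or "1=1")
    return conn.execute(sql, params).fetchall()


# Constructed payload: the key rewrites the query into a UNION that reads the
# system prompt table, while still leaving exactly one '?' for the bound value.
ATTACK_FILTER = json.dumps(
    {"1=0 UNION SELECT id, prompt FROM system_prompts WHERE name": "assistant"}
)

if __name__ == "__main__":
    db = make_db()
    print("benign:", search_vulnerable(db, '{"owner": "alice"}'))
    print("injected:", search_vulnerable(db, ATTACK_FILTER))
    try:
        search_hardened(db, ATTACK_FILTER)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The benign request returns only alice's document; the injected request returns the system prompt from a table the endpoint never intended to expose. Because the value "assistant" is still bound through a placeholder, a test or scanner that only mutates values never sees the problem; the fix is to stop trusting keys as identifiers, which the allowlist in `search_hardened` enforces.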