The State of
AI Security
From Ecosystem Vulnerabilities to Cryptographic Solutions
Mirror Security Labs
hello@mirrorsecurity.io | mirrorsecurity.io
Table of contents
Table of contents
  • Abstract
Abstract
This white paper presents findings from a security analysis of the AI ecosystem, examining 2,595 VS Code extensions, 147 Model Context Protocol (MCP) server implementations, and 12 agent frameworks.
The research identified vulnerabilities across multiple deployment vectors, with 275 security issues discovered across analyzed extensions (10.6% occurrence rate), 5,933 AI artifacts extracted that contain prompt injection vectors, and MCP servers showing exploitable command injection in 78% of tested instances. Using Mirror Security's DiscoveR framework, a security assessment tool for AI systems, the findings indicate that current AI infrastructure operates with security assumptions that adversaries can exploit, with attack success rates exceeding 70% for chained vulnerabilities.
Our paper also includes a survey conducted by Mirror Security of 368 AI Engineers, developers and decision makers across various sectors. While organizations express confidence in their AI security and adoption, examination reveals gaps in security practices. This disparity highlights an area of risk within the AI ecosystem. 87% of organizations lack proper data encryption for AI, indicating a vulnerability in data protection for AI systems.
To address these critical vulnerabilities, this paper presents Fully Homomorphic Encryption (FHE) as the foundational solution for securing AI infrastructure. The Mirror VectaX FHE engine demonstrates how cryptographic protection can be maintained throughout the entire AI pipeline from data ingestion through model processing to output generation without sacrificing functionality. By enabling computation on encrypted data, FHE eliminates the exposure points that current attacks exploit, offering a practical path to eliminate the security gaps and provide the end-to-end AI security.
Executive Summary
Key Findings
1
High Adoption, Low Preparation: 79% currently use AI in production and 85% plan to expand usage, while only 9% have AI-native security measures in place.
2
Data Protection Gap: 87% of organizations lack proper data encryption for AI systems, indicating a disconnect between deployment speed and security implementation
3
Extension Ecosystem Compromise: 10.6% of analyzed VS Code extensions (275 of 2,595) contain security vulnerabilities, with 25 identified as high-risk
4
AI Artifact Exposure: 5,933 AI-specific artifacts extracted, revealing widespread prompt injection and model manipulation vectors
5
MCP Protocol Failures: 78% of MCP servers vulnerable to command injection & expose sensitive information
6
Agent Framework Risks: 64% of agent implementations susceptible to prompt injection, with framework-specific attack chains achieving 67-83% success rates
Critical Recommendations
  • Immediate Implementation of Mirror's Cryptographic AI Protection: Deploy Mirror's VectaX Fully Homomorphic Encryption (FHE) to enable secure computation on encrypted data, addressing the data protection gap without compromising AI functionality.
  • Zero-Trust AI Architecture with Cryptographic Foundation: Deploy Mirror's VectaX AI-native security controls built on FHE principles that maintain encryption during machine-speed processing and broad access operations, replacing traditional security models that fail in AI environments.
  • Mandatory Pre-Deployment Validation: Require Mirror's DiscoveR framework assessment for AI apps, agents and extensions before publication and usage , preventing the high vulnerability rate currently observed in systems.
  • Protocol-Level Security Enforcement: Implement Mirror's AgentIQ policies across MCP server infrastructure to address the 78% vulnerability rate and 91.2% information exposure.
Survey Highlights
Perceptions vs. Reality
While organizations express high confidence in their AI security and widespread adoption, a closer look reveals significant gaps in fundamental security practices. This disparity highlights a critical area of risk within the evolving AI ecosystem.

Critical Gap:
A staggering 87% of organizations lack proper data encryption for AI, underscoring a fundamental vulnerability in data protection for AI systems.
What Organizations Believe
77%
Confident in AI security
79%
Using AI in production
85%
Plan to expand AI usage
The Reality
28%
Completed security audit
9%
Have AI-native security
10%
Have dedicated AI team
39%
Have a secrets management
The Fundamental Problem
The modern AI ecosystem represents a shift in how data moves through enterprise systems. Unlike traditional applications, AI data continuously transforms - from raw inputs through embeddings, to model interactions, and back to enriched outputs. This ecosystem operates at machine speed, with data traversing multiple processing stages, crossing organizational boundaries, and interacting with various AI components in ways that traditional security architectures were not designed to handle.
The AI Data Challenge
Continuous Data Transformation: Information flows through multiple stages (ingestion, preprocessing, training, model inference), each with unique security challenges.
Ecosystem Interconnection: AI applications exist within complex ecosystems involving multiple models, vector databases, AI Agents, APIs, and third-party AI services.
Bidirectional Flow Patterns: AI systems feature recursive loops where outputs become inputs, create compounding security challenges unlike traditional request-response architectures.
Critical AI Ecosystem Components
AI Applications & Agents: The orchestration layer coordinating complex workflows and interactions.
Intellectual Property: The algorithms, LLM models, system prompts and proprietary data flowing through the system.
Vector Databases & AI Memory: The persistent layer where contextualized data resides, crucial for contextual awareness.
Large Language Models: The core processing engines transforming and generating data within the ecosystem.
This inherent complexity, combined with the speed and scale of AI operations, demands a new security paradigm—one that protects data throughout its entire journey across the AI workflow.
Key Drivers of AI Security Urgency
Explosive Growth
AI coding assistants have exploded from dozens to thousands of options in under 24 months, signaling an enormous surge in AI-generated code using vibe coding a paradigm shift in software development. These AI-powered tools are now embedded throughout development workflows, exposing proprietary code to third-party services. This explosive growth far exceeds the speed of conventional security review processes, while introducing new risks of intellectual property leakage.
Shadow AI Proliferation
Developers are integrating AI tools and services without adequate security teams oversight, leading to ungoverned data flows and unmonitored AI model interactions. This shadow AI creates unmanaged entry points for attackers.
Persistent Knowledge Gaps
Security teams frequently lack visibility into how AI components interact, store, and transmit sensitive data. This gap in understanding prevents effective threat modeling and the implementation of appropriate controls.
This report represents the systematic security evaluation of the entire AI ecosystem – from AI coding assistants to complex agent frameworks – providing empirical evidence of vulnerabilities and actionable insights for defense.
Data Analyzed
AI VS Code Extensions
2,595 extensions discovered through 137 AI-specific search terms.
  • Categories: Code completion, AI chat, model integration, development tools
  • Sources: VS Code Marketplace
MCP Implementations
147 publicly accessible servers across multiple deployments.
  • Discovery: Network fingerprinting, GitHub , npm scan.
  • Types: 39 distinct AI service categories identified.
Agent Frameworks
GitHub API queries for agent framework implementations, filtered by stars, recent commits, and production indicators
  • OpenAI Agents (3 )
  • AutoGen Systems (2 )
  • CrewAI Platforms (2 )
  • LangGraph/Chain (3 )
  • Custom Frameworks (2 )
AI Artifacts
5,933 extracted components
  • Prompts, system instructions, API endpoints.
  • Model references, tool definitions, agent configurations.
Attack Vectors
Traditional application security models fail when applied to AI systems due to fundamental architectural differences. Unlike conventional software with predictable inputs and outputs, AI systems introduce probabilistic behaviors & opaque decision-making processes. In this study we have applied the threat models covering following attack vectors.
Interconnected Risk Model
These five threat categories don't operate in isolation but form an interconnected web of vulnerabilities. Each successful attack in one category increases the likelihood and impact of attacks in others, creating a cascading failure scenario that can compromise entire AI infrastructures within hours.
Behavioural Manipulation
Adversarial prompts causing unintended actions
AI agents can be manipulated through carefully crafted inputs that exploit their instruction-following nature, causing them to perform actions outside their intended scope or bypass security controls.
Protocol Exploitation
MCP communication vulnerabilities
The protocols designed for AI-to-AI and AI-to-system communication lack security controls, creating exploitable channels for attackers.
Credential Harvesting
Secret extraction through AI interactions
AI systems have access to credentials and secrets, which can be systematically extracted through targeted interactions.
Persistent Compromise
Memory and context manipulation
AI systems maintain state across interactions, creating opportunities for persistent compromise through memory manipulation.
Cross-Domain Propagation
Vulnerabilities spreading across AI components
The interconnected nature of AI ecosystems enables vulnerabilities to propagate across different components and security domains.
Analysis
Threat Distribution
Our analysis revealed interconnected vulnerabilities across three primary attack surfaces:
VS Code Extensions (2,595 analyzed)
275
Total security issues discovered (10.6% infection rate)
5,933
AI artifacts extracted, revealing prompt injection vectors
25
High-risk extensions identified
67
Confirmed instances of malicious behavior (2.6%)
MCP Services (147 analyzed, 39 service types)
78.0%
Command Injection
62.6%
Authentication Bypass
91.2%
Information Disclosure
29.3%
Privilege Escalation
60.5%
Tool Poisoning
48.3%
Session Hijacking
GenAI Agent Frameworks
Histogram of framework vulnerabilities and attack success rates across different agent types. OpenAI Agents show the highest vulnerability rate (89%) while CrewAI has the highest attack success rate (83%).
Service Vulnerabilities
Gradio
XSS, RCE, Path Traversal
ComfyUI
File Upload, Code Execution
JupyterLab
Auth Bypass, RCE
Dify
Injection, Data Exposure
High-Risk Extensions
Detailed examination of the highest-risk extensions revealed these key findings:
Top High-Risk Extensions by Composite Score
1
modelharbor.modelharbor-agent
Risk Score: 42.00
Issues: 1, AI Artifacts: 12
Key Vulnerabilities: Prompt injection, API exposure
2
innotechvn.innocody
Risk Score: 40.70
Issues: 1, AI Artifacts: 6
Key Vulnerabilities: Code execution, data exfiltration
3
AkiraKudo.kudosflow
Risk Score: 39.00
Issues: 0, AI Artifacts: 9
Key Vulnerabilities: Credential harvesting
4
TabbyML.vscode-tabby
Risk Score: 37.50
Issues: 2, AI Artifacts: 8
Key Vulnerabilities: Model poisoning vectors
5
CodingAGI.codingagi
Risk Score: 35.00
Issues: 1, AI Artifacts: 4
Key Vulnerabilities: Unsanitized AI responses
6
blackboxapp.blackbox
Risk Score: 34.20
Issues: 3, AI Artifacts: 7
Key Vulnerabilities: Multiple security flaws
7
Codeium.codeium
Risk Score: 33.80
Issues: 1, AI Artifacts: 11
Key Vulnerabilities: Context leakage
8
continue.continue
Risk Score: 32.10
Issues: 2, AI Artifacts: 5
Key Vulnerabilities: Session management
Security Gaps in Agent Framework
Red Teaming of 12 agent frameworks revealed systemic security failures:
Framework-Specific Vulnerability Matrix
This bar chart illustrates the vulnerability rates across various agent frameworks for different attack vectors, showing "Prompt Injection" and "Tool Poisoning" as consistently high-risk areas across most frameworks.
Quantitative Security Metrics
Attack Success Rate Analysis
Empirical testing revealed alarming success rates across attack scenarios:
73/100
Ext /MCP to Agent
Avg. Time: 4.7 min
81/100
Prompt Injection Chain
Avg. Time: 2.1 min
34/50
Supply Chain Poisoning
Avg. Time: 48 hours
89/100
Agent Memory Corruption
Avg. Time: 7.3 min
68/75
Tool Poisoning
Avg. Time: 3.2 min
41/50
Multi-Vector Chain
Avg. Time: 6.4 hours
  1. Ext/MCP to Agent: MCP interfaces to control agent workflows and execution paths.
  1. Prompt Injection Chain: Carefully crafted prompt sequences defeat safety mechanisms by exploiting context memory.
  1. Supply Chain Poisoning: Embedding malicious code in third-party dependencies or contaminate reasoning data.
  1. Agent Memory Corruption: Poison RAG retrievals and context stores to manipulate agent responses and behaviors.
  1. Tool Poisoning: Compromised external APIs and function-calling tools serve as entry points for agent manipulation.
  1. Multi-Vector Chain: Attacks orchestrate multiple exploitation methods simultaneously for deep system penetration.
Discovery to Solution
Our research has revealed a fundamental architectural flaw common across all attack vectors. Every successful exploit leveraged the same critical weakness: data exposure at processing points.
The Protection Gap
10.6% of extensions leak data during processing.
78% of MCP servers are vulnerable to command injection at decryption points.
91.2% information disclosure rate due to plaintext processing requirements.
5,933 AI artifacts exposed because they must remain readable for execution.
Why This Matters for AI Systems
The AI Processing Reality:
  • Continuous Operations: AI performs thousands of operations per second.
  • Multi-Stage Workflows: Data flows through multiple processing stages.
  • Distributed Architecture: Extensions → MCP → Agents → Models.
  • Real-Time Requirements: Data in use encryption breaks AI utility.
The Critical Question
How can we protect data that must be continuously processed, transformed, and shared across AI components without ever exposing it?
This challenge demands a fundamental paradigm shift. From the traditional Encrypt-Decrypt-Process-Repeat model, we must transition to a Process-While-Encrypted approach. This leads us to a cryptographic functions that enables computation on encrypted data, transforming the landscape of AI security.
FHE: The Path to Secure AI
The fundamental challenge of securing AI systems while maintaining their utility can be addressed through a paradigm shift in data processing. Our research demonstrates that Fully Homomorphic Encryption (FHE) serves as the cornerstone of this solution, enabling computation on encrypted data without requiring decryption.
What is FHE?
Homomorphic Encryption is a cryptographic technique that allows mathematical operations to be performed directly on encrypted data, ensuring end-to-end confidentiality, even as AI systems process sensitive information. When you decrypt the result, it's identical to what you would have gotten by performing the same operations on unencrypted data. This capability allows AI systems process sensitive information without ever seeing the actual data. Whether analysing medical records, financial transactions, or personal communications, the AI performs all computations on encrypted values while producing encrypted results that only authorized parties can decrypt.
This fundamentally redefines the security perimeter, moving beyond traditional "encrypt-decrypt-process" cycles to achieve a truly "process-while-encrypted" paradigm. Data remains in its encrypted state from initial ingestion through final output, eliminating critical exposure points that adversaries typically exploit.
How FHE Closes the Protection Gap
FHE directly addresses the vulnerabilities identified by transforming the very nature of data handling within AI workflows. This ensures data privacy and integrity without compromising operational efficiency.
Eliminates Plaintext Exposure
No more data leakage at processing points, as all computations occur directly on encrypted data.
Mitigates Prompts Exposure
Prompts and their responses are processed homomorphically, preventing direct manipulation or exfiltration.
Secures Tool Chains
Tool poisoning becomes ineffective as commands and outputs remain encrypted throughout execution.
Ensures Data Integrity
Homomorphic operations inherently protect data from unauthorized modification or inference during computation.
Mirror VectaX FHE Solution
Mirror's VectaX represents the practical implementation of FHE technology specifically designed for AI workloads. Our solution transforms theoretical cryptographic capabilities into a production-ready security framework that integrates seamlessly with existing AI infrastructure.
Data flow architecture comparing standard AI system components with their FHE enabled counterparts.
Key Benefits of Mirror VectaX
Zero Exposure Processing
AI models operate on encrypted data throughout the entire pipeline from initial input through final output—never requiring decryption at any stage. This eliminates the traditional vulnerability windows where data exists in plaintext form across all ecosystem components.
Maintained Functionality
FHE preserves full AI capabilities including training, inference, and real-time processing without performance degradation, ensuring security doesn't compromise operational efficiency. Mirror's VectaX achieves this through optimized homomorphic operations specifically designed for neural network computations and vector operations.
End-to-End Protection
Data remains encrypted from source systems through AI processing to result delivery, reducing the vulnerable decryption points our research identified across the ecosystem. Only authorized endpoints with proper cryptographic keys can access the final decrypted results.
Component-Level Security
Each critical AI ecosystem component from agents and IP to vector databases and LLMs operates within its own encrypted domain while maintaining seamless interoperability through homomorphic computation protocols.
Conclusion : The AI Security Inflection Point
We stand at a pivotal moment. As AI adoption accelerates across industries, the attack chains we've documented—from prompt injection to credential harvesting and tool poisoning—create an expanding threat surface that only cryptographic solutions like FHE can effectively address. These vulnerabilities persist because traditional security operates on plaintext data, while FHE eliminates the exposure points entirely by maintaining encryption throughout all AI operations.
Our research reveals a critical juncture in AI security. The 87% data security gap, combined with 73-91% attack success rates across AI extensions, agents, and protocols, demonstrates that current security measures are fundamentally inadequate for the AI era. This vulnerability is compounded by a dangerous disconnect: while 77% of organizations believe their AI systems are secure, only 9% have implemented AI security across their AI infrastructure.
The Path Forward
Foundation, Not Policies
Outsourcing security to AI third-party providers through trust policies leaves critical data exposure problems unresolved, requiring organizations to embed foundational security directly into their AI architecture.
Encryption Throughout
End-to-end encryption through FHE implementation needs to become the foundational standard for AI deployments, not an afterthought.
Implementation Readiness
With FHE now available as a proven solution, enterprises can finally secure their AI implementations against data breaches and protect the integrity of their AI-driven operations.
Mirror VectaX and similar FHE solutions offer a practical path to secure AI— one that maintains functionality while eliminating the critical vulnerabilities our research has exposed.
mirrorsecurity.io
hello@mirrorsecurity.io