AI Agent Exploits SQL Injection to Compromise McKinsey's Lilli Chatbot

Attack Details and Impact
CodeWall's AI agent targeted McKinsey's generative AI platform Lilli, which processes over 500,000 prompts monthly and is used by 72% of McKinsey's employees (approximately 40,000 people). The agent operated fully autonomously from target research through attack execution and reporting, without any credentials or human input during the process.
Technical Exploitation
The agent discovered 22 publicly exposed API endpoints that didn't require authentication. One endpoint wrote user search queries where JSON keys were concatenated directly into SQL statements, creating a SQL injection vulnerability. The agent recognized this when it found JSON keys reflected verbatim in database error messages - a pattern standard security tools wouldn't flag.
The exploitation was straightforward: "No deployment needed. No code change. Just a single UPDATE statement wrapped in a single HTTP call."
Data Accessed
- 46.5 million chat messages about strategy, mergers and acquisitions, and client engagements (stored in plaintext)
- 728,000 files containing confidential client data
- 57,000 user accounts
- 95 system prompts controlling the AI's behavior (all writable)
Critical Risk
The writable system prompts meant an attacker could have poisoned all responses from Lilli to tens of thousands of consultants, potentially manipulating guardrails, answer generation, and source citations without detection.
Response and Remediation
CodeWall discovered the flaw in late February and disclosed the full attack chain on March 1. By March 2, McKinsey had:
- Patched all unauthenticated endpoints
- Taken the development environment offline
- Blocked public API documentation
McKinsey stated they fixed all issues within hours of notification and found no evidence of unauthorized data access. The company's investigation was supported by a third-party forensics firm.
Broader Implications
This incident demonstrates how AI agents are becoming effective tools for conducting cyberattacks against other AI systems. CodeWall CEO Paul Price noted that while this was a security research exercise, threat actors are increasingly using similar agent technology in real-world attacks, indicating machine-speed intrusions are becoming more common.
📖 Read the full source: HN AI Agents
👀 See Also

Claude Code source map leak reveals minified JavaScript was already public on npm
A source map file accidentally included in version 2.1.88 of the @anthropic-ai/claude-code npm package revealed internal developer comments, but the actual 13MB cli.js file containing 148,000+ plaintext strings has been publicly accessible on npm since launch.

OpenClaw Security Approach Using LLM Router and zrok Private Sharing
A developer shares their approach to running OpenClaw and an LLM router inside a VM+Kubernetes environment with a single command, addressing security concerns by injecting API keys at the router level and using zrok for private sharing instead of traditional messaging app tokens.

Threat data from 91K AI agent interactions: Tool abuse up 6.4%, new multimodal attacks
Analysis of 91,284 AI agent interactions from February 2026 shows tool/command abuse increased 6.4% to 14.5%, with tool chain escalation as the dominant pattern. RAG poisoning shifted to metadata attacks (12.0%), and multimodal injection via images/PDFs emerged at 2.3%.

OpenClaw SOC Agent Integration for SIEM Home Lab Threat Hunting
A Reddit user shares their open-source SIEM setup called Red Threat Redemption on Debian 13, integrating Elasticsearch, Kibana, Wazuh, Zeek, and pfSense with Suricata, then adds an AI agent for automated threat correlation, hunting, and alert triage.