Skip to content

Secure IT

Stay Secure. Stay Informed.

Primary Menu
  • Home
  • Sources
    • Krebs On Security
    • Security Week
    • The Hacker News
    • Schneier On Security
  • Home
  • The Hacker News
  • LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents
  • The Hacker News

LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents

[email protected] The Hacker News Published: June 17, 2025 | Updated: June 17, 2025 3 min read
1 views

Jun 17, 2025Ravie LakshmananVulnerability / LLM Security

LangChain LangSmith Bug

Cybersecurity researchers have disclosed a now-patched security flaw in LangChain’s LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.

The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security.

LangSmith is an observability and evaluation platform that allows users to develop, test, and monitor large language model (LLM) applications, including those built using LangChain. The service also offers what’s called a LangChain Hub, which acts as a repository for all publicly listed prompts, agents, and models.

“This newly identified vulnerability exploited unsuspecting users who adopt an agent containing a pre-configured malicious proxy server uploaded to ‘Prompt Hub,'” researchers Sasi Levi and Gal Moyal said in a report shared with The Hacker News.

Cybersecurity

“Once adopted, the malicious proxy discreetly intercepted all user communications – including sensitive data such as API keys (including OpenAI API Keys), user prompts, documents, images, and voice inputs – without the victim’s knowledge.”

The first phase of the attack essentially unfolds thus: A bad actor crafts an artificial intelligence (AI) agent and configures it with a model server under their control via the Proxy Provider feature, which allows the prompts to be tested against any model that is compliant with the OpenAI API. The attacker then shares the agent on LangChain Hub.

The next stage kicks in when a user finds this malicious agent via LangChain Hub and proceeds to “Try It” by providing a prompt as input. In doing so, all of their communications with the agent are stealthily routed through the attacker’s proxy server, causing the data to be exfiltrated without the user’s knowledge.

The captured data could include OpenAI API keys, prompt data, and any uploaded attachments. The threat actor could weaponize the OpenAI API key to gain unauthorized access to the victim’s OpenAI environment, leading to more severe consequences, such as model theft and system prompt leakage.

What’s more, the attacker could use up all of the organization’s API quota, driving up billing costs or temporarily restricting access to OpenAI services.

It doesn’t end there. Should the victim opt to clone the agent into their enterprise environment, along with the embedded malicious proxy configuration, it risks continuously leaking valuable data to the attackers without giving any indication to them that their traffic is being intercepted.

Following responsible disclosure on October 29, 2024, the vulnerability was addressed in the backend by LangChain as part of a fix deployed on November 6. In addition, the patch implements a warning prompt about data exposure when users attempt to clone an agent containing a custom proxy configuration.

“Beyond the immediate risk of unexpected financial losses from unauthorized API usage, malicious actors could gain persistent access to internal datasets uploaded to OpenAI, proprietary models, trade secrets and other intellectual property, resulting in legal liabilities and reputational damage,” the researchers said.

New WormGPT Variants Detailed

The disclosure comes as Cato Networks revealed that threat actors have released two previously unreported WormGPT variants that are powered by xAI Grok and Mistral AI Mixtral.

Cybersecurity

WormGPT launched in mid-2023 as an uncensored generative AI tool designed to expressly facilitate malicious activities for threat actors, such as creating tailored phishing emails and writing snippets of malware. The project shut down not long after the tool’s author was outed as a 23-year-old Portuguese programmer.

Since then several new “WormGPT” variants have been advertised on cybercrime forums like BreachForums, including xzin0vich-WormGPT and keanu-WormGPT, that are designed to provide “uncensored responses to a wide range of topics” even if they are “unethical or illegal.”

“‘WormGPT’ now serves as a recognizable brand for a new class of uncensored LLMs,” security researcher Vitaly Simonovich said.

“These new iterations of WormGPT are not bespoke models built from the ground up, but rather the result of threat actors skillfully adapting existing LLMs. By manipulating system prompts and potentially employing fine-tuning on illicit data, the creators offer potent AI-driven tools for cybercriminal operations under the WormGPT brand.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

About The Author

[email protected] The Hacker News

See author's posts

Original post here

What do you feel about this?

  • The Hacker News

Post navigation

Previous: Silver Fox APT Targets Taiwan with Complex Gh0stCringe and HoldingHands RAT Malware
Next: Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor

Author's Other Posts

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now cpanel-3.jpg

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

May 9, 2026 0 1
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms banking.jpg

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

May 9, 2026 0 0
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads android-calls.jpg

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

May 9, 2026 0 0
One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches zz-webinar.jpg

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

May 9, 2026 0 1

Related Stories

cpanel-3.jpg
  • The Hacker News

cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now

[email protected] The Hacker News May 9, 2026 0 1
banking.jpg
  • The Hacker News

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

[email protected] The Hacker News May 9, 2026 0 0
android-calls.jpg
  • The Hacker News

Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads

[email protected] The Hacker News May 9, 2026 0 0
zz-webinar.jpg
  • The Hacker News

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

[email protected] The Hacker News May 9, 2026 0 1
kube.jpg
  • The Hacker News

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

[email protected] The Hacker News May 9, 2026 0 0
ai-soc.jpg
  • The Hacker News

One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

[email protected] The Hacker News May 9, 2026 0 1

Trending Now

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0

Connect with Us

Social menu is not set. You need to create menu and assign it to Social Menu on Menu Settings.

Trending News

Who Runs the Ransomware Group ‘The Gentlemen?’ Who Runs the Ransomware Group ‘The Gentlemen?’ 1
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

June 10, 2026 0 0
A Record-Breaking Patch Tuesday for June 2026 2
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts 3
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks 4
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

May 25, 2026 0 0
Lawmakers Demand Answers as CISA Tries to Contain Data Leak Lawmakers Demand Answers as CISA Tries to Contain Data Leak 5
  • Uncategorized

Lawmakers Demand Answers as CISA Tries to Contain Data Leak

May 22, 2026 0 0
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada 6
  • Uncategorized

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

May 21, 2026 0 0
CISA Admin Leaked AWS GovCloud Keys on Github CISA Admin Leaked AWS GovCloud Keys on Github 7
  • Uncategorized

CISA Admin Leaked AWS GovCloud Keys on Github

May 18, 2026 0 0

You may have missed

Who Runs the Ransomware Group ‘The Gentlemen?’
  • Uncategorized

Who Runs the Ransomware Group ‘The Gentlemen?’

Sean June 10, 2026 0 0
  • Uncategorized

A Record-Breaking Patch Tuesday for June 2026

Sean June 9, 2026 0 0
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
  • Uncategorized

Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

Sean June 1, 2026 0 0
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
  • Uncategorized

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Sean May 25, 2026 0 0
Copyright © 2026 All rights reserved. | MoreNews by AF themes.