One hidden sentence in a PDF. That's all it took to hijack Google's Gemini browser agent. Their fix? A second AI model that watches the first one's every move. Meanwhile, Amazon's Q coding assistant got compromised with a prompt designed to wipe developer files. Thirty more vulnerabilities just dropped across Cursor, Copilot, and other AI IDEs. And the White House is moving to override state AI laws before they take effect. The attack surface is growing faster than the defenses. Here's what you need to know—and do—this week.

In Today’s 5-Minute AI Digest. You will get:

1. The MOST important AI News & research
2. AI Prompt of the week
3. AI Tool of the week
4. AI Tip of the week

…all in a FREE Weekly newsletter. 

Google admitted its Chrome assistant could be hijacked by indirect prompt injection and added a 'user alignment critic' model that sees only metadata and can block suspicious actions. They also introduced origin sets to restrict which sites agents can access. OWASP found prompt injection in 73% of production AI deployments—layered defenses are now table stakes.

Security researcher Ari Marzouk disclosed over thirty flaws in Cursor, Roo Code, and GitHub Copilot. Exploits combine prompt injection with auto-approved tool calls—attacks hide in pasted text, Unicode characters, or poisoned MCP servers. The fix requires a 'Secure for AI' paradigm: design products assuming AI components will be targeted.

[Read the full story]

Stack Overflow's 2025 survey: 84% of developers use AI coding tools, 51% daily. That adoption made Amazon Q a target—hackers embedded a file-wiping prompt in its VS Code extension. The open Model Context Protocol exposes every agentic tool to supply-chain attacks. Every input is a potential injection vector.

President Trump's executive order creates an AI Litigation Task Force to challenge state regulations deemed 'onerous.' States risk losing federal funding. This unprecedented preemption could centralize AI governance—or trigger a legal battle over states' rights.

The critic model isn't a clever feature—it's a concession. One AI couldn't reliably distinguish instructions from data, so now two AIs check each other's work. Expect Microsoft and OpenAI to announce similar architectures within 90 days. But here's what most coverage misses: this doubles compute costs and latency for every agentic action.

The companies building efficient multi-model safety layers—not just the best base models—will own the next era of AI deployment. Your move: treat every agentic AI as untrusted. Minimize privileges, require human approval for high-risk actions, and budget for the overhead of layered defenses. The single-model era is over.

Use this structured prompt to surface AI vulnerabilities before attackers do:

Role & task: You are a cybersecurity strategist creating a risk register for [describe your AI system].
Context: List all components—data sources, APIs, MCP servers, plugins, prompts, autonomous actions. Focus on prompt injection, context pollution, supply-chain compromise, and over-privileged tools.
Examples: For each component, identify one plausible exploit (e.g., hidden Unicode in pasted code, typosquatting packages).
Output: A table with columns: Component | Threat | Impact | Likelihood | Severity | Mitigations.

Example output:

Why it works: Structured prompts with role, context, examples, and output format improve accuracy 40–60%. This surfaces risks systematically—before deployment, not after breach.

What it is: An autonomous software engineer that plans, codes, tests, and refactors—with human oversight on every PR.

Why you need it: Nubank used Devin to refactor an 8-year-old ETL system: 12× efficiency gains, 20× cost savings.

One-liner: 'A junior dev who never sleeps—but you still review every PR.'

Rating: ⭐⭐⭐⭐ (4/5) — Powerful for scoped tasks; requires clear specifications and active review.

•       Fine-tuning doubled completion scores, quadrupled speed

•       Builds its own scripts to accelerate repetitive work

•       Human-in-the-loop catches issues before merge

Best for: Legacy migrations, repetitive refactors, or backlog with clear patterns.

Link: devin.ai

The tip: Before your main question, ask the AI to improve your prompt first.

Why it works: LLMs are trained on high-quality prompts. Asking them to refine yours activates that pattern-matching, yielding sharper results than your first draft.

Before: 'Write me a marketing email for our new product.'

Meta-prompt: 'Before answering, improve this prompt to get better results: Write me a marketing email for our new product.'

After (AI-refined): 'Write a 150-word marketing email for [product] targeting [audience]. Tone: conversational but urgent. Include one testimonial and a clear CTA. Subject line options: 3.'

Limitations: Adds latency. Skip for simple lookups or time-sensitive tasks.

Pro move: Use the refined prompt in a fresh context—no prior conversation bleeding in.

•       Single-model safety is dead—expect multi-model architectures industry-wide

•       Every AI coding tool input is an injection vector—73% of deployments are vulnerable

•       Federal preemption may override state AI laws—the task force launches in 90 days

Now implement one:

1.     Audit your agents: Map where AI tools can read and act. Add origin restrictions and confirmation gates.

2.     Harden your IDEs: Update extensions. Disable auto-approved writes. Inspect MCP servers.

3.     Build your risk register: Use this week's prompt. Revisit it monthly.

4.     Try Devin on one contained project: Review every PR. Measure before scaling.

5.     Meta-prompt your next complex request: Let the AI sharpen your question first.

Most readers will skim this and forget it by lunch. The ones who pick one action and ship it today will be the ones their team turns to when the next vulnerability drops.

Hit reply and tell me which move you're making. I read every response.

Stay curious—and stay paranoid.

— R. Lauritsen

P.S. Know someone still running AI tools with default permissions? Forward this. They'll owe you one.