
AI Agent Hacks McKinsey

https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform
98•mycroft_4221•5h ago

Comments

gbourne1•1h ago
> "The agent mapped the attack surface and found the API documentation publicly exposed — over 200 endpoints, fully documented. Most required authentication. Twenty-two didn't."

Well, there you go.

sgt101•1h ago
Why was there a public endpoint?

Surely this should all have been behind the firewall and accessible only from a corporate device associated mac address?

jihadjihad•1h ago
Surely.

sd9•1h ago
Cool but impossible to read with all the LLM-isms

vanillameow•1h ago
Tiring. Internet in 2026 is LLMs reporting on LLMs pen-testing LLM-generated software.

causal•28m ago
Those short "punchy sentence" paragraphs are my new trigger:

> No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream.

It just sounds so stupid.

lenerdenator•1h ago
Not exactly clear from the link: were they doing red team work for McKinsey or is this just "we found a company we thought wouldn't get us arrested and ran an AI vuln detector over their stuff"?

You'd think that the world's "most prestigious consulting firm" would have already had someone doing this sort of work for them.

frereubu•30m ago
From TFA: "Fun fact: As part of our research preview, the CodeWall research agent autonomously suggested McKinsey as a target citing their public responsible disclosure policy (to keep within guardrails) and recent updates to their Lilli platform. In the AI era, the threat landscape is shifting drastically — AI agents autonomously selecting and attacking targets will become the new normal."

fhd2•1h ago
> This was McKinsey & Company — a firm with world-class technology teams [...]

Not exactly the word on the street in my experience. Is McKinsey more respected for software than I thought? Otherwise I'm curious why TFA didn't just politely leave this bit out.

aerhardt•1h ago
The LLM that wrote this simply couldn’t help itself.

codechicago277•59m ago
Picked up a vibe, but couldn’t confirm it until the last paragraph, but yeah clearly drafted with at least major AI help.

vanillameow•13m ago
Can we stop softening the blow? This isn't "drafted with at least major AI help", it's just straight up AI slop writing. Let's call a spade a spade. I have yet to meet anyone claiming they "write with AI help but thoughts are my own" that had anything interesting to say. I don't particularly agree with a lot of Simon Willison's posts but his proofreading prompt should pretty much be the line on what constitutes acceptable AI use for writing.

https://simonwillison.net/guides/agentic-engineering-pattern...

Grammar check, typo check, calls you out on factual mistakes and missing links and that's it. I've used this prompt once or twice for my own blog posts and it does just what you expect. You just don't end up with writing like this post by having AI "assistance" - you end up with this type of post by asking Claude, probably the same Claude that found the vulnerability to begin with, to make the whole ass blog post. No human thought went into this. If it did, I strongly urge the authors to change their writing style asap.

"So we decided to point our autonomous offensive agent at it. No credentials. No insider knowledge. And no human-in-the-loop. Just a domain name and a dream."

Give me a fucking break

lenerdenator•1h ago
> Not exactly the word on the street in my experience.

Depends on the street you're on. Are you on Main Street or Wall Street?

If you're hiring them to help with software for solving a business problem that will help you deliver value to your customers, they're probably just like anyone else.

If you're hiring them to help with software for figuring out how to break down your company for scrap, or which South African officials to bribe, well, that's a different matter.

cmiles8•1h ago
I can only remember a McKinsey team pushing Watson on us hard ages ago. Was a total train wreck.

They’ve long been all hype no substance on AI and looks like not much has changed.

They might be good at other things but would run for the hills if McKinsey folks want to talk AI.

captain_coffee•1h ago
Music to my ears! Couldn't happen to a better company!

joenot443•1h ago
> One of those unprotected endpoints wrote user search queries to the database. The values were safely parameterised, but the JSON keys — the field names — were concatenated directly into SQL.

I was expecting prompt injection, but in this case it was just good ol' fashioned SQL injection, possible only due to the naivety of the LLM which wrote McKinsey's AI platform.

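The bug pattern quoted above (values bound as parameters, field names concatenated into the statement) is easy to miss in code review precisely because the query "uses parameters". The following is an added example, not code from the article or from McKinsey's platform: it shows that pattern next to a hardened version that checks every JSON key against an allowlist of real column names before it can reach the SQL text. The table and column names, and the sample payloads, are constructed for the illustration.

```python
import re
import sqlite3

# Assumed schema for this illustration; the real table and column names are not on the page.
TABLE = "search_queries"
ALLOWED_COLUMNS = frozenset({"query_text", "user_id", "source"})
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def build_insert_unsafe(payload: dict) -> tuple[str, list]:
    """The pattern the comment describes: values are bound with '?', but the
    JSON keys (field names) are spliced straight into the statement text."""
    cols = ", ".join(payload.keys())
    marks = ", ".join("?" for _ in payload)
    return f"INSERT INTO {TABLE} ({cols}) VALUES ({marks})", list(payload.values())


def build_insert_safe(payload: dict) -> tuple[str, list]:
    """Hardened form. Identifiers cannot be passed as bind parameters, so every
    key is checked against an allowlist of known column names (plus a strict
    identifier regex as a second line of defence) before it reaches the SQL string."""
    for key in payload:
        if key not in ALLOWED_COLUMNS or not IDENT_RE.fullmatch(key):
            raise ValueError(f"rejected field name {key!r}")
    cols = ", ".join(f'"{k}"' for k in payload)  # quoting is harmless once allowlisted
    marks = ", ".join("?" for _ in payload)
    return f"INSERT INTO {TABLE} ({cols}) VALUES ({marks})", list(payload.values())


def key_reaches_sql_text(builder, key: str) -> bool:
    """Does an arbitrary JSON key end up verbatim inside the statement text?
    Returns False when the builder refuses the payload outright."""
    try:
        sql, _ = builder({key: "value"})
    except ValueError:
        return False
    return key in sql


def insert_and_count(builder, payload: dict) -> int:
    """Run a builder against an in-memory SQLite table and return the row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, query_text TEXT, user_id INTEGER, source TEXT)"
    )
    sql, params = builder(payload)
    conn.execute(sql, params)
    return conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]


if __name__ == "__main__":
    benign = {"query_text": "quarterly revenue", "user_id": 42}
    print(insert_and_count(build_insert_safe, benign))          # 1: both builders accept a well-formed payload
    odd_key = "query_text) -- "  # constructed: a key that is not a column name
    print(key_reaches_sql_text(build_insert_unsafe, odd_key))   # True: the key is concatenated verbatim
    print(key_reaches_sql_text(build_insert_safe, odd_key))     # False: rejected before it touches SQL
```

The point for reviewers: a bind parameter protects a value, never an identifier. Any column, table or ORDER BY name that originates in a request body has to be mapped through a fixed allowlist (or a dict from API field name to column name) rather than validated by pattern alone.
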
simonw•59m ago
Yeah, gotta admit I'm a bit disappointed here. This was a run-of-the-mill SQL injection, albeit one discovered by a vulnerability scanning LLM agent.

I thought we might finally have a high profile prompt injection attack against a name-brand company we could point people to.

jfkimmes•23m ago
Not the same league as McKinsey, but I like to point to this presentation to show the effects of a (vibe coded) prompt injection vulnerability:

https://media.ccc.de/v/39c3-skynet-starter-kit-from-embodied...

> [...] we also exploit the embodied AI agent in the robots, performing prompt injection and achieve root-level remote code execution.

TheDong•18m ago
Github actions has had a bunch of high-profile prompt injection attacks at this point, most recently the cline one: https://adnanthekhan.com/posts/clinejection/

I guess you could argue that github wasn't vulnerable in this case, but rather the author of the action, but it seems like it at least rhymes with what you're looking for.

danenania•12m ago
> I thought we might finally have a high profile prompt injection attack against a name-brand company we could point people to.

These folks have found a bunch: https://www.promptarmor.com/resources

But I guess you mean one that has been exploited in the wild?

paxys•59m ago
> named after the first professional woman hired by the firm in 1945

Going out of their way to find a woman's name for an AI assistant and bragging about it is not as empowering as the creators probably thought in their heads.

bee_rider•58m ago
I don’t love the title here. Maybe this is a “me” problem, but when I see “AI agent does X,” the idea that it might be one of those molt-y agents with obfuscated ownership pops into my head.

In this case, a group of pentesters used an AI agent to select McKinsey and then used the AI agent to do the pentesting.

While it is conventional to attribute actions to inanimate objects (car hits pedestrians), IMO we should be more explicit these days, now that unfortunately some folks attribute agency to these agentic systems.

simonw•36m ago
Yeah, the original article title "How We Hacked McKinsey's AI Platform" is better.

causal•25m ago
Yah it's just an ad, and "Pentesting agents finds low-hanging vulnerability" isn't gonna drive clicks.

jacquesm•8m ago
It's not an ad for McKinsey though.

tasuki•24m ago
> now that unfortunately some folks attribute agency to these agentic systems.

You're doing that by calling them "agentic systems".

sigmar•43m ago
I've got no idea who codewall is. Is there acknowledgment from McKinsey that they actually patched the issue referenced? I don't see any reference to "codewall ai" in any news article before yesterday and there's no names on the site.

https://www.google.com/search?q=codewall+ai

rzmmm•15m ago
Yeah can't find much information either. I would like to see at least some proof. Either via McKinsey or from the security team.

victor106•28m ago
this reads like it was written by an LLM

ecshafer•27m ago
If the AI was poisoned to alter advice, then maybe McKinsey advice would actually be a net good.

mnmnmn•20m ago
McKinsey can eat shit

frankfrank13•19m ago
Some insider knowledge: Lilli was, at least a year ago, internal only. VPN access, SSO, all the bells and whistles, required. Not sure when that changed.

McKinsey requires hiring an external pen-testing company to launch even to a small group of coworkers.

I can forgive this kind of mistake on the part of the Lilli devs. A lot of things have to fail for an "agentic" security company to even find a public endpoint, much less start exploiting it.

That being said, the mistakes in here are brutal. Seems like close to 0 authz. Based on very outdated knowledge, my guess is a Sr. Partner pulled some strings to get Lilli to be publicly available. By that time, much/most/all of the original Lilli team had "rolled off" (gone to client projects) as McKinsey HEAVILY punishes working on internal projects.

So Lilli likely was staffed by people who couldn't get staffed elsewhere, didn't know the code, and didn't care. Internal work, for better or worse, is basically a half day.

This is a failure of McKinsey's culture around technology.

jacquesm•6m ago
And: AI agent writes blog post.

Lego's 0.002 mm Specification and Its Implications for Manufacturing (2025)

https://www.thewave.engineer/articles.html/productivity/legos-0002mm-specification-and-its-implic...
158•scrlk•1h ago•96 comments

The entities enabling scientific fraud at scale are large, resilient and growing

https://doi.org/10.1073/pnas.2420092122
74•peyton•1h ago•21 comments

Microsoft BitNet: 100B Param 1-Bit model for local CPUs

https://github.com/microsoft/BitNet
142•redm•2h ago•80 comments

Faster Asin() Was Hiding in Plain Sight

https://16bpp.net/blog/post/faster-asin-was-hiding-in-plain-sight/
48•def-pri-pub•46m ago•7 comments

Whistleblower: DOGE member took Social Security data to new job

https://www.washingtonpost.com/politics/2026/03/10/social-security-data-breach-doge-2/
264•raldi•1h ago•106 comments

PeppyOS: A simpler alternative to ROS 2 (now with containers support)

https://peppy.bot/
44•Ekami•3d ago•13 comments

Building a TB-303 from Scratch

https://loopmaster.xyz/tutorials/tb303-from-scratch
156•stagas•3d ago•57 comments

AI Agent Hacks McKinsey

https://codewall.ai/blog/how-we-hacked-mckinseys-ai-platform
99•mycroft_4221•5h ago•33 comments

UK MPs give ministers powers to restrict Internet for under 18s

https://www.openrightsgroup.org/press-releases/mps-give-ministers-powers-to-restrict-entire-inter...
60•robtherobber•1h ago•38 comments

Zig – Type Resolution Redesign and Language Changes

https://ziglang.org/devlog/2026/#2026-03-10
339•Retro_Dev•13h ago•176 comments

Cloudflare crawl endpoint

https://developers.cloudflare.com/changelog/post/2026-03-10-br-crawl-endpoint/
398•jeffpalmer•16h ago•153 comments

Create value for others and don’t worry about the returns

https://geohot.github.io//blog/jekyll/update/2026/03/11/running-69-agents.html
542•ppew•9h ago•377 comments

U+237C ⍼ Is Azimuth

https://ionathan.ch/2026/02/16/angzarr.html
364•cokernel_hacker•16h ago•62 comments

Yann LeCun raises $1B to build AI that understands the physical world

https://www.wired.com/story/yann-lecun-raises-dollar1-billion-to-build-ai-that-understands-the-ph...
545•helloplanets•1d ago•448 comments

Tony Hoare has died

https://blog.computationalcomplexity.org/2026/03/tony-hoare-1934-2026.html
1912•speckx•1d ago•251 comments

TADA: Fast, Reliable Speech Generation Through Text-Acoustic Synchronization

https://www.hume.ai/blog/opensource-tada
80•smusamashah•9h ago•20 comments

Julia Snail – An Emacs Development Environment for Julia Like Clojure's Cider

https://github.com/gcv/julia-snail
123•TheWiggles•3d ago•16 comments

Agents that run while I sleep

https://www.claudecodecamp.com/p/i-m-building-agents-that-run-while-i-sleep
380•aray07•20h ago•429 comments

SSH Secret Menu

https://twitter.com/rebane2001/status/2031037389347406054
290•piccirello•1d ago•129 comments

RISC-V Is Sloooow

https://marcin.juszkiewicz.com.pl/2026/03/10/risc-v-is-sloooow/
286•todsacerdoti•19h ago•303 comments

When the chain becomes the product: Seven years inside a token-funded venture

https://markmhendrickson.com/posts/when-the-chain-becomes-the-product/
38•mhendric•3d ago•14 comments

Writing my own text editor, and daily-driving it

https://blog.jsbarretto.com/post/text-editor
158•todsacerdoti•13h ago•74 comments

Let yourself fall down more

https://ntietz.com/blog/let-yourself-fall-down-more/
7•Brajeshwar•18m ago•1 comments

Debian decides not to decide on AI-generated contributions

https://lwn.net/SubscriberLink/1061544/125f911834966dd0/
357•jwilk•1d ago•269 comments

Levels of Agentic Engineering

https://www.bassimeledath.com/blog/levels-of-agentic-engineering
243•bombastic311•1d ago•116 comments

Roblox is minting teen millionaires

https://www.bloomberg.com/news/articles/2026-03-06/roblox-s-teen-millionaires-are-disrupting-the-...
197•petethomas•3d ago•238 comments

Launch HN: RunAnywhere (YC W26) – Faster AI Inference on Apple Silicon

https://github.com/RunanywhereAI/rcli
230•sanchitmonga22•22h ago•142 comments

Where did you think the training data was coming from?

https://idiallo.com/blog/where-did-the-training-data-come-from-meta-ai-rayban-glasses
28•speckx•1h ago•3 comments

Standardizing source maps

https://bloomberg.github.io/js-blog/post/standardizing-source-maps/
62•Timothee•10h ago•6 comments

Universal vaccine against respiratory infections and allergens

https://med.stanford.edu/news/all-news/2026/02/universal-vaccine.html
325•phony-account•16h ago•114 comments