AI Sec Watch

Researchers at Mozilla's security platform discovered that AI coding agents like Claude Code can be tricked into running malware hidden inside a seemingly clean GitHub repository through a social engineering chain: a harmless-looking setup instruction causes an error, the AI automatically runs a suggested fix command, which then secretly fetches and executes malicious code from a DNS record (a server lookup system) controlled by the attacker. This attack is particularly dangerous because it leaves no suspicious code in the repository itself and the AI agent never directly evaluates the malicious payload.

OpenAI released three versions of GPT-5.6 (Sol, Terra, and Luna) as a limited preview, with Sol being the most powerful and designed for cybersecurity tasks like vulnerability research and patch development. The model includes stronger safety protections, including hardened defenses against jailbreaks (attempts to bypass safety restrictions) and guardrails to block offensive cyber activities, though OpenAI warns some legitimate requests may be blocked during the preview phase due to the dual-use nature of the technology (capabilities that can be used for both defensive and harmful purposes).

Anthropic's Mythos 5 AI model has been allowed to resume operations for a limited group of organizations after a two-week negotiation with the Trump administration, according to a government letter. However, Fable 5, the public version of the Mythos-class model, remains unavailable with no clear timeline for when it might be released to the public.

The U.S. government allowed Anthropic to release its Mythos 5 AI model to about 100 companies and federal agencies after a two-week standoff, during which Anthropic had disabled access to its latest models due to export control restrictions (government rules limiting what technology can be shared internationally). The Commerce Department said the decision was made to keep America competitive in AI while protecting national security.

Zhipu's GLM 5.2, a Chinese open source AI model (a model that can be freely downloaded and modified), has achieved performance comparable to top U.S. models like Anthropic's Opus 4.8 while costing significantly less, making it attractive to companies concerned about AI spending. Unlike proprietary models from OpenAI and Anthropic that face government restrictions, GLM 5.2 can be run on companies' own servers without risk of being revoked, positioning open source AI as a more reliable and cost-effective alternative for enterprise use.

A researcher ran a public challenge where 2,000 people attempted to hack an AI assistant by sending emails containing prompt injection attacks (tricks to make an AI ignore its safety rules and reveal secrets). After 6,000 total attempts, nobody successfully leaked the system's secrets, suggesting that modern AI models are becoming more resistant to these attacks through better training.

Attackers are creating fake OpenAI organizations impersonating real companies and sending legitimate-looking invitations to employees to trick them into sharing sensitive information like source code and internal documents in chats. The fraudulent invitations come from OpenAI's real email servers and include payment methods attached, making them difficult to spot even though OpenAI includes a warning that the inviter's email domain doesn't match the recipient's company.

Cisco is acquiring companies called Astrix and WideField to add NHI (network hygiene intelligence, which monitors and maintains network health) to its security products. The company believes that securing AI agents (autonomous software programs that perform tasks with minimal human input) requires making identity, which verifies who or what is accessing a system, the main control system.

The fluent-plugin-opentelemetry plugin's HTTP input lacks size limits, allowing attackers to send huge or highly compressed files that consume excessive memory when decompressed, causing a DoS (denial of service, a type of attack that makes a service unavailable) attack by crashing the Fluentd logging process. If the OpenTelemetry endpoint (a connection point that accepts telemetry data) is exposed to untrusted networks, an attacker can exploit this to disrupt all log collection on the affected server.