AI Sec Watch

OpenAI and Broadcom have unveiled Jalapeño, a specialized AI accelerator chip (a processor designed to speed up artificial intelligence computations) built specifically for LLM inference (the process of running trained AI models to generate outputs). Early testing shows the chip delivers significantly better performance per watt (computational power relative to energy use) than current alternatives, and it will be deployed in data centers starting in 2026.

AI agents deployed in organizations need access to sensitive systems, but current OAuth tokens (standardized digital credentials that verify identity and permissions) cannot properly track both the agent's identity and the user it represents, making it impossible to enforce proper access controls or detect misuse. The problem grows as agents become more autonomous and can act on behalf of multiple users, invoke other agents, and operate without human oversight. OAuth tokens were designed for single-principal scenarios (one actor), but AI agents operate in complex multi-principal situations that the industry has not yet standardized.

Anthropic's Mythos AI model identified vulnerabilities in classified U.S. government computer systems within hours during a security testing initiative called Project Glasswing, according to a U.S. official. The testing was conducted in cooperation with U.S. intelligence agencies to assess potential security risks the model could pose. In response, the Trump administration issued a directive requiring Anthropic to prevent foreign nationals from accessing its latest models (Fable 5 and Mythos 5), and Anthropic disabled these models for all customers to comply.

Meta paused an employee monitoring program called the Model Compatibility Initiative (MCI) after employees bypassed its security protections to access restricted data, and then did so again even after Meta claimed to fix the vulnerability. The program collected sensitive data including keystrokes, mouse movements, screen content, private conversations, and performance information to train AI models. Security experts criticized Meta for deploying inadequate access controls (security measures that limit who can view data) on such highly sensitive information, even though the company had the resources to implement stronger protections.

Anthropic Claude Desktop has a security flaw in versions v1.1348.0 through v1.2278.0 where it boots a VM (virtual machine, a simulated computer) without checking that the root filesystem image hasn't been tampered with. An attacker with basic access to a user's Mac can modify this image file, and the software will trust and run the modified version on the next boot, giving the attacker persistent control inside the VM and access to files shared with the host computer.

An unprivileged process (a program running without special administrator permissions) can cause the ebpf-profiler agent to stop working by triggering a denial of service attack. The attack blocks a background worker thread indefinitely in an `openat2` syscall (a system call that opens files), preventing the profiler from analyzing new executable files and rendering it non-functional.

OpenClaw is an AI agent that runs third-party skills from ClawHub marketplace, but these skills have broad access to local systems, creating supply chain risks (where attackers compromise software distribution to spread malware). Between February and May 2026, researchers found five malicious skills that evaded ClawHub's existing defenses, including infostealers (malware that steals information), evasion techniques, and novel agentic threats like runtime injection and front-running attacks designed for financial gain.

rtk is a tool that filters and compresses command outputs before sending them to an LLM (large language model). Before version 0.42.2, rtk's permission splitter (the part that checks if commands are allowed) failed to properly detect certain shell constructs (special syntax that Bash uses to execute commands), allowing attackers to hide unauthorized commands behind allowed ones like "git". This meant dangerous commands could run without user approval.

Daytona is a platform for running code created by AI systems in a secure way. Before version 0.185.0, it had a flaw where a user who owned any organization could change or delete roles (permission sets) from a completely different organization if they knew the role's ID, because the system didn't properly verify that the role belonged to the organization being modified.