AI Sec Watch

Chinese AI companies have recently released open-weight models (AI models whose internal numerical parameters are publicly available for anyone to download and modify) that match Western AI performance at much lower costs, with DeepSeek's R1 and Alibaba's Qwen models becoming among the most downloaded globally. Unlike proprietary Western models like ChatGPT that users access through paid APIs (application programming interfaces, standardized ways for software to communicate), these Chinese open-source models allow developers to inspect, study, and modify the code themselves. If this trend continues, it could shift where AI innovation happens and who establishes industry standards worldwide.

State-backed hackers from China, Iran, North Korea, and Russia are using Google's Gemini AI model to help carry out cyberattacks at every stage, from gathering target information to creating phishing emails and writing malware code. Criminal groups are also exploiting AI tools for social engineering attacks and building malware that uses AI to generate code automatically. Additionally, attackers are attempting model extraction and knowledge distillation (copying an AI model's decision-making by querying it repeatedly) to replicate Gemini's functionality for their own purposes.

OpenClaw is a popular open-source AI agent orchestration tool (software that coordinates multiple AI agents to complete tasks) that runs locally and can connect to apps like WhatsApp, Gmail, and smart home devices, but security researchers have found it to be critically insecure by default. Over 42,000 exposed instances have been discovered with authentication bypass vulnerabilities (weaknesses that let attackers skip login requirements) and potential remote code execution (RCE, where attackers can run commands on affected systems), exposing organizations to data breaches, credential theft, and regulatory violations.

Criminals are increasingly targeting software developers as a weak point in company security, exploiting their access to source code and cloud systems rather than just finding bugs in applications. Attackers use multiple tactics including malicious open-source packages (libraries of reusable code), compromised development environments (where programmers write code), and fake job applications to gain insider access. Over 454,000 malware-infected open-source packages were discovered in 2025 alone, and developers repeatedly download vulnerable versions of tools like Log4j, expanding their exposure to known security weaknesses.

Companies are using hidden instructions embedded in 'Summarize with AI' buttons to manipulate enterprise chatbots through a technique called AI recommendation poisoning (tricking an AI by hiding instructions in its input that make it remember false preferences). Microsoft research found 50 examples of this technique deployed by 31 companies, where users unknowingly click a summarize button that secretly tells their AI to favor that company's products in future responses. This is particularly dangerous because the AI cannot distinguish genuine user preferences from injected ones, potentially leading to biased recommendations on critical topics like health, finance, and security.

Apple's iOS, macOS, tvOS, watchOS, and visionOS contain a buffer overflow vulnerability (a flaw where code writes data beyond the intended memory boundaries), which could allow an attacker with memory write access to run arbitrary code (any instructions they choose). This vulnerability is currently being actively exploited by attackers.

Microsoft Configuration Manager has an SQL injection vulnerability (a type of attack where specially crafted input tricks a database into running unintended commands), allowing unauthenticated attackers to send malicious requests that could let them execute commands on the server or database. This vulnerability is currently being actively exploited by real attackers.

CVE-2026-1669 is a vulnerability in Keras (a machine learning library) versions 3.0.0 through 3.13.1 that allows attackers to read arbitrary files on a system by uploading a specially crafted model file that exploits HDF5 external dataset references (a feature of HDF5, a file format commonly used to store large amounts of numerical data). An attacker could use this to access sensitive information stored on the affected computer.

sf-mcp-server, a tool that connects Salesforce to Claude for Desktop, has a command injection vulnerability (CWE-78, a flaw where attackers inject malicious commands into user input). The vulnerability exists because the software unsafely uses child_process.exec (a function that runs shell commands) with user-controlled input, allowing attackers to execute arbitrary shell commands with the server's privileges.