AI Sec Watch

A North Korean hacking group called UNC1069 is targeting cryptocurrency companies using AI tools, including LLMs (large language models, which are AI systems trained on huge amounts of text), deepfakes (fake videos or images created by AI), and a technique called ClickFix (a social engineering scam that tricks users into downloading malware by posing as tech support). The group has shifted focus from attacking traditional banks to targeting Web3 companies, which are blockchain-based services in the cryptocurrency space.

OpenClaw is a tool that lets users create AI personal assistants by connecting large language models (LLMs, or AI systems trained on huge amounts of text) to external tools like email and file systems, but this creates serious security risks. When AI assistants have access to sensitive data and the ability to take actions in the real world, mistakes by the AI or attacks by hackers could expose private information or cause damage. The biggest concern is prompt injection (tricking an AI by hiding malicious instructions in text or images it reads), which could let attackers hijack the assistant and steal the user's data.

OpenAI now allows developers to use Skills (reusable code packages) directly in the OpenAI API through a shell tool, with the ability to upload Skills as compressed files or send them inline as base64-encoded zip data (a way of encoding binary files as text) within JSON requests. The example shows how to create an API call that uses a custom skill to count words in a file, making it easier to extend AI capabilities with custom tools.

GLM-5 is a new, very large open-source AI model (754 billion parameters, which are the adjustable values that make up a neural network) released under the MIT license, making it twice the size of its predecessor GLM-4. The source discusses how developers are increasingly using the term 'agentic engineering' (building software systems where AI acts autonomously to complete multi-step tasks) to describe professional software development with large language models.

This article discusses how organizations should choose modern SIEM (security information and event management, a system that collects and analyzes security data from across an organization) platforms designed for the 'agentic era' where AI agents automate security tasks. Rather than maintaining fragmented legacy tools, companies should adopt unified, cloud-native platforms that combine data collection, analytics, and response capabilities, enabling both human analysts and AI to detect threats faster and respond more effectively.

The QuitGPT movement is a growing campaign where users are canceling their ChatGPT subscriptions due to frustration with the chatbot's capabilities and communication style, with complaints flooding social media platforms in recent weeks. The article also covers several other tech stories, including potential cost competitiveness of electric vehicles in Africa by 2040, social media companies agreeing to independent safety assessments for teen mental health protection, and regulatory decisions affecting vaccine development.

Skills (tools that extend AI capabilities) can be secretly backdoored using invisible Unicode characters (special hidden text markers that certain AI models like Gemini and Claude interpret as instructions), which can survive human review because the malicious code is not visible to readers. The post demonstrates this supply chain attack (where malicious code enters a system through a trusted source) and presents a basic scanner tool that can detect such hidden prompt injection (tricking an AI by hiding instructions in its input) attacks.

Researchers discovered a new attack called CHAI (Command Hijacking against embodied AI) that tricks AI systems controlling robots and autonomous vehicles by embedding fake instructions in images, such as misleading road signs. The attack exploits Large Visual-Language Models (LVLMs, which are AI systems that understand both images and text together) to make these embodied AI systems (robots that perceive and interact with the physical world) ignore their real commands and follow the attacker's hidden instructions instead. The researchers tested CHAI on drones, self-driving cars, and real robots, showing it works better than previous attack methods.

LangChain (a framework for building AI agents and applications powered by large language models) versions before 1.2.11 have a vulnerability where the ChatOpenAI.get_num_tokens_from_messages() method doesn't validate image URLs, allowing attackers to perform SSRF attacks (server-side request forgery, where an attacker tricks a server into making unwanted requests to other systems). This vulnerability was fixed in version 1.2.11.