AI Sec Watch

Claude Code, a tool that uses AI to help write software, had a security flaw in versions before 2.1.2 where its bubblewrap sandboxing mechanism (a security container that isolates code) failed to protect a settings file called .claude/settings.json if it didn't already exist. This allowed malicious code running inside the sandbox to create this file and add persistent hooks (startup commands that execute automatically), which would then run with elevated host privileges when Claude Code restarted.

Claude Code (an AI tool that can write and modify software) before version 2.1.7 had a security flaw where it could bypass file access restrictions through symbolic links (shortcuts that point to other files). If a user blocked Claude Code from reading a sensitive file like /etc/passwd, the tool could still read it by accessing a symbolic link pointing to that file, bypassing the security controls.

Claude Code (an AI tool that can write and run code automatically) had a security flaw before version 2.0.55 where it didn't properly check certain commands, allowing attackers to write files to protected folders they shouldn't be able to access, as long as they could get Claude Code to run commands with the "accept edits" feature turned on.

Claude Code, an agentic coding tool (AI software that can write and execute code), had a security flaw in versions before 2.0.57 where it failed to properly check directory changes. An attacker could use the cd command (change directory, which moves to a different folder) to navigate into protected folders like .claude and bypass write protections, allowing them to create or modify files without the user's approval, especially if they could inject malicious instructions into the tool's context window (the information the AI reads before responding).

Security researchers discovered multiple vulnerabilities in OpenClaw, an AI assistant, including malicious skills (add-on programs that extend the assistant's abilities) and problematic configuration settings that make it unsafe to use. The issues affect both the installation and removal processes of the software.

Differentially private databases (DP-DBs, systems that add mathematical noise to data to protect individual privacy while allowing useful analysis) need auditing services to verify they actually protect privacy as promised, but current approaches don't handle database-specific challenges like varying query sensitivities well. This paper introduces DPAudit, a framework that audits DP-DBs by generating realistic test scenarios, estimating privacy loss parameters, and detecting improper noise injection through statistical testing, even when the database's inner workings are hidden.

PROTheft is a model extraction attack (a method where attackers steal an AI model's functionality by observing its responses to many input queries) that works on real-world vision systems like autonomous vehicles by projecting digital attack samples onto a device's camera. The attack bridges the gap between digital attacks and physical-world scenarios by using a projector to convert digital inputs into physical images, and includes a simulation tool to predict how well attack samples will work when converted from digital to physical to digital formats.

LangChain version 1.2.9 includes several bug fixes and feature updates, such as normalizing raw schemas in middleware response formatting, supporting state updates through wrap_model_call (a function that wraps model calls to add extra behavior), and improving token counting (the process of measuring how many units of text an AI needs to process). The release also fixes issues like preventing UnboundLocalError (a programming error where code tries to use a variable that hasn't been defined yet) when no AIMessage exists.

Anthropic's Claude Opus 4.6, a new AI language model, discovered over 500 previously unknown high-severity security flaws in popular open-source software libraries like Ghostscript, OpenSC, and CGIF by analyzing code the way a human security researcher would. The model was able to find complex vulnerabilities, including some that traditional automated testing tools (called fuzzers, which automatically test software with random inputs) struggle to detect, and all discovered flaws were validated and have since been patched by the software maintainers.