AI Sec Watch

Historian Rutger Bregman argues that consumers should boycott ChatGPT because OpenAI has partnered with the Pentagon, which he claims integrates the chatbot into authoritarian infrastructure. The QuitGPT group is demanding that OpenAI stop donations to Trump and refuse to use AI for mass surveillance or lethal autonomous weapons (weapons that can select and attack targets without human control).

Google is expanding its Gemini AI chatbot integration in Chrome to India, Canada, and New Zealand, allowing users to access Gemini through a sidebar on desktop and mobile to ask questions about web content, access Gmail and other Google apps, and compare information across tabs. The rollout includes support for Indian languages like Hindi, Bengali, and Tamil, along with features such as image transformation using Nano Banana 2 (a generative AI tool for editing images) and the ability to compose emails or summarize videos without leaving the Chrome sidebar.

The `@appium/support` library has a bug in its ZIP file extraction code that fails to prevent Zip Slip attacks (a vulnerability where malicious ZIP files use `../` path components to write files outside the intended folder). The security check creates an error message but never throws it, so malicious ZIP entries can write files anywhere the Appium process has permission to write. This affects all JavaScript-based ZIP extractions by default.

AI security risk doesn't come from single weaknesses but emerges when components across multiple layers (infrastructure, models, data, and applications) interact together. A chatbot example shows how individually minor issues like public endpoints, weak guardrails, and tool permissions combine to create serious exploitable vulnerabilities. Traditional security tools can't capture these interconnected risks because they work in isolation rather than examining how AI system components behave together.

n8n, a workflow automation tool, has a vulnerability in how it handles dynamically managed code resources (code that is created or modified while the program runs), which allows attackers to execute arbitrary code remotely on affected systems. This vulnerability is currently being actively exploited by attackers in the wild.

Microsoft's March Patch Tuesday release includes three high-severity vulnerabilities in Office: an information disclosure flaw in Excel (CVE-2026-26144) that can leak data through improper input handling, and two remote code execution bugs (CVE-2026-26113 and CVE-2026-26110) caused by memory handling errors that could let attackers run malicious code. These vulnerabilities are particularly dangerous because they can be triggered through routine document handling and preview features without requiring user interaction.

Flowise, a tool for building custom AI workflows with a drag-and-drop interface, had a vulnerability before version 3.0.13 where its HTTP Node allowed attackers to perform SSRF (server-side request forgery, forcing a server to make requests to internal resources it shouldn't access) by sending requests to private networks or internal systems that are normally hidden from the public internet. This vulnerability is fixed in 3.0.13.

Microsoft is supporting Anthropic, an AI company that was recently banned by the Pentagon as a supply chain risk (a security designation historically used for foreign adversaries), by asking a court to temporarily block the ban so both sides can negotiate. The dispute arose because Anthropic wanted safeguards against its AI models being used for autonomous weapons or mass surveillance, while the Pentagon wanted unrestricted access for any lawful military purpose.

Elon Musk's AI company xAI received approval to operate 41 methane gas turbines at its Mississippi datacenter to power its AI supercomputers (large arrays of specialized computing chips used to train and run AI models), nearly doubling its current power capacity. These turbines will provide electricity for xAI's infrastructure that supports Grok, the company's AI chatbot product.