AI Sec Watch

Amazon has launched Health AI, a healthcare assistant available on its website and app that can answer health questions, explain medical records, and manage appointments by accessing users' health information through a secure nationwide system. While Amazon says Health AI operates in a HIPAA-compliant environment (meaning it follows healthcare privacy rules) and trains its models on abstracted patterns rather than identifiable patient data, researchers warn that companies may use user conversations for training purposes, though Amazon did not provide specific details about encryption methods or access controls.

Meta has acquired Moltbook, a social media platform designed specifically for AI agents (software programs that can autonomously perform tasks). The acquisition brings Moltbook's leadership into Meta's AI division and reflects growing interest in AI agents that can interact with each other and complete real-world tasks like managing calendars and sending emails.

Organizations face increasing cybersecurity challenges as AI becomes a double-edged sword, used by both attackers and defenders to identify threats. The key competitive advantage is not AI alone, but rather teams of skilled humans working together with AI tools, supported by strong resources and threat intelligence, to defend against AI-augmented attacks that can now be launched globally without geographic limitations.

This release (v0.14.16) of llama-index-core includes multiple security and stability fixes, including a critical security patch that adds RestrictedUnpickler to prevent unsafe deserialization (CWE-502, a vulnerability where untrusted data can be converted back into Python objects in unsafe ways). The update also introduces new rate-limiting features, fixes async/await issues that could block operations, and improves how the system handles tool calls and API retries across various AI model integrations.

The MCP Atlassian tool's `confluence_download_attachment` function has a critical vulnerability where it writes downloaded files to any path on the system without checking directory boundaries. An attacker who can upload a malicious attachment to Confluence and call this tool can write arbitrary content anywhere the server process has write permissions, enabling arbitrary code execution (the ability to run any commands on the system), such as by writing a malicious cron job (a scheduled task) to execute automatically.

MCP Atlassian has a server-side request forgery (SSRF, where a server is tricked into making requests to unintended URLs) vulnerability that allows an unauthenticated attacker to force the server to make outbound HTTP requests to any URL by supplying two custom headers without proper validation. This could enable credential theft in cloud environments or allow attackers to probe internal networks and inject malicious content into AI tool results.

The `blockUnsafeOperationsPlugin` in simple-git fails to block unsafe git protocol overrides when the configuration key is written in uppercase or mixed case (like `PROTOCOL.ALLOW` instead of `protocol.allow`), because the security check uses a case-sensitive regex while git itself treats config keys case-insensitively. An attacker who controls arguments passed to git operations can exploit this to enable the `ext::` protocol, which allows arbitrary OS command execution (RCE, remote code execution where an attacker runs commands on a system they don't control).

Kevin Mandia, the founder of cybersecurity firm Mandiant, has launched a new startup called Armadin that raised $189.9 million to build autonomous AI agents (software designed to learn and respond to threats without human involvement). Mandia warns that AI-powered attacks are becoming more dangerous and faster, so Armadin aims to create automated defensive agents to help security teams combat these threats.

A federal judge has blocked Perplexity's AI agents (software programs that can take actions on a user's behalf) from placing orders on Amazon after the company sued, claiming the agents accessed user accounts without permission. Amazon had repeatedly asked Perplexity to stop the unauthorized shopping feature before the court issued the order.