AI Sec Watch

The US Pentagon has officially labeled Anthropic, an AI company, as a supply chain risk, marking the first time the government has given this designation to a US firm. This decision stems from Anthropic's refusal to give the military unrestricted access to its AI tools, citing concerns about mass surveillance and autonomous weapons development. The designation prohibits any company working with the military from conducting business with Anthropic.

Flowise's forgot-password endpoint leaks personally identifiable information (PII: sensitive data like names and account IDs that identify individuals) to anyone who knows a valid email address, because it returns the full user object instead of a generic success message. An attacker can exploit this by sending a simple request to `/api/v1/account/forgot-password` with any email address and receive back user IDs, names, creation dates, and other account details without needing to log in.

AWS launched Amazon Connect Health, an AI agent-powered platform (software that completes complex tasks automatically) designed to help healthcare organizations automate administrative work like appointment scheduling and patient records. The platform is HIPAA-eligible (meets healthcare privacy and security standards) and integrates with existing electronic health record systems, marking AWS's first major AI agent product in a regulatory-compliant healthcare offering.

Flowise uses an insufficiently weak password hashing setting where bcrypt (a password encryption algorithm) is configured with only 5 salt rounds, which provides just 32 iterations compared to OWASP's recommended minimum of 10 rounds (1024 iterations). This weakness means that if a database is stolen, attackers can crack user passwords roughly 30 times faster using modern GPUs, putting all user accounts at risk.

NLTK (Natural Language Toolkit, a Python library for text processing) versions 3.9.2 and earlier have a serious vulnerability in the StanfordSegmenter module, which loads external Java files without checking if they are legitimate. An attacker can trick the system into running malicious code by providing a fake Java file, which executes when the module loads, potentially giving them full control over the system.

The U.S. Department of Defense has officially designated Anthropic, an AI company, as a supply-chain risk (a classification usually reserved for foreign adversaries), requiring any organization working with the Pentagon to certify it doesn't use Anthropic's products. This designation came after Anthropic CEO Dario Amodei refused to allow the military to use the company's AI systems for mass surveillance of Americans or to power fully autonomous weapons with no human involvement in targeting decisions. The move is threatening Anthropic's operations, especially since the military currently relies on Anthropic's Claude AI for operations in the Middle East and other classified work.

LangGraph has a vulnerability where checkpoints stored using msgpack (a serialization format for encoding data) can be unsafe if an attacker gains write access to the checkpoint storage (like a database). When the application loads a checkpoint, unsafe code could be executed if an attacker crafted a malicious payload. This is a post-compromise risk that requires the attacker to already have privileged access to the storage system.

Trivy VSCode Extension version 1.8.12 (a tool that scans code for security weaknesses) was compromised with malicious code that could steal sensitive information by using local AI coding agents (AI tools running on a developer's computer). The malicious version has been removed from the marketplace where it was distributed.

This article covers a public dispute between AI company leaders Sam Altman (OpenAI) and Dario Amodei (Anthropic) regarding government power and company influence, along with a conflict between Anthropic and the U.S. Department of Defense that resulted in the Pentagon blacklisting Anthropic's AI models and directing federal agencies to stop using them. OpenAI subsequently announced its own agreement with the Department of Defense, which drew criticism for appearing opportunistic, though Altman stated the company intended to de-escalate the situation.