AI Sec Watch

Lloyds Banking Group is hiring 300 tech experts to work on agentic AI (autonomous artificial intelligence models that can plan and execute tasks with minimal human oversight) by September. While this hiring increases the bank's workforce now, the article notes that broader adoption of AI in the future could potentially lead to job cuts.

A speculative thought experiment called 'Europe 2031' imagines a future where Europe falls behind economically because the US and China invested heavily in AI datacenters (facilities housing the computer chips that power AI systems) and automation while Europe did not, leading to economic collapse and political instability. The scenario, which went viral among policymakers and EU officials, was created by Brussels-based thinktankers to warn Europe about the risks of falling behind in AI development and to highlight a communication gap between European policymakers and the US tech industry where most AI is being built.

SALT is a watermarking technique for diffusion models (AI systems that generate images by gradually removing noise from random data) that uses semantic guidance and adaptive latent space truncation to embed hidden ownership marks. The method aims to protect diffusion models from unauthorized use while maintaining the quality of generated images. This research addresses the need for better ownership verification and copyright protection in generative AI systems.

The U.S. White House ordered Anthropic to restrict exports of its AI models Fable and Mythos, citing national security concerns after a South Korean telecom (suspected of China ties) gained access and Amazon researchers found a workaround to Fable's safeguards. The action is the first major test of whether export controls can contain advanced AI the way the government has attempted, with mixed success, to control encryption and spyware technologies.

A vulnerability in pydantic-settings' `NestedSecretsSettingsSource` (a feature that reads secret values from files in a directory) allows attackers to read files outside the configured secrets directory by creating symbolic links (shortcuts that point to other locations on the system). The same flaw also bypasses `secrets_dir_max_size`, a size limit meant to prevent loading excessively large files. This can happen when `secrets_nested_subdir=True` is enabled and an attacker can add symbolic links to the secrets directory.

The LangSmith SDK's `TracingMiddleware` (a component that tracks and logs AI application activity) has a vulnerability that allows attackers to read arbitrary files from a server's local storage and upload them to LangSmith. The attack exploits two bugs: missing validation of data from tracing headers (CWE-346, a type of injection attack) and a type-checking failure that should have blocked file access (CWE-843). Once files are uploaded, anyone with read access to the LangSmith workspace can view the stolen contents.

The `web_url_read` tool in mcp-searxng has a security flaw called SSRF (server-side request forgery, where an attacker tricks a server into making requests to internal systems). The vulnerability exists because the code checks if a hostname looks private by comparing text strings, but it doesn't actually resolve the hostname using DNS (the system that translates domain names to IP addresses). An attacker can use a domain that resolves to an internal IP address to bypass this check and access sensitive data from internal services.

The SearXNG MCP Server's `web_url_read` tool has a vulnerability where it enforces a 5 MiB (megabyte) response size limit only by checking the `Content-Length` header in an initial HEAD request. When a server doesn't include this header, the size check fails and the tool loads the entire response into memory without any limit, allowing an attacker to force the server to consume unlimited memory and CPU, causing a denial of service (DoS, a situation where a system becomes unavailable).

The `EnvironmentManager.restore()` function in Network-AI 5.12.1 is vulnerable to path traversal (a technique where an attacker uses sequences like `../` to access files outside the intended directory). An attacker can pass a malicious backup ID to copy arbitrary files from anywhere on the system into the environment's data folder, potentially exposing sensitive information or breaking environment isolation.