aisecwatch.com
Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710
Last 24 hours: 1
Last 7 days: 1

Daily Briefing, Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

ByteDance’s next-gen AI model can generate clips based on text, images, audio, and video

industry
Feb 12, 2026

ByteDance has released Seedance 2.0, a new AI video generator that can create videos based on combined inputs of text, images, audio, and video prompts (instructions given to an AI to produce specific outputs). The company claims the model produces higher-quality videos with better ability to handle complex scenes and follow user instructions, allowing users to refine their requests by providing up to nine images, three video clips, and three audio clips.

The Verge (AI)
02

Fake AI Chrome extensions with 300K users steal credentials, emails

security, privacy
Feb 12, 2026

Over 30 fake AI assistant Chrome extensions with more than 300,000 total users are stealing user credentials, emails, and browsing data by pretending to be AI tools. The extensions, collectively called AiFrame, don't actually run AI locally; instead, they load content from remote servers they control, allowing attackers to intercept sensitive information like Gmail messages and authentication details without users knowing.

Fix: The source recommends checking LayerX's list of indicators of compromise to determine whether any of the malicious extensions are installed. If compromise is confirmed, users should reset the passwords for all their accounts.

BleepingComputer
03

TrapFlow: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning

security, research
Feb 12, 2026

Website fingerprinting (WF) attacks monitor a user's traffic patterns to identify which websites they visit, threatening privacy even on protected networks. Existing defenses slow these attacks down but can be defeated when attackers retrain their models, and they also add significant latency to network traffic. TrapFlow, a new defense technique, uses backdoor learning (injecting hidden trigger patterns into website traffic) to trick attackers' AI models into making wrong predictions, either by memorizing false patterns during training or by being confused at inference time (when making predictions on new data).

Fix: The source describes TrapFlow as the proposed defense itself: it injects crafted trigger sequences into targeted website traffic and optimizes those triggers using Fast Levenshtein-like distance metrics. No explicit patch, software update, configuration change, or deployment procedure is provided in the text. N/A: no implementation mitigation is discussed in the source.

IEEE Xplore (Security & AI Journals)
04

Dual Frequency Branch Framework With Reconstructed Sliding Windows Attention for AI-Generated Image Detection

research, safety
Feb 12, 2026

This paper describes a new method for detecting AI-generated images (images created by GANs, which are machine learning models that generate synthetic images, or diffusion models, which gradually refine noise into images) by analyzing images in multiple frequency domains (different ways of breaking down an image into mathematical components) using attention mechanisms (techniques that help AI focus on important parts of data). The approach achieved better detection accuracy than previous methods when tested on images from 65 different generative models.

IEEE Xplore (Security & AI Journals)
05

The Download: AI-enhanced cybercrime, and secure AI assistants

security, safety
Feb 12, 2026

AI tools are making cybercrime easier by helping attackers write malicious code and automate attacks, while criminals also use deepfake technology (synthetic media that realistically mimics people) to impersonate others and commit scams. AI assistants that interact with external tools like email and web browsers pose serious security risks because their mistakes can have real-world consequences, especially when users hand over sensitive personal data to systems like OpenClaw.

MIT Technology Review
06

AI safety leader says 'world is in peril' and quits to study poetry

policy, safety
Feb 12, 2026

Mrinank Sharma, a researcher who led AI safety efforts at Anthropic (a company focused on making AI systems safer and aligned with human values), resigned with a warning that "the world is in peril" due to interconnected crises including AI risks and bioweapons. Sharma said he observed that even safety-focused companies like Anthropic struggle to let their core values guide their actions when facing business pressures, and he plans to pursue poetry and writing in the UK instead.

BBC Technology
07

Palo Alto closes privileged access gap with $25B CyberArk acquisition

security, industry
Feb 12, 2026

Palo Alto Networks acquired CyberArk for $25 billion to strengthen its ability to manage privileged access (controlling who can access sensitive systems and accounts) across human, machine, and AI identities through a unified platform. This addresses a critical security gap because identity has become the primary target in enterprise attacks, especially with the rise of AI agents (autonomous software that performs tasks independently) that operate 24/7 with broad permissions. The integration aims to help organizations prevent credential-based attacks and reduce breach response time by up to 80%.

CSO Online
08

What’s next for Chinese open-source AI

industry
Feb 12, 2026

Chinese AI companies have recently released open-weight models (AI models whose internal numerical parameters are publicly available for anyone to download and modify) that match Western AI performance at much lower costs, with DeepSeek's R1 and Alibaba's Qwen models becoming among the most downloaded globally. Unlike proprietary Western models like ChatGPT that users access through paid APIs (application programming interfaces, standardized ways for software to communicate), these Chinese open-source models allow developers to inspect, study, and modify the code themselves. If this trend continues, it could shift where AI innovation happens and who establishes industry standards worldwide.

MIT Technology Review
09

Google says hackers are abusing Gemini AI for all attack stages

security
Feb 12, 2026

State-backed hackers from China, Iran, North Korea, and Russia are using Google's Gemini AI model to help carry out cyberattacks at every stage, from gathering target information to creating phishing emails and writing malware code. Criminal groups are also exploiting AI tools for social engineering attacks and building malware that uses AI to generate code automatically. Additionally, attackers are attempting model extraction and knowledge distillation (copying an AI model's decision-making by querying it repeatedly) to replicate Gemini's functionality for their own purposes.

BleepingComputer
10

What CISOs need to know about the OpenClaw security nightmare

security, safety
Feb 12, 2026

OpenClaw is a popular open-source AI agent orchestration tool (software that coordinates multiple AI agents to complete tasks) that runs locally and can connect to apps like WhatsApp, Gmail, and smart home devices, but security researchers have found it to be critically insecure by default. Over 42,000 exposed instances have been discovered with authentication bypass vulnerabilities (weaknesses that let attackers skip login requirements) and potential remote code execution (RCE, where attackers can run commands on affected systems), exposing organizations to data breaches, credential theft, and regulatory violations.

Fix: Rich Mogull, chief analyst at Cloud Security Alliance, recommends that "CISOs prohibit its use altogether." He states: "The answer has to be 'no.' There is no security model."

CSO Online