aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by Truong (Jack) Luu, Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710 | Last 24h: 1 | Last 7d: 1

Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

CVE-2026-25723: Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using p

security
Feb 6, 2026

Claude Code (an AI tool that can write and run code automatically) had a security flaw before version 2.0.55 where it didn't properly check certain commands, allowing attackers to write files to protected folders they shouldn't be able to access, as long as they could get Claude Code to run commands with the "accept edits" feature turned on.

Fix: This issue has been patched in version 2.0.55.

NVD/CVE Database
02

CVE-2026-25722: Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory change

security
Feb 6, 2026

Claude Code, an agentic coding tool (AI software that can write and execute code), had a security flaw in versions before 2.0.57 where it failed to properly check directory changes. An attacker could use the cd command (change directory, which moves to a different folder) to navigate into protected folders like .claude and bypass write protections, allowing them to create or modify files without the user's approval, especially if they could inject malicious instructions into the tool's context window (the information the AI reads before responding).

Fix: This issue has been patched in version 2.0.57.

NVD/CVE Database
03

OpenClaw's Gregarious Insecurities Make Safe Usage Difficult

security, safety
Feb 6, 2026

Security researchers discovered multiple vulnerabilities in OpenClaw, an AI assistant, including malicious skills (add-on programs that extend the assistant's abilities) and problematic configuration settings that make it unsafe to use. The issues affect both the installation and removal processes of the software.

Dark Reading
04

Sensitivity-Aware Auditing Service for Differentially Private Databases

security, research
Feb 6, 2026

Differentially private databases (DP-DBs, systems that add mathematical noise to data to protect individual privacy while allowing useful analysis) need auditing services to verify they actually protect privacy as promised, but current approaches don't handle database-specific challenges like varying query sensitivities well. This paper introduces DPAudit, a framework that audits DP-DBs by generating realistic test scenarios, estimating privacy loss parameters, and detecting improper noise injection through statistical testing, even when the database's inner workings are hidden.

Fix: N/A. The source presents DPAudit as an auditing framework and does not describe a patch, update, or deployment fix for existing vulnerable systems; no mitigation is discussed in the source.

IEEE Xplore (Security & AI Journals)
05

PROTheft: A Projector-Based Model Extraction Attack in the Physical World

security, research
Feb 6, 2026

PROTheft is a model extraction attack (a method where attackers steal an AI model's functionality by observing its responses to many input queries) that works on real-world vision systems like autonomous vehicles by projecting digital attack samples onto a device's camera. The attack bridges the gap between digital attacks and physical-world scenarios by using a projector to convert digital inputs into physical images, and includes a simulation tool to predict how well attack samples will work when converted from digital to physical to digital formats.

IEEE Xplore (Security & AI Journals)
06

langchain==1.2.9

industry
Feb 6, 2026

LangChain version 1.2.9 includes several bug fixes and feature updates, such as normalizing raw schemas in middleware response formatting, supporting state updates through wrap_model_call (a function that wraps model calls to add extra behavior), and improving token counting (the process of measuring how many units of text an AI needs to process). The release also fixes issues like preventing UnboundLocalError (a programming error where code tries to use a variable that hasn't been defined yet) when no AIMessage exists.

LangChain Security Releases
07

Claude Opus 4.6 Finds 500+ High-Severity Flaws Across Major Open-Source Libraries

security, research
Feb 6, 2026

Anthropic's Claude Opus 4.6, a new AI language model, discovered over 500 previously unknown high-severity security flaws in popular open-source software libraries like Ghostscript, OpenSC, and CGIF by analyzing code the way a human security researcher would. The model was able to find complex vulnerabilities, including some that traditional automated testing tools (called fuzzers, which automatically test software with random inputs) struggle to detect, and all discovered flaws were validated and have since been patched by the software maintainers.

Fix: The CGIF heap buffer overflow vulnerability was fixed in version 0.5.1. The source text notes that Anthropic emphasized the importance of 'promptly patching known vulnerabilities,' but does not describe mitigation steps for the other vulnerabilities beyond noting they have been patched by their respective maintainers.

The Hacker News
08

v5.4.0

security, research
Feb 5, 2026

Version 5.4.0 of MITRE ATLAS (released February 5, 2026) documents new attack techniques targeting AI agents, including publishing poisoned AI agent tools (malicious versions of legitimate tools), escaping from AI systems to access the host computer, and exploiting vulnerabilities to steal credentials or evade security controls. The update also adds new real-world case studies showing how attackers have compromised AI agent control systems and used prompt injection (tricking an AI by hiding commands in its input) to establish control.

MITRE ATLAS Releases
09

Agentic AI Site 'Moltbook' Is Riddled With Security Risks

security
Feb 5, 2026

A website called Moltbook, built using agentic AI (AI systems that can take actions autonomously to complete tasks), exposed all its user data because its API (the interface that lets different software talk to each other) was left publicly accessible without proper access controls. This is a predictable security failure that highlights risks when AI is used to build complete platforms without adequate security oversight.

Dark Reading
10

Opus 4.6 and Codex 5.3

industry
Feb 5, 2026

Anthropic released Opus 4.6 and OpenAI released GPT-5.3-Codex (currently available only through the Codex app, not via API) as major new model releases. While both models perform well, they show only incremental improvements over their predecessors (Opus 4.5 and Codex 5.2), with one notable demonstration being the ability to build a C compiler (a program that translates code into machine instructions) using multiple parallel instances of Claude working together.

Simon Willison's Weblog