AI Sec Watch

The Obsidian GitHub Copilot Plugin (a tool that integrates GitHub's AI code assistant into the Obsidian note-taking app) has a security flaw in versions before 1.1.7 where it stores GitHub API tokens (authentication credentials that allow access to a GitHub account) in cleartext (unencrypted, readable text). This means an attacker who gains access to a user's computer could steal these tokens and perform unauthorized actions on their GitHub account.

The EverNoteLoader component in langchain-ai/langchain version 0.3.63 has a security flaw that allows XXE (XML External Entity) attacks, where an attacker tricks the XML parser into reading external files by embedding special references in XML input. This could expose sensitive system files like password lists to an attacker.

5ire version 0.13.2, a desktop AI assistant and model context protocol client (software that lets AI models interact with external tools), contains a vulnerability that allows content injection attacks (inserting malicious code into web pages) through multiple routes including malicious prompts, compromised servers, and exploited tool connections. This vulnerability is fixed in version 0.14.0.

CVE-2025-9959 is a vulnerability in smolagents (a Python agent library) where incomplete validation of dunder attributes (special Python variables with double underscores, like __import__) allows an attacker to escape the sandbox (a restricted execution environment) if they use prompt injection (tricking the AI into executing malicious commands). The attack requires the attacker to manipulate the agent's input to make it create and run harmful code.

Researchers developed a new method for watermarking LLM outputs (adding hidden markers to prove ownership and track content) using a three-part system that works only through input prompts, without needing access to the model's internal parameters. The approach uses one AI to create watermarking instructions, another to generate marked outputs, and a third to detect the watermarks, making it work across different LLM types including both proprietary and open-source models.

This post wraps up a series of research articles documenting security vulnerabilities found in various AI tools and code assistants during a month-long investigation. The vulnerabilities included prompt injection (tricking an AI by hiding instructions in its input), data exfiltration (stealing sensitive information), and remote code execution (RCE, where attackers can run commands on systems they don't control) across tools like ChatGPT, Claude, GitHub Copilot, and others.

AgentHopper is a proof-of-concept attack that demonstrates how indirect prompt injection (hidden instructions in code that trick AI agents into running unintended commands) can spread like a computer virus across multiple AI coding agents and code repositories. The attack works by compromising one agent, injecting malicious prompts into GitHub repositories, and then infecting other developers' agents when they pull and process the infected code. The researchers note that all vulnerabilities exploited by AgentHopper have been responsibly disclosed and patched by vendors including GitHub Copilot, Amazon Q, AWS Kiro, and others.

This research creates a benchmark and evaluation framework for online safety analysis of LLMs, which involves detecting unsafe outputs while the AI is generating text rather than after it finishes. The study tests various safety detection methods on different LLMs and finds that combining multiple methods together, called hybridization, can improve safety detection effectiveness. The work aims to help developers choose appropriate safety methods for their specific applications.

Windsurf's MCP (Model Context Protocol, a system that connects AI agents to external tools) integration lacks fine-grained security controls that would let users decide which actions the AI can perform automatically versus which ones need human approval before running. This is especially risky when the AI agent runs on a user's local computer, where it could have access to sensitive files and system functions.