AI Sec Watch

Researchers discovered that Amazon Bedrock AgentCore Code Interpreter allows outbound DNS queries (the system that translates website names to IP addresses) even when configured with no network access, letting attackers steal data and run commands by using DNS as a secret communication channel. Amazon says this is intended functionality and recommends users switch to VPC mode (a virtual private network configuration) instead of sandbox mode for better isolation. Separately, a flaw in LangSmith (a tool for managing AI language model workflows) allows attackers to steal user login tokens through URL parameter injection (inserting malicious data into web addresses).

Google has expanded access to its Personal Intelligence feature, which connects various Google apps (like YouTube, Gmail, and Google Photos) to give Gemini (Google's AI assistant) more context for better responses. Previously available only to paid subscribers, this feature is now accessible to free-tier users in the US through Search, Chrome, and the Gemini app, though it remains limited to personal accounts and not business or education accounts.

Five major technology companies (Anthropic, AWS, Google, Microsoft, and OpenAI) have collectively invested $12.5 million into the Linux Foundation (a nonprofit organization that maintains critical open source software) to support long-term security improvements in open source projects. This funding aims to strengthen the security of widely-used software that many other programs depend on.

Microsoft is reorganizing its AI leadership, moving Jacob Andreou into a new executive role overseeing both consumer and commercial Copilot assistants, while freeing up Mustafa Suleyman to focus on building new AI models as part of Microsoft's superintelligence (advanced AI systems aiming toward human-level reasoning) efforts. This restructuring comes as Microsoft's Copilot adoption lags significantly behind competitors like ChatGPT and Gemini, and as investors pressure the company to show returns on its AI investments.

Microsoft is reorganizing its leadership to unify its Copilot assistant (an AI tool that helps users with tasks) across consumer and business products, which have been developed separately. The AI CEO Mustafa Suleyman will now focus on building Microsoft's own AI models rather than directly managing Copilot's features for individual users.

AI coding tools like Claude Code are changing how software development works, with more people able to write code and experienced developers spending less time writing code themselves and more time managing AI agents (programs that can act somewhat autonomously) and projects. The article explores what these rapid changes mean for both the code being produced and the people who create it.

Surf AI, a company building an agentic security operations platform (software that uses AI agents, or autonomous programs that take actions without human intervention, to handle security tasks), has announced its launch with $57 million in funding from major investors. The article focuses on the company's funding announcement rather than a specific security issue or problem.

AI agents are autonomous software systems that can plan, decide, and act independently across connected systems, often without human oversight, creating significant security risks that traditional guardrails (like prompt filtering) cannot adequately address. The article argues that identity-based access control, rather than prompt restrictions or network controls, is the foundation for securing AI agents. CISOs must treat AI agents as first-class identities, shift from guardrails to strict access control, and eliminate shadow AI (unauthorized agents) through continuous discovery and visibility of agent identities.

Researchers discovered a font-rendering attack that hides malicious commands from AI assistants by using custom fonts and CSS styling to display one message to users while keeping harmless text visible to AI tools analyzing the webpage's HTML. The attack successfully tricked multiple popular AI assistants (like ChatGPT, Claude, and Copilot) into giving false safety assessments, exploiting the gap between what an AI reads in code and what a user actually sees rendered in their browser.