AI Sec Watch

Claude Code had a security flaw where it checked a git worktree (a Git feature allowing multiple branch checkouts in separate directories) `commondir` file to decide if a folder was trustworthy, but didn't verify the file's contents. An attacker could create a malicious repository with a fake `commondir` file pointing to a folder the victim had previously trusted, tricking Claude Code into skipping its safety dialog and running malicious code from `.claude/settings.json` (a configuration file). This attack required the victim to clone the malicious repository and open it in Claude Code, and the attacker had to know a path the victim had already marked as safe.

LiteLLM's proxy API key verification has a SQL injection vulnerability (a type of attack where an attacker inserts malicious database commands into input fields). An unauthenticated attacker could send a specially crafted authorization header to exploit this flaw and potentially read or modify the proxy's database, gaining unauthorized access to stored credentials.

Ray Data registers custom Arrow extension types (special data format handlers) globally in PyArrow, and when PyArrow reads a Parquet file (a data storage format) containing these types, it automatically deserializes metadata bytes using cloudpickle.loads(), which can execute arbitrary code. This vulnerability was reintroduced in July 2025 after a similar issue was supposedly fixed in May 2024, allowing attackers to run malicious code just by having Ray read a specially crafted Parquet file.

LiteLLM Proxy had a server-side template injection vulnerability (a security flaw where user input is processed as code rather than plain text) in its `/prompts/test` endpoint that allowed authenticated users to run arbitrary code within the proxy process and potentially access sensitive information like API keys or database credentials. The vulnerability affects any deployment running an affected version of LiteLLM Proxy.

Organizations often have forgotten software integrations, unauthorized IT systems (shadow IT), and now hidden AI tools and agents scattered across their networks that they don't fully track or manage. Attackers can exploit these overlooked systems without needing advanced AI models, making security harder when companies don't know what's running in their own infrastructure.

Agentic AI (artificial intelligence systems that can make decisions and take actions without human intervention) is becoming a major cybersecurity concern because the same capabilities that help defenders also empower attackers to launch autonomous, adaptive, and large-scale attacks. The industry is responding by treating AI systems as identities (entities with credentials and access permissions) rather than separate tools, and using identity threat detection to monitor their behavior for suspicious activity.

Cybercriminals are increasingly using LLMs (large language models, AI systems trained on massive amounts of text) to launch faster and cheaper attacks, including phishing emails (deceptive messages designed to steal information), deepfakes (AI-generated fake videos or images), and automated vulnerability scans (tools that search for security weaknesses). Meanwhile, AI tools are being deployed in healthcare for tasks like note-taking, reviewing patient records, and interpreting medical images, but researchers still don't know whether using these tools actually leads to better health outcomes for patients.

Elon Musk, who cofounded OpenAI but left after not becoming CEO, is suing the company and Sam Altman in a trial starting April 27th in Oakland, California. The lawsuit centers on claims that OpenAI committed fraud, though it also involves broader allegations of breach of contract and unfair business practices. This legal case is primarily about the conflict between Musk and Altman over control of the AI company.

AI agents create a security challenge called the 'Authority Gap' because they inherit permissions from the humans and systems that activate them, rather than having their own independent authority. The article argues that enterprises cannot safely govern AI agents unless they first reduce 'identity dark matter' (hidden credentials and unmanaged permissions scattered across systems) in their traditional users and software, and then use continuous observability (real-time monitoring of who is doing what) to dynamically control what authority agents receive based on who is delegating to them and the context of their actions.