AI Sec Watch

Claude Code, an AI coding tool, experienced quality issues over two months caused by three bugs in its underlying system (the software framework that runs the AI), not the AI models themselves. One major bug caused the system to repeatedly clear Claude's memory from idle sessions every turn instead of just once, making it seem forgetful and repetitive.

The White House warned that Chinese firms are conducting large-scale theft of American AI technology through a process called distillation (copying AI models by using thousands of fake accounts to extract information from US AI systems). The administration plans to share threat information with US AI companies, coordinate defenses, develop best practices to identify and fix these attacks, and explore ways to hold foreign actors accountable.

A malicious version of Bitwarden CLI (the terminal interface for a popular password manager) was published to npm by attackers who compromised Bitwarden's CI/CD pipeline (the system that automates building and releasing software). The fake version 2026.4.0 contained malware designed to steal developer credentials like GitHub tokens, AWS keys, and API keys from infected systems, though it was detected and removed within 1.5 hours.

Anthropic has expanded Claude's capabilities to connect directly to personal apps like Spotify, Uber Eats, TurboTax, and others, similar to how ChatGPT already offers these integrations. When connected, Claude can suggest and use these apps during conversations, such as recommending hikes through AllTrails.

Flowise, a tool with a drag-and-drop interface for building customized AI workflows, has a vulnerability in versions before 3.1.0 where the GraphCypherQAChain node fails to properly clean user input before sending it to a Neo4j database (a graph database that stores connected data). An attacker could inject malicious Cypher commands (the query language for Neo4j) to steal, change, or delete data from the database.

CVE-2026-33102 is an open redirect vulnerability (a flaw where a website redirects users to an untrusted site) in Microsoft 365 Copilot that allows an attacker to elevate their privileges over a network without authorization. The vulnerability has a CVSS severity rating of 4.0 (a moderate severity score on a 0-10 scale).

Two OpenTelemetry libraries have a vulnerability where they read entire HTTP response bodies into memory without any size limit. An attacker controlling a remote endpoint or intercepting traffic (MitM, or man-in-the-middle attack, where someone secretly relays communications between two parties) could send a huge response to exhaust the application's memory and cause it to crash through an Out of Memory error.

OpenTelemetry .NET packages have a vulnerability where parsing propagation headers (headers that track request flow across services) can allocate excessive memory, potentially causing a denial of service (DoS, where a system becomes unavailable due to resource exhaustion). The issue occurs in baggage, B3, and Jaeger processing code that allocates temporary storage before checking size limits.

OpenTelemetry's dotnet implementation has a vulnerability in how it handles gRPC responses during retries. When the server sends a `grpc-status-details-bin` trailer (extra data sent with a response), the code reads a length value from it without checking if that length is reasonable, potentially allowing an attacker to force the application to allocate massive amounts of memory and crash it (a denial of service attack, or DoS). A malicious collector or someone intercepting network traffic could exploit this.