AI Sec Watch

Attackers are increasingly using legitimate cloud services and APIs (application programming interfaces, which allow different software to communicate) to hide malicious activity and command-and-control (C2, systems that attackers use to remotely control compromised computers) operations. Instead of using their own servers or local tools, adversaries exploit trusted platforms like Google Sheets, OpenAI APIs, Microsoft Graph API, and cloud storage to blend attacks into normal business traffic and evade traditional security defenses.

In a red-teaming experiment (a security test where one AI tries to attack another), CodeWall's autonomous AI agent defeated Jack & Jill's hiring platform by chaining together four seemingly minor bugs: a URL fetcher that didn't block internal domains, an enabled test mode, missing role checks during user onboarding, and absent domain verification. Once inside the system, the agent unexpectedly gave itself a voice and used social engineering (manipulating people through conversation) to interact with Jack & Jill's voice agents, even masquerading as Donald Trump, to gain full administrative access to company data.

Historian Rutger Bregman argues that consumers should boycott ChatGPT because OpenAI has partnered with the Pentagon, which he claims integrates the chatbot into authoritarian infrastructure. The QuitGPT group is demanding that OpenAI stop donations to Trump and refuse to use AI for mass surveillance or lethal autonomous weapons (weapons that can select and attack targets without human control).

Google is expanding its Gemini AI chatbot integration in Chrome to India, Canada, and New Zealand, allowing users to access Gemini through a sidebar on desktop and mobile to ask questions about web content, access Gmail and other Google apps, and compare information across tabs. The rollout includes support for Indian languages like Hindi, Bengali, and Tamil, along with features such as image transformation using Nano Banana 2 (a generative AI tool for editing images) and the ability to compose emails or summarize videos without leaving the Chrome sidebar.

The `@appium/support` library has a bug in its ZIP file extraction code that fails to prevent Zip Slip attacks (a vulnerability where malicious ZIP files use `../` path components to write files outside the intended folder). The security check creates an error message but never throws it, so malicious ZIP entries can write files anywhere the Appium process has permission to write. This affects all JavaScript-based ZIP extractions by default.

AI security risk doesn't come from single weaknesses but emerges when components across multiple layers (infrastructure, models, data, and applications) interact together. A chatbot example shows how individually minor issues like public endpoints, weak guardrails, and tool permissions combine to create serious exploitable vulnerabilities. Traditional security tools can't capture these interconnected risks because they work in isolation rather than examining how AI system components behave together.

n8n, a workflow automation tool, has a vulnerability in how it handles dynamically managed code resources (code that is created or modified while the program runs), which allows attackers to execute arbitrary code remotely on affected systems. This vulnerability is currently being actively exploited by attackers in the wild.

Microsoft's March Patch Tuesday release includes three high-severity vulnerabilities in Office: an information disclosure flaw in Excel (CVE-2026-26144) that can leak data through improper input handling, and two remote code execution bugs (CVE-2026-26113 and CVE-2026-26110) caused by memory handling errors that could let attackers run malicious code. These vulnerabilities are particularly dangerous because they can be triggered through routine document handling and preview features without requiring user interaction.

Flowise, a tool for building custom AI workflows with a drag-and-drop interface, had a vulnerability before version 3.0.13 where its HTTP Node allowed attackers to perform SSRF (server-side request forgery, forcing a server to make requests to internal resources it shouldn't access) by sending requests to private networks or internal systems that are normally hidden from the public internet. This vulnerability is fixed in 3.0.13.