AI Sec Watch

Codex, an AI tool that generates code and assists with software development tasks, has grown from 3 million to 4 million weekly users and is now being adopted by major enterprises like Virgin Atlantic, Notion, and Cisco to speed up development workflows. OpenAI is expanding Codex adoption through a program called Codex Labs, which provides expert guidance to organizations, and by partnering with global consulting firms (like Accenture and Infosys) to help enterprises integrate Codex into their software development processes at scale.

Amazon is investing up to $25 billion more in Anthropic, an AI company known for its Claude AI models (large language models, or LLMs, which are AI systems trained on vast amounts of text to generate human-like responses), on top of an earlier $8 billion investment. As part of this deal, Anthropic will spend over $100 billion on Amazon's cloud services and custom AI chips over the next decade to expand its computing capacity (the processing power needed to train and run AI models). Anthropic made this agreement because its infrastructure has been strained by rapidly growing demand from enterprise customers and users of Claude.

LMDeploy, a toolkit for compressing, deploying, and serving large language models, contains a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick a server into making requests to unintended targets) in versions before 0.12.3. The vulnerability exists in the `load_image()` function, which downloads images from URLs without checking if those URLs point to private or internal systems, potentially allowing attackers to access sensitive cloud services and internal networks.

Universal Adversarial Perturbations (UAPs, tiny modifications to images that fool AI models across many different inputs) are security threats to deep learning systems, but existing methods make attacks obvious because they either look wrong to humans or cause suspicious misclassifications. This paper presents Stealthy-UAP, a framework that makes UAPs harder to detect by targeting only semantically related classes (so misclassifications seem plausible) and optimizing perturbations to match how humans actually perceive images.

The llm-openrouter tool, version 0.6, added a new 'refresh' command that lets users update their list of available AI models without waiting for the cached (temporarily stored) list to expire. This feature was created so users could access newly available models on OpenRouter immediately.

A vulnerability (CVE-2026-6662) was found in ericc-ch copilot-api versions up to 0.7.0 in the CORS function (a security feature that controls which websites can access an API from a web browser) of the token endpoint. The flaw allows a permissive cross-domain policy with untrusted domains, meaning attackers from other websites could potentially access the API remotely, and the exploit has been publicly disclosed.

Cyber Threat Attribution (CTA) is the process of identifying who carried out a cyberattack by analyzing evidence from the attack. This paper introduces ThreatMAMBA, an AI framework that improves CTA by building knowledge graphs from threat intelligence data (IOCs, or indicators of compromise that identify malicious activity; TTPs, or tactics and techniques used by attackers; and temporal relationships) and using machine learning to identify attackers even in the early stages of ongoing attacks. The system showed significant improvements in accuracy at different stages of attack development, suggesting it can provide reliable attribution information quickly during real incidents.

Researchers discovered a critical vulnerability in Anthropic's Model Context Protocol (MCP, a system that allows AI models to interact with external tools and data) that allows attackers to run arbitrary commands on systems using vulnerable implementations. The flaw affects over 7,000 publicly accessible servers and has been found in popular AI projects like LangChain and LiteLLM, but Anthropic has declined to fix the underlying architectural issue, leaving developers responsible for protecting against it.

CISOs (chief information security officers, the top security leaders at companies) are expanding their roles beyond traditional cybersecurity to become broader business risk strategists who manage strategic, operational, and financial risks across their entire organizations. This shift reflects the fact that nearly all business operations are now digital, making any cyber risk a material business risk, and has accelerated since the rise of generative AI (AI systems like ChatGPT that can create new content) and agentic AI (AI systems that can take independent actions). Research shows that most CISOs now share responsibility for enterprise risk management with other executives and are expected to unify regulatory requirements, company risk tolerance, and security controls into a single operating model.