AI Sec Watch

GrafanaGhost is a critical vulnerability in Grafana (a data visualization platform) that uses indirect prompt injection (tricking an AI by hiding malicious instructions in data it processes) to steal sensitive enterprise data without requiring user authentication or interaction. Attackers chain together multiple exploits, including bypassing URL validation and AI safety guardrails, to trick Grafana's AI into sending confidential information to attacker-controlled servers.

Attackers are targeting over 1,000 publicly accessible ComfyUI instances (a platform for running AI image generation) with an automated scanner that exploits a misconfiguration allowing unauthenticated remote code execution (the ability to run commands on a system without permission). Once compromised, these systems are enrolled in botnets (networks of infected computers controlled remotely) to mine cryptocurrency and serve as proxies.

OpenAI has published policy proposals suggesting that companies should trial four-day work weeks as AI tools become more capable and potentially displace workers from jobs. The company argues that AI systems will soon complete projects in days that currently take months, and recommends employers offer benefits like reduced work hours without pay cuts, increased retirement contributions, and subsidized childcare to help workers adapt to this shift.

Broadcom, a chip designer, announced new deals to produce AI chips for Google and expanded its partnership with Anthropic (an AI company), causing its stock price to rise 3.7% in premarket trading. The deals include revenue commitments and access to computing capacity, which analysts believe signal strong future demand for custom AI chips and may ease investor concerns about competition.

Google has redesigned Gemini's crisis response feature to make it faster for users in distress to access mental health resources. When the chatbot detects a conversation indicating potential suicide or self-harm risk, it now presents a streamlined 'Help is available' module that connects users to crisis resources like suicide hotlines or crisis text lines more quickly.

Multi-tenant SIEM (security information and event management, a platform that collects and analyzes security data from many sources) solutions share physical resources like CPU and memory among different customers, creating a "noisy neighbor" problem where one customer's heavy workload can slow down threat detection for others and violate service promises. While vendors market cloud-based SIEM as efficient and reliable, most don't publicly discuss how they prevent this fairness issue, which requires sophisticated engineering strategies like fair-share scheduling (giving each customer a proportional share of resources) and intelligent queuing rather than simple rate-limiting.

A vulnerability in HuggingFace Transformers' `Trainer` class (a tool for training AI models) allows attackers to run arbitrary code by providing a malicious checkpoint file. The problem occurs because the `_load_rng_state()` method uses `torch.load()` without the `weights_only=True` parameter (a safety setting that restricts what code can run), leaving systems vulnerable when using PyTorch versions below 2.6.

Flowise, an open-source AI platform, has a maximum-severity vulnerability (CVE-2025-59528, CVSS score 10.0) in its CustomMCP node that allows attackers to execute arbitrary JavaScript code on the server without validation, potentially leading to full system compromise and data theft. The flaw requires only an API token to exploit and is being actively exploited in the wild against over 12,000 exposed Flowise instances.

As AI models become more powerful, they create both greater risks and opportunities for security. CrowdStrike argues that while companies like Anthropic build safer models, organizations also need deployment governance (security controls for how and where AI runs in a company) to protect data and systems when AI agents access databases, workflows, and sensitive information. CrowdStrike offers tools for discovering all AI applications in use, monitoring what data they access, and preventing sensitive information from being exposed through AI workflows.