AI Sec Watch

This is a survey paper published in an academic journal that reviews recent progress in conversational data generation, which refers to techniques for creating dialogue datasets (collections of conversations) used to train and improve AI systems. The paper appears to be a comprehensive overview of advances in this field as of July 2026, but no specific technical findings, vulnerabilities, or security issues are described in the provided content.

As generative AI (machine learning systems that create text, images, and other content) becomes better at mimicking human work, people increasingly doubt whether online content is human-made, yet platforms often don't label AI-generated material. The author suggests creating a universal labeling system (similar to Fair Trade certification) that marks human-created content instead, since AI systems have no incentive to identify their own work but human creators do to protect themselves from being replaced.

Anthropic's source code for Claude Code (an AI coding tool) was accidentally made public, and hackers have been reposting it on GitHub with infostealer malware (software that steals personal information) embedded in the code. Anthropic has been trying to remove the leaked copies by issuing copyright takedown notices, initially targeting over 8,000 repositories before narrowing efforts to 96 copies.

Directus, a content management system, failed to properly sanitize sensitive data (like user tokens, two-factor authentication secrets, and API keys) before storing them in revision history records. This meant that anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.

Directus has a security flaw in its TUS resumable upload endpoint (a feature that lets users upload files in chunks) that lets any authenticated user overwrite any file in the system by specifying its UUID (unique identifier), bypassing row-level permissions (rules like 'users can only edit their own files'). This can lead to permanent data loss and allow low-privilege users to replace important files with malicious content.

The mobile_open_url tool in mobile-mcp doesn't check what type of URL scheme (the protocol prefix like http:// or tel://) it receives before sending it to Android, allowing attackers to use prompt injection (tricking an AI by hiding instructions in its input) to execute dangerous commands like making phone calls, sending SMS messages, or accessing private data on a connected mobile device.

Anthropic is changing its policy so Claude users can no longer use their subscription to access OpenClaw (a third-party tool that integrates with Claude), forcing them to pay separately instead. The change takes effect April 4th, and may be motivated by Anthropic wanting to promote its own competing tools like Claude Cowork.

BentoML's Dockerfile generation uses an unsandboxed Jinja2 template engine (a tool that processes template files with dynamic code) with dangerous extensions enabled, allowing attackers to embed malicious code in a template file. When a victim imports a malicious bento archive and runs the containerize command, the attacker's code executes directly on the victim's host machine before any container isolation happens, rather than inside a container where it would be restricted.

BentoML has a command injection vulnerability in its cloud deployment setup script where user-supplied system packages are inserted directly into shell commands without proper escaping. An attacker can craft a malicious bentofile.yaml file that executes arbitrary commands on BentoCloud's build infrastructure (the servers that prepare applications for deployment) when the application is deployed, potentially stealing secrets or compromising the infrastructure.