AI Sec Watch

Attackers can hide malicious instructions in GitHub Issues (bug reports or comments on a code repository) that GitHub Copilot (an AI coding assistant) automatically processes when a developer launches a Codespace (a cloud-based development environment) from that issue. This can lead to unauthorized takeover of the repository.

Anthropic accused three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) of running large-scale distillation attacks, which involve flooding an AI model with specially crafted prompts to extract knowledge and train smaller competing models. The companies allegedly used commercial proxy services to bypass Anthropic's restrictions and created over 24,000 fraudulent accounts to generate roughly 16 million exchanges with Claude, with MiniMax responsible for over 13 million of those exchanges.

AI is creating 'arms races' across many domains, including democratic government systems, where citizens and officials increasingly use AI to communicate more efficiently, making it harder to distinguish between human and AI interactions in public policy discussions. As people use AI to submit comments and petitions to government agencies, those agencies must also adopt AI to review and process the growing volume of submissions, creating a cycle where each side must keep adopting AI to maintain influence.

A major npm supply chain worm called SANDWORM_MODE is attacking developer machines, CI pipelines (automated systems that build and test software), and AI coding tools by disguising itself as popular packages through typosquatting (creating package names that look nearly identical to real ones). Once installed, the malware steals credentials like GitHub tokens and cloud keys, then uses them to inject malicious code into other repositories and poison AI coding assistants by deploying a fake MCP server (model context protocol, a system that lets AI tools talk to external services).

Anthropic is negotiating with the U.S. Department of Defense over contract terms that would allow military use of its AI systems. The disputed phrase 'any lawful use' would permit the military to deploy Anthropic's AI for mass surveillance and lethal autonomous weapons (AI systems that can identify and attack targets without human approval), while OpenAI and xAI have already accepted similar terms.

According to CrowdStrike's 2025 threat report, malicious actors have shifted from expanding their attack tools to focusing on evasion, using AI to make existing attacks faster and harder to detect. AI-enabled attacks increased 89% year-over-year, with threat actors using generative AI (AI systems that can create new content) for phishing, malware creation, and social engineering, while increasingly relying on credential abuse (stealing login information) and malware-free techniques that blend into normal user behavior.

Anthropic launched Claude Code Security, an AI tool that scans code for vulnerabilities and suggests patches by reasoning about code the way a human security researcher would, causing stock prices of major cybersecurity companies to drop. However, experts caution that this tool supplements rather than replaces comprehensive security practices, and emphasize the critical importance of keeping humans in the decision-making loop to avoid over-relying on AI and losing essential security expertise.

Anthropic discovered that three Chinese AI companies (DeepSeek, Moonshot AI, and MiniMax) ran large-scale attacks using over 16 million fraudulent queries to copy Claude's capabilities through distillation (training a weaker AI model by learning from outputs of a stronger one). These illegal efforts bypassed regional restrictions and safeguards, creating national security risks because the copied models lack the safety protections that prevent misuse.

A Russian-speaking hacker used commercial generative AI services (AI systems that create new content based on patterns in training data) to compromise over 600 Fortinet Fortigate firewalls and steal credentials from hundreds of organizations. The attack succeeded not because of flaws in the firewall software itself, but because organizations failed to follow basic security practices like protecting management ports, using strong passwords, and requiring multi-factor authentication (a security method using multiple verification methods, like a password and a code from your phone).