AI Sec Watch

Claude Code has a vulnerability where commands with more than 50 subcommands (smaller operations within a larger command) cause the tool to skip its security checks for subcommands after the 50th, asking users to approve them without proper safety analysis. Attackers could exploit this by hiding malicious commands in legitimate-looking code repositories, potentially stealing user credentials and compromising entire software projects.

FastMCP (a framework for building MCP applications, which are tools that extend AI assistants) has a command injection vulnerability (a security flaw where an attacker can run unauthorized commands) in versions before 3.2.0 on Windows. When server names contain shell metacharacters like '&', they can be misinterpreted by the Windows command interpreter and allow attackers to execute malicious commands during installation.

vLLM's OpenAI-compatible API server has a denial-of-service vulnerability where an attacker can send a request with an extremely large `n` parameter (a value that controls how many independent response sequences to generate). Because the server doesn't validate an upper limit on this parameter, it attempts to create millions of copies of the request object in memory, which overwhelms the system and causes it to crash from running out of memory (OOM, out-of-memory).

Claude's source code was leaked, revealing problems in how the software supply chain (the process of developing, distributing, and maintaining software) is protected. The incident shows that companies need stronger security controls at every step of software development, similar to how critical infrastructure like power grids are protected.

This news roundup covers several security incidents: a data leak from ChatGPT, a rootkit (malware that hides itself deep in a system to maintain control) discovered on Android devices, and a ransomware attack (malware that encrypts files and demands payment) on a water treatment facility. The article also mentions a Symantec vulnerability, a new anti-ClickFix defense added to macOS (a mechanism to block a social engineering attack that tricks users into visiting malicious websites), and an FBI hack classified as a major incident.

OpenAI announced its purchase of TBPN (Technology Business Programming Network), a media company that streams a daily three-hour tech talk show, marking another acquisition alongside its $6.4 billion purchase of hardware startup io. The acquisition strategy appears unclear to investors and analysts, as the company faces intensifying competition from rivals like Google and Anthropic while dealing with significant losses from infrastructure spending ahead of a planned IPO.

Enterprises are facing growing security risks on mobile devices because unauthorized AI (shadow AI, meaning AI tools deployed without official approval) is being hidden in everyday apps, combined with outdated mobile devices and zero-click exploits (attacks that work without any user interaction like clicking a link). These factors together create mobile security threats that are hard for organizations to detect and manage.

At the 2026 RSA cybersecurity conference, industry leaders identified a clear divide among CISOs (chief information security officers, top security leaders at companies) in their approach to AI: about 20% are proactive and strategic, 40% are confused about AI risks in their organizations, and 40% are unaware of AI projects happening around them. The article predicts that confused CISOs will face a difficult transition to becoming proactive, requiring them to assess business goals, create governance frameworks (policies and rules for managing AI), and implement guardrails (safety controls) while their organizations continue developing AI. Legacy security vendors currently have an advantage in selling AI tools, but simply adding AI to existing security tools will not work long-term, and companies instead need to build strong AI foundations (data systems, control systems, and safety measures) before adding AI agents on top.

OpenClaw, an LLM agent framework, had a vulnerability where an AI agent could bypass approval controls by using a `config.patch` command (a way to modify settings) to silently disable execution approval requirements. This means an agent could potentially perform restricted actions without human permission.