
Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710. Last 24 hours: 1. Last 7 days: 1.

Daily Briefing: Saturday, May 16, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

Microsoft executive touts Copilot sales traction as AI anxiety weighs on stock

industry
Apr 2, 2026

Microsoft's Copilot, an AI add-on for business productivity software, has faced slow adoption despite the company's heavy investment in AI infrastructure, though executives claim recent sales improvements. The company had 15 million users of its $30-per-month Microsoft 365 Copilot as of January, representing only 3% of available seats, and analysts expected higher numbers. Microsoft adjusted its sales strategy after receiving feedback, focusing on getting more users onto the free Copilot Chat feature alongside paid Copilot seats.

CNBC Technology
02

PSA: Anyone with a link can view your Granola notes by default

security, privacy
Apr 2, 2026

Granola, an AI-powered note-taking app that records meetings and generates summaries, makes your notes viewable to anyone who has the link by default, despite claiming notes are "private by default." Additionally, Granola uses your notes for internal AI training unless you actively opt out of this practice.

The Verge (AI)
03

Four security principles for agentic AI systems

security, policy
Apr 2, 2026

Agentic AI systems (AI that autonomously connects to software tools and uses large language models as reasoning engines to plan and execute actions) present unique security challenges because they operate at machine speed with real-world consequences, unlike traditional software or human-reviewed generative AI. The main risks are that agents can carry out unintended actions before humans can intervene, and they may not recognize ambiguities or understand unstated policy boundaries like humans do. Security responses don't require entirely new frameworks but should extend existing ones (like NIST's Cybersecurity Framework) with four foundational principles addressing both traditional software components and AI-specific elements.

AWS Security Blog
04

Highlights from my conversation about agentic engineering on Lenny's Podcast

industry, research
Apr 2, 2026

This podcast episode discusses how AI coding models reached an inflection point in November 2025 when GPT 5.1 and Claude Opus 4.5 became reliable enough that generated code mostly works without extensive manual fixes, fundamentally changing how software engineers work. The speaker highlights that code quality is easier to verify than other knowledge work (like legal documents), making software engineers early adopters facing questions about career changes as AI agents (programs that can take actions autonomously) handle tasks that previously consumed most development time. The episode also touches on practical uses of AI for coding on mobile devices and the importance of testing before deploying AI-generated code to users.

Simon Willison's Weblog
05

Claude Code leak used to push infostealer malware on GitHub

security
Apr 2, 2026

Threat actors exploited a March 31 accidental leak of Claude Code's source code (a terminal-based AI agent from Anthropic) by creating fake GitHub repositories that deliver Vidar infostealer malware to users searching for the leaked code. The repositories use search engine optimization to appear in Google results and trick users into downloading a malicious executable that deploys information-stealing and network-proxying tools.

BleepingComputer
06

CVE-2026-34760: vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, L

security
Apr 2, 2026

vLLM versions 0.5.5 through 0.17.x have a bug where Librosa (a library that processes audio) uses a simple averaging method for mono downmixing (converting multi-channel audio to single-channel), but the international standard ITU-R BS.775-4 requires a weighted algorithm instead. This causes audio to sound different to humans than what AI models actually process, creating a mismatch in how the same audio is experienced.

Fix: This issue has been patched in version 0.18.0.

NVD/CVE Database
07

OpenAI acquires popular tech podcast TBPN

industry
Apr 2, 2026

OpenAI has acquired TBPN, a daily technology news podcast that covers AI and interviews major tech leaders. The acquisition is part of OpenAI's effort to create a platform for discussion about how AI is changing society, though the company says TBPN will maintain editorial independence and continue choosing its own guests.

CNBC Technology
08

GHSA-3hfp-gqgh-xc5g: Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

security
Apr 2, 2026

A supply chain attack compromised the axios npm package (versions 1.14.1 and 0.30.4) by injecting a malicious dependency that installs a RAT (remote access trojan, malware giving attackers shell access and command execution). The @lightdash/cli package could resolve to these compromised axios versions during installation, potentially affecting users who installed @lightdash/cli versions 0.1800.0 through 0.2695.0 without a lockfile (a file that pins exact dependency versions) during the roughly 3-hour window the malicious versions were available on npm.

Fix: Upgrade @lightdash/cli immediately to version 0.2695.1, which pins axios to the safe version 1.14.0, using: `npm install -g @lightdash/cli@0.2695.1`. If unable to upgrade immediately, force install the safe axios version with `npm install -g axios@1.14.0 --force`. For Docker images or lockfile-based setups, verify axios is not version 1.14.1 or 0.30.4 by running `npm ls axios`. Additionally, block network traffic to the attacker's command-and-control servers (`sfrclak[.]com` and `142.11.206.73:8000`) at the network level. If compromise is suspected, check for RAT artifacts (macOS: `/Library/Caches/com.apple.act.mond`, Windows: `%PROGRAMDATA%\wt.exe`, Linux: `/tmp/ld.py`), and if found, rotate all credentials and secrets.

GitHub Advisory Database
09

llm-gemini 0.30

industry
Apr 2, 2026

This is a monthly briefing post by Simon Willison from April 2, 2026, covering developments in LLM (large language model) tools and services, including updates to the llm command-line tool, Google's Gemini AI, and Google's Gemma model. The post appears to be an announcement of a sponsored monthly email digest tracking important LLM developments, though specific technical details about changes or issues are not provided in the content.

Simon Willison's Weblog
10

CVE-2026-34526: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

security
Apr 2, 2026

SillyTavern, a local application that lets users interact with AI text generation models and other AI tools, had a security flaw in versions before 1.17.0 where it didn't properly validate all types of network addresses. The validation only checked for standard IPv4 addresses (like 127.0.0.1) but missed other ways to refer to the local computer, such as 'localhost' or IPv6 addresses, which could allow SSRF (server-side request forgery, where an attacker tricks the application into making unwanted network requests to internal services).

Fix: Update to version 1.17.0 or later, where this issue has been patched.

NVD/CVE Database