AI Sec Watch

The Electronic Frontier Foundation (EFF) introduced a policy for open-source contributions that requires developers to understand any code they submit and to write comments and documentation themselves, even if they use LLMs (large language models, AI systems trained to generate human-like text) to help. While the EFF does not completely ban LLM-assisted code, they require disclosure of LLM use because AI-generated code can contain hidden bugs that scale poorly and create extra work for reviewers, especially in under-resourced teams.

OpenClaw is a personal AI assistant with a macOS desktop client that can be triggered through deep links (special URLs that open apps). In versions 2026.2.6 through 2026.2.13, attackers could hide malicious commands by padding messages with whitespace, so users would see only a harmless preview but the full hidden command would execute when they clicked 'Run'. This works because the app only displayed the first 240 characters in the confirmation dialog before executing the entire message.

Researchers discovered PromptSpy, the first known Android malware that uses generative AI (specifically Google's Gemini model) during its operation to help it persist on infected devices by adapting how it locks itself in the Recent Apps list across different Android manufacturers. Beyond this AI feature, PromptSpy functions as spyware with a VNC module (remote access tool) that allows attackers to view and control the device, intercept passwords, record screens, and capture installed apps. The malware also uses invisible UI overlays to block users from uninstalling it or disabling its permissions.

NIST announced the AI Agent Standards Initiative to develop standards and safeguards for agentic AI (autonomous AI systems that can perform tasks independently), with the goal of building public confidence and ensuring safe adoption. The initiative faces criticism for moving too slowly, as real-world security incidents involving agentic AI (like the EchoLeak vulnerability in Microsoft 365 Copilot and the OpenClaw agent that can let attackers access user data) are already occurring faster than standards can be developed.

SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.16.0 had an SSRF vulnerability (server-side request forgery, where an attacker can make the server send requests to internal networks or services it shouldn't access), allowing authenticated users to read responses from internal services and private network resources through the asset download feature.

YouTube is expanding its conversational AI tool to smart TVs, gaming consoles, and streaming devices, allowing users to ask questions about video content using an 'Ask' button or voice commands without pausing playback. The feature, currently available to select users over 18 in five languages, lets viewers get instant answers about things like recipe ingredients or song background information. This expansion reflects YouTube's growing dominance in TV viewing, with competitors like Amazon, Roku, and Netflix also developing their own conversational AI features for television.

OpenClaw, an npm package, used SHA-1 (an outdated hashing algorithm with known weaknesses) to create identifiers for Docker and browser sandbox configurations. An attacker could exploit hash collisions (two different configurations producing the same hash) to trick the system into reusing the wrong sandbox, leading to cache poisoning (corrupting stored data) and unsafe sandbox reuse.

Microsoft's Semantic Kernel Python SDK has an RCE vulnerability (remote code execution, where an attacker can run commands on a system they don't own) in the `InMemoryVectorStore` filter functionality, which allows attackers to execute arbitrary code. The vulnerability affects the library used for building AI applications with vector storage (a database that stores AI embeddings, which are numerical representations of data).

A hacker exploited a vulnerability in Cline, an open-source AI coding agent, to trick it into installing OpenClaw (a viral AI agent that can perform autonomous actions) across many systems. The vulnerability allowed attackers to use prompt injection (hidden malicious instructions embedded in input) to make Claude, the AI powering Cline, execute unintended commands, highlighting growing security risks as more people deploy autonomous software.