Digest Archive

Amazon Q Developer Executes Malicious Code From Cloned Repos: Amazon Q for VS Code had a high-severity vulnerability (CVE-2026-12957, CVSS 8.5) that allowed attackers to run arbitrary commands and steal AWS credentials by embedding malicious MCP server configurations (local processes that extend AI assistant capabilities) in a repository. The flaw occurred because Amazon Q automatically loaded and executed these configurations without verifying workspace trust or requesting user permission, giving attackers full access to the developer's environment variables and cloud credentials.

US Government Restricts GPT-5.6 and Mythos Releases: The Trump administration requested that OpenAI limit its GPT-5.6 rollout to government-vetted partners before a wider launch, marking the first time a US AI firm has been told to restrict model access pre-release. Anthropic's Mythos models were pulled from service for two weeks under similar restrictions before being released to approximately 100 approved companies and federal agencies, signaling a new era of government oversight for advanced AI deployments.

Attackers Exploit OpenAI's Organization Invites to Impersonate Companies: Cybersecurity firms are being targeted by fraudulent OpenAI organization invitations that appear to come from legitimate companies, using OpenAI's real email infrastructure with attached payment methods to trick employees into sharing source code and internal documents. The invitations are difficult to detect despite OpenAI's domain mismatch warnings, as they leverage the platform's authentic communication channels.

Malware Designed to Evade LLM-Based Security Tools: Security researchers identified malware such as macOS.Gaslight (linked to North Korean threat actors) that specifically subverts AI-powered security analysis tools by causing LLM-assisted detection systems (security products that use large language models to analyze threats) to halt analysis or refuse to operate. This represents an emerging adversarial technique where malware authors are actively engineering code to bypass AI-based defenses.

Anthropic Expands AI Infrastructure in Asia-Pacific: Anthropic is rapidly building data center operations in Australia and Japan, hiring 13 people to manage infrastructure driven by advantages like renewable energy and political stability, though Australia's copyright laws may complicate expansion plans.

Critical RCE in ToolJet Marketplace Plugins: ToolJet versions before 3.20.178-lts contain a vulnerability (CVE-2026-55413) where authenticated builder-role users can inject malicious JavaScript into shared marketplace plugins, achieving RCE (remote code execution, where an attacker can run commands on a system they don't own) with full Node.js access that executes whenever anyone uses the compromised plugin.

Anthropic Accuses Alibaba of Massive Model Distillation Attack: Anthropic alleged that Alibaba conducted an illegal distillation campaign (training a weaker AI model using outputs from a stronger one without permission) involving 28.8 million exchanges through fraudulent accounts between April and June 2024. Anthropic is calling for coordinated government and industry action to combat such illicit capability extraction.

OpenAI and Broadcom Unveil Jalapeño Inference Chip: OpenAI's first custom AI accelerator, designed specifically for LLM inference (running trained models to generate outputs), delivers significantly better performance per watt than current alternatives and will deploy in data centers starting 2026. The ASIC (application-specific integrated circuit, a processor built for one particular task) was co-designed with Broadcom in nine months using OpenAI's own AI models.

OpenAI Launches Patch the Planet to Accelerate Open-Source Fixes: OpenAI deployed a new program combining AI-assisted vulnerability discovery with security experts from Trail of Bits to identify, fix, and deploy patches for flaws in critical open-source projects like Python, Go, and cURL. The company argues that AI has made vulnerability discovery so fast that security teams are overwhelmed, shifting its Daybreak initiative to prioritize rapid patching over pure research.

Fake AI Agent Skill Bypassed Security Scanners and Reached 26,000 Agents: Security researchers created a malicious AI agent skill (a bundle of instructions that agents load and execute) that evaded all scanning tools by exploiting a structural flaw where reviewers only check the initial package but attackers can later swap the external webpage it references. The attack leveraged inherited GitHub credibility and targeted advertising, demonstrating that current trust mechanisms and automated scans fail against sophisticated supply-chain attacks.

OpenAI Launches Multi-Billion Dollar Open Source Security Initiative: OpenAI expanded its Daybreak program to systematically find and fix vulnerabilities in critical open-source projects, partnering with Trail of Bits, HackerOne, and Calif to provide free security consulting and AI-powered bug hunting using GPT-5.5-Cyber (a specialized model trained on security tasks). In the first week, engineers discovered hundreds of bugs across 19 major projects including Python, Go, and RustCrypto, with 37 patches already merged.

US Export Controls Block Anthropic's Fable Model Over Code-Writing Capabilities: The US government placed export controls on Anthropic's Fable AI model, claiming its advanced code-writing capabilities posed a national security threat, while intelligence agencies from the Five Eyes alliance (US, UK, Canada, Australia, New Zealand) warned that AI models capable of severely damaging governments and businesses could arrive within months.

Samsung Deploys ChatGPT Enterprise to All Employees Globally: Samsung Electronics is rolling out ChatGPT Enterprise and Codex (an AI coding assistant) across its Korea and Device eXperience divisions worldwide, marking one of OpenAI's largest enterprise deployments to date. The deployment includes security controls like data protection and access management to enable AI use within corporate policies.

Cloudflare Enables Anonymous AI Agent Deployments: Cloudflare now allows users to deploy applications on its Workers serverless platform without account creation through temporary 60-minute projects. This reduces friction for testing and prototyping but introduces potential abuse vectors for malicious actors seeking ephemeral infrastructure.

Microsoft Attributes Major npm Supply Chain Attack to North Korean Hackers: The Sapphire Sleet group compromised an npm maintainer account and poisoned over 140 JavaScript packages with a malicious dependency that exfiltrated credentials, API keys, and cryptocurrency wallets from developer machines. The malware used post-install hooks (code that executes automatically during package installation) and deployed platform-specific persistence mechanisms across Windows, Linux, and macOS.

Lloyds Banking Group Expands AI Agent Workforce by 300: The bank is hiring 300 technologists by September to build agentic AI systems (autonomous models that plan and execute tasks with minimal human oversight), even as broader AI adoption may eventually reduce headcount elsewhere in the organization.

Widespread Critical Vulnerabilities in AI Agent Frameworks: Multiple critical command injection and authentication bypass vulnerabilities were disclosed in popular AI agent tools, including Network-AI (CVE-2026-48814, CVE-2026-54051), Langflow (CVE-2026-55255, CVE-2026-55447), and agentic-flow. These flaws allow unauthenticated attackers to execute arbitrary commands, read sensitive files, or hijack other users' workflows, exposing organizations running AI agents to immediate risk of system compromise and data theft.

Microsoft Identifies AutoJack Attack Chain Targeting AI Browsing Agents: Microsoft disclosed AutoJack, an exploitation technique that weaponizes malicious webpages to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) on computers running AI agents with web browsing capabilities. The attack chains together weaknesses in AutoGen Studio's Model Context Protocol implementation, allowing hostile pages visited by the agent to execute arbitrary code without credentials or user interaction.

PraisonAI File Access Vulnerabilities Expose Systems to Total Compromise: Two critical and high-severity flaws in PraisonAI allow attackers to read or write arbitrary files and trigger SSRF (server-side request forgery, tricking a server into making requests to unintended locations) attacks by manipulating AI agent tool parameters. The `multiedit` tool passes filepaths directly to `open()` without validation, enabling credential theft and system takeover, while search tools accept attacker-controlled `searxng_url` parameters that can reach internal services and cloud metadata endpoints to steal credentials.

Unauthenticated Email Triggers Privileged AI Code Execution in AgenticMail: A high-severity flaw in AgenticMail allows any external sender to trigger a Claude Code session running in `bypassPermissions` mode (removing safety restrictions) by sending an email whose contents are embedded directly into the AI prompt without sender verification. This enables prompt injection (tricking the AI by hiding instructions in its input) leading to arbitrary code execution and file access under the operator's identity.