aisecwatch.com
Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Digest Archive

Daily Briefing: Monday, May 18, 2026

OpenAI and Dell Partner on Private Codex Deployment: OpenAI and Dell Technologies are partnering to bring Codex (an AI tool that writes and understands code) to hybrid and on-premise enterprise environments, allowing companies to use the system in their own data centers rather than only in the cloud. This addresses security concerns for organizations that need to keep sensitive data on their own infrastructure while still accessing AI coding capabilities.

Critical Code Injection in ChromaDB Allows Unauthenticated RCE: ChromaDB versions 1.0.0 and later contain a pre-authentication code injection vulnerability allowing unauthenticated attackers to execute arbitrary code on the server by sending a malicious model repository to a specific API endpoint, earning a critical CVSS score of 10.0. (CVE-2026-45829)

Supply Chain Attack Compromises Mistral AI PyPI Package: Version 2.4.6 of the mistralai package on PyPI contained malicious code that executes a dropper (a program designed to download and run harmful payloads) when imported on Linux systems, downloading and executing files from a remote server. The compromised version has been removed, with versions 2.4.5 and earlier unaffected.

MLflow Permissions Flaw Enables Local Code Execution: MLflow versions before 3.11.0 create temporary directories with overly permissive access settings, allowing local attackers in shared environments like Databricks to modify model files and execute arbitrary code when those files are loaded. (CVE-2026-4137)

Anthropic Briefs Financial Regulators on Claude Mythos Exploit Discovery Capabilities: Anthropic is briefing global financial regulators on Claude Mythos, an AI model with advanced capabilities in discovering zero-day vulnerabilities (previously unknown security flaws), with the UK's AI Security Institute finding the latest version completed a difficult autonomous hacking test that no prior model had solved. Rather than releasing Mythos publicly, Anthropic has restricted access to selected tech companies and banks.

Daily Briefing: Sunday, May 17, 2026

Google Launches Gemini Omni Flash for Video Generation: Google introduced Gemini Omni Flash, a model that generates and edits videos from combined text, image, audio, or video inputs using physics-based reasoning. Users can iteratively edit outputs through conversational natural language instructions while maintaining consistency across characters and scene elements.

Critical Path Traversal in Bert-VITS2 AI Voice Model: CVE-2026-8756, a high-severity path traversal vulnerability (manipulating file paths to access files outside intended directories), affects fishaudio Bert-VITS2's Gradio interface. The flaw in the generate_config function can be exploited remotely via the data_dir argument, and the exploit is publicly available.

Daily Briefing: Saturday, May 16, 2026

Cerebras IPO Signals Concentration Risk in AI Investment: Cerebras Systems' shares surged 70% on debut, but the success highlights how impending trillion-dollar IPOs from SpaceX, OpenAI, and Anthropic are monopolizing investor attention and starving smaller AI companies of capital.

Survey Maps Attack Surface of Embodied AI Systems: A new survey examines vulnerabilities in embodied AI (AI systems controlling physical robots or devices), cataloging security risks when machine learning models interface with real-world hardware and environments.

Daily Briefing: Friday, May 15, 2026

OpenAI Suffers Supply Chain Attack via TanStack Compromise: Two OpenAI employee devices were infected through a supply chain attack on TanStack (a web development framework), allowing attackers to steal code-signing certificates (digital keys that verify software is authentic) for OpenAI's iOS, macOS, Windows, and Android applications. OpenAI revoked the compromised certificates and is requiring macOS users to update ChatGPT Desktop, Codex App, Codex CLI, and Atlas before June 12, 2026, though no customer data or production systems were affected.

NCSC Warns Organizations to Deploy Agentic AI Cautiously: The NCSC and international partners issued guidance urging organizations to adopt agentic AI (AI systems that can plan, make decisions, and take actions autonomously) carefully due to significant security risks including broader system access, unpredictable behavior, and difficulty explaining AI actions. The guidance recommends starting with low-risk tasks, deploying incrementally with tight controls, and maintaining human oversight before connecting agents to real systems or data.

Daily Briefing: Thursday, May 14, 2026

DeepSeek TUI RCE via Auto-Approved Test Execution: DeepSeek TUI's `run_tests` tool executes without user approval, allowing attackers to achieve remote code execution by hiding malicious commands in test files and using prompt injection (hidden instructions placed in AI input) via an `AGENTS.md` file that tricks the model into auto-running tests on startup. CVE-2026-45311. [critical]

FlowiseAI Unauthenticated RCE Through Custom Function Endpoint: FlowiseAI's custom JavaScript function endpoint lacks authorization checks, letting any authenticated user submit arbitrary code that executes on the server, and when E2B sandbox is disabled, attackers can escape the NodeVM sandbox (a JavaScript isolation tool) through error object manipulation to reach the host system. [critical]

Daily Briefing: Wednesday, May 13, 2026

Microsoft's MDASH AI System Discovers 16 Windows Vulnerabilities: Microsoft developed MDASH (multi-model agentic scanning harness), an AI system using over 100 specialized agents to automatically find security flaws, which discovered 16 previously unknown Windows vulnerabilities including four critical RCEs (remote code execution, where attackers can run commands on a system without permission) patched in May's Patch Tuesday release.

Multiple High-Severity Vulnerabilities in AI Development Tools: Claude Desktop versions before 1.3834.0 contained a privilege escalation flaw (CVE-2026-44470) where its CoworkVMService could be tricked into creating files anywhere on the system, potentially granting administrator control. GitHub Copilot CLI before version 1.0.43 (CVE-2026-45033) allowed malicious git repositories to execute arbitrary code through configuration keys like core.fsmonitor, and LangSmith SDK (CVE-2026-45134) would deserialize untrusted prompt manifests without warning, enabling attackers to steal secrets or inject malicious AI instructions.

Daily Briefing: Tuesday, May 12, 2026

OpenAI Launches Daybreak Cybersecurity Platform: OpenAI introduced Daybreak, an AI-powered platform that uses large language models (AI systems trained on vast amounts of text data) and agentic capabilities (the ability for AI to take independent actions toward goals) to automatically identify, patch, and validate software vulnerabilities across three versions of GPT-5.5. The platform competes directly with Anthropic's Claude Mythos and integrates with Codex Security to address concerns that AI-driven vulnerability discovery is outpacing remediation capacity, creating triage fatigue (when maintainers get overwhelmed sorting through reports, including AI-generated false alarms).

Supply Chain Attack Compromises 170+ Packages Including TanStack and Mistral AI: TeamPCP exploited weak GitHub Actions configurations to inject Mini Shai-Hulud malware into over 170 npm and PyPI packages, including TanStack Router, Mistral AI SDK, UiPath, and Guardrails AI. The attack used stolen OIDC tokens (authentication credentials that verify a developer's identity) to publish malicious versions with valid cryptographic signatures, making them appear legitimate, and the malware steals credentials, API keys, and SSH keys while persisting in code editor auto-run tasks even after package removal. OpenAI reported two employee devices were compromised, with limited source code repository access and credential exfiltration, but no evidence of customer data or production system compromise. [critical]

Daily Briefing: Monday, May 11, 2026

Google Blocks First Confirmed AI-Generated Zero-Day Exploit: Google's Threat Intelligence Group discovered and stopped a zero-day exploit (a previously unknown security flaw) that was created with AI assistance, which criminals planned to use for mass attacks bypassing two-factor authentication on a web administration tool. The incident marks a significant escalation in AI-powered hacking, which Google says has rapidly grown from a minor issue to an industrial-scale threat in just three months, with state-sponsored actors and criminal groups now using commercial AI models to find vulnerabilities and write exploits at scale.

Malicious Hugging Face Model Impersonating OpenAI Reaches 244,000 Downloads: A fake repository on Hugging Face (a platform for sharing AI models) impersonated OpenAI's Privacy Filter and tricked 244,000 users into downloading infostealer malware (software that harvests passwords, credentials, and sensitive data) before removal. The malicious repository copied the legitimate project's description and included a loader script that deployed the malware to Windows systems.

Daily Briefing: Sunday, May 10, 2026

Critical Memory Leak in Ollama Exposes LLM Deployment Secrets: A severe out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama, a widely-used framework for running large language models locally, allows attackers to extract sensitive process memory including API keys and conversation history by uploading malicious GGUF files (a format for storing language models). The flaw affects versions prior to 0.17.1 and threatens approximately 300,000 servers worldwide.

Social Engineering Campaign Weaponizes Claude.ai Interface for Mac Malware: Attackers are purchasing Google Ads and creating fake Claude.ai shared conversations to distribute malware targeting macOS users searching for the AI assistant. The fraudulent chats mimic official installation instructions and prompt victims to execute Terminal commands that exfiltrate credentials from browsers and macOS Keychain (Apple's system-wide password vault).

Daily Briefing: Saturday, May 9, 2026

Malicious Repository on Hugging Face Delivered Infostealer to 244,000 Downloads: A fake OpenAI repository on Hugging Face (a platform where developers share AI models and code) disguised itself as a legitimate project and reached the top of the trending list before being removed, tricking users into downloading a loader script that exfiltrates passwords, cryptocurrency wallets, and browser cookies. The incident highlights supply chain risks in AI development ecosystems where practitioners routinely download pre-trained models and code from community repositories.

Large-Scale Detection Method for Living-Off-the-Land Reverse Shells via Data Synthesis: Researchers developed a detection system for living-off-the-land reverse shells (attacks where adversaries use legitimate built-in system tools to create backdoor connections) by synthetically generating training data rather than relying on real attack samples. This approach addresses a critical gap in defending against stealthy attacks that blend with normal system activity and are difficult to detect with traditional methods.

South Korea Tests Deepfake Regulation in Elections: South Korea is using its upcoming local elections to evaluate whether laws can effectively curb deepfakes (AI-generated fake videos or audio) in political campaigns, serving as a real-world regulatory experiment.

GenAI Feedback Motivates but Devalues Workers: A study of 350 MBA students and 42 graduates found that generative AI feedback increases confidence and motivation but simultaneously makes workers feel replaceable, while creating prompt engineering convergence (reducing diverse work to repetitive prompting tasks) that fails to provide traditional job satisfaction.

Multiple High-Severity Access Control Flaws in Open WebUI and Microsoft APM: Open WebUI, a self-hosted AI platform, had three high-severity vulnerabilities (CVE-2026-44556, CVE-2026-44563, CVE-2026-45401) allowing authenticated users to bypass model access controls and exploit HTTP redirects to access internal systems. Microsoft APM, a dependency manager for AI agents, had multiple path traversal and symlink vulnerabilities (CVE-2026-44641, CVE-2026-45539, CVE-2026-46383) that could let malicious plugins read or write arbitrary files on developers' machines during installation.

SSRF Vulnerabilities Exposed in AI Automation Tools: Budibase's AI Extract File automation step (CVE-2026-45548) and Pipecat's development runner (CVE-2026-44716) both contained high-severity flaws allowing SSRF attacks (server-side request forgery, where a server is tricked into making requests to unintended locations). The Budibase flaw bypassed IP blacklist validation to access cloud metadata and internal networks, while Pipecat's path traversal vulnerability let attackers read arbitrary files like SSH keys using URL-encoded slashes.

Amazon SageMaker SDK Model Integrity Failures Enable Malicious Code Execution: Amazon SageMaker Python SDK has two critical flaws: CVE-2026-8596 exposes encryption keys as plaintext in APIs allowing signature forgery, while CVE-2026-8597 skips integrity checks when loading model files, letting attackers replace them with malicious code that executes without verification. Both require AWS permissions and storage access. [critical]

PyTorch Lightning Version 2.6.2 Ships with Credential Harvesting Mechanism: PyTorch Lightning (a framework for training and adjusting AI models) version 2.6.2 introduced a credential harvesting mechanism (a way to steal login information) rated CVSS 9.3, allowing attackers to gain complete system control without special access or user interaction. CVE-2026-44484. [critical]

AI Agent Discovers 18-Year-Old Nginx RCE Vulnerability: Researchers using an AI model found a critical heap buffer overflow in Nginx (a web server powering one-third of websites) that can crash servers or enable remote code execution, especially on systems with ASLR (Address Space Layout Randomization, a memory randomization security feature) disabled. CVE-2026-42945, severity 9.2. [high]

OpenAI Enhances ChatGPT Context Recognition for High-Risk Scenarios: OpenAI updated ChatGPT to better identify warning signs of harm by analyzing context within and across conversations using safety summaries (short notes about earlier safety-relevant context), particularly for suicide, self-harm, and harm-to-others situations, allowing more nuanced responses through de-escalation or redirection to support resources. The update follows two years of development with mental health experts.

AI Agents' Persistent Memory Creates New Attack Vector: Researchers identified Memory & Context Poisoning vulnerabilities in AI agents that retain session memory, demonstrating a MemoryTrap attack in Claude Code where malicious dependencies approved once could persist across projects and sessions, with agents treating stored memory and configuration files as trustworthy without validating for attacker-controlled content.

Critical Insecure Deserialization Vulnerabilities Across ML Frameworks: At least nine critical CVEs were disclosed affecting major machine learning frameworks including Ludwig (CVE-2026-31238), mamba (CVE-2026-31239), CosyVoice (CVE-2026-31232), PyTorch-Lightning (CVE-2026-31221), snorkel (CVE-2026-31223, CVE-2026-31224), and Adversarial Robustness Toolbox (CVE-2026-31228, CVE-2026-31229, CVE-2026-31230). All vulnerabilities stem from unsafe use of torch.load() or pickle.load() without security parameters, allowing arbitrary code execution when loading malicious model files from sources like HuggingFace Hub or local directories.

Multiple Critical Flaws in AI Agent Platforms: OpenClaude's BashTool allows LLMs to control a `dangerouslyDisableSandbox` parameter that bypasses execution restrictions (CVE-2026-42074), Langflow has a path traversal vulnerability enabling authenticated attackers to delete arbitrary directories (CVE-2026-42048), and JunoClaw exposed plaintext BIP-39 seeds (cryptographic wallet keys) in logs and telemetry (CVE-2026-43992) while also suffering from SSRF (server-side request forgery, tricking a server into making requests to unintended locations), command injection, and file upload validation failures (CVE-2026-43989 through CVE-2026-43993).

Microsoft Reports New Multi-Model Agentic Security System Finds 16 Windows Vulnerabilities: Microsoft's MDASH (multi-model agentic scanning harness) uses over 100 specialized AI agents working together to discover security vulnerabilities, achieving an 88.45% score on public cybersecurity benchmarks and identifying 16 new Windows vulnerabilities including four critical remote code execution flaws (where attackers can run commands on systems they don't own). The system is currently available only through a limited private preview program.

Multiple Critical RCE Vulnerabilities in AI Tools: DeepChat versions before v1.0.4-beta.1 contain an RCE vulnerability (remote code execution, where an attacker can run commands on a system they don't own) that allows attackers to bypass security checks and execute arbitrary commands via malicious links or compromised AI endpoints (CVE-2026-43899). GPT-Pilot also has a command injection vulnerability (CWE-78, a flaw where attackers insert malicious commands into a program) in its Executor.run() method that fails to properly validate user input before shell execution (CVE-2026-31246).

Over 1,800 AI Agent Servers Exposed Without Authentication: Security researchers found over 1,800 MCP servers (Model Context Protocol servers, tools that connect AI assistants to external systems) publicly exposed without authentication, allowing anyone to see what internal tools organizations have connected to their AI. Production systems with access to financial databases, social media accounts, and customer data are vulnerable to attacks including EchoLeak (a zero-click exploit hiding malicious instructions in documents) and supply chain attacks.

Adaptive Defenses Against RL-Powered NIDS Evasion: Research explores how machine learning-based network intrusion detection systems (NIDS, tools that identify unauthorized network access) can implement dynamic hardening strategies to counter reinforcement learning adversaries that learn optimal evasion techniques through trial-and-error, comparing effectiveness against static defenses.

Quantum Computing Applied to Breaking Robust Neural Networks: A new quantum adaptive ensemble attack system (QAEAS) demonstrates the ability to compromise deep neural networks specifically hardened against adversarial attacks by combining quantum computing techniques with coordinated multi-vector strategies. The research signals emerging threats as quantum computing capabilities mature and could impact AI systems deployed in security-critical applications.