aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6267 items

GHSA-2r2p-4cgf-hv7h: engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection

highvulnerability
security
Apr 22, 2026

The engram HTTP server (a local application running on your computer) had a serious flaw: it listened without authentication by default and answered cross-origin requests from any origin (a wildcard CORS policy; CORS, or cross-origin resource sharing, controls which websites may read responses from your local applications). Any web page you visited could therefore read your private knowledge graph (exfiltration) and write to it (CSRF), planting instructions that your AI coding assistant later reads as if they were your own notes (persistent indirect prompt injection).

Fix: Upgrade to `engramx@2.0.2` or later. This version applies the following fixes: (1) requires authentication (Bearer token or HttpOnly cookie) on all non-public routes, (2) removes the wildcard CORS policy entirely and requires explicit opt-in via `ENGRAM_ALLOWED_ORIGINS`, (3) validates the Host and Origin headers to prevent DNS rebinding attacks, (4) enforces `Content-Type: application/json` on data modifications to block CSRF vectors, and (5) protects the UI bootstrap with `Sec-Fetch-Site` validation to prevent cross-origin probing.

GitHub Advisory Database
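As an added example (not engram's own code), the Python request gate below applies the five controls the 2.0.2 fix describes. It assumes a hypothetical local server bound to 127.0.0.1:7777 with a bearer token from configuration; the route names, header handling and `Policy` fields are illustrative, and the gate is the decision logic only, not a framework binding.

```python
import hmac
from dataclasses import dataclass, field

# Assumed deployment values (hypothetical): the server's own bind address and
# the routes that stay reachable without a token.
LISTEN_HOSTS = frozenset({"127.0.0.1:7777", "localhost:7777"})
PUBLIC_ROUTES = frozenset({"/health"})
WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Policy:
    token: str                                # bearer token; the pre-2.0.2 default was no token at all
    allowed_origins: frozenset = frozenset()  # ENGRAM_ALLOWED_ORIGINS; empty means no cross-origin access


def check_request(req: Request, policy: Policy) -> tuple[int, str]:
    """Return (status, reason); 200 means the handler may run."""
    hdr = {k.lower(): v for k, v in req.headers.items()}

    # (3) Host validation defeats DNS rebinding: a page on attacker.example whose
    # name now resolves to 127.0.0.1 still sends Host: attacker.example.
    if hdr.get("host", "") not in LISTEN_HOSTS:
        return 421, "unexpected Host header"

    # (2) No wildcard CORS: a browser request from another origin is allowed only
    # when that origin was explicitly configured. No Origin header means the
    # request is same-origin or not from a browser.
    origin = hdr.get("origin")
    if origin is not None and origin not in policy.allowed_origins:
        return 403, "origin not allowed"

    # (5) Sec-Fetch-Site catches cross-site loads that carry no Origin header,
    # such as <img>/<script> probes against the UI bootstrap.
    if origin is None and hdr.get("sec-fetch-site") == "cross-site":
        return 403, "cross-site fetch without an allowed origin"

    if req.path in PUBLIC_ROUTES:
        return 200, "public route"

    # (1) Authentication on every non-public route, compared in constant time.
    auth = hdr.get("authorization", "")
    presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not policy.token or not hmac.compare_digest(presented, policy.token):
        return 401, "missing or invalid bearer token"

    # (4) Writes must be application/json. HTML forms cannot send that content
    # type, so a form-based CSRF never reaches a write handler even if it
    # somehow carried credentials.
    if req.method in WRITE_METHODS:
        ctype = hdr.get("content-type", "").split(";", 1)[0].strip().lower()
        if ctype != "application/json":
            return 415, "writes require Content-Type: application/json"

    return 200, "ok"


POLICY = Policy(token="s3cret-example-token")  # constructed; load from config in practice

if __name__ == "__main__":
    samples = {
        "legit write": Request("POST", "/graph/nodes", {"Host": "127.0.0.1:7777",
                               "Authorization": "Bearer s3cret-example-token",
                               "Content-Type": "application/json"}),
        "dns rebinding": Request("GET", "/graph", {"Host": "attacker.example",
                                 "Authorization": "Bearer s3cret-example-token"}),
        "csrf form post": Request("POST", "/graph/nodes", {"Host": "localhost:7777",
                                  "Origin": "https://evil.example",
                                  "Content-Type": "application/x-www-form-urlencoded"}),
    }
    for name, req in samples.items():
        print(name, check_request(req, POLICY))
```

The order matters: Host and Origin are checked before the token so that a rebinding or cross-site probe gets the same rejection whether or not it carries credentials, which keeps the gate from leaking whether a token is configured.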

Now Meta will track what employees do on their computers to train its AI agents

infonews
privacyindustry

CVE-2026-6859: A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from

highvulnerability
security
Apr 22, 2026
CVE-2026-6859

InstructLab has a security flaw in its `linux_train.py` script that automatically trusts code from external model sources without verification (trust_remote_code=True). An attacker could trick users into downloading a malicious model from HuggingFace (a popular AI model repository) and running training commands, allowing the attacker to execute arbitrary Python code and take over the entire system.
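As an added example (not InstructLab's code), the Python below shows the check a training script could run before deciding the `trust_remote_code` value instead of hardcoding it: it reads the model directory's config.json for an `auto_map` entry (the signal that the repository supplies its own modeling classes), hashes any Python files it ships, and only passes `trust_remote_code=True` when every such file is on an explicit allowlist. The sample model directory and its file contents are constructed; the allowlist mechanism and function names are assumptions, not an InstructLab or Hugging Face API.

```python
import hashlib
import json
import os
import tempfile


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def audit_model_dir(model_dir, allowed_sha256=frozenset()):
    """Inspect a local model directory for code that trust_remote_code=True would run.

    Returns: custom_code (bool), digests ({file: sha256} for *.py), unapproved
    (py files not on the allowlist) and remote_refs (auto_map targets of the form
    'org/repo--module.Class', i.e. code fetched from another hub repo at load time)."""
    auto_map = {}
    cfg = os.path.join(model_dir, "config.json")
    if os.path.exists(cfg):
        with open(cfg) as f:
            auto_map = json.load(f).get("auto_map") or {}
    digests = {name: _sha256(os.path.join(model_dir, name))
               for name in sorted(os.listdir(model_dir)) if name.endswith(".py")}
    return {
        "custom_code": bool(auto_map) or bool(digests),
        "digests": digests,
        "unapproved": [n for n, d in digests.items() if d not in allowed_sha256],
        "remote_refs": [str(t) for t in auto_map.values() if "--" in str(t)],
    }


def safe_load_kwargs(model_dir, allowed_sha256=frozenset()):
    """Kwargs for AutoModelForCausalLM.from_pretrained(): trust_remote_code is
    derived from the audit, never hardcoded. Raises rather than loading unreviewed code."""
    a = audit_model_dir(model_dir, allowed_sha256)
    if a["unapproved"] or a["remote_refs"]:
        raise PermissionError(
            f"refusing to load {model_dir}: unreviewed code "
            f"{a['unapproved']} remote={a['remote_refs']}")
    return {"trust_remote_code": a["custom_code"]}


def make_sample_repo(custom=True):
    """Constructed sample model directory; with custom=True it mimics a repo that
    needs trust_remote_code (an auto_map entry plus the module it names)."""
    d = tempfile.mkdtemp(prefix="sample-model-")
    config = {"model_type": "llama", "hidden_size": 16}
    if custom:
        config["auto_map"] = {"AutoModelForCausalLM": "modeling_custom.CustomForCausalLM"}
        with open(os.path.join(d, "modeling_custom.py"), "w") as f:
            # Placeholder for repo-supplied code; a real payload would run here on import.
            f.write("print('repo-supplied modeling code imported')\n")
    with open(os.path.join(d, "config.json"), "w") as f:
        json.dump(config, f)
    return d


if __name__ == "__main__":
    repo = make_sample_repo()
    print(audit_model_dir(repo))
    try:
        safe_load_kwargs(repo)
    except PermissionError as e:
        print("blocked:", e)
    reviewed = frozenset(audit_model_dir(repo)["digests"].values())
    print("after review:", safe_load_kwargs(repo, reviewed))
    print("plain model:", safe_load_kwargs(make_sample_repo(custom=False)))
```

Pinning by content hash rather than by repository name matters because a model repository can be updated after review; a changed modeling file fails the allowlist and the load is refused again.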

CVE-2026-31507: In the Linux kernel, the following vulnerability has been resolved: net/smc: fix double-free of smc_spd_priv when tee()

infovulnerability
security
Apr 22, 2026
CVE-2026-31507

A vulnerability in the Linux kernel's SMC (Shared Memory Communications) networking code allows a double free when the tee() system call duplicates splice pipe buffers. Because tee() copies the buffer reference without giving each pipe its own smc_spd_priv (the private data tracking the buffer), two pipes end up pointing at the same object; releasing both frees it twice, which leads to a use-after-free (accessing memory that has already been freed), kernel crashes and possible memory corruption.

CVE-2026-31504: In the Linux kernel, the following vulnerability has been resolved: net: fix fanout UAF in packet_release() via NETDEV_

infovulnerability
security
Apr 22, 2026
CVE-2026-31504

A race condition in the Linux kernel's packet socket code (AF_PACKET) lets `packet_release()` leave a dangling pointer in a fanout group's socket array (the table used to spread received packets across a group of sockets). `NETDEV_UP` (a network-device-up event) can re-register the socket into that array after `packet_release()` has begun tearing it down but before it finishes, so the array later references freed memory (a use-after-free).

From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud

infonews
securitypolicy

Retail traders can now get long OpenAI as Robinhood's venture fund takes a stake

infonews
industry
Apr 22, 2026

Robinhood Ventures Fund I, an investment vehicle that lets regular traders buy into private companies, invested $75 million in OpenAI, the AI company behind ChatGPT. This gives retail investors (non-professional traders) access to ownership stakes in one of the most influential artificial intelligence companies, reflecting growing investor demand for exposure to leading AI firms.

AI-Enhanced Cybersecurity in Edge Computing: Threats, Solutions, and Future Directions

inforesearchPeer-Reviewed
security

NFC tap-to-pay gets tapped by hackers

mediumnews
security
Apr 22, 2026

Attackers have trojanized a legitimate Android payment app called HandyPay (modified legitimate software with malicious additions) to steal NFC data (near field communication, the technology behind tap-to-pay) and PINs, which lets them clone payment cards and drain accounts. The attackers likely used generative AI to help write the malware: the code contains emoji markers typical of AI-generated text. The malware is distributed through fake websites impersonating a Brazilian lottery and a spoofed Google Play store, targeting Android users in Brazil.

Claude Mythos Finds 271 Firefox Vulnerabilities

infonews
securityresearch

Toxic Combinations: When Cross-App Permissions Stack into Risk

highnews
securitysafety

Anthropic investigating claim of unauthorised access to Mythos AI tool

mediumnews
security
Apr 22, 2026

Anthropic is investigating a claim that unauthorized users accessed Claude Mythos, an advanced AI security tool that the company considers too dangerous to release publicly. The unauthorized access likely occurred through misuse of credentials by someone with legitimate access to Anthropic's systems through a third-party vendor, rather than through a traditional hack (a deliberate attempt to break into a computer system). The incident raises concerns about whether large AI companies can adequately control access to their most powerful models.

AI needs a strong data fabric to deliver business value

infonews
industry
Apr 22, 2026

As AI systems move into everyday business use, companies are discovering that the biggest challenge is not making AI faster or more powerful, but ensuring AI has the business context (the meaning and relationships behind data) it needs to make good decisions. Without this context, AI can produce answers quickly but make wrong choices, like a supply-chain system that optimizes inventory numbers without understanding which customers are strategically important or what tradeoffs matter during shortages. Organizations are now building data fabrics (systems that connect information across applications while preserving how the business actually works) as a foundation to give AI the context it needs to make decisions aligned with real business priorities.

Introducing workspace agents in ChatGPT

infonews
industry
Apr 22, 2026

OpenAI has introduced workspace agents in ChatGPT, which are AI tools that can handle complex work tasks and long-running workflows while respecting organizational permissions and controls. These agents, powered by Codex (a code-generating AI model), can automate tasks like report writing, code generation, and message responses, and can continue working in the cloud even when users are offline. Teams can create shared agents once and reuse them across ChatGPT and Slack, with examples including agents that review software requests, route product feedback, and manage vendor risk assessment.

Speeding up agentic workflows with WebSockets in the Responses API

infonews
industry
Apr 22, 2026

Codex (an AI coding assistant) agent loops involved many back-and-forth API requests, and that round-trip overhead became the dominant delay as model inference sped up to nearly 1,000 tokens per second (tokens are the sub-word units a model generates). To reduce it, the team moved to WebSockets (a protocol that keeps one persistent connection open between client and server instead of opening a new connection for each request), added caching, and removed unnecessary network calls, for a 40% end-to-end speedup.

Workspace agents

infonews
industry
Apr 22, 2026

Workspace agents are AI systems designed to automate repeatable workflows in your daily work by connecting to tools your team uses, rather than helping with one-off tasks. A workspace agent has three core components: a trigger (what starts it, like a schedule), a process with specialized skills (the steps it follows), and access to tools or systems (like Slack or a CRM). Unlike traditional deterministic workflows (where each step is explicitly defined and always the same), agents are probabilistic, meaning they use AI to interpret context and adjust their approach while staying within set instructions and guardrails.

Anthropic’s most dangerous AI model just fell into the wrong hands

highnews
security
Apr 22, 2026

Anthropic's Mythos AI model, a tool designed to find security weaknesses in software, was accessed by unauthorized users through a private online forum using a contractor's credentials and basic internet research techniques. The model is capable of identifying and exploiting vulnerabilities (security flaws) in major operating systems and web browsers, which is why Anthropic warned it could be dangerous if misused.

Anthropic bets on EPSS for the coming bug surge

infonews
securityindustry

Anthropic investigates report of rogue access to hack-enabling Mythos AI

highnews
security
Apr 22, 2026

Anthropic is investigating a report that unauthorized users gained access to Mythos, an AI model designed to detect cybersecurity vulnerabilities that the company has kept private because it could be misused to enable cyber-attacks. A small group of people allegedly accessed the model without permission, prompting the company to look into the incident.

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape

criticalnews
security
Apr 22, 2026

Terrarium, a Python sandbox developed by Cohere AI for running untrusted code in containers, has a critical vulnerability (CVE-2026-5752, CVSS 9.3) that allows attackers to execute arbitrary code with root privileges through JavaScript prototype chain traversal (a technique where attackers manipulate how JavaScript looks up object properties to access restricted functionality). Since the project is no longer maintained, a patch is unlikely, but CERT/CC recommends several defensive measures.

Now Meta will track what employees do on their computers to train its AI agents (continued)

Apr 22, 2026

Meta is installing a tool called Model Capability Initiative (MCI) on US employees' computers that records their activity, including mouse movements, clicks, keystrokes, and screenshots from work apps and websites. This recorded data will be used to train Meta's AI agents to perform computer tasks more like humans do, though Meta states the data won't be used to evaluate employee job performance.

The Verge (AI)

CVE-2026-6859: InstructLab (continued)

NVD/CVE Database

CVE-2026-31507: net/smc double free (continued)

Fix: The pipe buffer's .get callback is invoked by both tee(2) and splice_pipe_to_pipe() for partial transfers; after the fix both return -EFAULT for SMC buffers instead of sharing the smc_spd_priv object between pipes. Users who need to duplicate SMC socket data must use a copy-based read path.

NVD/CVE Database

CVE-2026-31504: packet fanout use-after-free (continued)

Fix: `packet_release()` now sets `po->num` to zero while `bind_lock` is held, so a concurrent `NETDEV_UP` can no longer re-link the socket into the fanout array; this closes the race window.

NVD/CVE Database
From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud (continued)

Apr 22, 2026

AI agents (AI systems that can retrieve data, use tools, and perform actions automatically) introduce new security challenges because traditional access control (rules about who can use a system) isn't enough. Google Cloud's Gemini Enterprise Agent Platform offers a centralized control point that provides identity management, access control, policy enforcement, and observability (the ability to see and monitor what's happening) to secure how these agents operate.

Check Point Research

Retail traders can now get long OpenAI as Robinhood's venture fund takes a stake (continued)

CNBC Technology
AI-Enhanced Cybersecurity in Edge Computing: Threats, Solutions, and Future Directions (continued)

research
Apr 22, 2026

This academic survey article examines how AI is being used to improve security in edge computing (processing data on devices near users rather than in distant data centers), while also exploring the new threats that arise when combining AI with edge systems. The article covers both the security challenges unique to AI-enhanced edge environments and potential approaches to address them, looking toward future developments in this field.

ACM Digital Library (TOPS, DTRAP, CSUR)

NFC tap-to-pay gets tapped by hackers (continued)

Fix: Android's install-from-unknown-sources protection gives partial cover: when a user tries to install the trojanized app from a browser download, Android blocks the install and shows a prompt that requires the user to manually allow installations from that source. ESET researchers also published indicators of compromise (file hashes, network indicators and MITRE ATT&CK mappings) in a dedicated GitHub repository to support detection.

CSO Online
Claude Mythos Finds 271 Firefox Vulnerabilities (continued)

Apr 22, 2026

A tool called Claude Mythos discovered 271 security vulnerabilities (weak points that could be exploited) in Firefox, Mozilla's web browser. According to Mozilla, all of these flaws could also have been found by a highly skilled human security researcher, suggesting the tool found nothing that an experienced human could not have found.

SecurityWeek
Toxic Combinations: When Cross-App Permissions Stack into Risk (continued)

Apr 22, 2026

On January 31, 2026, researchers found that Moltbook, a social network for AI agents, exposed 35,000 email addresses and 1.5 million agent API tokens because its database was unencrypted, including plaintext third-party credentials like OpenAI API keys. The core risk is a "toxic combination," where an AI agent or integration bridges two or more applications through OAuth grants (permission frameworks allowing apps to access each other) or API connections, and each application owner reviews only their own side, missing the security risks created by the bridge itself.

Fix: The source suggests shifting review from inside each app to between apps, in four areas: (1) maintain a non-human identity inventory that treats every AI agent, bot, MCP server (a Model Context Protocol server, which exposes tools to AI models) and OAuth integration like a user account, with an owner and a review date; (2) before approval, flag any new write scope (permission to modify data) requested for an identity that already holds read scopes (permission to view data) in a different app; (3) keep a review trail for every connector linking two systems that names both sides and the trust relationship between them; and (4) monitor long-lived tokens whose observed activity has drifted from their original scopes.

The Hacker News
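As an added example (not from the article), the Python below implements those four checks over a constructed inventory of non-human identities and a constructed usage log: it finds read-here/write-there bridges, gates a new write-scope request, and flags long-lived identities seen acting outside their recorded scopes. The scope naming convention (`resource.verb`), the app names and the identities are assumptions for illustration.

```python
from collections import defaultdict
from datetime import date

WRITE_VERBS = frozenset({"write", "send", "delete", "admin"})


def is_write(scope):
    """Scopes here follow an assumed '<resource>.<verb>' convention."""
    return scope.rsplit(".", 1)[-1] in WRITE_VERBS


# Constructed inventory (rule 1): every agent, bot, MCP server and OAuth
# integration is listed like a user account, with an owner and a grant date.
INVENTORY = [
    {"identity": "agent:support-bot", "owner": "cs-team",  "app": "crm",    "scope": "contacts.read", "granted": date(2025, 6, 1)},
    {"identity": "agent:support-bot", "owner": "cs-team",  "app": "email",  "scope": "mail.send",     "granted": date(2025, 6, 1)},
    {"identity": "agent:release-bot", "owner": "platform", "app": "github", "scope": "repo.read",     "granted": date(2026, 3, 1)},
    {"identity": "agent:release-bot", "owner": "platform", "app": "github", "scope": "repo.write",    "granted": date(2026, 3, 1)},
    {"identity": "mcp:jira-bridge",   "owner": "eng-ops",  "app": "jira",   "scope": "issues.read",   "granted": date(2025, 1, 15)},
]

# Constructed token activity (rule 4): what each identity was actually seen doing.
USAGE = [
    {"identity": "agent:support-bot", "app": "crm",    "scope": "contacts.read"},
    {"identity": "agent:support-bot", "app": "crm",    "scope": "contacts.write"},
    {"identity": "agent:release-bot", "app": "github", "scope": "actions.write"},
    {"identity": "agent:ghost",       "app": "slack",  "scope": "chat.write"},
]


def toxic_combinations(inventory):
    """Rule 3's review trail, derived: (identity, read_app, write_app) for every
    identity that can read in one app and write in a different one. Read and
    write inside the same app is not a bridge and is not reported."""
    grants = defaultdict(list)
    for g in inventory:
        grants[g["identity"]].append(g)
    bridges = []
    for ident, rows in grants.items():
        reads = {g["app"] for g in rows if not is_write(g["scope"])}
        writes = {g["app"] for g in rows if is_write(g["scope"])}
        for r in sorted(reads):
            for w in sorted(writes - {r}):
                bridges.append((ident, r, w))
    return bridges


def review_scope_request(inventory, identity, app, scope):
    """Rule 2: a new write scope is held for review when the identity already
    reads in some other app, because approving it would create a bridge."""
    if not is_write(scope):
        return "auto-approve: read scope"
    reads_elsewhere = sorted({g["app"] for g in inventory
                              if g["identity"] == identity and g["app"] != app
                              and not is_write(g["scope"])})
    if reads_elsewhere:
        return f"needs review: {identity} would bridge read({','.join(reads_elsewhere)}) -> write({app})"
    return "auto-approve: no cross-app bridge"


def drifted_tokens(inventory, usage, today, max_age_days=180):
    """Rule 4: flag long-lived identities seen using a scope the inventory does
    not record for that app, plus any identity the inventory does not know."""
    recorded = defaultdict(set)
    first_grant = {}
    for g in inventory:
        recorded[(g["identity"], g["app"])].add(g["scope"])
        first_grant[g["identity"]] = min(first_grant.get(g["identity"], g["granted"]), g["granted"])
    flagged = set()
    for u in usage:
        ident = u["identity"]
        if ident not in first_grant:
            flagged.add((ident, u["app"], "NOT IN INVENTORY"))
            continue
        long_lived = (today - first_grant[ident]).days > max_age_days
        off_scope = u["scope"] not in recorded.get((ident, u["app"]), set())
        if long_lived and off_scope:
            flagged.add((ident, u["app"], u["scope"]))
    return sorted(flagged)


if __name__ == "__main__":
    print("bridges:", toxic_combinations(INVENTORY))
    print(review_scope_request(INVENTORY, "mcp:jira-bridge", "slack", "chat.write"))
    print("drift:", drifted_tokens(INVENTORY, USAGE, date(2026, 4, 22)))
```

In the constructed data, support-bot reads CRM contacts and can send email, which is exactly the bridge each app owner would miss when reviewing only their own side; release-bot reads and writes within one app and is not reported.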
Anthropic investigating claim of unauthorised access to Mythos AI tool (continued)

BBC Technology

AI needs a strong data fabric to deliver business value (continued)

MIT Technology Review

Introducing workspace agents in ChatGPT (continued)

OpenAI Blog

Speeding up agentic workflows with WebSockets in the Responses API (continued)

Fix: The team implemented WebSockets as a persistent connection protocol for the Responses API instead of using multiple synchronous HTTP requests. They also cached rendered tokens and model configuration in memory to skip expensive tokenization and network calls, cut network-hop latency by eliminating intermediate service calls and contacting the inference service directly, and sped up the safety stack so classifiers run faster.

OpenAI Blog

Workspace agents (continued)

OpenAI Blog

Anthropic’s most dangerous AI model just fell into the wrong hands (continued)

The Verge (AI)
Anthropic bets on EPSS for the coming bug surge (continued)

Apr 22, 2026

AI tools like Anthropic's Mythos can find software vulnerabilities much faster than before, creating a problem: security teams must decide which vulnerabilities to fix first among thousands of options. Anthropic recommends using EPSS (Exploit Prediction Scoring System, a machine learning model that predicts which vulnerabilities are likely to be exploited in the next 30 days) to prioritize which vulnerabilities need immediate attention, similar to how weather forecasters predict whether you'll need an umbrella.

Fix: According to Anthropic's guidance: 'Patching the KEV (CISA's Known Exploited Vulnerabilities catalog) list first, and then everything above a chosen EPSS threshold will help you turn thousands of open CVEs into a manageable queue.' EPSS scores are machine-driven and can be applied across all CVEs with scores published daily, and have been incorporated into more than 120 security vendors' products.

CSO Online
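As an added example (not Anthropic's or FIRST's tooling), the Python below turns that guidance into a queue: KEV entries first, then everything at or above an EPSS threshold, with a helper that picks the threshold so the queue fits a team's patch capacity. The findings, scores and identifiers (EX-1 to EX-6) are constructed, not real CVE data; in practice the EPSS scores come from FIRST's daily feed and KEV membership from CISA's catalog.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str        # constructed identifiers below, not real CVE IDs
    cvss: float
    epss: float     # EPSS: estimated probability of exploitation in the next 30 days
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog
    asset: str


# Constructed sample; note EX-1 has the highest CVSS but a tiny EPSS.
FINDINGS = [
    Finding("EX-1", 9.8, 0.020, False, "build-server"),
    Finding("EX-2", 7.5, 0.910, True,  "vpn-gateway"),
    Finding("EX-3", 5.3, 0.450, False, "web-frontend"),
    Finding("EX-4", 8.1, 0.004, False, "internal-wiki"),
    Finding("EX-5", 6.5, 0.120, False, "ci-runner"),
    Finding("EX-6", 9.1, 0.300, True,  "mail-relay"),
]


def _rank(f):
    # Within a group: highest EPSS first, then highest CVSS, then id for stability.
    return (-f.epss, -f.cvss, f.cve)


def prioritize(findings, epss_threshold=0.1):
    """Split findings into (now, later).

    now: KEV entries first, then non-KEV findings with EPSS >= threshold.
    later: everything else, still ordered by EPSS so it can be scheduled."""
    kev = sorted((f for f in findings if f.in_kev), key=_rank)
    hot = sorted((f for f in findings if not f.in_kev and f.epss >= epss_threshold), key=_rank)
    later = sorted((f for f in findings if not f.in_kev and f.epss < epss_threshold), key=_rank)
    return kev + hot, later


def threshold_for_capacity(findings, capacity):
    """Smallest EPSS threshold such that KEV plus above-threshold fits in `capacity` fixes.
    KEV items are never dropped, so if they alone exceed capacity nothing else is admitted."""
    room = capacity - sum(1 for f in findings if f.in_kev)
    scores = sorted((f.epss for f in findings if not f.in_kev), reverse=True)
    if room <= 0:
        return 1.01          # above any possible EPSS: only KEV in the queue
    if room >= len(scores):
        return 0.0           # everything fits
    return scores[room - 1]  # ties at the boundary are admitted together


if __name__ == "__main__":
    now, later = prioritize(FINDINGS, epss_threshold=0.1)
    print("fix now:  ", [f.cve for f in now])
    print("schedule: ", [f.cve for f in later])
    t = threshold_for_capacity(FINDINGS, capacity=3)
    print(f"capacity 3 -> threshold {t}:", [f.cve for f in prioritize(FINDINGS, t)[0]])
```

The constructed data makes the point of the guidance visible: EX-1 scores 9.8 on CVSS yet lands in the deferred queue, while EX-3 at 5.3 is fixed now because its exploitation probability is high.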
Anthropic investigates report of rogue access to hack-enabling Mythos AI (continued)

The Guardian Technology

Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape (continued)

Fix: CERT/CC advises the following mitigations: disable features that let users submit code to the sandbox, if possible; segment the network to limit the attack surface and prevent lateral movement; deploy a web application firewall to detect and block suspicious traffic, including exploitation attempts; monitor container activity for suspicious behaviour; limit access to the container and its resources to authorized personnel; use a secure container orchestration tool to manage and secure containers; and keep dependencies up to date and patched.

The Hacker News