All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Organizations are rapidly adopting AI for security testing, but fully agentic AI systems (where AI makes all decisions from start to finish) create a problem: they produce different results each time they run, making it impossible to tell if security actually improved or if the AI just tried a different approach. The source argues that a hybrid model works better, where deterministic logic (fixed, repeatable sequences) defines how security tests execute, while AI enhances specific parts like adapting payloads and interpreting what it finds.
OpenAI introduced new capabilities to the Agents SDK, a toolkit for developers building AI agents that can work with files and run commands on computers. The update includes a model-native harness (a framework optimized for OpenAI models) and native sandbox execution (a controlled, isolated computer environment where agents can safely run code and access files). The SDK aims to bridge the gap between flexibility and production-readiness by providing developers with standardized infrastructure that keeps agents aligned with how frontier models (the most advanced AI models available) work best.
Healthcare organizations face a major surge in cyberattacks, particularly ransomware (malware that locks data until payment is made), phishing (tricking people into revealing credentials), and web application attacks, made worse by rushed digitalization during COVID-19 and reliance on vulnerable systems. The threat is amplified because healthcare uses increasingly connected devices like implantable heart monitors and wearable sensors that transmit patient data, creating both efficiency gains and expanded attack surfaces that many under-resourced organizations struggle to secure.
mcp-server-kubernetes versions 3.4.0 and earlier have an argument injection vulnerability (a type of attack where an attacker sneaks extra commands into a tool by exploiting how input is processed) in the port_forward tool. The vulnerability exists because the code builds a kubectl command (a tool for managing Kubernetes clusters) by concatenating strings with user input and splitting on spaces, instead of using a safer array-based method like other tools in the codebase. This allows attackers to inject malicious kubectl flags to expose internal services or target resources in unintended ways.
April's Patch Tuesday includes 167 security updates, with three particularly critical issues: a zero-day (actively exploited vulnerability) in Microsoft SharePoint that allows attackers to spoof (impersonate) the service and access sensitive data, a critical SQL injection vulnerability (a type of attack where malicious code is inserted into database queries) in a SAP product, and a 9.8 CVSS score (a 0-10 severity rating) vulnerability in Windows Internet Key Exchange (IKE, a protocol for secure communications) that could let attackers run remote code. Security teams are urged to prioritize patching these actively exploited flaws in widely used applications rather than relying solely on severity scores.
The `ConformityCheck` class in giskard-checks was automatically treating the `rule` parameter as a Jinja2 template (a template language that evaluates expressions), which could allow arbitrary code execution if check definitions came from untrusted sources. While the library is only used locally by developers, this hidden behavior made it easy to accidentally pass untrusted input without realizing expressions would be evaluated.
The RegexMatching check in giskard-checks has a ReDoS vulnerability (regular expression denial of service, where a specially crafted regex pattern causes the regex engine to hang by backtracking excessively through text). An attacker with write access to check definitions can craft malicious regex patterns that make the testing process hang indefinitely, disrupting automated testing environments like CI/CD pipelines (continuous integration/continuous deployment automation).
CVE-2026-23653 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into input that gets executed) in GitHub Copilot and Visual Studio Code that allows an authorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. The CVSS severity score (a standard 0-10 rating of how serious a security flaw is) has not yet been assigned by NIST.
Apple threatened to remove Elon Musk's AI app, Grok, from its App Store in January because it wasn't stopping nonconsensual sexual deepfakes (fake sexually explicit images created using AI) from spreading on X. Apple contacted the developers behind X and Grok and asked them to create a plan to improve their content moderation (systems for reviewing and removing harmful material).
Fix: Apple demanded that the developers 'create a plan to improve content moderation,' according to a letter the company sent to US senators.
Source: The Verge (AI)
Deepfake technology (AI-generated fake audio or video of people) has become cheap, accessible, and realistic enough to fool many employees and executives, with 43% of cybersecurity leaders experiencing audio deepfakes and 37% experiencing video deepfakes in 2025. Deepfakes are now used for financial fraud (by impersonating executives to approve fund transfers) and reputational attacks (by spreading false videos to damage trust with investors and customers), and traditional ways of spotting fakes, like looking for obvious flaws, no longer work reliably.
Teenage boys are using AI "nudify" apps to create deepfake sexual imagery (fake nude photos or videos created by AI) of their female classmates, which are then shared on social media and messaging apps. Since 2023, this has affected over 600 students across at least 28 countries and nearly 90 schools, with the true scale likely much higher. The explicit imagery involving minors constitutes child sexual abuse material (CSAM), and schools and law enforcement are often unprepared to respond to these serious incidents.
Fix: The Agents SDK includes several built-in protections: 'Separating harness and compute helps keep credentials out of environments where model-generated code executes.' The SDK also supports 'built-in snapshotting and rehydration' so 'the Agents SDK can restore the agent's state in a fresh container and continue from the last checkpoint if the original environment fails or expires.' Additionally, developers can configure sandbox execution with 'Blaxel, Cloudflare, Daytona, E2B, Modal, Runloop, and Vercel' providers, and the SDK provides a 'Manifest abstraction for describing the agent's workspace' to control access to files and data.
Source: OpenAI Blog
FinBot is an interactive training platform (CTF, or capture-the-flag exercise) created by OWASP to help developers and security professionals learn about risks in agentic AI systems (AI agents that can plan, act, and make decisions autonomously). It simulates a financial services application where users can practice identifying and defending against attacks like prompt injection (tricking an AI by hiding instructions in its input), tool misuse, data theft, and privilege escalation across multiple connected AI agents.
Mallory is a new AI-powered threat intelligence platform (a system that gathers and analyzes information about cyber threats) designed to help security teams quickly understand which threats are actually dangerous to their organization. Instead of overwhelming teams with alerts, the platform analyzes thousands of threat sources, checks them against each company's specific vulnerabilities, and provides prioritized actions that security teams can take immediately.
A Q1 2026 security report by OWASP documents major AI and agentic AI (AI systems that can take autonomous actions) exploits, showing a shift from theoretical risks to real-world attacks targeting AI agent identities, permissions, and supply chains. Key incidents include a Mexican government breach where attackers used Claude to automate reconnaissance and exploitation, affecting 150 GB of sensitive data, along with other incidents involving prompt injection (tricking AI by hiding malicious instructions in its input), privilege abuse, and supply-chain vulnerabilities in AI tools.
OpenAI launched GPT-5.4-Cyber, a specialized AI model designed to help security teams find and fix vulnerabilities faster, while expanding access through its Trusted Access for Cyber program to thousands of defenders and hundreds of teams. The company acknowledged that AI models are dual-use tools (meaning they can be repurposed for both good and bad purposes) and that adversaries could potentially reverse-engineer the model to find exploitable vulnerabilities before they're fixed, so OpenAI plans to scale defenses alongside access by strengthening safeguards against jailbreaks (techniques to bypass safety restrictions) and adversarial prompt injections (tricking an AI by hiding malicious instructions in its input).
Fix: OpenAI's stated approach includes: (1) a deliberate, iterative rollout of access to minimize misuse, (2) strengthening safeguards through ongoing work against jailbreaks and adversarial prompt injections as model capabilities advance, and (3) integrating advanced coding models and agentic capabilities (AI systems that can take independent actions to solve problems) into developer workflows to enable immediate feedback during the software development process, shifting security from occasional audits to continuous, ongoing risk reduction.
Source: The Hacker News
Fix: Update to version 3.5.0, which fixes this issue.
Source: NVD/CVE Database
Traditional identity and access management (IAM) tools, which control who can access systems and resources, were not designed to secure AI agents (autonomous software programs that perform tasks independently), which operate at high speed with unpredictable access patterns. Curity announced Access Intelligence, a new security layer that grants agent permissions at runtime (during execution, not beforehand) and uses OAuth tokens (credentials that allow access to specific resources) to carry information about each agent's purpose, ensuring agents can only access resources matching their intended task.
Fix: For the Windows IKE vulnerability (CVE-2026-33824), Microsoft recommends two temporary mitigations for admins who cannot immediately install the security update: (1) block inbound traffic on UDP ports 500 and 4500 for systems that do not use IKE, or (2) for systems that require IKE, configure firewall rules to allow inbound traffic on UDP ports 500 and 4500 only from known peer addresses. Microsoft notes these actions reduce attack surface but do not replace installing the security update. For SharePoint and other vulnerabilities, the source text does not explicitly describe mitigation steps beyond applying the patches.
Source: CSO Online
Fix: Upgrade to `giskard-checks` >= 1.0.2b1. The patched version removes template rendering from rule evaluation entirely.
Source: GitHub Advisory Database
Fix: Upgrade to giskard-checks >= 1.0.2b1.
Source: GitHub Advisory Database
AI agents access AWS resources through the Model Context Protocol (MCP, a system that lets AI tools interact with cloud services), but unlike traditional software with predictable behavior, agents can dynamically choose different actions based on context. The main security risk is that agents operate at machine speed and will use any permissions (IAM roles, API keys, or OAuth scopes) they're granted, so misconfigured access controls can cause large-scale damage quickly. The source recommends three security principles for controlling AI agent access to AWS resources, with an emphasis on using MCP servers rather than direct API access because MCP provides better monitoring and control.
Fix: The source recommends architecting agents to use MCP servers rather than direct service access where possible, because MCP servers provide a layer of abstraction that enables differentiation controls and creates additional monitoring capabilities through AWS CloudTrail. For agents on developer machines, developers should configure which AWS credentials the agent uses in their mcp.json file by specifying a named profile (which can use credential helpers and the credential provider chain for short-lived credentials), environment variables, or explicit credential configuration, rather than allowing agents to inherit broad developer admin credentials.
Source: AWS Security Blog
AI is transforming cybersecurity by becoming both a tool for attackers and defenders, forcing organizations to shift from outdated perimeter-based security (the "castle and moat" approach) to continuous cyber resilience (the ability to detect threats in real-time and keep operations running during attacks). The industry is consolidating toward unified security platforms, automating repetitive analyst tasks to reduce burnout, and facing increasing regulatory pressure to demonstrate resilience and rapid recovery capabilities.
OpenAI announced GPT-5.4-Cyber, a new AI model designed specifically for cybersecurity professionals, along with a three-part strategy to manage risks as AI becomes more powerful. The announcement comes after competitor Anthropic released a more limited version of its Claude Mythos model, citing concerns that advanced AI could be exploited by attackers, though OpenAI argues that current safeguards are sufficient for broad deployment of today's models.
Fix: OpenAI's strategy includes three components: (1) 'know your customer' validation systems combined with Trusted Access for Cyber (TAC), an automated system introduced in February that allows controlled access to new models; (2) iterative deployment, a careful process of releasing and refining capabilities while monitoring for resilience to jailbreaks (techniques that trick AI into ignoring its safety guidelines) and other adversarial attacks; and (3) investments supporting software security and digital defense, including the Codex Security application security AI agent, a cybersecurity grants program begun in 2023, a donation to the Linux Foundation for open source security, and the Preparedness Framework designed to assess and defend against severe harm from advanced AI capabilities.
Source: Wired (Security)
Anthropic confirmed it briefed the Trump administration about its new Mythos model, an AI system so dangerous it won't be released publicly due to powerful cybersecurity capabilities. The company is engaging with the government on AI safety issues while simultaneously suing the Department of Defense over a supply-chain risk label and disagreement over military access to Anthropic's systems.