All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Recent physical attacks targeting AI industry leaders, including an alleged Molotov cocktail attack on OpenAI CEO Sam Altman's home and gunfire at an official who supported a data center project, have raised concerns about safety in the AI industry. These incidents appear connected to activist concerns about AI's risks, including extinction fears and opposition to infrastructure expansion.
A 20-year-old man was arrested for allegedly throwing a Molotov cocktail (an improvised incendiary weapon) at OpenAI CEO Sam Altman's home and threatening to burn down OpenAI's headquarters because of his opposition to AI technology. The suspect possessed a document listing names and addresses of other AI executives and warned of humanity's extinction from AI, leading prosecutors to request he be held without bail due to public safety concerns.
Google is adding a new feature to Chrome called 'Skills' that lets you save your favorite Gemini prompts (instructions you give to AI) and reuse them across different webpages with a single click, instead of typing the same prompt repeatedly. This saves time when you want to perform the same AI task, like asking for vegan recipe substitutions, on multiple pages.
Kiro IDE (a development environment that uses AI agents to help developers) has a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a web browser) in versions before 0.8.140. An attacker can exploit this by creating a malicious workspace with a crafted color theme name, and if a user opens and trusts that workspace, the attacker's code will execute on their computer.
A side-channel vulnerability (a security flaw where attackers extract secrets by analyzing physical signals like power consumption or timing) exists in how Trezor hardware wallets process BIP-39 mnemonics (seed phrases used to generate cryptocurrency keys) in versions 1.13.0 to 1.14.0. An attacker with physical access during wallet setup could use deep learning analysis to recover the mnemonic and steal assets, but the issue was patched.
A vulnerability in OpenAI Codex CLI v0.23.0 and earlier allows attackers to execute arbitrary code by creating malicious configuration files (.env and .codex/config.toml) in a repository. When a user runs the codex command in a compromised repository, the tool automatically loads these files without asking for permission, triggering the attacker's embedded commands.
A developer claims to have reverse-engineered Google DeepMind's SynthID system, which is a watermarking technology that embeds hidden marks in AI-generated images to prove their origin. The developer says they can strip these watermarks from images or add fake ones, though Google disputes this claim.
This article discusses how AI companies like Anthropic use marketing to promote their capabilities, using Claude as an example of technology that may be overhyped despite being genuinely advanced. The piece cautions readers against getting swept up in marketing claims about AI's power without critical evaluation.
AI is transforming threat detection by processing massive amounts of security data and identifying suspicious patterns faster than humans alone, with 50% of threat detection platforms expected to use agentic AI (AI systems that can take independent actions) by 2028. Organizations are already automating routine tasks like alert review and investigation work, seeing 40-50% efficiency gains for lower-level security operations, while AI agents reduce alert fatigue by clustering similar alerts and prioritizing them based on risk.
A 20-year-old Texas man has been charged with attempted murder and federal felony charges after allegedly throwing a Molotov cocktail (a homemade incendiary weapon) at OpenAI CEO Sam Altman's San Francisco home and attempting to set fire to OpenAI's headquarters. Authorities found the suspect carrying documents that opposed AI development and called for violence against AI executives and investors. OpenAI and law enforcement officials condemned the violence, with OpenAI calling for debate through democratic processes rather than violence.
An SSH/SCP option injection vulnerability in the @aiondadotcom/mcp-ssh library allowed attackers to execute arbitrary commands locally on the machine running the MCP server (a tool that connects an AI to external systems). By crafting malicious input like `-oProxyCommand=...`, attackers could trick SSH into running their code before any network connection happened, potentially stealing SSH keys and credentials. The vulnerability could be triggered even without a malicious user, since an LLM (large language model) could be tricked through prompt injection (hiding attacker instructions in text it reads) to pass the malicious input to the tool.
Daniel Moreno-Gama was arrested and charged with federal crimes after traveling from Texas to California and attacking OpenAI's facilities and CEO Sam Altman's home with a Molotov cocktail (an incendiary weapon made from a bottle of flammable liquid). He also attempted to break into OpenAI's headquarters and stated he intended to burn down the building and kill people inside. His charges include attempted destruction of property using explosives and illegal possession of a firearm.
This academic survey examines how well large language model-based agents (AI systems that use LLMs to make decisions and take actions) can generalize, meaning how effectively they perform on new tasks or situations they weren't specifically trained for. The paper reviews research across different domains to understand what factors help or limit an agent's ability to adapt and work reliably in unfamiliar contexts.
Fix (Kiro IDE XSS above): Update Kiro IDE to version 0.8.140 or later.
Source: AWS Security Bulletins
Anthropic's new Mythos model is an AI designed for cybersecurity that can identify and exploit technical vulnerabilities better than most humans, but European regulators have been largely denied early access to it. The company limited initial access through Project Glasswing to a few US tech companies like Apple, Microsoft, and Amazon for security reasons, while most EU countries were excluded. European officials worry that private companies controlling access to such powerful technology raises concerns about national security and who should have influence over these systems.
This research proposes ENClose, a framework that lets control systems (automated systems that adjust themselves based on feedback) operate securely using fully homomorphic encryption, or FHE, a cryptographic method that keeps data encrypted while performing calculations on it. The main innovation addresses two problems: noise building up in encrypted feedback loops and the slowness of doing complex nonlinear operations (calculations that don't follow straight-line relationships) on encrypted data. ENClose uses techniques like function segmentation and tree-based selection to speed up these encrypted calculations by 3 to 20 times compared to previous methods, as demonstrated in real-world tests like vehicle formation control and anomaly recovery.
Asynchronous federated learning (AFL, where multiple devices train a shared AI model without waiting for each other to finish) is faster than synchronous methods but more vulnerable to Byzantine attacks (when some devices send false or corrupted data to sabotage the model). Researchers propose Belisa, a framework that uses feature fingerprints (unique patterns in how local models represent data) to identify and filter out malicious devices, improving robustness and efficiency in real-world scenarios where devices have different data and hardware capabilities.
Fix: The source proposes Belisa as a Byzantine-robust AFL framework that addresses this vulnerability. Belisa works by leveraging a reference model trained on publicly available data to quantify feature fingerprints (discrepancies between feature representations of local models) and filtering out malicious models through clustering. According to the paper, Belisa lowered average test error rates to 0.42x that of baseline methods under attack scenarios and accelerated aggregation by an average of 12.3x compared to other methods.
Source: IEEE Xplore (Security & AI Journals)
AI models like Mythos are making cyberattacks faster and more dangerous by shortening the time between when security flaws are discovered and when attackers exploit them. Security leaders (CISOs, chief information security officers) need to prepare urgently for this new threat environment where attacks happen at high speed.
AI is moving from experimentation to production deployment in cybersecurity, and security leaders must treat it as a fundamental shift in how security operations work, not just an added tool. Attackers are using AI to conduct faster intrusions (some occurring in under 30 seconds), which exceeds the speed of human-only security responses, making AI deployment urgent for defenders. There is currently a limited window where defenders and attackers have roughly equal access to AI technology, but advantage will go to those who operationalize it most effectively and quickly.
Quantum computing poses a major threat to current security systems because it can break traditional encryption methods that protect critical infrastructure and cloud services. This paper examines how quantum computing affects different layers of infrastructure (from applications to networks) and proposes moving toward quantum-resistant cryptography (encryption methods designed to withstand quantum computer attacks) as a protective strategy. The authors advocate for collaboration across sectors to develop and implement these new security approaches before quantum threats become critical.
Fix (@aiondadotcom/mcp-ssh option injection above): Fixed in version 1.3.5. The patch includes: adding `--` argument terminators to all SSH/SCP invocations (which tells the command where options end and positional arguments begin), implementing a strict whitelist for host aliases that rejects leading dashes and shell metacharacters, requiring all host aliases to be defined in `~/.ssh/config` or `~/.ssh/known_hosts`, and resolving `ssh.exe`/`scp.exe` to absolute paths with `shell: false` on Windows to prevent command re-parsing. No workarounds exist; users must upgrade to 1.3.5.
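Added example (not code from @aiondadotcom/mcp-ssh) for the injection described in the mcp-ssh item above and the mitigations listed in this fix: the argv an unguarded SSH tool hands to the ssh client beside the argv a tool hardened along these lines builds. The alias list, the function names and the `-oProxyCommand=id` payload are constructed for illustration; nothing here spawns ssh.

```javascript
// Added example, not code from @aiondadotcom/mcp-ssh. Contrasts the argv an
// unguarded tool hands to ssh with the argv built after the mitigations in
// the 1.3.5 fix: a strict host-alias whitelist and a "--" terminator.
// Function names and the alias list are assumptions; nothing spawns ssh.

// Constructed stand-in for the Host aliases found in ~/.ssh/config.
const KNOWN_HOST_ALIASES = new Set(['prod-db', 'bastion', 'build-box']);

// Alias syntax: must start with a letter or digit, so a leading "-" (an
// option) is impossible; no whitespace or shell metacharacters afterwards.
const HOST_ALIAS_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$/;

// Vulnerable pattern: the model-supplied host goes straight into argv.
// With host = "-oProxyCommand=<cmd>", ssh parses it as an option and runs
// <cmd> locally before any connection is attempted.
function buildSshArgsVulnerable(host, remoteCommand) {
  return ['ssh', host, remoteCommand];
}

// Whitelist check: syntactically an alias AND present in the ssh config.
function isSafeHostAlias(host, knownAliases = KNOWN_HOST_ALIASES) {
  return typeof host === 'string' && HOST_ALIAS_RE.test(host) && knownAliases.has(host);
}

function assertHostAlias(host, knownAliases) {
  if (!isSafeHostAlias(host, knownAliases)) {
    throw new Error(`rejected host alias ${JSON.stringify(host)}: not a whitelisted ssh config alias`);
  }
  return host;
}

// Hardened: validated alias, and "--" ends option parsing so everything
// after it is positional. Even if validation were bypassed, a value starting
// with "-" after "--" is a hostname that fails to resolve, not an option.
function buildSshArgsHardened(host, remoteCommand, knownAliases) {
  const alias = assertHostAlias(host, knownAliases);
  return ['ssh', '--', alias, remoteCommand];
}

// scp gets the same terminator; the remote spec is built from the alias.
function buildScpArgsHardened(host, remotePath, localPath, knownAliases) {
  const alias = assertHostAlias(host, knownAliases);
  return ['scp', '--', `${alias}:${remotePath}`, localPath];
}

// Demo with a constructed prompt-injection payload (not from the advisory).
const injected = '-oProxyCommand=id';
console.log('vulnerable argv:', buildSshArgsVulnerable(injected, 'ls'));
try {
  buildSshArgsHardened(injected, 'ls');
} catch (e) {
  console.log('hardened:', e.message);
}
console.log('hardened argv:', buildSshArgsHardened('prod-db', 'uptime'));
```

Two of the listed mitigations do different jobs. Spawning with `shell: false` and an absolute path to the binary stops a shell from re-parsing the argument list, but it does nothing against option injection, because it is ssh itself that interprets `-o...`; the `--` terminator and the alias whitelist are what close that hole. The remote command is still executed on the remote host by design, so it is the host argument, not the command, that must never be model-controlled free text.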
Source: GitHub Advisory Database
OpenAI is expanding its Trusted Access for Cyber (TAC) program to provide AI tools to thousands of cybersecurity defenders and teams protecting critical software. The company has created GPT-5.4-Cyber, a specialized version of its AI model designed specifically for defensive cybersecurity work, and is implementing cyber-specific safeguards (built-in restrictions to prevent misuse) in model deployments. This effort aims to help defenders find and fix security vulnerabilities faster while preventing attackers from misusing the same AI capabilities.
Fix: The source explicitly mentions the following measures: cyber-specific safeguards included in model deployments starting in 2025; the Preparedness Framework (strengthened in 2023); identity verification and KYC (know-your-customer, a process to confirm who someone is) to control access to advanced capabilities; Codex Security tool to identify and fix vulnerabilities at scale; iterative deployment with continuous updates to models and safety systems based on learning about capabilities and risks; and improvements in resilience to jailbreaks (techniques that try to bypass AI safety restrictions) and other adversarial attacks.
Source: OpenAI Blog