All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
The llm-all-models-async 0.1 plugin allows synchronous (blocking) AI models from LLM plugins to be used as asynchronous (non-blocking) models by running each call in a thread pool (a set of worker threads), so the event loop is never stalled while a model waits on a response. This solves a compatibility problem: Datasette only supports async models, so it could not use sync-only plugins such as llm-mrchatterbox.
Attackers compromised the npm account of Axios' lead maintainer and published malicious versions (axios@1.14.1 and axios@0.30.4) containing a remote access trojan (malware that gives attackers control over infected computers). The attack was detected within minutes and packages were removed within 2-3 hours, but the damage was significant because Axios receives roughly 100 million downloads per week and is used in 80% of cloud and code environments.
Version 0.30 of llm (a command-line tool for accessing large language models) added a new feature to its plugin system where the register_models() function can now receive an optional model_aliases parameter that shows all previously registered models and aliases from other plugins. The update also improved documentation by adding detailed explanations (docstrings) to public classes and methods.
Researchers at Palo Alto Networks reported a security weakness in Google's Vertex AI (Google's cloud platform for building and running AI applications) where AI agents could be granted far more permissions than they need, allowing an attacker who gains control of an agent to steal data and reach restricted cloud resources. The weakness is an over-privileged configuration pattern rather than a bug in one component: the agent's service identity carries broader access than its task requires, so the practical check is to review each agent's identity and keep its roles to what the workflow actually uses.
Discourse, an open-source discussion platform (software that lets people have conversations online), had a security flaw in versions 2026.1.0 through 2026.3.0 that let unauthorized users figure out who was in private chat channels by using the user search feature. This flaw exposed sensitive information that should have been hidden from people without permission.
Samsung's Galaxy S26 Photo Assist tool uses AI to let users edit photos with natural language requests, similar to Google's earlier photo editing features. However, the tool can be manipulated to generate misleading or harmful images, like fake disaster scenes, because its safety guardrails can be bypassed through prompt injection (tricking the AI by hiding instructions in user input).
This is a brief announcement about llm-echo 0.4, a beat (a regular news column) by Simon Willison posted on March 31, 2026. The content shown is mostly a sponsorship pitch for a monthly email digest covering important LLM developments rather than technical information about the software itself.
CVE-2026-22561 is a vulnerability in the Anthropic Claude for Windows installer (Claude Setup.exe) in versions before 1.1.336 that allows local privilege escalation through DLL search-order hijacking (a technique where an attacker places a malicious library file in a directory where the installer looks for code, causing the attacker's code to run instead of the legitimate library). After the installer gains elevated permissions, it loads DLL files from its own directory, so an attacker who can plant a DLL alongside the installer gets arbitrary code execution at that elevated level. Beyond updating, the usual precaution applies: run installers from a directory that no lower-privileged user or process can write to, rather than from a shared or browser-populated download location.
Nvidia announced a $2 billion investment in Marvell Technology, a semiconductor company that makes chips used in AI infrastructure, causing Marvell's stock to rise 7%. The investment ties the two companies together to build AI-focused technology and specialized chips called ASICs (application-specific integrated circuits, chips designed for particular tasks), as businesses scramble to meet growing demand for AI computing power.
This is a brief announcement for 'llm-echo 0.3', a release by Simon Willison from March 31, 2026. The post appears to be part of a monthly briefing service about LLM (large language model) developments, with an option to sponsor the author for curated email updates.
FastGPT, a platform for building AI agents, has a vulnerability in versions before 4.14.9.5 where two endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept URLs from users and make requests to them without checking if those URLs point to internal systems. This is called SSRF (server-side request forgery, where an attacker tricks a server into making requests to private networks on their behalf). Although FastGPT has a protective function called isInternalAddress() used elsewhere, these endpoints don't use it, allowing authenticated attackers to scan internal networks, access cloud metadata services, and interact with internal databases like MongoDB and Redis.
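The missing check in the item above, as an added example written for this page (it is neither FastGPT's isInternalAddress() nor any of its code): a Python is_internal_address() covering the ranges an SSRF filter has to block, and a validate_outbound_url() that resolves hostnames and rejects the URL if any answer is internal. The resolver is injected so the example runs offline; CONSTRUCTED_DNS is a made-up lookup table and the hostnames in it are constructed.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # not flagged by is_private on older Pythons


def is_internal_address(ip_text: str) -> bool:
    """True for anything a user-supplied URL must never reach: loopback,
    RFC 1918 / ULA, link-local (incl. 169.254.169.254 metadata), CGNAT,
    unspecified, multicast, reserved and documentation ranges. IPv4-mapped
    IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot smuggle an IPv4
    target past an IPv4-only check. Unparsable input is treated as internal."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # e.g. "0177.0.0.1" or "2130706433": reject, never guess
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in CGNAT:
        return True
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def validate_outbound_url(
    url: str, resolve: Callable[[str], Iterable[str]]
) -> tuple[bool, str, list[str]]:
    """Return (ok, reason, resolved_ips). Every A/AAAA answer must be external:
    a single internal answer is enough for an attacker who controls the zone."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    try:
        ipaddress.ip_address(host)      # literal address: check it directly
        ips = [host]
    except ValueError:
        ips = list(resolve(host))       # hostname: check every answer
    if not ips:
        return False, f"unresolvable host {host!r}", []
    for ip in ips:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}", ips
    return True, "ok", ips


# Constructed lookup table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "api.partner.example": ["8.8.8.8", "2606:4700::1111"],
    "rebind.attacker.example": ["8.8.8.8", "10.0.0.5"],   # one public, one internal answer
    "metadata.attacker.example": ["169.254.169.254"],     # cloud metadata endpoint
}


def constructed_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1",
              "https://rebind.attacker.example/",
              "http://metadata.attacker.example/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://127.0.0.1:27017/"]:
        print(u, "->", validate_outbound_url(u, constructed_resolver))
```

Two things the check alone does not give you: the HTTP client must connect to the address that was validated (pin the resolved IP) rather than resolving the name again, or DNS rebinding between check and use defeats the filter; and every redirect target must go through the same validation, since a public host can 302 to 169.254.169.254.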
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.14.9.5 where an HTTP tools testing endpoint (/api/core/app/httpTools/runTool) lacks authentication (missing access controls). This endpoint acts as a proxy that accepts user-supplied requests and makes server-side HTTP calls, potentially allowing unauthorized attackers to make requests on behalf of the FastGPT server.
MLflow (a machine learning model management tool) has a command injection vulnerability (a flaw where an attacker can insert shell commands into input) when serving models with `enable_mlserver=True`. The `model_uri` (a file path or reference to a model) is placed directly into a shell command string without neutralising shell metacharacters such as `$()` or backticks, so a crafted URI runs arbitrary commands in the serving process. This matters most when a higher-privilege service loads models from a location that lower-privilege users can write to, since a model path they choose then becomes command input.
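The vulnerable pattern next to its hardened form, as an added example written for this page (not MLflow's code): the real launch command is replaced by echo so the effect is visible and nothing harmful runs, the payload is constructed, and validate_model_uri() uses a deliberately conservative character allowlist that is an assumption for this example, not MLflow's URI grammar.

```python
import re
import shlex
import subprocess

# Stand-in for the model-serving launcher. In the real bug the interpolated
# string went to a shell; here the command is just "echo serving <uri>".
LAUNCHER = ["echo", "serving"]


def build_command_unsafe(model_uri: str) -> str:
    """Vulnerable: untrusted value pasted into a shell string. $(...),
    backticks, ';', '|' and friends are interpreted by the shell."""
    return f"{' '.join(LAUNCHER)} {model_uri}"


def run_unsafe(model_uri: str) -> str:
    return subprocess.run(build_command_unsafe(model_uri), shell=True,
                          capture_output=True, text=True, check=True).stdout.strip()


def run_safe(model_uri: str) -> str:
    """Hardened: argv list, shell=False. The URI reaches the launcher as one
    literal argument no matter which characters it contains."""
    return subprocess.run([*LAUNCHER, model_uri], shell=False,
                          capture_output=True, text=True, check=True).stdout.strip()


def run_quoted(model_uri: str) -> str:
    """If a shell really is unavoidable, shlex.quote() neutralises metacharacters."""
    cmd = f"{' '.join(LAUNCHER)} {shlex.quote(model_uri)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          check=True).stdout.strip()


# Defence in depth: reject anything outside a tight allowlist before it goes
# near a process at all. Hypothetical allowlist for this example only.
_MODEL_URI_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/\-]*$")


def validate_model_uri(model_uri: str) -> bool:
    return bool(_MODEL_URI_OK.match(model_uri))


if __name__ == "__main__":
    payload = "models:/demo/1 $(echo INJECTED)"   # constructed payload
    print("unsafe :", run_unsafe(payload))   # subshell ran: "... INJECTED"
    print("safe   :", run_safe(payload))     # literal "$(echo INJECTED)"
    print("quoted :", run_quoted(payload))
    print("valid? :", validate_model_uri(payload), validate_model_uri("models:/demo/1"))
```

The argv form is the fix to reach for; quoting is a fallback for cases where a shell pipeline is genuinely needed, and the allowlist catches bad input early, which also protects any other consumer of the URI downstream.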
Art schools are changing their curriculum to include generative AI (AI systems that create new images, animations, or designs based on descriptions), but students and creative professionals are concerned about how this affects job competition and the future of traditional artistic skills. The article highlights growing worry among art students that AI tools will make it harder to find postgraduate jobs in creative fields.
Sixth, an AI tool that can run terminal commands automatically, has a security flaw in its safety check feature. An attacker can use prompt injection (tricking the AI by hiding instructions in its input) to disguise harmful commands as safe ones, causing the AI to run them without asking the user for permission first.
As improvements from new AI models have slowed to small gains, organizations are shifting toward customizing models with their own proprietary data and internal processes to gain competitive advantages. Domain-specialized models, which are trained on an organization's unique language, workflows, and expertise, can outperform general-purpose models and encode valuable business knowledge directly into the AI system.
Fix (Discourse): The issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0. Upgrade to the patched release of whichever series is in use.
Google's Vulnerability Reward Program (VRP), which pays researchers to find security bugs in Google products, celebrated its 15th anniversary in 2025 by awarding over $17 million to more than 700 security researchers worldwide. Major 2025 developments included launching a dedicated AI VRP (a separate program focused specifically on AI security flaws), adding AI reward categories to Chrome VRP, and creating a patch rewards program for OSV-SCALIBR (an open source tool that scans software for vulnerabilities). Google also hosted multiple bugSWAT events (live hacking competitions) throughout the year, which generated hundreds of bug reports and distributed over $2.9 million in rewards.
Fix: Update to Claude for Windows installer version 1.1.336 or later.
Penguin Random House sued OpenAI, claiming that ChatGPT (an AI chatbot, or conversational AI system) violated copyright by reproducing content similar to their German children's book series, Coconut the Little Dragon. The lawsuit was filed in Munich court against OpenAI's European subsidiary after the publisher's legal team tested whether ChatGPT could generate stories matching the style of the original books.
Meta and YouTube both lost landmark legal cases this week involving claims that their platforms cause social media addiction (compulsive use similar to drug dependency). While the cases don't settle whether social media is clinically addictive, courts have determined that the companies can be held legally responsible for the harm caused.
Fix (FastGPT): This issue has been patched in version 4.14.9.5.
Fix: Update FastGPT to version 4.14.9.5 or later, which patches this vulnerability.
AI agents (AI systems that can reason, plan, and act autonomously across enterprise systems) are becoming more common in organizations, creating new security challenges. Risk from AI agents depends on two factors: access (which systems and data the agent can reach) and autonomy (how independently it can act without human approval). The text describes three categories of enterprise AI agents, agentic chatbots, local agents, and production agents, each with different risk levels based on their access and autonomy.