All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Meta has added a 'For You' section to its standalone Meta AI app that generates clickbait-style news articles using AI, complete with AI-created topics, images, and text. The app previously featured a 'Discover' feed showing AI-generated images and conversations from users who were sometimes unaware their content was public, but this has been replaced with a standard chatbot interface.
Apple is preparing to reintroduce an updated version of Siri at WWDC, building on a redesign first shown in 2024 that included a new visual appearance, additional voice options, and the ability to route questions to ChatGPT (a large language model made by OpenAI). Apple has faced criticism because promised AI features under the "Apple Intelligence" branding were delayed, and the company is now settling a lawsuit over misleading marketing around these capabilities.
Twig's sandbox (a security feature that restricts what templates can do) had multiple vulnerabilities where certain language constructs could bypass security checks and call `__toString()` methods (special functions that convert objects to strings) on objects without permission. Attackers could exploit this through conditional expressions, comparison operators, tests, and several other Twig features to access object data that should have been blocked.
Amazon Q Developer and AWS Kiro, which are AI tools that help developers write code, have security vulnerabilities related to prompt injection (tricking the AI by hiding malicious instructions in files or suggestions). Attackers could potentially execute commands or steal sensitive information without the developer's knowledge. AWS has released multiple software updates that require human confirmation before executing risky commands.
Three security vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were found in runc, a component used by container management systems (tools that package and run isolated software environments). AWS says these issues don't create cross-customer risk because AWS doesn't rely on containers as a security boundary (a protective barrier between different users). AWS customers using containers to isolate their own internal workloads should contact their operating system vendor for updates.
A vulnerability (CVE-2026-0830) in Kiro IDE, a desktop application that helps developers with code tasks, allows attackers to run arbitrary commands (command injection, where an attacker executes unauthorized code) on a user's computer by tricking them into opening a workspace with specially crafted folder names. This bug affects Kiro versions before 0.6.18.
AWS discovered two security vulnerabilities in the SageMaker Python SDK (a library for machine learning on Amazon's platform). The first flaw exposes HMAC keys (cryptographic secrets that verify data hasn't been tampered with) through an API, allowing attackers to forge fake data in cloud storage. The second flaw disables SSL certificate verification (the security check that confirms you're connected to a legitimate server), affecting all encrypted connections when a certain model component is used.
Companies are implementing model routing, a technique that directs simple tasks to cheaper AI models and complex tasks to expensive ones, to control skyrocketing AI costs. This shift is forcing major AI providers like OpenAI and Anthropic to reconsider their business models, since they previously earned revenue from all queries regardless of task complexity, but now may only get paid for the most difficult work that requires their most powerful models.
Apple is preparing to unveil major improvements to Siri, its voice assistant, at its upcoming developer conference, with the goal of finally delivering the AI experience it promised two years ago. The improvements are expected to include a more powerful standalone chatbot-style app, personal context awareness, and the ability to handle multi-step commands, potentially routing to outside AI models like Google's Gemini. However, Apple faces a critical challenge: Siri must become reliably agentic (able to independently execute complex tasks across multiple apps) to justify Apple's current stock valuation, which depends on developers adopting Apple's App Intents system (the framework that lets Siri perform actions inside third-party apps) before consumers have proven they will actually use the improved features.
A security flaw in vantage6 node (a distributed computing platform) allows malicious algorithms (computational programs) to improperly access input and output files that belong to other algorithms running on the same node. This is an access control vulnerability, meaning the system fails to properly restrict who can view what data.
Major technology companies like Nvidia, Microsoft, and Google are promoting AI as a transformative force that will fundamentally change how we use laptops and computing devices, with new hardware and software being announced at developer conferences. However, the article questions whether users actually want or need these AI-focused products and changes.
PraisonAI Platform has an IDOR (insecure direct object reference, a flaw where users can access resources they shouldn't by guessing object IDs) vulnerability in its agent management endpoints. A user who belongs to any workspace can read, modify, or delete agents from other workspaces by guessing their agent IDs, because the code checks if the user belongs to *some* workspace but never verifies the agent actually belongs to that workspace.
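The check described above, as an added illustration (not PraisonAI's code): a hypothetical endpoint that only confirms the caller belongs to some workspace, beside the corrected version that binds the authorization decision to the agent's own workspace. The store, user names and agent IDs are constructed sample data.

```python
"""Added illustration of the PraisonAI-style IDOR: the vulnerable handler checks
that the caller belongs to *a* workspace but never that the agent belongs to
*that* workspace. Names and the in-memory store are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Agent:
    agent_id: str
    workspace_id: str


# Constructed sample data: two workspaces, one agent each, one member each.
AGENTS = {
    "agent-1": Agent("agent-1", "ws-alpha"),
    "agent-2": Agent("agent-2", "ws-beta"),
}
MEMBERSHIP = {"alice": {"ws-alpha"}, "bob": {"ws-beta"}}


class Forbidden(Exception):
    """Raised when the caller may not access the requested agent."""


def get_agent_vulnerable(user: str, agent_id: str) -> Agent:
    # The only check is "is the user in some workspace?"; the agent's own
    # workspace is never compared, so any member can read any agent by ID.
    if not MEMBERSHIP.get(user):
        raise Forbidden("user belongs to no workspace")
    return AGENTS[agent_id]


def get_agent_fixed(user: str, agent_id: str) -> Agent:
    # Authorize against the object, not the caller alone: look the agent up
    # first, then require that its workspace is one the user belongs to.
    agent = AGENTS.get(agent_id)
    if agent is None or agent.workspace_id not in MEMBERSHIP.get(user, set()):
        # Same error for "missing" and "not yours", so the response does not
        # reveal which agent IDs exist in other workspaces.
        raise Forbidden("agent not found in your workspaces")
    return agent


def can_read(handler, user: str, agent_id: str) -> bool:
    """True if `handler` lets `user` read `agent_id`; compares the two handlers."""
    try:
        handler(user, agent_id)
        return True
    except (Forbidden, KeyError):
        return False
```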
Reid Hoffman, co-founder of LinkedIn and a long-time member of Microsoft's board, is stepping down after almost a decade to focus on Manas, an AI-native biopharmaceutical company he co-founded. Hoffman previously left OpenAI's board in 2023 to avoid potential conflicts of interest as Microsoft invested heavily in OpenAI, and he is now transitioning to focus on his founder roles rather than board positions.
OpenAI has launched Lockdown Mode, a security feature for ChatGPT that reduces the risk of data exfiltration from prompt injection attacks (tricking an AI by hiding malicious instructions in its input) by limiting tools that connect to external services. The mode disables features like web browsing, image retrieval, file downloads, and certain agent capabilities to block potential pathways attackers could use to steal sensitive data, though it does not completely eliminate all exfiltration risks.
Fix: OpenAI recommends enabling Lockdown Mode, described as "an optional advanced security setting that limits many tools and capabilities in OpenAI products that can connect to the web or external services." The feature specifically disables live web browsing, image support, deep research agent mode, canvas networking, and file downloads. Additionally, OpenAI has launched a new account management feature that enables users to "review active ChatGPT sessions and log out of individual or all sessions if signs of unauthorized account activity are detected."
Source: The Hacker News
Meta has embedded dormant face recognition code (technology that identifies people by matching their faces to stored images) called NameTag in over 50 million phones through its Ray-Ban and Oakley smart glasses app, despite previously abandoning this technology after settling biometric privacy lawsuits. Additionally, Meta's AI-powered account support tool, which was introduced in March to automate functions like password resets, has been discovered by hackers who can exploit it to take over user accounts.
An AI security agent discovered 21 previously unknown vulnerabilities (zero-days, or security flaws unknown to the public) in FFmpeg, a widely-used media library, while Google released Chrome 149 with a record 429 security patches in a single update. The article highlights how AI tools are finding vulnerabilities faster and cheaper than before, forcing security teams and software maintainers to work harder to keep up with the increased pace of bug discoveries.
Fix: For FFmpeg: pull the fixed upstream build or your distribution's security update as soon as it lands, and prioritize patching anything that processes untrusted RTSP (Real Time Streaming Protocol, a video streaming standard) or AV1-over-RTP (video compression format over network packets). Also check and patch embedded FFmpeg copies in Python packages, container images, and appliances. For Chrome: update to version 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS, or confirm auto-update has completed.
Source: The Hacker News
OpenAI has released Lockdown Mode, a security feature that prevents the final stage of data exfiltration (stealing and sending sensitive information) from prompt injection attacks (tricking an AI by hiding malicious instructions in its input) by blocking outbound network requests. However, Lockdown Mode does not stop prompt injections from appearing in the content ChatGPT processes, meaning attackers can still manipulate the AI's responses through cached web content or uploaded files.
Fix: Enable Lockdown Mode, which is rolling out to eligible personal accounts (Free, Go, Plus, and Pro tiers) and self-serve ChatGPT Business accounts. According to the source, Lockdown Mode uses deterministic mechanisms (fixed, rule-based processes) to restrict exfiltration vectors, rather than relying on AI systems to detect attacks.
Source: Simon Willison's Weblog
Fix (Twig sandbox): The sandbox was fixed by wrapping every child node that will be converted to a string at runtime. A new `Twig\Node\CoercesChildrenToStringInterface` allows nodes to declare which children need protection, core nodes now implement this interface, spread arguments are checked via `SandboxExtension::ensureSpreadAllowed()`, and dynamic attribute names are checked at runtime inside `CoreExtension::getAttribute()`.
Source: GitHub Advisory Database
OpenAI CEO Sam Altman and the White House are discussing a possible government stake in OpenAI, with talks ongoing for over a year. As part of the potential agreement, OpenAI could donate equity to create a 'Public Wealth Fund' that would invest in long-term assets and allow citizens to share in the financial benefits of AI growth. No official investment terms have been decided, and all details remain subject to change.
Fix: For Amazon Q Developer: upgrade to Language Server v1.22.0 or later (released July 17, 2025) to require human confirmation for find, grep, and echo commands; upgrade to Language Server v1.24.0 or later (released July 29, 2025) to require human confirmation for ping and dig commands. For AWS Kiro: upgrade to version 0.1.42 or later (released August 1, 2025), which requires human confirmation for risky actions when configured in Supervised mode.
Source: AWS Security Bulletins
Fix (runc, CVE-2025-31133, CVE-2025-52565, CVE-2025-52881): AWS recommends applying all security patches and software version updates as a best practice. Customers using containers to isolate workloads within their own environments should contact their operating system vendor for any updates or instructions necessary to mitigate these issues.
Source: AWS Security Bulletins
Fix (Kiro IDE, CVE-2026-0830): Update to Kiro version 0.6.18 or later.
Source: AWS Security Bulletins
Fix: Update SageMaker Python SDK to v3.2.0 or later for the HMAC vulnerability, or v2.256.0 or later if using v2. Update to v3.1.1 or later for the TLS vulnerability, or v2.256.0 or later if using v2.
Source: AWS Security Bulletins
Microsoft has identified seven new ways that agentic AI systems (AI programs that can take actions autonomously) can fail or be attacked, building on previous research. These vulnerabilities include attacks where adversaries manipulate agent behavior through natural language, redirect an agent's goals, trick agents communicating with each other, exploit visual interfaces, contaminate data to bias reasoning, abuse plugins and protocols, and cause agents to leak internal information.
Fix: Microsoft advises security teams to: inventory their supply chain and generate a software bill of materials (SBOM, a detailed list of all components in deployed agents); verify agent identity using cryptographic credentials issued at provisioning rather than relying on position or location; add the seven new failure modes to their red-team coverage matrix (security testing that simulates attacks); and audit the human-in-the-loop user experience (where humans review or approve agent actions) as a security control.
Source: CSO Online
Fix: Model routing is presented as the emerging solution: according to the source, routing is a tool that matches the job to the model, sending hard problems to expensive frontier models (advanced, state-of-the-art AI systems) and easy ones to cheaper, faster alternatives. The article also mentions that Cognition announced an AI productivity guarantee, where if their Devin agent delivers less engineering value than a customer pays for, Cognition will fund usage up to $10 million until performance improves, framing this as a way to measure return on investment (value delivered) rather than just activity metrics like tokens consumed.
Source: CNBC Technology
Microsoft Threat Intelligence found that Anthropic's Claude Code GitHub Action could expose sensitive credentials when AI agents process untrusted GitHub content (like issue descriptions and comments) because the Read tool wasn't properly sandboxed, allowing it to access /proc/self/environ and steal API keys. Attackers exploited this by hiding prompt injection (tricking an AI by hiding instructions in its input) attacks in HTML comments within GitHub issues to manipulate the AI agent into executing malicious operations like planting code into repositories.
Fix: Anthropic mitigated this issue in Claude Code version 2.1.128 by blocking access to sensitive /proc files. Microsoft also recommends that defenders treat AI workflows processing untrusted GitHub content as high-risk, especially when they have access to secrets, file-read tools, or external communication channels.
Source: Microsoft Security Blog
Fix: Verify and restrict the algorithm containers (isolated software packages) that are allowed to run on your vantage6 node, with instructions available in the vantage6 security documentation.
Source: GitHub Advisory Database