All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A group of Discord users gained unauthorized access to Anthropic's Mythos Preview (a restricted AI model designed to find security vulnerabilities) by examining data from a breach of Mercor (an AI training startup) and making an educated guess about the model's online location based on Anthropic's known URL patterns. They exploited this access to build simple websites rather than conduct more harmful activities, potentially avoiding detection by Anthropic.
OpenAI has released a prompting guide for GPT-5.5 (a new version of their language model), which includes tips for improving user experience and migrating existing code. One key recommendation is to send brief status updates to users before starting multi-step tasks, so long-running operations don't appear frozen. The guide also advises treating GPT-5.5 as a new model family rather than a drop-in replacement, suggesting developers start fresh with minimal prompts (instructions given to the AI) and gradually tune them for the new model instead of reusing old ones.
LLM version 0.31 adds support for the new GPT-5.5 model and introduces two new command-line options: one to control text verbosity (how much detail the AI outputs) for GPT-5+ models, and another to set image detail levels for images sent to OpenAI models. The release also registers models from a configuration file (extra-openai-models.yaml) as asynchronous (able to run multiple requests without waiting for each to finish).
DeepSeek released V4, an open-source AI model (software available for anyone to download and modify) that can process much longer text inputs than previous versions and offers performance comparable to top commercial models at significantly lower costs. The model comes in two versions: V4-Pro for complex coding tasks and V4-Flash for faster, cheaper operation, with both offering reasoning modes (where the model shows its step-by-step thinking). This release matters because it demonstrates that open-source models can compete with expensive commercial alternatives, potentially allowing developers to access advanced AI capabilities without high costs.
LangChain (a framework for building AI agents and applications powered by large language models) versions before 1.1.14 had a TOCTOU vulnerability (time-of-check-time-of-use, where a security check and an action happen at different times with a gap in between) in its image token counting feature. An attacker could trick the system by making a hostname first resolve to a safe public IP address during a security check, then resolve to a private or localhost IP address during the actual network request, bypassing security protections.
LangChain's HTMLHeaderTextSplitter had a security flaw where it validated URLs initially but then followed redirects (automatic forwarding to different URLs) without rechecking them, allowing attackers to redirect requests to internal or sensitive servers and potentially leak data. This SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) was fixed in version 1.1.2.
US House Republicans introduced two privacy bills (SECURE Data Act and GUARD Financial Data Act) that would create national privacy standards but weaken enforcement by eliminating private lawsuits and overriding stronger state privacy laws like California's. Privacy advocates criticize the bills as inadequate because their data minimization rules (the principle that companies should collect only necessary data and retain it only as long as needed) tie collection limits to what companies voluntarily disclose rather than imposing stricter necessity requirements.
Gemini CLI had two security vulnerabilities that could allow remote code execution (running malicious code on a system). First, in headless mode (non-interactive environments like CI/CD pipelines), the tool automatically trusted workspace folders and loaded configuration files without verification, which could be exploited through malicious environment variables. Second, the `--yolo` flag bypassed tool allowlisting (restrictions on what commands can run), allowing unrestricted command execution via prompt injection (tricking the AI by hiding instructions in its input). Version 0.39.1 and later now require explicit folder trust and enforce tool allowlisting even in `--yolo` mode.
Scattered Spider is a criminal gang that hacks into company computer systems to steal virtual currency, using social engineering attacks (tricks that manipulate people into revealing information) like SMS phishing (fake text messages with malicious links) and impersonating employees to deceive help desks. Despite several arrests in 2024, some members remain active and continue attacking businesses, so security leaders are being warned to stay alert.
Google is investing up to $40 billion in Anthropic, an AI company that competes with OpenAI, with an initial $10 billion upfront and the remaining $30 billion dependent on performance milestones. This investment is part of a broader partnership that includes providing Anthropic with computing resources and cloud infrastructure access. The funding addresses Anthropic's need to expand its infrastructure to handle growing demand for its Claude AI assistant.
This item describes a prompt injection vulnerability (tricking an AI by hiding malicious instructions in its input) in k8sGPT-Operator, a tool that helps manage Kubernetes clusters (container orchestration systems). The content explains the framework for measuring vulnerability severity through metrics like attack complexity and potential impact, but does not provide specific details about the vulnerability itself or how it works.
Claude Code had a security flaw where it checked a git worktree (a Git feature allowing multiple branch checkouts in separate directories) `commondir` file to decide if a folder was trustworthy, but didn't verify the file's contents. An attacker could create a malicious repository with a fake `commondir` file pointing to a folder the victim had previously trusted, tricking Claude Code into skipping its safety dialog and running malicious code from `.claude/settings.json` (a configuration file). This attack required the victim to clone the malicious repository and open it in Claude Code, and the attacker had to know a path the victim had already marked as safe.
A bug in rustls-webpki (a Rust library for validating certificates) causes the program to crash when processing a malformed CRL (certificate revocation list, a list of revoked digital certificates) with a specially crafted BIT STRING (a data structure in certificate formats). The crash happens in the `bit_string_flags()` function when it tries to access an array element that doesn't exist, but only affects applications that explicitly enable CRL checking and load CRL data from untrusted sources.
LiteLLM's proxy API key verification has a SQL injection vulnerability (a type of attack where an attacker inserts malicious database commands into input fields). An unauthenticated attacker could send a specially crafted authorization header to exploit this flaw and potentially read or modify the proxy's database, gaining unauthorized access to stored credentials.
Ray Data registers custom Arrow extension types (special data format handlers) globally in PyArrow, and when PyArrow reads a Parquet file (a data storage format) containing these types, it automatically deserializes metadata bytes using cloudpickle.loads(), which can execute arbitrary code. This vulnerability was reintroduced in July 2025 after a similar issue was supposedly fixed in May 2024, allowing attackers to run malicious code just by having Ray read a specially crafted Parquet file.
LiteLLM Proxy had a server-side template injection vulnerability (a security flaw where user input is processed as code rather than plain text) in its `/prompts/test` endpoint that allowed authenticated users to run arbitrary code within the proxy process and potentially access sensitive information like API keys or database credentials. The vulnerability affects any deployment running an affected version of LiteLLM Proxy.
A critical vulnerability allows attackers to forge Stripe webhook events (messages confirming payments) and illegally credit their accounts with quota without paying, because the system uses an empty default secret key and doesn't verify which payment method was actually used. Three compounding flaws enable this: the webhook handler accepts empty secrets, signature verification can be bypassed with an empty key, and the system fulfills orders from any payment gateway when it receives a forged Stripe webhook.
A vulnerability in the Linux kernel's lan966x network driver causes memory leaks when certain initialization functions fail. Specifically, a page pool (a memory management structure that pre-allocates memory pages for efficient network operations) is created but not properly cleaned up if later operations fail, wasting system memory.
Fix: OpenAI recommends running the command "$openai-docs migrate this project to gpt-5.5" in Codex to upgrade existing code. For manual migration, OpenAI advises: begin with a fresh baseline instead of carrying over every instruction from older prompts, start with the smallest prompt that preserves the product contract, then tune reasoning effort, verbosity, tool descriptions, and output format against representative examples.
Simon Willison's WeblogOpenAI's leader Sam Altman apologized for not reporting a ChatGPT account to police before a mass shooting in Canada killed eight people in January, even though the company had identified and banned the account for problematic usage. OpenAI stated it did not alert law enforcement because the account activity did not meet the company's threshold for showing a credible or imminent plan for serious physical harm. The company now faces lawsuits and a criminal investigation related to this incident and another shooting.
Fix: OpenAI has said it will strengthen its safety measures and will continue to focus on working with all levels of government to help ensure similar incidents do not happen again.
BBC TechnologyFix: Update langchain-openai to version 1.1.14 or later.
NVD/CVE DatabaseFix: Update langchain-text-splitters to version 1.1.2 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to Gemini CLI version 0.39.1 or 0.40.0-preview.3. For workflows running on trusted inputs, set the environment variable `GEMINI_TRUST_WORKSPACE: 'true'` in your GitHub Actions workflow. For workflows processing untrusted inputs, review the guidance at https://github.com/google-github-actions/run-gemini-cli to harden your workflow against malicious content and set the same environment variable after implementing appropriate security measures. If you have specified a specific version of gemini_cli, upgrade to one of the patched versions and audit your workflow settings.
GitHub Advisory DatabaseAnthropic's Claude Mythos, an AI model designed to find bugs in software, has been distributed to select government agencies and industry groups through a program called Project Glasswing, but the US cybersecurity agency CISA does not have access yet. Unauthorized users from a private Discord community have also gained access to Mythos and have been using it regularly, raising concerns since the model could potentially be used to discover and exploit software vulnerabilities.
Fix: Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
GitHub Advisory DatabaseFix: Fixed in version 1.83.7. The caller-supplied value is now always passed to the database as a separate parameter. Upgrade to 1.83.7 or later. Alternatively, if upgrading is not immediately possible, set `disable_error_logs: true` under `general_settings` to remove the path through which unauthenticated input reaches the vulnerable query.
GitHub Advisory DatabaseFix: Upgrade to version `1.83.7-stable` or later, which fixes the issue by switching the prompt template renderer to a sandboxed environment (a restricted area where code runs with limited permissions) that blocks the attack. If upgrading is not immediately possible, block the `POST /prompts/test` endpoint at your reverse proxy or API gateway, and review and rotate API keys that should not have access to prompt management routes.
GitHub Advisory DatabaseFix: Add the missing page_pool_destroy() calls in both error paths to properly clean up the page pool when initialization fails.
NVD/CVE Database