Browse All

Researchers discovered Greyvibe, a Russia-aligned crime group that uses large language models (LLMs, AI systems trained to generate text) extensively throughout its cyberattacks against Ukrainian targets, including government and military organizations. The group has used generative AI to create spear phishing emails (fraudulent messages pretending to come from trusted sources), malicious scripts, and custom malware programs like PhantomRelay and LegionRelay (remote access trojans, or RATs, which are tools that let attackers control compromised computers). Greyvibe has conducted multiple campaigns since August 2025 using various attack methods, from fake websites to ClickFix-style attacks (tricks that convince users to run malicious commands on their computers).

PraisonAI (a framework for building AI agents) versions 4.6.37 and earlier have a vulnerability where hidden metadata in webpages can trick AI agents into writing files to any location on a system. The bug happens because the `write_file` function skips path validation (checking whether a file path is safe) when the workspace parameter is `None`, which is the default in production environments.

PraisonAI has a security vulnerability where unauthenticated users can read any file on the system through multiple handlers like `workflow.show`, `workflow.validate`, and `deploy.validate`. The problem exists because these file-handling tools don't validate or restrict file paths before reading them, and the dispatcher that calls these tools doesn't enforce security checks on incoming requests.

PraisonAI versions up to 4.6.37 contain a critical vulnerability where two functions in `agents_generator.py` use `spec.loader.exec_module` (a method that loads and runs Python code from a file) without any security checks or validation. An attacker can exploit this by providing a malicious Python file path through YAML configuration, either by modifying shared config files, submitting a crafted recipe via GitHub, or using prompt injection (tricking the AI into loading code from a malicious path), resulting in arbitrary code execution (the ability to run any commands on the system).

Ouroboros (an AI tool) has a remote code execution vulnerability where loading a `.env` file (a configuration file with environment variables) from a cloned repository could let an attacker run malicious code on your system. The flaw occurs because Ouroboros reads execution-controlling settings like CLI paths directly from the project directory's `.env` file without checking if they're trustworthy, allowing an attacker to point these paths to their own malicious scripts.

FastGPT, an AI Agent building platform, had a Server-Side Request Forgery (SSRF) vulnerability (a flaw that lets attackers trick a server into making requests to internal systems it shouldn't access) in versions before 4.15.0-beta1. An authenticated attacker could bypass security protections and make unauthorized requests to internal network services by exploiting an incomplete fix in the dataset preview endpoint when using the externalFile data import type.

Koel, a podcast player, has a vulnerability where it validates the main podcast feed URL for safety but fails to validate individual episode URLs extracted from the RSS feed (the XML file that lists episodes). When a user plays an episode, the server downloads content from these unvalidated URLs, allowing an attacker to trick it into accessing internal services like AWS metadata endpoints and stealing credentials or sensitive data.

SillyTavern, a locally installed tool for interacting with AI text and image generation models, had a vulnerability in versions before 1.18.0 where the /api/search/searxng endpoint allowed authenticated users to trick the server into making requests to internal or hidden services (SSRF, or server-side request forgery, where an attacker manipulates a server into accessing resources it shouldn't). An attacker could use this to access data from services that should only be available internally.

SillyTavern is a locally installed interface for interacting with text generation AI models. Before version 1.18.0, it had a security flaw where changing a password or recovering an account didn't log out existing sessions, because all session information was stored in a signed cookie (a small piece of data the browser keeps) rather than on the server, making it impossible to revoke access even after a password change.

Attackers are abusing ChatGPT's share feature (which lets users publish rendered content on legitimate OpenAI URLs) to display fake outage pages that trick users into downloading malware disguised as the ChatGPT desktop application. The "LLMShare" campaign uses Google ads to direct people to these malicious shared pages, which appear to come from OpenAI's domain but actually deliver malware-infected downloads through a fake installation portal.

A threat group called GreyVibe, likely linked to Russia, has been running cyberattacks since August 2025 against Ukrainian and other organizations using AI-generated fake content and custom malware tools. The group uses ChatGPT, Gemini, and other AI tools to create realistic phishing lures (fake websites and emails impersonating legitimate organizations), and likely uses AI to help develop malware like LegionRelay (a remote access trojan, or RAT, which lets attackers control a victim's computer from afar) and FallSpy (Android spyware that steals personal data). Researchers say the attackers show less sophistication than typical state-sponsored groups and may include current or former cybercriminals.

vLLM version 0.14.1 has a security flaw where a setting called `trust_remote_code` is permanently turned on in two model files, even when users try to turn it off. This allows RCE (remote code execution, where attackers can run harmful code on your computer) through malicious models downloaded from HuggingFace, a popular model repository. This is a partial fix attempt for two earlier vulnerabilities that didn't fully solve the problem.

claude-code-cache-fix is a tool that speeds up Claude Code by caching results. Versions 3.5.0 through 3.5.1 have a code injection vulnerability (CWE-94, inserting malicious code into a program) in a file called tools/quota-statusline.sh, where user input containing certain byte sequences (''') can break out of a Python string and execute arbitrary code on the user's system. This is a high-severity bug that affects local attackers who can control the input to Claude Code.

Researchers discovered a malicious npm package (a collection of code shared through Node Package Manager, a repository for JavaScript libraries) called "mouse5212-super-formatter" that steals files from Claude AI users' directories. The package disguises itself as a legitimate tool but actually uploads files to a threat actor-controlled GitHub account by authenticating with stolen or hard-coded credentials during installation.

A flaw in Starlette (CVE-2026-48710), the framework that powers FastAPI, allows unauthenticated attackers to bypass authentication by sending a malformed character in a web request's Host header. The flaw tricks Starlette into parsing the request path differently than the actual server sees it, so security checks on one path may allow access to a protected route, potentially enabling SSRF (server-side request forgery, where an attacker makes the server request data from unintended locations) or even remote code execution on affected systems.

IBM Langflow OSS (open-source software) versions 1.0.0 through 1.9.0 has a vulnerability that allows a denial of service attack, which is when an attacker overwhelms a system with requests to make it unavailable. The problem is caused by uncontrolled resource consumption (the system fails to limit how much memory, CPU, or other resources a single request can use).

SymJack is an attack that exploits AI coding agents by tricking them into inserting malicious code into software projects through disguised symlinks (shortcuts that point to files). The attacker controls a code repository and hides malicious instructions in an innocent-looking file request, which the AI agent approves and executes without the developer realizing what's happening, potentially stealing credentials or compromising production systems.