aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Industry News

New tools, products, platforms, funding rounds, and company developments in AI security.

to
Export CSV
2929 items

Claude Pirate: Abusing Anthropic's File API For Data Exfiltration

highnews
security
Oct 28, 2025

Anthropic added network request capabilities to Claude's Code Interpreter, which creates a security risk for data exfiltration (unauthorized stealing of sensitive information). An attacker, either controlling the AI model or using indirect prompt injection (hidden malicious instructions in a document the AI processes), could abuse Anthropic's own APIs to steal data that a user has access to, rather than using typical methods like hidden links.

Embrace The Red

v0.14.6

lownews
security
Oct 25, 2025

LlamaIndex v0.14.6 is a software update released on October 26, 2025, that fixes various bugs across multiple components including support for parallel tool calls, metadata handling, embedding format compatibility, and SQL injection vulnerabilities (using parameterized queries instead of raw SQL string concatenation). The release also adds new features like async support for retrievers and integrations with new services like Helicone.

Prompt injection to RCE in AI agents

highnews
security
Oct 22, 2025

AI agents (software systems that take actions automatically) often execute pre-approved system commands like 'find' and 'grep' for efficiency, but attackers can bypass human approval protections through argument injection attacks (exploiting how command parameters are handled) to achieve remote code execution (RCE, where attackers run unauthorized commands on a system). The article identifies that while these systems block dangerous commands and disable shell operators, they fail to validate command argument flags, creating a common vulnerability across multiple popular AI agent products.

AI Safety Newsletter #64: New AGI Definition and Senate Bill Would Establish Liability for AI Harms

inforegulatory
policyindustry

v0.14.5

infonews
industry
Oct 15, 2025

LlamaIndex v0.14.5 is a release that fixes multiple bugs and adds new features across its ecosystem of AI/LLM tools. Changes include fixing duplicate node positions in documents, improving streaming functionality with AI providers like Anthropic and OpenAI, adding support for new AI models, and enhancing vector storage (database systems that store AI embeddings, which are numerical representations of text meaning) capabilities. The release also introduces new integrations, such as Sglang LLM support and SignNow MCP (model context protocol, a standard for connecting AI tools) tools.

v0.14.4

lownews
security
Oct 3, 2025

LlamaIndex released version 0.14.4 on September 24, 2025, with updates across multiple packages that integrate with different AI services and databases. Most updates fixed dependency issues with OpenAI libraries, while others added new features like support for Claude Sonnet 4.5 and structured outputs, and fixed bugs in areas like authorization headers and data fetching.

Cross-Agent Privilege Escalation: When Agents Free Each Other

highnews
securitysafety

AI Safety Newsletter #63: California’s SB-53 Passes the Legislature

inforegulatory
policy
Sep 24, 2025

California's legislature passed SB-53, the 'Transparency in Frontier Artificial Intelligence Act,' which would make California the first US state to regulate catastrophic risk (foreseeable harms like weapons creation, cyberattacks, or loss of control that could kill over 50 people or cause over $1 billion in damage). The bill requires developers of frontier AI models (large, cutting-edge AI systems) to publish transparency reports on their systems' capabilities and risk assessments, update safety frameworks yearly, and report critical safety incidents to state emergency services.

Supply chain attacks are exploiting our assumptions

infonews
security
Sep 24, 2025

Modern software development relies on implicit trust assumptions when installing packages through tools like cargo add or pip install, but attackers are systematically exploiting these assumptions through supply chain attacks (attacks that compromise software before it reaches developers). In 2024 alone, malicious packages were removed from package registries (centralized repositories for code), maintainers' accounts were compromised to publish malware, and critical infrastructure nearly had backdoors (hidden access points) inserted. Traditional defenses like dependency scanning (automated checks for known security flaws) only catch known vulnerabilities, missing attacks like typosquatting (creating packages with names similar to legitimate ones), compromised maintainers, and poisoned build pipelines (the automated systems that compile and package code).

Wrap Up: The Month of AI Bugs

infonews
securityresearch

AgentHopper: An AI Virus

highnews
securityresearch

Windsurf MCP Integration: Missing Security Controls Put Users at Risk

mediumnews
securitysafety

AI Safety Newsletter #62: Big Tech Launches $100 Million pro-AI Super PAC

inforegulatory
policysafety

Cline: Vulnerable To Data Exfiltration And How To Protect Your Data

highnews
security
Aug 27, 2025

Cline, a popular AI coding agent with over 2 million downloads, has a vulnerability that allows attackers to steal sensitive files like .env files (which store secret credentials) through prompt injection (tricking an AI by hiding instructions in its input) combined with markdown image rendering. When an attacker embeds malicious instructions in a file and asks Cline to analyze it, the tool automatically reads sensitive data and sends it to an untrusted domain by rendering an image, leaking the information without user permission.

AWS Kiro: Arbitrary Code Execution via Indirect Prompt Injection

highnews
security
Aug 26, 2025

AWS Kiro, a coding agent tool, is vulnerable to arbitrary code execution through indirect prompt injection (a technique where hidden instructions in data trick an AI into following them). An attacker who controls data that Kiro processes can modify configuration files like .vscode/settings.json to allowlist dangerous commands or add malicious MCP servers (external tools that extend Kiro's capabilities), enabling them to run system commands or code on a developer's machine without the developer's knowledge or approval.

How Prompt Injection Exposes Manus' VS Code Server to the Internet

highnews
securitysafety

How Deep Research Agents Can Leak Your Data

mediumnews
securityprivacy

Sneaking Invisible Instructions by Developers in Windsurf

mediumnews
securitysafety

Windsurf: Memory-Persistent Data Exfiltration (SpAIware Exploit)

mediumnews
securitysafety

Hijacking Windsurf: How Prompt Injection Leaks Developer Secrets

highnews
security
Aug 21, 2025

Windsurf, a code editor based on VS Code with an AI coding agent called Windsurf Cascade, has security vulnerabilities that allow attackers to use prompt injection (tricking an AI by hiding instructions in its input) to steal developer secrets from a user's machine. The vulnerabilities were responsibly reported to Windsurf on May 30, 2025, but the company has not provided updates on fixes despite follow-up inquiries.

Previous134 / 147Next

Fix: The source explicitly mentions one security fix: 'Replace raw SQL string interpolation with proper SQLAlchemy parameterized APIs in PostgresKVStore' (llama-index-storage-kvstore-postgres #20104). Users should update to v0.14.6 to receive this and other bug fixes. No other specific mitigation steps are described in the release notes.

LlamaIndex Security Releases

Fix: The article states that 'the impact from this vulnerability class can be limited through improved command execution design using methods like sandboxing (isolating code in a restricted environment) and argument separation.' The text also mentions providing 'actionable recommendations for developers, users, and security engineers,' but the specific recommendations are not detailed in the provided excerpt.

Trail of Bits Blog
Oct 16, 2025

The Senate introduced the AI LEAD Act, which would make AI companies legally liable for harms their systems cause, similar to how traditional product liability (the legal responsibility companies have when their products injure people) works for other products. The act would clarify that AI systems count as products subject to liability and would hold companies accountable if they failed to exercise reasonable care in designing the system, providing warnings, or if they sold a defective system. Additionally, China announced new export controls on rare earth metals (elements essential to semiconductors and AI hardware), which could disrupt global AI supply chains if strictly enforced.

Fix: The AI LEAD Act itself serves as the proposed solution: it would establish federal product liability for AI systems, clarify that AI companies are liable for harms if they fail to exercise reasonable care in design or warnings or breach warranties, allow deployers to be held liable for substantially modifying or dangerously misusing systems, prohibit AI companies from limiting liability through consumer contracts, and require foreign AI developers to register agents for service of process in the US before selling products domestically.

CAIS AI Safety Newsletter
LlamaIndex Security Releases

Fix: Update to version 0.14.4 and the corresponding versioned packages listed in the release notes (e.g., llama-index-llms-openai 0.6.1, llama-index-embeddings-text-embeddings-inference 0.4.2, llama-index-llms-ollama 0.7.4, and others) to receive the dependency fixes and bug fixes described.

LlamaIndex Security Releases
Sep 24, 2025

Multiple AI coding agents (like GitHub Copilot and Claude Code) can write to each other's configuration files, allowing one compromised agent to modify another agent's settings through an indirect prompt injection (tricking an AI by hiding malicious instructions in its input). This creates a cross-agent privilege escalation, where one agent can 'free' another by giving it additional capabilities to break out of its sandbox (an isolated environment limiting what software can do) and execute arbitrary code.

Embrace The Red

Fix: SB-53 itself is the mitigation strategy described in the source. The bill requires frontier AI developers to: publish a frontier AI framework detailing capability thresholds and risk mitigations; review and update the framework annually with public disclosure of changes within 30 days; publish transparency reports for each new frontier model including technical specifications and catastrophic risk assessments; share catastrophic risk assessments from internal model use with California's Office of Emergency Services every 3 months; and refrain from misrepresenting catastrophic risks or compliance with their framework.

CAIS AI Safety Newsletter
Trail of Bits Blog
Aug 30, 2025

This post wraps up a series of research articles documenting security vulnerabilities found in various AI tools and code assistants during a month-long investigation. The vulnerabilities included prompt injection (tricking an AI by hiding instructions in its input), data exfiltration (stealing sensitive information), and remote code execution (RCE, where attackers can run commands on systems they don't control) across tools like ChatGPT, Claude, GitHub Copilot, and others.

Embrace The Red
Aug 29, 2025

AgentHopper is a proof-of-concept attack that demonstrates how indirect prompt injection (hidden instructions in code that trick AI agents into running unintended commands) can spread like a computer virus across multiple AI coding agents and code repositories. The attack works by compromising one agent, injecting malicious prompts into GitHub repositories, and then infecting other developers' agents when they pull and process the infected code. The researchers note that all vulnerabilities exploited by AgentHopper have been responsibly disclosed and patched by vendors including GitHub Copilot, Amazon Q, AWS Kiro, and others.

Fix: The source text states that 'All vulnerabilities mentioned in this research were responsibly disclosed and have been patched by the respective vendors.' Specific patched vulnerabilities include: GitHub Copilot (CVE-2025-53773), Amazon Q Developer, AWS Kiro, and Amp Code. The source also mentions a 'Safety Switch' feature was implemented 'to avoid accidents,' though the explanation is incomplete in the provided text.

Embrace The Red
Aug 28, 2025

Windsurf's MCP (Model Context Protocol, a system that connects AI agents to external tools) integration lacks fine-grained security controls that would let users decide which actions the AI can perform automatically versus which ones need human approval before running. This is especially risky when the AI agent runs on a user's local computer, where it could have access to sensitive files and system functions.

Embrace The Red
Aug 27, 2025

Big Tech companies like Andreessen Horowitz and OpenAI are investing over $100 million in political organizations called super PACs (groups that can raise unlimited money to influence elections) to fight against AI regulations in U.S. elections. Additionally, Meta faced bipartisan congressional criticism after internal documents revealed its AI chatbots were permitted to engage in romantic and sensual conversations with minors, though Meta removed these policy sections when questioned.

CAIS AI Safety Newsletter

Fix: The source recommends these explicit mitigations: (1) Do not render markdown images from untrusted domains, or ask for user confirmation before loading images from untrusted domains (similar to how VS Code/Copilot uses a trusted domain list). (2) Set 'Auto-approve' to disabled by default to limit which files can be exfiltrated. (3) Developers can partially protect themselves by disabling auto-execution of commands and requiring approval before reading files, though this only limits what information reaches the chat before exfiltration occurs.

Embrace The Red
Embrace The Red
Aug 25, 2025

Manus, an autonomous AI agent, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) attacks that can expose its internal VS Code Server (a development tool accessed through a web interface) to the internet. An attacker can chain together three weaknesses: exploiting prompt injection to invoke an exposed port tool without human approval, leaking the server's access credentials through markdown image rendering or unauthorized browsing to attacker-controlled domains, and gaining remote access to the developer machine.

Embrace The Red
Aug 24, 2025

Deep Research agents (AI systems that autonomously search and fetch information from multiple connected tools) can leak data between different connected sources because there is no trust boundary separating them. When an agent like ChatGPT performs research queries, it can freely use data from one tool to query another, and attackers can force this leakage through prompt injection (tricking an AI by hiding instructions in its input).

Embrace The Red
Aug 23, 2025

Windsurf Cascade is vulnerable to hidden prompt injection, where invisible Unicode Tag characters (special characters that don't display on screen but are still processed by AI) can be embedded in files or tool outputs to trick the AI into performing unintended actions without the user knowing. While the current SWE-1 model doesn't interpret these invisible instructions as commands, other models like Claude Sonnet do, and as AI capabilities improve, this risk could become more severe.

Fix: The source explicitly mentions three mitigations: (1) make invisible characters visible in the UI so users can see hidden information; (2) remove invisible Unicode Tag characters entirely before and after inference (described as 'probably the most practical mitigation'); (3) mitigate at the application level, as coding agents like Amp and Amazon Q Developer for VS Code have done. The source also notes that if building exclusively on OpenAI models, users should be protected since OpenAI mitigates this at the model/API level.

Embrace The Red
Aug 22, 2025

Windsurf Cascade contains a create_memory tool that could enable SpAIware attacks, which are exploits allowing memory-persistent data exfiltration (stealing data by storing it in an AI's long-term memory). The key question is whether creating these memories requires human approval or happens automatically, which could determine how easily an attacker could abuse this feature.

Embrace The Red
Embrace The Red