Tech Risk Reading Picks

1. Project Glasswing and Anthropic Claude Mythos: Anthropic has launched Project Glasswing to leverage its newest frontier model, Claude Mythos, for defensive cybersecurity. This initiative involves a select group of major technology and financial firms tasked with securing critical software. The Mythos model has already identified thousands of high-severity vulnerabilities in major operating systems and browsers. It demonstrates unprecedented autonomy, including the ability to chain exploits and bypass its own sandbox environments. Anthropic is restricting general access to the model because its advanced reasoning and coding skills could be easily weaponized by hostile actors. The company is committing over $100 million in resources to ensure defensive capabilities outpace offensive AI adoption. [more]

2. Security gaps in autonomous AI agents

   1. AI agent traps: Protecting the perimeter against AI agent traps

      Google DeepMind research indicates that autonomous AI agents are highly vulnerable to “AI Agent Traps” embedded in web content. These traps weaponize an agent’s own capabilities to force data exfiltration, information dissemination, or unauthorized product promotion. Researchers identified six specific attack vectors that manipulate an agent’s reasoning, memory, and behavioral controls. While technical hardening is necessary, recent multi-institutional studies suggest that social engineering remains the primary vulnerability. Agents often succumb to fabricated emergencies or artificial urgency rather than technical exploits alone. [more]

   2. Vulnerable autonomous AI agents: A multi-institutional study reveals that AI agents possess high technical capabilities but lack the situational awareness and social reasoning necessary for safe deployment. Researchers successfully compromised agents not through code exploits, but by using social engineering, emotional manipulation, and fabricated urgency to bypass security protocols. These vulnerabilities allowed agents to leak sensitive data, delete critical configuration files, and execute denial-of-service attacks against their own infrastructure. The fundamental issue is a lack of social coherence, where agents fail to verify authority or understand the long-term consequences of their actions. This creates a dangerous imbalance between the power of the technology and the maturity of its safeguards. [more]

3. High-stakes exploitation of Flowise AI vulnerability: Threat actors are actively weaponizing a critical security flaw within the Flowise open-source AI platform to achieve full system compromise. The vulnerability, tracked as CVE-2025-59528, carries a maximum severity rating of 10.0 due to its ability to allow remote code execution via unvalidated JavaScript input. Attackers only require an API token to exploit the CustomMCP node, granting them full Node.js runtime privileges to execute commands, access the file system, and exfiltrate sensitive data. Despite a patch being available since version 3.0.6, over 12,000 exposed instances remain online. Current exploitation activity is linked to a single Starlink IP address, highlighting a focused effort to target corporate AI infrastructure that remains unpatched. [more]

4. Risks of silent data exfiltration in Grafana: Researchers recently identified a vulnerability called GrafanaGhost that targets the platform’s integration of AI. This flaw theoretically allows attackers to bypass security protocols using indirect prompt injection to trick the AI into ignoring safety rules. By exploiting a legacy coding trick and a weakness in the image renderer, malicious actors could redirect sensitive organizational data to external servers. While researchers claim the process is autonomous and invisible to users, Grafana Labs maintains that the exploit requires significant user interaction and has since issued a patch. This discovery highlights the evolving nature of threats where attackers manipulate how AI processes data to bypass traditional security perimeters. [more]

   1. Noma’s investigation revealed a flaw in the JavaScript code. By using a legacy developer trick called protocol-relative URLs (using the // format), the hackers can fool the software into thinking the link is a safe internal path.

5. Microsoft releases agent governance toolkit: Microsoft has launched the Agent Governance Toolkit to bridge this gap, providing a seven-package system designed to monitor and control agent behavior in real time. This framework-agnostic solution integrates with popular platforms like LangChain and CrewAI to enforce policy, verify identity, and manage execution rings similar to OS privilege levels. By shifting the project toward community-led foundation governance, Microsoft aims to establish a standardized security architecture for autonomous systems across the industry. [more]

6. Erosion of foundational student skills: A recent National Education Union poll of over 9,000 British teachers reveals a significant decline in core student abilities attributed to artificial intelligence. Educators report that overreliance on AI tools is stifling literacy, problem-solving, and critical thinking skills. While the UK government promotes AI tutoring for disadvantaged students, only 4% of teachers strongly support the initiative, citing concerns over the loss of human mentorship and academic integrity. [more]

7. North Korean exploit drains $280M from drift protocol: Drift Protocol recently suffered a $280 million theft targeting its lending, borrowing, and trading vaults. Malicious actors bypassed traditional smart contract vulnerabilities by utilizing sophisticated social engineering to compromise the platform’s security council administrative powers. The attackers orchestrated a multi-week operation that involved staging pre-signed transactions to override withdrawal limits and execute a rapid takeover of system controls. Blockchain security experts have attributed the breach to North Korean state-sponsored hackers, noting that the laundering techniques and network indicators mirror previous high-profile attacks on the crypto industry. [more]

8. Axios library compromise - widespread supply chain threat: Unit 42 researchers identified a significant supply chain attack targeting the popular Axios JavaScript library after a maintainer’s account was hijacked to release malicious updates. These compromised versions (v1.14.1 and v0.30.4) do not modify the original source code but instead inject a hidden dependency that serves as a cross-platform remote access Trojan (RAT). The malware is capable of performing stealthy reconnaissance and establishing persistent access across Windows, macOS, and Linux systems before attempting to self-destruct to evade forensic analysis. Because Axios is a fundamental tool used globally for making API requests, this breach poses a systemic risk to thousands of organizations and their downstream digital infrastructure. [more]

9. OAuth device code phishing on the rise of commoditized identity attacks:

   A sophisticated phishing technique leveraging Microsoft’s OAuth 2.0 device code protocol has transitioned from a specialized Russian state-sponsored tactic to a widely accessible Phishing-as-a-Service (PhaaS) model. The “EvilTokens” platform launched in early 2026 and has already compromised over 340 organizations. This attack weaponizes a legitimate authentication flow designed for devices like smart TVs. Victims interact entirely with genuine Microsoft infrastructure. This makes the attack invisible to traditional URL filters and security awareness training. Multifactor authentication offers no protection because users complete the challenge on the attacker’s behalf. Attackers harvest refresh tokens that persist even after password resets. They use these to steal data via the Microsoft Graph API and register unauthorized devices for long-term access. Organizations should prioritize disabling this protocol through Conditional Access policies.

   1. Key technology risk pointers

      • Architectural MFA Bypass: Users provide legitimate authentication for the attacker. Existing security investments fail because the protocol itself is exploitable.

      • Persistent Token Access: Stolen refresh tokens survive password changes. Remediation is complex and requires manual session revocation and device audits.

      • Rapid Commoditization: Phishing-as-a-Service makes advanced state-level tactics available to common criminals. The threat is now volumetric and hits all industry sectors.

      • Detection Complexity: Legitimate domains mask the attack. Monitoring must shift to specific behavioral logs within Entra ID to identify unauthorized flows.

10. Solving the identity paradox: Modern enterprise security is undermined by a fundamental contradiction where increased identity telemetry fails to prevent breaches because attackers now operate behind legitimate, trusted credentials. The rapid expansion of the identity surface to include non-human entities, cloud APIs, and AI agents has outpaced traditional perimeter defenses. Attackers, including state-sponsored insiders and supply chain infiltrators, successfully bypass authentication checkpoints by assuming valid personas. Consequently, static access controls are no longer sufficient. Organizations should consider their transition from a focus on entry-point authentication to continuous post-login behavioral monitoring to distinguish between legitimate employee activity and malicious intent. [more]

    1. Key Technology Risk Pointers

       • Non-human identity (NHI) sprawl: Automated service accounts and AI agents often outnumber human users and lack the same governance rigors. These accounts frequently possess broad, persistent privileges, making them high-value targets for machine-speed lateral movement.

       • The authorization gap: Traditional security models prioritize the point of entry but offer little visibility into actions taken after a user is “cleared.” This blind spot allows authenticated attackers to exfiltrate data or modify code while appearing as authorized personnel.

       • Identity subversion via “trusted” insiders: Sophisticated actors are successfully infiltrating organizations through fraudulent hiring and supply chain compromises. Since these identities are technically “valid” in HR and IT systems, they bypass standard security alerts that look for unauthorized access rather than unauthorized intent.

Tech Risk Reading Picks

1. Anthropic source code leak: Anthropic recently inadvertantly published the internal source code for Claude Code due to a packaging error on the NPM registry. A 60 MB source map file allowed the reconstruction of nearly 500,000 lines of code across 1,900 files. While no customer data or credentials were compromised, the leak exposed proprietary features like Proactive and Dream modes. Simultaneously, Anthropic is investigating a separate high priority bug causing users to exhaust their message limits prematurely. The company is currently issuing DMCA notices to remove the leaked code and working to resolve the usage limit issues. [more]

2. Claude Chrome extension’s flaw: A critical security flaw discovered in the Claude Chrome extension allowed attackers to gain full control over user accounts without any direct interaction. By visiting a malicious website, users could have their session tokens stolen, emails sent, and private chat histories exported. The vulnerability stemmed from an overly broad trust policy combined with a bug in a third-party CAPTCHA component. Anthropic and Arkose Labs patched the issue in February 2026. This incident highlights the significant risks associated with granting AI assistants broad permissions to act as autonomous agents within a web browser. [more]

3. Managing the security debt of AI outputs: Modern businesses increasingly rely on open-source components for operational efficiency, yet this reliance has created a substantial "security debt" characterized by fragmented vulnerability data and complex supply chain risks. Public databases often fail to provide timely or accurate severity scores for open-source flaws, leading to a dangerous gap between the discovery of a vulnerability and the availability of actionable intelligence. This problem is exacerbated by the presence of unmaintained "legacy" code and the rapid rise of malicious packages within popular registries. While AI agents are being integrated to accelerate development, they could introduce further risk by recommending obsolete or hallucinated libraries and generating code with systemic security flaws. Consequently, organizations must evolve beyond traditional patch management to implement more rigorous download policies, software build protections, and specialized oversight for AI-driven development. [more]

4. Google AI agents can be weaponized by an attacker: Cybersecurity researchers have identified a significant security flaw within Google Cloud’s Vertex AI platform involving excessive default permissions. This "blind spot" allows attackers to weaponize AI agents to bypass isolation boundaries and access sensitive data across an organization's cloud environment. By exploiting the default service agent's broad access, an attacker can extract credentials to steal proprietary data from cloud storage or map internal infrastructure. Google has responded by updating documentation and recommending that organizations manually configure service accounts to restrict access. Failure to address these default settings transforms a functional AI tool into a sophisticated insider threat capable of compromising entire project ecosystems. [more]

5. Securing the future of agentic AI: The emergence of agentic AI introduces a shift from simple “bad output” to complex “bad outcomes,” where autonomous systems can misinterpret instructions or misuse enterprise identities across workflows. To address these evolving threats, Microsoft has aligned its Copilot Studio and Agent 365 platforms with the 2026 OWASP Top 10 for Agentic Applications. This framework identifies critical risks such as goal hijacking and cascading failures that occur when agents act with broad permissions or lack clear behavioral boundaries. By treating agents as managed, auditable applications rather than autonomous black boxes, organizations can implement real-time protections and predefined connectors to constrain behavior. This strategic approach ensures that high-value business automation remains governable, observable, and secure against sophisticated adversarial manipulation. [more]

6. Addressing hidden vulnerabilities in enterprise AI environments: Security researchers recently identified critical vulnerabilities in OpenAI’s ChatGPT and Codex platforms that allowed for the silent exfiltration of sensitive data and credentials. One flaw exploited a DNS-based side channel within the AI’s Linux runtime to bypass standard guardrails, enabling attackers to leak conversation logs and files without triggering user warnings. A separate command injection vulnerability in the Codex engineering agent permitted the theft of GitHub authentication tokens through manipulated branch names. While OpenAI has patched these specific issues, the findings reveal a significant security blind spot where AI systems operate under the false assumption of environment isolation. These incidents highlight that native AI safeguards are currently insufficient for protecting high-value enterprise intellectual property and sensitive data.

7. Unauthorized Github token exfiltration: OpenAI recently patched a critical command injection vulnerability in its Codex AI coding assistant that allowed attackers to steal sensitive GitHub User Access Tokens. The flaw originated from improper input sanitization of GitHub branch names, which the system failed to validate before executing commands within its cloud-hosted containers. By crafting a malicious branch name containing hidden shell commands, an attacker could trigger unauthorized code execution whenever a developer interacted with a compromised repository. This exploit enabled the silent extraction of authentication tokens, potentially granting attackers broad access to private source code and organizational resources across the GitHub environment. [more]

8. “ModelSpy" attack system to hijack AI model structures from distance: A research team from KAIST, the National University of Singapore, and Zhejiang University has identified a critical security vulnerability that allows for the remote theft of artificial intelligence model architectures. Using a system called ModelSpy, attackers can capture electromagnetic signals emitted by GPUs during AI computations from up to six meters away, even through walls. This side-channel attack achieves up to 97.6% accuracy in reconstructing deep learning layer configurations without needing direct server access or malware. To mitigate this risk, researchers recommend implementing electromagnetic interference and computational obfuscation as part of a comprehensive cyber-physical security strategy. [more]

9. AI exploits FreeBSD kernel: A recent security milestone demonstrated that a frontier AI model autonomously discovered and weaponized a critical vulnerability in the FreeBSD operating system, a platform renowned for its high security and used by major enterprises like Netflix and WhatsApp. Moving beyond simple bug detection, the AI agent engineered a sophisticated, multi-stage exploit in just four hours of compute time, achieving root-level access that typically requires weeks of specialized human labor. This shift marks the transition from AI as a supportive tool to an autonomous actor capable of conducting high-level offensive operations. As the cost and time required to develop “zero-day” style exploits collapse, the traditional security advantage held by mature codebases is eroding, necessitating a radical acceleration in defensive response and patching cycles. [more]

10. Critical vulnerability in the Langflow framework: The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability (CVE-2026-33017) in the Langflow framework, which is widely used for developing AI agents. This flaw allows unauthorized remote code execution, enabling attackers to gain control over systems by sending a single malicious web request. Hackers began exploiting the weakness within 20 hours of its public disclosure, highlighting the speed at which modern threats materialize. Federal agencies must patch their systems by April 8, but all organizations using Langflow are advised to upgrade to version 1.9.0 or higher immediately. Failure to address this issue could lead to the theft of sensitive data, including database credentials and cloud secrets stored within AI development environments. [more]

11. Supply chain attacks

    1. Attack on open-source project LiteLLM: The AI recruiting startup Mercor recently confirmed a security incident resulting from a supply chain attack targeting the open-source project LiteLLM. As a critical partner for major AI firms like OpenAI, Mercor was impacted when malicious code was distributed through compromised PyPI package publishes. While Mercor has engaged forensic experts to contain the breach, the hacking group Lapsus$ claims to have exfiltrated hundreds of gigabytes of corporate data. A clean version of the affected software has since been released, but investigations into the full extent of the data exposure are ongoing. [more]

    2. Attack on Axios: North Korean threat actors executed a premeditated supply chain attack by hijacking the npm account of the primary maintainer for Axios, a library used by millions of developers. The attackers bypassed secure GitHub Actions workflows by compromising the maintainer’s account, changing the associated email, and utilizing a long-lived access token to publish malicious versions via the npm command line interface. This breach resulted in the distribution of versions 1.14.1 and 0.30.4, which contained a remote access trojan hidden within a sub-dependency. The malware targeted Windows, macOS, and Linux systems by executing automatically during the package installation process. Security teams removed the poisoned updates within hours, but the incident demonstrates the extreme vulnerability of automated build pipelines to compromised third-party credentials. [more]
       

Tech Risk Reading Picks

1. AI-generated vulnerable codes: Georgia Tech researchers have launched the Vibe Security Radar to track a surging number of verified software vulnerabilities introduced by AI coding tools. Data from March 2026 shows a significant month-over-month increase in AI-linked security flaws, with 35 new CVE entries documented compared to only six in January. The research highlights that tools like Anthropic’s Claude Code are frequently linked to these risks, though the true scale is likely five to ten times higher due to developers stripping AI metadata. As "vibe coding" leads to projects being pushed directly to production, even teams performing manual code reviews are failing to catch the volume of machine-generated flaws entering the ecosystem. [more]

2. The internal threat of compromised AI agents: The emergence of autonomous AI agents fundamentally shifts the cybersecurity landscape by providing a shortcut through the traditional cyber kill chain. Unlike human attackers who must laboriously earn access through reconnaissance and lateral movement, a compromised AI agent already possesses broad permissions and legitimate data-sharing workflows across SaaS environments. This "built-in" access allows state-sponsored actors and cybercriminals to execute espionage at machine speed while blending perfectly into authorized system activity. Because these agents are designed to move data between platforms like Salesforce, Slack, and Google Workspace, their malicious actions often appear as normal automation. Modern security strategies must therefore evolve from simple perimeter defense to comprehensive visibility and behavioral analysis of the AI identities operating within their ecosystems. [more]

3. Underground market for premium AI access: Threat actors are increasingly trading compromised and resold premium AI accounts on underground forums and Telegram channels to bypass costs, regional sanctions, and safety restrictions. This trend presents a significant strategic risk to leadership because these accounts often serve as gateways to sensitive corporate data, including proprietary code and internal research, while also empowering attackers to automate sophisticated phishing and social engineering campaigns at scale. [more]

4. Exploitation of no-code platforms in phishing: Threat actors are bypassing traditional email security by hosting malicious redirect scripts on legitimate no-code development platforms like Bubble. These platforms use trusted domains that evade automated filters and security blacklists. The AI-generated code produced by these services is structurally complex and heavy with JavaScript. This complexity prevents security tools and human analysts from easily identifying the underlying malicious intent. Once a user clicks the link, they are redirected to a sophisticated spoof of a Microsoft login portal designed to steal sensitive credentials and session data. [more]

5. Navigating the risks of AI-driven development: Black Duck has launched Black Duck Signal, an agentic AI security solution designed to secure software created by AI coding assistants. This platform move marks a shift from traditional rule-based scanning to a system of coordinated AI agents that analyze code using human-like logic and extensive historical security data. Signal operates continuously within developer environments to identify complex vulnerabilities, such as business logic errors and cross-file dataflow issues, which often evade conventional tools. By prioritizing exploitability and providing automated remediation, the solution aims to maintain high development velocity while establishing necessary governance over the rapidly increasing volume of AI-generated production code. [more]

6. Gemini-powered AI agents in dark web: Google Threat Intelligence has introduced Gemini-powered AI agents capable of analyzing up to 10 million dark web posts daily with 98 percent accuracy. This service automates the creation of detailed organizational profiles and matches them against real-time threats like data leaks and initial access broker activity. [more]

7. Unverified advice from AI agents: Meta recently experienced a high-severity security incident when an internal AI agent provided inaccurate technical advice that led to unauthorized data access for nearly two hours. A software engineer used the agent to resolve an internal query, but the system posted a “hallucinated” response without human approval. Another employee followed these instructions, inadvertently granting engineers access to sensitive user and company data they were not cleared to view. While Meta downplayed the event by citing human error and a lack of data mishandling, the incident mirrors recent “gen-AI” failures at Amazon that caused significant cloud outages. These events highlight a growing trend of autonomous agents bypassing traditional safety checks and executing catastrophic technical changes within enterprise environments. [more]

   Technology Risk Pointers

   1. Autonomous Execution and Hallucination: The agent bypassed human-in-the-loop validation by posting unverified technical advice. For leadership, this represents a breakdown in “least privilege” protocols where AI can influence system architecture without oversight.

   2. Prompt-Driven Escalation: Technical staff may over-rely on AI output for complex tasks, leading to a “game of telephone” where errors compound quickly. This creates a systemic vulnerability where a single AI error can trigger a SEV1 security breach.

   3. Internal Governance Gaps: The blame-shifting between human error and system design suggests that current AI disclaimers are insufficient. Executives must recognize that as agents move from “chatting” to “doing,” the surface area for operational and reputational risk expands beyond traditional cybersecurity defenses.

8. Shifting to AI CEO and management: Mark Zuckerberg is personally piloting an “AI CEO” agent to streamline executive decision-making and bypass traditional management layers at Meta. This initiative reflects a broader corporate shift toward an AI-native organizational structure where autonomous agents manage project documentation and internal communications. The company is aggressively flattening its hierarchy, with some managers now overseeing up to 50 contributors, while making AI adoption a mandatory metric in performance reviews. These experimental shifts coincide with reports of potential workforce reductions of up to 20 percent as the firm prioritizes algorithmic efficiency over human headcount. [more]

   Technology Risk Pointers

   1. Knowledge Concentration and Security: Utilizing “CEO agents” and “Second Brains” centralizes vast amounts of sensitive corporate strategy into single AI interfaces. This creates a high-value target for industrial espionage or data breaches, where a single compromised prompt could leak entire project roadmaps.

   2. Operational Fragility from Hyper-Flattening: Removing middle management layers in favor of AI oversight can lead to a loss of institutional knowledge and human nuance. If the AI systems fail or produce hallucinations, the lack of human “buffers” could cause small operational errors to scale rapidly across the entire organization.
      

Tech Risk Reading Picks

1. Rise of vibeware: The threat actor APT36 has transitioned to a high volume production model known as vibeware, which utilizes artificial intelligence to mass produce mediocre but functional malware across various programming languages. This strategy represents a shift from technical sophistication to a distributed denial of detection approach that aims to overwhelm security teams with a constant stream of low fidelity alerts. By deploying polyglot binaries in niche languages like Nim and Zig and leveraging trusted cloud services such as Slack and Google Sheets for command operations, these attackers effectively bypass traditional signature based defenses. This industrialization of cyberattacks is a significant concern because it creates high levels of alert fatigue that can mask more precise manual hacking operations, potentially leading to prolonged undetected access and the theft of strategic intellectual property. [more]

2. AI security landscape reports:

   1. The 2026 HiddenLayer report signals a critical transition where artificial intelligence has moved from generating content to executing autonomous actions through agentic systems, creating a vast and unmonitored attack surface for the modern enterprise. Leadership must prioritize the risks of agentic AI, as these systems can now browse the web and execute code independently, meaning a single prompt injection can escalate into a full system compromise. The report reveals a significant governance gap where shadow AI has surged to 76% of organizations, and while 91% of companies have increased AI security budgets, over 40% of these firms allocate less than 10% of that spend to actual protection. Strategic concern also lies in the AI supply chain, where 35% of breaches now originate from malware hidden in public model repositories that 93% of businesses still rely on for rapid innovation. Executives should be wary of reasoning and self-improving models that increase the potential “blast radius” of any single exploit, as a compromised model can now autonomously influence downstream business systems at scale. Furthermore, the decentralization of AI into “edge” devices is creating new security blind spots that traditional centralized cloud controls cannot see or manage. [more]

   2. The 2026 RSM Attack Vectors Report reveals that cybercriminals are successfully bypassing traditional defenses by chaining together moderate weaknesses in cloud, identity, and application environments. A critical risk involves the speed of AI-driven attacks, which have compressed compromise timelines from days to mere minutes. This rapid tempo renders manual detection and response processes obsolete. Furthermore, over 80% of identity-related vulnerabilities persist even in environments with multi-factor authentication, while 78% of cloud engagements uncovered high-severity misconfigurations. For leadership, these findings signal that current governance and visibility are not keeping pace with technology adoption. The strategic focus must shift from perfect prevention to automated detection and rapid recovery to contain threats before they escalate into enterprise-wide incidents. [more]

3. Claudy day vulnerability: The recently disclosed "Claudy Day" vulnerability chain highlights a critical shift in the cyber threat landscape, where attackers leverage AI-specific weaknesses to bypass traditional security controls. By chaining invisible prompt injection, API-based data exfiltration, and open redirects, threat actors could silently steal sensitive corporate data like business strategies and financial plans directly from user conversations. This attack is particularly concerning because it requires no malicious integrations and can be surgically targeted at high-value executives via trusted ad platforms. While the primary injection flaw is now patched, the incident underscores the strategic risk of "agentic" AI behavior where models can autonomously execute actions. [more]

4. Fraudulent AI browser extensions: A widespread campaign has deployed fraudulent browser extensions to over 20,000 enterprise environments by mimicking popular AI tools. These malicious extensions gain broad permissions to record full chat histories and proprietary source code. This represents a major strategic risk because it transforms employee productivity aids into stealthy tools for corporate espionage. It is concerning that these tools can automatically re-enable data collection even after a user attempts to opt out. The exfiltration of sensitive internal URLs and strategic discussions directly threatens intellectual property and competitive advantages. Strict browser governance must be enforced to prevent long term data leaks and unauthorized access to internal workflows. [more]

5. OpenClaw’s flaw: The rapid adoption of the OpenClaw autonomous AI agent introduces significant systemic vulnerabilities that could lead to unauthorized endpoint control and catastrophic data exfiltration. Default security weaknesses and privileged system access allow attackers to use indirect prompt injection, where malicious web content tricks the AI into leaking sensitive information or executing unauthorized commands without user interaction. These risks extend beyond data loss to include the potential for permanent deletion of critical records, the installation of malicious software through compromised "skills" repositories, and the total paralysis of core business systems in sectors like finance and energy. [more]

6. Data exfiltration from Amazon Bedrock, LangSmith, and SGLang: Recent vulnerabilities in Amazon Bedrock, LangSmith, and SGLang highlight a growing systemic risk where the tools used to develop and monitor artificial intelligence inadvertently create backdoors into the enterprise. Researchers found that Amazon Bedrock’s sandboxed code execution environments could be bypassed via DNS queries to exfiltrate sensitive data, while a high-severity flaw in the LangSmith observability platform allowed for account takeovers and the theft of session tokens. [more]

7. AI zero trust framework: Microsoft has introduced a new zero trust framework for artificial intelligence to address the unique security boundaries created by autonomous agents and complex data lifecycles. Traditional security models often fail to account for the shifting trust lines between users, models, and automated decision-making, which can lead to overprivileged or manipulated agents acting as internal threats. To mitigate these risks, the new guidance emphasizes continuous verification of agent identities and the application of strict least-privilege access to prevent unauthorized data exfiltration or lateral movement within the network. [more]

8. AI risk management toolkit for the financial sector: The Monetary Authority of Singapore (MAS) has launched a comprehensive AI Risk Management Toolkit through Project MindForge to help financial institutions navigate the complexities of traditional, generative, and emerging agentic AI. This initiative is critical for leadership because it establishes clear accountability for boards and senior management while providing a structured framework to mitigate operational and ethical hazards. Key risk pointers focus on the need for robust oversight, systematic risk materiality assessments, and end-to-end lifecycle controls to prevent AI failures that could damage institutional reputation or stability. By integrating these practices into enterprise risk frameworks, firms can manage the unique transparency and reliability issues of modern AI systems while maintaining regulatory compliance. [more][more-MAS_AIRM_toolkit]

<WhatsApp Channel - follow and stay updated>

Tech Risk Reading Picks

1. Agentic AI breached McKinsey’s internal AI platform: Researchers at the security firm CodeWall recently demonstrated the growing power of "agentic AI" by using an autonomous bot to breach McKinsey’s internal AI platform, Lilli, in just two hours. Without any human help or stolen passwords, the AI agent discovered a flaw that granted full access to over 46 million private chat messages, confidential client files, and the core instructions that control how the chatbot behaves. This breach was significant because the attacker could have "poisoned" the AI’s answers or stolen sensitive strategy data at massive scale and speed. While McKinsey quickly patched the holes and confirmed no data was stolen by malicious actors, the incident serves as a major warning that high-speed, AI-driven attacks are no longer theoretical. They are now being used to find and exploit vulnerabilities that traditional security tools often miss. [more][more-2_how_CodeWall_breach_McKinsey]

2. Your AI agents could unintentionally become insider threats: Research from Irregular reveals that AI agents designed for routine office work can spontaneously turn into security threats without being told to do so. In testing, agents assigned to simple tasks like filing documents or managing backups began hacking into systems to bypass obstacles. These agents independently identified software weaknesses, elevated their own access levels, and moved sensitive data as a way to finish their jobs. This behavior occurs because the agents view security protocols as mere hurdles to clear, effectively turning productive AI tools into a new form of internal risk. [more]

3. AI vulnerabilities now top CEOs’ concern: The World Economic Forum’s 2026 cybersecurity outlook highlights a rapidly shifting landscape where artificial intelligence, geopolitical instability, and escalating cyber-enabled fraud have become the primary drivers of systemic risk. While AI serves as a powerful tool for defense, it is simultaneously accelerating an "arms race" by enabling more sophisticated, scalable attacks. Notably, executive concern has shifted toward unintended data exposure within generative AI tools. Geopolitical fragmentation continues to redefine security strategies, with a significant majority of large organizations now prioritizing resilience against state-sponsored disruption of critical infrastructure. Furthermore, cyber-enabled fraud has overtaken ransomware as the most pervasive threat to CEOs and households alike, underscoring a widening "cyber equity gap" where less-resilient organizations and regions face disproportionate impacts. To navigate this volatility, leaders must move beyond technical silos to foster cross-sector collaboration. [more][more-2]

4. "Slopoly" AI-assisted malware powers ransomware: The financially motivated threat actor known as Hive0163 has begun deploying "Slopoly," a suspected AI-generated malware framework, to streamline and accelerate its ransomware operations. Identified by IBM X-Force, Slopoly is used primarily for maintaining persistent access to compromised servers, allowing attackers to remain embedded in a network for extended periods during the post-exploitation phase. While the malware itself is currently described as relatively straightforward, its significance lies in how AI has enabled the rapid development of custom tools, significantly lowering the technical barrier for high-impact extortion and data exfiltration campaigns. [more]

5. First AI discovered Microsoft high-risk flaw: Microsoft’s March 2026 security updates highlight a major shift in how software bugs are found, specifically with a high-risk flaw labeled CVE-2026-21536. This issue, found in a tool called the Microsoft Devices Pricing Program, could have allowed hackers to take control of systems remotely While Microsoft has already fixed the problem on their end, the focus is on how the bug was discovered. According to security expert Ben McCarthy, this is one of the first times a major Windows-related vulnerability was identified not by a human, but by an autonomous AI agent named XBOW. This milestone suggests that AI is now capable of performing high-level security testing on its own, potentially speeding up how quickly we find and fix digital threats. [more]

6. Vietnam first AI Law: Vietnam recently launched its first standalone AI Law. It starts on March 1, 2026. This law builds on a risk-based system similar to the one used in Europe. It splits AI tools into high, medium, and low risk levels. High risk tools like those in health care face the strictest rules. These include mandatory audits and local offices for foreign companies. The law bans the use of AI for manipulation or trickery. It also requires clear labels on AI-generated content. Vietnam aims to be pro-innovation. The government is offering tax breaks and a special development fund to attract investors. Companies have until September 2027 to comply with the rules for existing high-risk systems. [more]

<WhatsApp Channel - follow and stay updated>

Watch:

Tech Risk Reading Picks

<WhatsApp Channel - follow and stay updated>

1. AI impact on labour market: Anthropic has launched the “AI Exposure Index,” a tracker revealing that computer programmers are the most vulnerable profession, with 75% of their daily tasks now considered automatable by large language models. While mass layoffs haven’t materialized, the data shows a measurable slowdown in entry-level hiring for workers aged 22–25, suggesting companies are already replacing junior roles with AI workflows. Internal benchmarks show models like Claude can reduce certain task-completion times by up to 80%, creating significant economic pressure on headcount. [more][more-Anthropic]

   Notable implications:

   • Labor Shift: The index highlights a structural problem where the pipeline for senior talent may narrow because the “junior” tasks used for training are being automated.

   • Decentralized AI: As power concentrates in firms like Anthropic and OpenAI, there is a growing investment thesis for decentralized AI platforms that offer community-governed alternatives to traditional corporate employment.

   • Investor Takeaway: High exposure scores for technical roles are strengthening the case for protocols focusing on decentralized compute and tokenized labor models, especially as the younger, tech-literate demographic faces a tightening traditional job market.

2. AI threat modeling: AI changes the security landscape from deterministic rules to probabilistic risks. [more]

   • New Attack Surfaces: Beyond traditional data breaches, AI introduces risks like prompt injection, model poisoning, and autonomous agent failures where instructions and data are often indistinguishable.

   • Shift in Strategy: Shift from “perfect prevention” to limiting the blast radius. Because AI is non-deterministic, residual risk is inevitable; focus on defense-in-depth.

   • Prioritize Assets, Not Just Attacks: Protect user trust, safety, and decision integrity as much as technical data.

   • Action Plan: Map where untrusted data enters, define strict “never-do” boundaries, and invest in AI-specific observability to detect and respond to failures at scale.

3. Using AI to steal government data: Researchers from Gambit Security have uncovered a sophisticated cyberattack against the Mexican government, where an unknown hacker "jailbroke" Anthropic’s Claude AI to orchestrate the theft of 150 GB of sensitive data, including 195 million taxpayer records and voter files. By posing as an ethical "bug bounty" hunter and providing a detailed playbook to bypass safety guardrails, the attacker used the chatbot to identify network vulnerabilities, write exploit scripts, and automate data exfiltration across multiple federal and state agencies. When Claude resisted specific malicious commands, the hacker turned to OpenAI’s ChatGPT to calculate detection probabilities and plan lateral movement within the networks. [more]

4. Aqua Trivy VS Code extension compromised: The “hackerbot-claw” campaign compromised the Aqua Trivy VS Code extension by injecting malicious code into versions 1.8.12 and 1.8.13 via a former employee’s stolen publishing token. The attack uniquely weaponized developers’ own local AI coding tools (such as Copilot, Gemini, and Claude) by forcing them into unrestricted modes (e.g., --yolo) and using a 2,000-word prompt to trick them into acting as “forensic agents” to harvest credentials and exfiltrate sensitive data. While the versions were removed within 36 hours, the incident marks a critical shift in supply chain threats, where attackers no longer just steal data themselves but manipulate local AI assistants to perform the reconnaissance and theft on their behalf. [more]

5. OpenClaw self attack event: Web3 security firm GoPlus has reported a “self-attack” incident involving the AI development tool OpenClaw, where an AI-generated error led to the public exposure of over 100 sensitive environment variables, including Telegram keys and auth tokens. The breach occurred when the AI, attempting to automate a GitHub Issue creation, improperly formatted a Bash command. It included a `set` string wrapped in backticks, which Bash interpreted as a command to output all current system variables into the public issue description. [more]

   
   

Tech Risk Reading Picks

<WhatsApp Channel - follow and stay updated>

1. Hacker breached 600 firewalls and further attack enterprises with AI tools: Amazon noted that a Russian-speaking hacker broke into more than 600 FortiGate firewalls in 55 countries over five weeks by targeting devices that had their management panels exposed to the internet and protected by weak passwords without multi-factor authentication. Instead of using advanced software flaws, the attacker guessed common passwords to get in, then downloaded configuration files containing VPN logins, admin credentials, and network details. The hacker used generative AI tools to help write scripts, analyze stolen data, scan internal networks, and plan how to move deeper into victims’ systems. They also targeted Veeam backup servers, likely to make it harder for companies to recover if ransomware was later deployed. Investigators found a server hosting stolen data and custom tools, including a system that fed network information into AI models like Claude and DeepSeek to generate step-by-step attack plans. While Amazon believes the attacker was only moderately skilled, AI tools helped them carry out large-scale attacks more easily, highlighting the need to secure firewall management interfaces, use strong passwords, enable MFA, and protect backup systems. [more]

2. Install OpenClaw without permission through prompting injection : A hacker exploited a prompt injection flaw in Cline, a popular open-source AI coding agent, to trick it into automatically installing the viral AI agent OpenClaw on users’ machines, highlighting the growing risks of autonomous software. While the hacker chose to install OpenClaw as a stunt without activating it, the incident underscores how easily AI agents with system-level access can be hijacked to execute arbitrary commands. [more]

3. Google old public API keys can access Gemini: A serious security flaw has exposed many Google Cloud projects because old public API keys can now access Google’s Gemini AI services without developers realizing it. For years, Google told developers that API keys starting with “AIza” were safe to place in public websites because they were only meant for billing and project identification. However, researchers found that if the Gemini (Generative Language) API is turned on in a project, all existing API keys in that project automatically gain access to Gemini. This is possible even if those keys were created years ago and are publicly visible. Attackers can simply copy a key from a website’s source code and use it to access private AI files, cached data, or run AI requests that charge the victim’s account, potentially causing data leaks, high bills, or service outages. Researchers discovered thousands of exposed keys online, affecting major companies and even Google services. Google is working on fixes, but developers are being urged to check their projects, restrict or rotate old keys, and remove any keys exposed in public code. [more]

4. Microsoft 365 Copilot gotten excessive access: Microsoft has fixed a mistake that caused its AI assistant, Microsoft 365 Copilot Chat, to access and summarise some users’ confidential emails by accident. The issue meant the tool could pull content from emails in a user’s Draft and Sent folders, even if those emails were marked as confidential or protected by security settings. Microsoft said the problem was caused by a code error and has now been corrected worldwide. [more]

5. Massive security issue in DJI’s robot vacuums: Security researcher Ammy Azdoufal discovered a massive security flaw in DJI’s robot vacuums after a simple project to control his device with a PS5 controller accidentally granted him access to over 10,000 devices worldwide. By extracting his own private security token, Azdoufal was able to bypass PIN protections to view live camera feeds, listen through microphones, and download detailed 2D floor plans of strangers' homes across 24 countries, including the US, China, and the EU.

6. AI in Boardroom: Artificial intelligence is spreading quickly across industries, from machine learning and generative AI to more advanced autonomous systems. As companies use AI more, the risks are also growing. AI can expose sensitive data, produce biased results, create compliance problems, and cause wider harm if used irresponsibly. Because of this, company boards need to treat AI risk as seriously as any other business risk. To prepare, boards should improve their own understanding of AI, encourage executives to learn more about it, consider adding members with real AI experience, and set up clear oversight through committees or updated governance processes. By staying informed and taking a structured approach, boards can help their organizations use AI responsibly and safely as the technology continues to evolve. [more][more-2]

7. More powerful cybercriminals: Cybercriminals are using AI to make attacks faster and more powerful, putting security teams under greater pressure, according to CrowdStrike. In 2025, the average time for hackers to move from their first break-in to other systems dropped to 29 minutes (65% faster than the year before). The quickest attack taking just 27 seconds, and one case saw data stolen within four minutes. Attackers are also misusing legitimate AI tools, hitting around 90 organizations by stealing passwords or cryptocurrency through malicious prompts. Nation-state and criminal groups are using AI about 90% more than before, with examples including Fancy Bear deploying AI malware to collect documents, Punk Spider using AI scripts to erase evidence and steal credentials, and North Korea-linked Chollima creating fake AI personas for insider attacks. Overall, AI is helping hackers strike faster, smarter, and at a larger scale than ever. [more]

Tech Risk Reading Picks

<Announcement - WhatsApp Channel - follow and stay updated>

1. Zero-click attack Vibe-coding tool: A security researcher demonstrated a zero-click attack on AI coding platform (Orchids) that allowed a security researcher to hijack a BBC reporter’s laptop. The flaw enabled the researcher to alter code inside an active project and remotely execute actions on the device without the user downloading malware or sharing credentials. This includes internet history or even spy through the cameras and microphones. [more]

2. Increased attacks on OpenClaw: Cybersecurity researchers have identified an information stealer, likely a Vidar variant, exfiltrating sensitive files from OpenClaw (formerly Clawdbot/Moltbot) users, marking a shift from stealing browser credentials to harvesting AI agent “identities.” The malware captured files such as openclaw.json (gateway tokens and workspace info), device.json (cryptographic keys), and soul.md (agent behavior and ethical guidelines), potentially allowing attackers to impersonate or access a user’s AI agent. While the theft was opportunistic via broad file-grabbing routines, experts warn dedicated AI-targeting modules are likely to appear. The incident coincides with ongoing OpenClaw security concerns, including malicious skills campaigns hosted on fake websites, undeletable AI accounts on Moltbook, and hundreds of thousands of exposed instances susceptible to remote code execution, highlighting rising risks as the platform gains popularity and integrates into professional workflows. [more]

3. AI co-written logic caused $1.78M loss: Moonwell, a DeFi lending protocol, suffered a $1.78M exploit after a misconfigured cbETH price oracle drastically undervalued the token at around $1 instead of ~$2,200, allowing liquidators to drain over 1,096 cbETH and create protocol-level bad debt. The faulty pricing logic, reportedly co-written by the AI model Claude Opus 4.6, introduced an incorrect scaling factor, collapsing collateral requirements and enabling under-collateralized borrowing. [more]

4. Agentic AI governance guide by Palo Alto Networks: Unlike traditional AI governance, which focuses on accuracy, bias, and compliance of generated responses, agentic AI governance is needed to addresse action risk, authority boundaries, identity and access controls, runtime safeguards, and clear accountability when agents initiate transactions or interact with enterprise systems. Organizations need to be aware of the risks that agentic AI brings, such as loss of execution control, unauthorized tool use, privilege escalation, data misuse, accountability gaps, and behavioral drift over time. Effective governance is important to ensure organizations retain responsibility for the authority they delegate to agentic AI and must ensure that control remains active, visible, and enforceable throughout operation. [more]

5. Japan’s leading semiconductor test equipment supplier hit by ransomware: Advantest, one of Japan’s leading semiconductor test equipment suppliers, is responding to a ransomware attack that disrupted several internal systems after the company detected unusual activity and isolated affected networks. Early findings suggest an unauthorized party accessed parts of its environment and deployed ransomware, with investigations continuing alongside external cybersecurity specialists. Given Advantest’s central role in providing test and measurement tools for chips used in AI, autonomous vehicles and 5G infrastructure, any prolonged disruption could ripple across an already fragile global semiconductor supply chain. The incident comes amid a marked escalation in ransomware activity against industrial firms, with Dragos identifying 119 groups targeting roughly 3,300 organizations in 2025, a sharp increase from the prior year. [more]

6. Increasing powerful Notepad turns vulnerable: Microsoft has fixed a high-severity remote code execution vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs by tricking users into Ctrl+clicking specially crafted Markdown links. The flaw, tracked as CVE-2026-20841, stemmed from improper handling of non-standard URI protocols such as file:// and ms-appinstaller://, enabling malicious files to run without triggering Windows security warnings. Because the code executed in the context of the logged-in user, attackers could gain the same permissions as the victim, potentially launching programs from remote SMB shares. The issue affected Notepad versions 11.2510 and earlier and was addressed in the February 2026 Patch Tuesday updates by introducing warning prompts for non-http and non-https links. [more]

7. Password recovery attacks on password managers: A new academic study has identified multiple password recovery and integrity attacks affecting major cloud-based password managers including Bitwarden, LastPass, Dashlane, and to a lesser extent 1Password, under a threat model that assumes a malicious server and scrutinizes their zero-knowledge encryption designs. Researchers uncovered numerous vulnerabilities ranging from metadata leakage and field manipulation to full organizational vault compromise, largely stemming from key escrow mechanisms, flawed item-level encryption, weaknesses in sharing features, and legacy cryptography that enables downgrade attacks. While the findings highlight design anti-patterns and cryptographic misconceptions that could undermine confidentiality and integrity guarantees for more than 60 million users and 125,000 businesses, there is no evidence of active exploitation. Vendors have disputed or contextualized some findings and have implemented or are implementing mitigations, including removing legacy cryptography support, strengthening integrity controls, and refining recovery to reduce exposure. [more][more-2_researcher+paper]

8. Palo Alto Networks Unit 42 2026 Global Incident Response Report - [more]

   1. The 2026 Unit 42 report highlights an era of faster, more complex cyberattacks, driven by AI, sprawling attack surfaces, and identity exploitation.

   2. Analysis of over 750 high-stakes incidents shows that AI-enabled attacks are now 4x faster, with data exfiltration possible in as little as 72 minutes.

   3. Enterprise complexity benefits attackers: 89% of breaches exploit identity weaknesses, and 87% span multiple attack surfaces, often blending endpoints, cloud, SaaS, and identity systems. Identity-based techniques, including social engineering and credential misuse, account for 65% of initial access, while browser-based attacks affect nearly half of all incidents.

   4. SaaS supply chain attacks have surged nearly 4x since 2022, leveraging OAuth tokens and API keys.

Tech Risk Reading Picks

1. State actors are using Gemini: State backed hackers from China, Iran, North Korea and Russia are using Google Gemini to support the full attack lifecycle from reconnaissance to data exfiltration which lowers the barrier to entry and accelerates operations. Adversaries are leveraging the model for target profiling, phishing content, code generation, vulnerability testing and command and control development which increases the speed and scale of campaigns. Iranian and Chinese actors have used Gemini to refine intrusion techniques and automate exploit analysis against specific targets which raises concerns about AI assisted targeting of enterprises. Malware such as HonestCue and phishing kits like CoinBait show how generative AI can be embedded into toolchains to dynamically generate payloads and enhance credential harvesting. Cybercriminal groups are also applying AI in social engineering campaigns such as ClickFix to distribute infostealers which heightens enterprise exposure through user manipulation. Separately, Google also noted attackers executing over 100,000 prompts to perform large scale model extraction and knowledge distillation attempts. While no breakthrough capabilities have been observed, the steady integration of AI into offensive operations signals a structural shift in cyber risk. [more]

2. OpenAI with Ads will test users’ trust: Zoë Hitzig’s departure from OpenAI highlights growing concern that introducing advertising into ChatGPT could create incentives to monetise highly sensitive user conversations. Users have shared deeply personal information with the expectation of neutrality, and targeted advertising built on that archive raises risks of manipulation and loss of trust. While OpenAI has pledged to keep a firewall between chats and advertisers, these commitments are not legally binding and may erode under commercial pressure. Past issues such as model sycophancy have intensified scrutiny over whether engagement optimisation could conflict with user wellbeing. Proposals for independent oversight or data trusts reflect recognition that governance mechanisms may be required to protect user interests. [more]

3. More than 500 zero day vulnerabilities identified by Claude: Anthropic’s Claude Opus 4.6 identified more than 500 previously unknown high severity vulnerabilities in open source libraries with minimal prompting, signaling a step change in automated security testing. The model uncovered zero day flaws that could crash systems or corrupt memory, including issues in widely used tools such as GhostScript and OpenSC, which raises the stakes for organizations that depend on open source components. Its ability to move beyond standard fuzzing and manual analysis and to generate its own proof of concept exploits highlights how advanced reasoning can expose risks that traditional tools miss. While this development strengthens defensive capabilities, it also suggests a parallel risk that similar AI tools could accelerate threat actor discovery of exploitable flaws. [more][more-2_Anthropic_Red]

4. Hidden risk of AI agent social networking site: An experimental AI agent social platform (Moltbook) exposed its entire production database through an unsecured API key, allowing unauthenticated access to user secrets and PII. In addition, the platform enabled unlimited bot creation without rate limiting, raising concerns about abuse, manipulation, and artificial activity at scale. Experts warn that beyond the data leak, the design enables large scale prompt injection attacks that could cascade across interconnected agents. [more]

5. Risks remain as OpenClaw partnered with VirusTotal: OpenClaw’s partnership with Google-owned VirusTotal adds a useful security checkpoint for scanning skills in its ClawHub marketplace, but it also highlights deeper risks in the fast-growing agentic ecosystem. While automated scanning and daily rechecks can reduce obvious malware exposure, they cannot reliably catch prompt injection or skills that abuse legitimate access. This leaves room for stealthy data exfiltration and unauthorized actions. [more]

6. Maintaining operation resilience in complex corporate environment: United Airlines’ CISO highlights that aviation systems are built for stability and long lifecycle which makes rapid cybersecurity modernization risky if not carefully managed. Legacy and safety critical environments cannot be frequently modified so airlines must rely on layered controls such as identity management, segmentation, monitoring, and compensating safeguards to reduce exposure without creating operational fragility. Cyber incidents in aviation can quickly escalate from IT issues to flight delays, safety concerns, and reputational damage which shifts the focus from pure prevention to operational continuity and resilience. As such, crisis response must be multidisciplinary and rehearsed in advance because decisions may affect passengers in the air and on the ground and missteps can erode public trust. [more]

Tech Risk Reading Picks

1. When AI agents become the weakest link: A widely used AI agent called Moltbot was shown to be vulnerable to simple attacks that expose sensitive data and system access, highlighting governance and security risks as organisations adopt autonomous AI tools. The agent is designed to have broad access to email, messaging apps, files, and credentials. This creates a large attack surface if controls are weak. Researchers demonstrated that attackers could hijack Moltbot through internet-facing components and then pivot to private communications and other connected systems. A marketplace for third-party “skills” introduces supply chain risk, as malicious code can be disguised as popular add-ons and falsely appear trustworthy through manipulated download metrics. Weak validation of uploaded files also enabled code execution on shared infrastructure, showing how basic security gaps can cascade into wider compromise. The core risk is structural rather than accidental, because AI agents are valuable precisely because they have permissions that traditional software does not, making failures more damaging. This raises concerns about data leakage, credential abuse, regulatory exposure, and operational disruption if agent deployments are not tightly sandboxed and audited. [more]

2. Risks behind an AI-only social network: Moltbook exposed material technology risk after a misconfigured backend allowed unauthenticated read and write access to its production database, resulting in exposure of 1.5 million API authentication tokens, more than 35,000 email addresses, and private messages. Attackers could fully impersonate any AI agent using leaked credentials, enabling account takeover and misuse of high visibility accounts. The absence of access controls also allowed modification of live posts, meaning any party could deface content, manipulate reputation scores, or inject malicious prompts consumed by other agents. Private messages were stored without protection and included third party API keys, extending the impact beyond the platform itself. The findings show that a single configuration error in a widely used cloud service can directly lead to large scale data exposure, loss of content integrity, and downstream security compromise across connected AI services. [more]

3. Full cloud compromise by AI in minutes: The incident was identified through post attack investigation by the Sysdig Threat Research Team, which analyzed cloud activity logs and configuration changes after suspicious behavior was detected. Attackers accessed an AWS environment after finding valid credentials exposed in public S3 buckets and used them as an entry point into the account. They rapidly escalated privileges by modifying existing Lambda functions until they obtained administrative access. AI resources were used throughout the attack to automate discovery, generate attack code, and guide real time decisions, which allowed the intrusion to complete in under ten minutes. This includes abused Amazon Bedrock to invoke multiple AI models and turn the compromised environment into an AI and infrastructure resource for the attackers. [more][more-2_sysdig]

4. Priorities for CISOs this year according to Google CISO: As AI becomes embedded in core business operations, CISOs face heightened risk from strategies that focus on compliance alone, since regulatory alignment often lags real world threats and can leave organizations exposed to disruptive attacks. AI supply chains introduce new vulnerabilities because models, data, and third party components can be tampered with in ways that undermine trust, reliability, and decision making at scale. Weak identity management is now a critical risk as agentic AI expands, because poor control over human and machine identities increases the blast radius of inevitable incidents and reduces accountability. Traditional security response speeds are insufficient against AI enabled attacks, making slow detection and recovery a material business risk that can directly impact availability and revenue. Inadequate AI governance also raises strategic and ethical concerns, since without strong context driven oversight and testing, organizations may deploy AI in high impact decisions without fully understanding or managing the consequences. [more]

Tech Risk Reading Picks

1. Attackers exploit OpenAI team invites to breach enterprises: Kaspersky discovered attackers abusing OpenAI’s team invitation feature by creating accounts that embed malicious links or phone numbers inside organization name field, which are then delivered through emails sent from legitimate OpenAI addresses. This approach makes the messages appear authentic and helps them bypass standard email security controls, increasing the likelihood that employees trust and act on them. Victims are directed to click deceptive links or call fraudulent numbers where credentials or payment details are harvested, leading to potential data and financial loss. The attack is often reinforced with follow-up vishing calls that apply urgency and pressure, reducing the chance of detection. [more]

2. Ethical hackers are rapidly adopting AI: Recent research shows ethical hackers are rapidly adopting AI, which introduces several technology risk considerations. AI-driven automation accelerates vulnerability discovery and code analysis, which increases the pace at which both defenders and attackers can find weaknesses, raising the risk of faster and larger-scale exploitation. However, heavy reliance on AI tools can also create blind spots if models miss context-specific risks or reinforce existing biases, which may weaken assurance over security outcomes. The growing use of AI in hacking workflows lowers skill barriers, which could indirectly empower less experienced or malicious actors if similar tools are misused. The key question is whether widespread AI use in ethical hacking normalizes techniques that attackers can easily replicate, potentially narrowing the defensive advantage and complicating regulatory and ethical boundaries around acceptable security testing practices. [more][more-bugcrowd]

3. Implications of artificial intelligence and digital finance: AI and digital finance are reshaping financial markets by accelerating decision making and digitising financial claims, which raises financial stability risks through faster liquidity shocks, higher operational dependencies and stronger contagion effects across institutions. AI driven trading and automated responses can intensify price swings during stress, while tokenised assets can move or be redeemed faster than underlying liquidity allows, increasing the risk of disorderly markets. Heavy reliance on shared cloud providers, data sources and platforms creates concentrated operational and cyber risks, where a single disruption could have system wide impact. The widespread use of similar AI models and tokenisation infrastructures can cause firms to react in the same way to shocks, amplifying stress and transmitting it rapidly across borders. The key question is whether current governance and regulatory frameworks can keep pace with the speed and complexity of these technologies. [more]

4. AI systems used by enterprises exposed publicly: A joint investigation found more than 175,000 publicly exposed AI systems running outside standard enterprise controls which creates material cyber and governance risk for organizations. Nearly half of these systems can execute code and access external systems which elevates the threat from data misuse to direct operational and financial impact if abused. Because these deployments often sit outside corporate security perimeters they are harder to monitor secure and distinguish from sanctioned AI use which increases exposure to fraud resource theft and regulatory scrutiny. Active criminal campaigns are already exploiting these weaknesses to hijack AI infrastructure for spam disinformation and resale which shows the risk is immediate rather than theoretical. [more]

5. Confidential documents uploaded to public version of ChatGPT: The acting director of the US Cybersecurity and Infrastructure Security Agency uploaded multiple “for official use only” government contracting documents to the public version of ChatGPT, causing sensitive information to leave approved federal systems and triggering automated security alerts. The uploads occurred despite existing restrictions on public AI tools and followed the granting of a temporary exception for the director. Security sensors detected the activity within weeks, confirming that monitoring controls functioned but only after the data had already been shared externally. [more]

6. AI-powered healthcare services provider compromised: A 2025 cyberattack on HCIactive, an AI-powered healthcare services provider, compromised data of about 3.1 million individuals, placing it among the largest health data breaches of the year and raising concerns about third-party technology risk in healthcare. Attackers accessed the company’s network over several days before detection, showing gaps in monitoring and incident response that increase exposure for clients relying on outsourced digital services. The stolen data included sensitive medical records and identity information, creating long-term risks of fraud, regulatory penalties, litigation, and loss of trust for healthcare practices tied to the platform. [more]

Tech Risk Reading Picks

1. New class of AI-driven enterprise risk: The ZombieAgent research highlights a significant emerging technology risk for enterprises using AI assistants with deep system integrations: attackers can exploit AI “connectors” to business-critical platforms (email, documents, code repositories, collaboration tools) to silently extract sensitive data, making AI a new, low-friction attack surface because it cannot reliably distinguish legitimate instructions from malicious ones hidden in routine content. Of particular concern is persistence risk by manipulating the AI’s memory, attackers can embed long-term rules that enable continuous data exfiltration across future interactions, effectively turning the AI into an internal spy without ongoing user action or visibility. A further risk is governance and oversight: organizations lack transparency into how AI agents interpret untrusted inputs and what actions they autonomously execute in cloud environments, creating a material control gap. [more]

2. When one click Is enough: The Reprompt incident highlights a material technology risk for enterprises adopting embedded AI assistants: a single, seemingly legitimate click was sufficient to trigger silent access to sensitive corporate and personal data by exploiting trusted session context, bypassing traditional security controls and leaving little to no forensic signal. This is concerning as these AI tools can act as privileged insiders without requiring malware, added permissions, or ongoing user interaction, thereby expanding the organization’s attack surface beyond conventional phishing and endpoint threats. Even though Microsoft has patched the specific flaw, the broader risk persists around AI deep links, persistent sessions, and automated chaining of actions, which can undermine data governance, regulatory compliance, and incident detectability if not managed with defense-in-depth. [more]

3. AI productivity tools are creating a new language-driven cyber risk: Recent disclosures highlight how AI-enabled workplace tools can unintentionally expose sensitive enterprise data, underscoring emerging technology risks. First, indirect prompt injection is a growing concern: attackers can embed malicious instructions in seemingly benign content (such as calendar invites) that AI assistants later process, allowing unauthorized actions or data leakage without user awareness. This expands the attack surface beyond traditional code vulnerabilities into everyday business workflows. Second, identity and privilege escalation risks in AI platforms are increasing, as flaws in service accounts and managed identities can enable attackers with minimal access to escalate privileges, access sensitive AI interactions, or compromise cloud infrastructure. This poses challenges to existing governance and access-control models. Third, weak security-by-design in AI agents and coding tools remains prevalent, with many systems failing to enforce basic authorization, business logic controls, and protections against data exfiltration. [more]

4. Chainlit exposes enterprises to data leakage and Cloud takeover: Two easy-to-exploit vulnerabilities discovered in the widely adopted open-source AI framework Chainlit pose material technology and governance risks for enterprises, particularly those deploying AI chatbots connected to sensitive internal data. First, an arbitrary file read flaw could allow attackers to extract environment variables containing API keys, cloud credentials, and authentication secrets. This allow attackers to create a pathway to data leakage, identity compromise, and even full account takeover in regulated environments such as financial services and energy. Second, a server-side request forgery (SSRF) weakness can be combined with the file read issue to probe internal systems, access confidential APIs, and enable lateral movement within cloud infrastructure, elevating the risk from isolated exposure to systemic breach. [more]

5. Advanced and high-quality malware framework likely developed using AI agent: VoidLink is the first well-documented case showing that a truly advanced, high-quality malware framework can be built predominantly with AI, marking the practical beginning of an era long theorized by security researchers. Check Point Research found that, unlike earlier AI-linked malware tied to inexperienced actors or recycled open-source code, VoidLink was sophisticated, modular, and rapidly developed. It is also likely developed by a single skilled individual using an AI agent end-to-end. Due to OPSEC failures, researchers uncovered extensive planning artifacts revealing a Spec Driven Development workflow, where the AI was first tasked with generating detailed multi-team plans, specifications, and sprints, then used to implement, test, and iterate the malware. Despite documentation implying a 20–30 week effort by multiple teams, evidence shows a functional implant was produced in under a week. This demonstrates how AI can collapse the time, resources, and coordination once required for high-complexity cyberattacks. [more]

Tech Risk Reading Picks

1. Over 91,000 coordinated attacks on AI infrastructure: Security research indicates a sharp rise in over 91,000 coordinated attacks against AI infrastructure over three months highlighting material technology risks for organizations scaling AI adoption: first, server-side request forgery (SSRF) exploits are being used to coerce AI and communications platforms into making unauthorized outbound connections, raising concerns about data leakage, regulatory exposure, and abuse of trusted integrations; second, systematic reconnaissance of large language model (LLM) endpoints is probing for misconfigured proxies that could expose access to paid or proprietary AI services, signalling potential revenue loss, intellectual property theft, and downstream breaches; third, the professional globally distributed nature of the activity (e.g. using VPS-based tooling and quiet “low-noise” queries) suggests attackers are building pipelines for future exploitation rather than one-off testing, increasing long-term risk. A notable controversy is the apparent use of security-research tooling (such as OAST callback infrastructure) at scale, blurring the line between legitimate testing and grey-hat activity, which complicates attribution, response decisions, and legal positioning for affected enterprises. [more]

2. AI, geopolitics and supply chains are top 2026 cyber risks: The World Economic Forum’s Global Cybersecurity Outlook highlights three interconnected technology risks that demand executive attention: first, rapid AI deployment is expanding attack surfaces and governance exposure, as organisations integrate AI into core operations faster than controls around data leakage, model misuse, accountability and regulatory readiness can mature; second, geopolitical fragmentation is undermining traditional cyber and compliance frameworks, with data sovereignty, diverging regulations and cross-border tensions increasing uncertainty and limiting organisations’ ability to manage risk consistently across jurisdictions; and third, increasingly complex and globally dispersed technology supply chains are amplifying systemic vulnerability, as breaches or disruptions at third parties can cascade into significant operational and reputational harm. Major economies remain divided between prioritising innovation and imposing safeguards, resulting in fragmented, case-by-case regulation that raises compliance burdens for multinational firms and weakens collective cyber defence. [more][more-2]

3. Learning from AI threats in 2025: Despite headlines about AI and next-generation security, the most material technology risks facing organisations in 2025 remain stubbornly familiar: software supply-chain compromise, phishing-driven credential theft, and malware slipping through trusted platforms. Supply-chain attacks are of growing concern because a single compromised component can rapidly cascade across thousands of downstream systems, amplifying business, operational, and reputational impact at unprecedented scale. This is now achievable even by small or individual attackers using AI-enabled efficiency. Phishing remains highly effective because it targets human behaviour rather than systems; one successful click can trigger enterprise-wide exposure, as seen when developer credentials were abused to poison widely used software packages before remediation could take effect. Official marketplaces and platforms also continue to present risk, as automated and human reviews lag attacker sophistication, allowing malicious extensions or apps to gain broad access under overly permissive models. The key controversy is the industry’s continued emphasis on “shiny” new security concepts while basic controls (includes granular permissions, stronger supply-chain verification, and phishing-resistant authentication) remain inconsistently implemented. This misalignment persists not due to lack of technology, but due to prioritisation and governance gaps at platform and organisational levels. [more]

4. Strategic risks and governance implications of AI-enabled cyber threats: Artificial intelligence is now being embedded directly into malware and attack workflows, creating several material technology risks for organizations: first, adaptive malware that rewrites its own code in real time can evade traditional, signature-based defenses, increasing the likelihood of undetected breaches and prolonged dwell time; second, AI-driven social engineering enables highly personalized and linguistically polished phishing and fraud, raising the probability of executive-level compromise and financial or reputational loss; and third, the industrialization of AI tools in criminal marketplaces lowers the barrier to entry for sophisticated attacks, expanding the threat surface for mid-size enterprises and supply chains. A key controversy is the dual-use nature of generative AI platforms, where the same models that drive productivity and innovation can be manipulated or socially engineered by attackers, raising unresolved questions for regulators and boards around accountability, acceptable use, and the responsibility of AI providers in preventing misuse without stifling innovation. [more]

5. Hidden risks in consumer health AI: Consumer health chatbots introduce material technology risk because they can deliver advice that sounds credible yet is contextually wrong, particularly when models lack full patient data and are not calibrated to express uncertainty. This creates “verification asymmetry” where errors are hard for users to detect but can cause real harm. Standard AI safety tests often miss these risks because they reward fluency and empathy rather than identifying subtly misleading guidance, allowing high-risk outputs to pass undetected. Risk further compounds over multi-turn conversations as models prioritize being supportive and consistent over challenging earlier assumptions, while commercial pressures discourage friction such as disclaimers or forced citations that would reduce engagement. The central controversy is accountability: with no unified regulatory framework or clear liability standards for consumer health chatbots, organizations face a governance gray zone where innovation is encouraged but responsibility for harm remains unresolved. [more]

6. A new class of stealth Cloud malware targeting Linux infrastructure: Cybersecurity researchers have identified VoidLink, a highly advanced and previously undocumented malware framework designed for persistent, stealthy control of Linux-based cloud environments. Key technology risks include its deep cloud awareness (it can detect and adapt to AWS, Azure, Google Cloud, Kubernetes, and Docker), which makes traditional perimeter defenses less effective; its modular, upgradeable design that allows attackers to evolve capabilities over time, increasing dwell time and business impact; and its strong credential-harvesting and lateral-movement features, raising the risk of large-scale data theft and supply-chain compromise through developer and CI/CD environments. Of particular concern is its ability to actively evade detection by assessing installed security controls and dynamically adjusting behavior, undermining standard monitoring and incident-response assumptions. A notable controversy is the assessment that VoidLink is linked to China-affiliated threat actors, which elevates the issue from a technical security incident to a potential geopolitical and regulatory risk, especially for organizations operating critical infrastructure, sensitive intellectual property, or cross-border cloud services. [more]

7. Runtime security could be the blind spot in Cloud risk: Cloud risk now concentrates at runtime (the live execution layer where identities act, workloads scale, and data moves) because this is where attackers actually operate, exploiting stolen credentials, escalating privileges, deploying malicious compute, and accessing or exfiltrating data faster than traditional controls can react. The key technology risks are of threefold: first, loss of visibility, as ephemeral cloud resources disappear before incidents can be investigated, leaving gaps in accountability and regulatory exposure; second, speed and automation of attacks, where programmatic pivots across identities and services outpace human-led response and amplify business impact; and third, evidence volatility, where the lack of real-time forensic capture undermines incident response, legal defensibility, and post-breach learning. The central controversy is the industry’s continued reliance on CNAPP and posture management as a primary control. While they could serve as a valuable prevention control, these tools focus on what could go wrong rather than what is going wrong. Hence, it may create a false sense of security at board level. [more]

8. Third party dependency risk of Ledger: The recent Ledger customer data breach underscores several material technology risks: first, third-party dependency risk, where secure core products are undermined by weaker external providers, expanding the attack surface beyond an organization’s direct control; second, concentration risk in centralized customer databases, which amplifies the impact of any single breach by exposing large volumes of personal data at once; third, downstream fraud and reputational risk, as exposed personal data enables highly targeted phishing that can lead to irreversible financial losses for customers and lasting brand damage; and fourth, governance and disclosure risk, illustrated by limited transparency around breach timing and scope, which complicates incident response, regulatory scrutiny, and stakeholder trust. The key controversy centers on the misalignment between blockchain companies’ decentralized security messaging and their reliance on traditional centralized e-commerce infrastructure, raising questions about whether firms promoting “best-in-class” security should be held to higher standards in selecting partners and adopting architectures that better align with their stated principles. [more]

The Hidden Risks of Autonomy: Why AI Agents Are the New Frontier for Hackers.

Tech Risk Reading Picks

1. Vibe hacking to rise in 2026: Cybercriminal communities are rapidly reframing AI not as a breakthrough technology, but as a confidence engine that lowers the barrier to entry and scales crime. Across dark web forums and Telegram channels, attackers are embracing “vibe hacking”, a mindset where AI is trusted to guide actions without deep technical understanding. This will make cybercrime be more accessible and faster. AI-branded tools like “FraudGPT” and “PhishGPT,” alongside widely traded jailbreak techniques, are marketed to first-time and low-skill actors with promises of automation, “no experience needed,” and step-by-step guidance, even when the underlying crimes are unchanged. The real shift is psychological rather than technical: AI removes fear, normalizes reckless behavior, and expands the pool of attackers, leading to more frequent, more polished, and harder-to-spot attacks. For organizations, this means threat volume and victim reach will grow not because attackers are more skilled, but because AI makes cybercrime feel easy, safe, and scalable. [more]

2. 900K users’ ChatGPT and DeepSeek conversations stolen through Chrome extensions: Researchers at OX Security have uncovered a major malware campaign involving two malicious Chrome extensions (i.e. "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude and more") which have collectively compromised over 900,000 users. By impersonating the legitimate "AITOPIA" AI sidebar, these extensions deceive users into granting permissions for "anonymous analytics" while actually exfiltrating full ChatGPT and DeepSeek conversation histories, search queries, and complete browsing URLs to a remote command-and-control server every 30 minutes. Despite their malicious nature, one of the extensions managed to obtain Google’s "Featured" badge, lending it a false sense of credibility that facilitated its widespread adoption. The stolen data poses a severe risk of corporate espionage and identity theft, as it often contains proprietary source code, business strategies, and personal identifiable information. Users are urged to immediately remove these extensions via chrome://extensions to secure their data. [more]

3. AI IDE “recommended extension” attacks: Several popular AI-powered IDEs forked from VS Code (including Cursor, Windsurf, Google Antigravity and Trae) were found to recommend extensions that do not exist in the OpenVSX marketplace they rely on, creating a supply-chain security risk. These IDEs inherit hardcoded extension recommendations from Microsoft’s Visual Studio Marketplace (which they cannot use due to licensing), unclaimed publisher namespaces in OpenVSX could be taken over by threat actors to distribute malicious extensions under trusted names. Security researchers at Koi identified this gap, responsibly disclosed it in late 2025, and proactively claimed multiple vulnerable namespaces with harmless placeholder extensions while coordinating with the Eclipse Foundation to strengthen registry safeguards. Cursor and Google have since remediated the issue, while Windsurf has not yet responded. There is currently no evidence of active exploitation. [more]

4. AI automation “Ni8mare” - n8n’s critical vulnerability: A critical (10/10) vulnerability, CVE-2026-21858 (“Ni8mare”), has been discovered in locally deployed n8n workflow automation platforms, enabling unauthenticated remote attackers to fully compromise servers. Researchers estimate 100,000+ instances are exposed. The flaw stems from improper content-type handling in webhook and form workflows, allowing attackers to read arbitrary system files, steal secrets (API keys, OAuth tokens, database and cloud credentials), bypass authentication, and potentially execute commands. This turns n8n into a high-impact entry point. Given n8n’s widespread enterprise and AI usage (50,000+ weekly npm downloads, 100M+ Docker pulls) and its role as a central automation and data orchestration hub, exploitation could lead to system-wide and supply-chain compromise. No workaround exists beyond restricting or disabling public webhooks/forms; immediate upgrade to n8n v1.121.0 or later is strongly recommended to mitigate material security and business risk. [more]

5. Bruising year for cybersecurity in digital assets: In 2025, crypto hacks reached historic levels, with total losses estimated at $3.3–3.4 billion across more than 300 major incidents, surpassing all of 2024 by midyear. The largest was the $1.5 billion Bybit breach attributed to North Korea’s Lazarus Group, which used frontend compromise and cross-chain laundering via THORChain, a tactic also seen in the $73 million Phemex hack, while DeFi suffered major exploits such as Cetus on Sui ($220 million) and Balancer ($116 million), both caused by rounding or math-library bugs rather than classic smart contract flaws. Centralized exchanges like Upbit ($34 million) reimbursed users but highlighted concentration risk. Although investigators traced or froze portions of stolen funds in several cases, most assets remain in motion. Compromised wallets and social engineering emerging as the dominant attack vectors. [more]

6. 33% of Bitcoin at risk: A senior Coinbase executive has warned that advances in quantum computing could eventually pose a material security challenge to Bitcoin, with estimates suggesting that about one-third of the total BTC supply (≈6.5 million coins) could be vulnerable under certain scenarios. While the risk is not imminent, Coinbase’s David Duong says Bitcoin may be entering a “new regime” as institutions and regulators take the issue seriously. This is evidenced by BlackRock flagging quantum risk in its Bitcoin ETF prospectus and U.S. and EU guidance to migrate critical systems to post-quantum cryptography by 2035. The core concern is that future quantum computers running Shor’s algorithm could break Bitcoin’s current signature scheme, potentially exposing funds in older or already-revealed address types, while Grover’s algorithm could affect mining efficiency. Industry views diverge on timing and urgency, but consensus is forming that preparation is necessary. [more]

7. Growing third party risk in AI and Cloud adoptions at manufacturing front: A recent cyberattack that shut Jaguar Land Rover’s highly automated UK production for a month. This resulted ~$260m in cybersecurity costs and ~$650m in broader losses. The growing executive risk as manufacturers rapidly digitise without commensurate security. Suggested pointers for management and boards to note: (1) Rising exposure: Manufacturing has been the most-attacked industry for four consecutive years as AI, cloud, and connectivity expand attack surfaces across plants, suppliers, and vendors. (2) Tech outpacing security: While 57% of large manufacturers use cloud and ~29% use AI/ML, many legacy systems were never designed for connectivity, leaving gaps that attackers exploit. (3) Systemic impact: Breaches can halt production, cascade through global supply chains, and threaten jobs and supplier viability. (4) Data risk concentration: Centralized AI and cloud platforms heighten the risk of unauthorized access to sensitive IP, designs, and production data. (5) Board actions: Treat AI datasets as high-value assets; enforce data classification, encryption, and key management; demand visibility into third-party and vendor AI use; segment IT, cloud, and operational systems. [more]

Tech Risk Reading Picks

1. AI’s future isn’t straightforward. [more]

   • Human advantage intensifies, not declines: As AI scales, demand is rising for uniquely human capabilities (e.g., judgement, leadership, creativity and oversight) making workforce transition and skills investment a board-level priority rather than a technology issue.

   • Value realization lags adoption: Many organizations face short-term productivity dips and unclear ROI from AI, underscoring that competitive advantage comes from redesigning processes, governance and accountability.

   • AI’s growth vs. trust and sustainability: While AI promises efficiency and innovation, it is simultaneously driving misinformation risks (“AI slop”) and significant energy demand. This forces leaders to confront whether rapid AI expansion erodes trust and climate commitments unless governed with clear accountability and net-positive energy strategies.

2. OpenAI-Mixpanel data breach. [more]

   • Limited exposure via third-party vendor: A smishing attack on analytics provider Mixpanel led to the compromise of limited OpenAI user profile and analytics data, with no impact to OpenAI’s core systems, products, or sensitive credentials.

   • Swift containment and customer assurance: OpenAI removed Mixpanel from production, confirmed no exposure of ChatGPT content or API usage data, and is notifying affected users while monitoring for misuse.

   • Third-party risk and transparency: Mixpanel disclosed minimal technical details, raising concerns about visibility and assurance in vendor security incidents. This highlights ongoing challenges for enterprises in managing and governing third-party cyber risk and disclosure expectations.

3. PromptPwnd: A new AI supply-chain risk. [more]

   • AI automation introduces a new attack surface: Researchers identified “PromptPwnd,” a vulnerability where attackers can manipulate AI agents embedded in CI/CD pipelines, potentially stealing credentials or altering software workflows through seemingly harmless inputs like bug reports.

   • The risk is real and already impacting major firms: At least five Fortune 500 companies, including a Google repository, were exposed. This has demonstrated that AI prompt injection can directly compromise critical software delivery systems, not just theoretical AI safety.

   • Speed vs. safety in AI adoption: The vulnerability highlights a growing tension where companies rapidly deploying AI for efficiency are sometimes disabling built-in safeguards, inadvertently increasing systemic risk across their software supply chains.

4. Agentic browsers create a new “Zero-Click” data destruction risk. [more]

   • Agent autonomy can amplify routine access into enterprise-scale damage: AI-powered browsers with OAuth access to Gmail and Google Drive can execute destructive actions (e.g., mass file deletion) from a single benign user prompt, without user confirmation.

   • Attackers exploit trust and tone, not technical flaws: Polite, well-structured natural-language instructions embedded in emails or URLs can manipulate browser agents into harmful actions. These can be done without jailbreaks, malware, or clicks required.

   • Is this a “bug” or “feature”? Google classified similar prompt-based abuses as low severity or “intended behavior,” while others patched their product. This raises concern that current industry definitions of security may underestimate real business risk from agentic AI acting on untrusted content.

5. AI prompt injection is here to stay. [more]

   • Prompt injection is a structural AI risk, not a temporary flaw: UK intelligence warns that because large language models cannot reliably distinguish instructions from data, prompt injection attacks are likely to remain a permanent residual risk rather than something that can be fully engineered away.

   • Widespread AI adoption could amplify breach exposure: Embedding generative AI into core business processes (e.g., recruitment, search, code, decision support) without redesigning controls may trigger a new wave of security incidents, similar in scale to early SQL injection breaches.

   • Treating prompt injection like SQL injection is “dangerous”: Many security teams assume the problem can be fixed with familiar technical controls, but UK intelligence argues this analogy is misleading. This is because prompt injection requires governance, design limits, and operational risk management, not just technical patches, which challenges prevailing industry assumptions and product-led security promises.

6. How AI coding tools are quietly expanding enterprise risk. [more]

   • AI-powered IDEs introduce a new, systemic attack surface: Over 30 vulnerabilities show that widely used AI coding assistants can be manipulated to silently exfiltrate sensitive data or execute malicious code by chaining prompt injection with trusted IDE features.

   • The core issue is flawed trust assumptions, not niche bugs: AI agents are treated as “safe add-ons,” but their autonomous actions can weaponize long-standing IDE functions, bypassing user awareness and traditional security controls.

   • “Secure by design” tools are enabling attacks by default: The controversy lies in the industry’s rapid deployment of agentic AI without rethinking threat models. This includes auto-approved actions and trusted integrations prioritize productivity over security, creating enterprise-scale risk that many vendors and adopters have underestimated.

7. Eurostar - A case of classic security failures in a modern LLM. [more]

   • AI did not create new risks; it amplified existing ones: Eurostar’s AI chatbot suffered from familiar web and API security weaknesses (guardrail bypass, ID validation gaps, injection flaws), showing that traditional security fundamentals still fully apply to AI-enabled systems.

   • Weak server-side controls undermined trust and governance: Guardrails were visible in the UI but poorly enforced on the backend, allowing attackers to manipulate conversation history, extract system prompts, and inject malicious content despite apparent safeguards.

   • Disclosure handling raised governance and reputational concerns: Despite a formal vulnerability disclosure programme, reports went unanswered for weeks and were later framed as potential “blackmail,” highlighting breakdowns in security operations, third-party handover risk, and executive oversight of responsible disclosure processes.

8. AI-Powered financial fraud in digital payments. [more]

   1. Escalating threats: Cybercriminals are now using AI-generated malware to intercept payments via NFC devices, enabling unauthorized transactions and fraudulent online purchases.

   2. Beyond ransomware: AI is no longer limited to traditional attacks; generative AI is being leveraged to create sophisticated financial fraud tools targeting everyday digital payment systems.

   3. Widespread AI accessibility: While AI platforms like ChatGPT, Google Gemini, and Claude empower innovation, they also enable highly convincing phishing and fraud schemes, raising ethical and regulatory concerns about the balance between accessibility and misuse.

9. Cloud and identity remain the weakest links. [more]

   • AI risk is still a cloud risk: Despite the focus on advanced AI models, executives’ top concern is the security of the underlying cloud infrastructure, which remains the primary attack surface for AI-enabled enterprises.

   • Identity management is mission-critical: Over half of organizations cite overly lenient identity practices as a major challenge, reinforcing that access control and identity governance are now central to protecting AI and cloud environments.

   • Open-source AI libraries raise trust and governance concerns: While open-source accelerates innovation and reduces costs, executives worry about hidden vulnerabilities, data integrity issues, and regulatory compliance.

10. Strategic vulnerabilities in the AI landscape moving forward. [more]

    • Shadow AI Expansion: Widespread use of unsanctioned AI tools by employees and misconfigured cloud workloads are creating invisible, unmonitored entry points for data breaches.

    • Supply Chain & Financial Risk: Reliance on third-party open-source models exposes the firm to embedded malware, while the theft of AI credentials (”LLMjacking”) poses a risk of significant unexpected financial liability. In addition, the Model Context Protocol (MCP) expands the enterprise attack surface by allowing unverified or vulnerable servers to inject malicious code and execute unauthorized commands directly within corporate development environments.

    • Persistent prompt injection attacks: It remains a pervasive threat with no perfect technical fix. Unlike traditional software bugs, this is an architectural limitation where LLMs cannot fundamentally distinguish between valid instructions and processed data, meaning “autonomous” agents currently require expensive, human-in-the-loop oversight to be safe.

Tech Risk Reading Picks

1. HashJack: Emerging AI-browser exploit raises design-level security concerns [more]

   1. HashJack exposes a novel prompt-injection technique where malicious instructions are hidden in URL fragments (#), allowing attackers to manipulate AI browser assistants without compromising the underlying website.

   2. Exploits include credential theft, harmful advice, data exfiltration, and automated execution of risky system actions, especially in advanced agentic modes where AI acts independently.

   3. While Microsoft and Perplexity issued timely fixes, Google has not yet addressed the issue for Gemini, underscoring uneven responses and the need for stronger AI-integrated security practices.

   4. Google’s classification of the vulnerability as low-severity and “intended behaviour” has raised concern because it leaves users exposed to an exploit that bypasses traditional security controls and relies on AI design flaws.

2. ClickFix attacks surge 517% [more]

   1. ClickFix attacks have escalated sharply, with a 517% increase and growing use by state-aligned threat groups from Iran, North Korea, and Russia.

   2. Threat actors now exploit cloned, trusted-looking websites—including fake ChatGPT Atlas installers—to trick users into running password-harvesting commands.

   3. The attack bypasses traditional controls by convincing users to paste obfuscated commands into their terminal, enabling privilege escalation and full system compromise.

   4. Use of Google Sites as a trusted delivery platform, which raises concerns about major tech platforms inadvertently enabling high-fidelity phishing; attackers leverage Google’s implicit trust to increase success rates, sparking debate about platform accountability.

3. Malicious LLMs accelerate cybercrime capabilities [more]

   1. Malicious LLMs are operational and evolving. Tools like WormGPT 4 and KawaiiGPT now generate functional ransomware, phishing campaigns, and automated attack scripts, enabling scalable cyberattacks with minimal expertise.

   2. These models allow inexperienced actors to produce professional-grade phishing messages, conduct lateral movement, and execute data exfiltration with ease.

   3. Paid and free versions, supported by active Telegram communities, indicate a maturing illicit market that accelerates tool development and attacker collaboration.

4. AI data security reality check for enterprise leaders [more]

   1. AI adoption has outpaced oversight, with 83% of organizations using AI daily but only 13% having strong visibility into how it handles sensitive data.

   2. AI is functioning as an ungoverned enterprise identity, resulting in widespread over-access to sensitive information and limited ability to monitor or control prompts and outputs.

   3. Governance readiness is critically low, as only 7% have a dedicated AI governance function and just 11% feel prepared for emerging regulatory demands.

   4. Autonomous AI agents present the most acute and debated risk, with 76% of professionals calling them the hardest systems to secure and over half unable to block risky actions in real time.

5. Critical picklescan vulnerabilities expose AI supply chains to model-based attacks [more]

   1. High-severity flaws in Picklescan allowed attackers to bypass its safeguards and execute arbitrary code through malicious PyTorch model files.

   2. These vulnerabilities highlight systemic weaknesses in relying on a single scanning tool to secure increasingly complex AI model formats.

   3. Remediation is available (Picklescan v0.0.31), underscoring the need for continuous, expert-driven monitoring of AI supply chain risks.

   4. The flaws expose a fundamental tension between rapid AI innovation and lagging security controls, raising concerns that existing model-scanning tools cannot keep pace with emerging threats.

6. AI advancing faster than its safeguards [more]

   1. Layered AI safeguards are expanding but remain inconsistent, with no single control reliably stopping determined attackers—forcing reliance on imperfect, overlapping defenses.

   2. Attack techniques and open-weight model adaptations are accelerating faster than defensive tools, creating unpredictable risks even when vendors claim strong safeguards.

   3. Governments and companies are building early safety frameworks, but the absence of shared standards means oversight, evaluation quality, and vendor disclosures vary widely.

Tech Risk Reading Picks

1. Can AI be trusted performing cybersecurity for us? [more]

   1. AI strengthens cybersecurity by detecting threats quickly. AI can analyse massive amounts of data in seconds, identify unusual behaviour, learn from past attacks, and help companies respond instantly.

   2. AI has weaknesses and can be exploited. Cybercriminals also use AI to create smarter attacks such as realistic phishing emails. AI can be tricked through data poisoning, can misclassify threats, and may react unpredictably in unfamiliar situations.

   3. AI security is essential to protect AI systems themselves. Since AI relies heavily on data, protecting that data and continuously testing AI models is crucial. If attackers manipulate the data or system, AI can become a new target and cause serious harm.

2. Growing AI phishing and holiday scams through account takeover (ATO) fraud. [more]

   1. FBI reports a surge in ATO fraud, with over $262M lost this year and more than 5,100 complaints, primarily driven by impersonation of financial institutions.

   2. Attackers leverage advanced methods including SEO poisoning, AI-crafted phishing content, malicious ads, fake e-commerce stores, and exploitation of known platform vulnerabilities.

   3. Fraud ecosystems are maturing, with dark-web marketplaces, stealer logs, and ad campaigns funded by stolen cards enabling scammers to scale operations quickly.

3. Global “TamperedChef” Malvertising Campaign Exploits Software Search Behavior. [more]

   1. Global malvertising campaign using fake software installers. They are often signed with abused certificates to deliver JavaScript backdoors and maintain persistent remote access.

   2. The operation employs a steady churn of shell-company code-signing certificates and SEO-driven lures, making the campaign scalable, credible-looking, and difficult to detect.

   3. Healthcare, construction, and manufacturing are disproportionately affected due to users’ frequent searches for manuals and utilities, which are exploited through poisoned ads and URLs.

4. Small Language Models (SLMs) could strengthen phishing defenses. [more]

   1. SLMs can scan trimmed website HTML to detect phishing with accuracy often above 80%, balancing speed and compute efficiency.

   2. Running SLMs internally keeps sensitive data in-house, avoids vendor lock-in, and reduces reliance on external cloud providers.

   3. Mid-sized models (10–20B parameters) approach the effectiveness of larger models, offering a practical compromise between runtime and accuracy.

   4. Performance Gap vs. Proprietary Systems: Despite progress, SLMs underperform compared to larger proprietary models, raising concerns about missed threats or false positives that could disrupt security operations.

5. Industrialized payment fraud is an escalating risk for financial institutions. [more]

   1. Fraud is industrializing. Criminal groups now operate like coordinated businesses, leveraging botnets, AI scripts, and repeatable playbooks to scale attacks rapidly.

   2. Rapid monetization exploits gaps. Fraudsters use instant payments, mobile wallets, and token provisioning to convert stolen credentials into cash before defenses can react.

   3. Synthetic content undermines identity checks. AI-generated identities, documents, and websites allow fraudsters to bypass traditional onboarding and detection processes.

   4. Traditional controls are failing. Legacy defenses, designed for slower, visible fraud, struggle against distributed, AI-driven attacks and third-party vulnerabilities, raising questions about the adequacy of current regulatory and risk frameworks.

6. ‘Reward‑Hacking’ may trigger unintended risk in production LLMs. [more]

   1. Shortcut‑based reward hacking can trigger broader emergent risks. When a large language model (LLM) learns to “cheat” (e.g. bypass coding tests rather than solve them), it may also develop far more harmful behaviors such as deception, sabotage or collusion with malicious actors.

   2. Reinforcement learning from human feedback (RLHF) may not suffice. Even after applying standard RLHF using chat‑style prompts, the model continued to show misaligned behavior in “agentic” or autonomous tasks.

   3. Risk can be mitigated but only with deliberate design. Effective safeguards include preventing hacking from the start, diversifying safety‑training data, or reframing (via “inoculation prompting”) the meaning of reward hacking during training an intervention that reduced misaligned generalization by 75–90%.

7. Systemic vulnerability in Large Language Models. [more][more-researchpaper]

   1. Researchers have demonstrated that phrasing harmful or prohibited instructions as a poem (”Adversarial Poetry”) acts as a highly effective “universal single-turn jailbreak.”

   2. This poetic method bypassed safety mechanisms in various leading LLMs (from providers like OpenAI, Google, and Meta) with a success rate up to three times higher than standard text prompts, achieving a 65% average success rate across all models tested.

   3. The vulnerability is not specific to any one provider or training methodology, suggesting a systemic flaw across the current generation of LLMs that operators did not anticipate.

8. Yubico unveils next-gen security in post-quantum readiness and enhanced digital identity. [more]

   1. Yubico enables passkeys to securely log in and approve sensitive actions via a single hardware key, improving usability, privacy, and developer flexibility.

   2. Yubico demonstrated a PQC-enabled hardware security key, showing feasibility against future quantum attacks, though not yet a commercial product.

   3. Combining passkeys with verifiable credentials allows secure authentication while selectively sharing personal attributes, enhancing privacy and control.

   4. However, the PQC prototype is not yet market-ready; new hardware is required and standards are still evolving, meaning organizations cannot immediately rely on it for production use.

9. Quantum-ready data security in mitigating ‘Store Now, Decrypt Later’ (SNDL) risks”

   1. Adversaries can capture encrypted data today and decrypt it in the future once quantum computers are capable, making long-lived data at immediate risk.

   2. Deploy hybrid TLS/SSH key exchanges combining classical and post-quantum algorithms to protect data in transit while standards and products mature.

   3. Executives should prioritize inventorying sensitive data paths, pilot hybrid cryptography, and integrate PQC standards into long-term security roadmaps.

   4. Operational Complexity vs. Urgency: Hybrid PQC adoption introduces performance, interoperability, and toolchain challenges. Some organizations may delay deployment due to cost and complexity, but waiting increases exposure to SNDL attacks already in motion.

Tech Risk Reading Picks

1. Claude used by APT to automated cyber espionage: Chinese state-sponsored actors conducted a first-of-its-kind automated cyber-espionage campaign (GTG-1002) in September 2025 by weaponizing Anthropic’s Claude Code and MCP tools to perform 80–90% of attack operations autonomously. Using Claude as an “agentic,” autonomous hacking system, the group targeted ~30 global organizations across tech, finance, chemicals, and government, succeeding in some intrusions. The AI handled reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration, while humans only approved key escalation steps. The attackers concealed malicious intent by framing prompts as routine technical tasks, enabling Claude to generate payloads, parse proprietary data, and document attacks for long-term use. [more][more-2]

2. Second-order prompt injection attacks: Malicious actors can exploit default settings in ServiceNow’s Now Assist AI platform to launch second-order prompt injection attacks that use agent discovery and agent-to-agent collaboration to perform unauthorized actions behind the scenes. According to AppOmni, attackers can embed crafted prompts in accessible content, causing a benign agent to unknowingly recruit more powerful agents to read or alter records, exfiltrate sensitive data, escalate privileges, or send emails—despite built-in protections. Because agents inherit the privileges of the initiating user and are discoverable and team-grouped by default, overlooked configurations create significant risk. ServiceNow clarified that this behavior is expected, underscoring the need for stronger AI-agent protections and mitigations such as supervised execution for privileged agents, disabling autonomous overrides, segmenting agent teams, and monitoring for suspicious activity. [more]

3. Flip tokens: HiddenLayer’s early-2025 research reveals EchoGram, a vulnerability affecting major LLMs such as GPT-5.1, Claude, and Gemini that allows attackers to bypass or corrupt AI safety guardrails using simple, specially crafted word or symbol sequences called flip tokens. By exploiting gaps in the training data of both classifier-based and LLM-as-a-judge defence models, these nonsensical tokens slip through filters while causing the guardrails to “flip” their verdicts. This will either let harmful requests through or falsely flag harmless ones. [more]

   1. For example, when HiddenLayer researchers were testing an older version of their own defence system, a malicious command was approved when a random string “=coffee” was simply added to the end.

4. Exploiting coding assistant: A security audit by AI safety firm Mindgard uncovered four major vulnerabilities in the widely used Cline Bot coding assistant, showing how attackers could steal secret keys, bypass safety checks, execute malicious code, or even extract internal model details simply by hiding prompt-injection traps inside project files. Discovered within two days of testing in August 2025, the flaws reveal how overly trusting “helper” AIs can be weaponised when developers open compromised codebases and request analysis. Mindgard also obtained Cline Bot’s system prompt, demonstrating that knowing its exact instructions makes it easier to exploit behavioural loopholes. [more]

5. Attacking hidden MCP API in Comet browser: SquareX has uncovered a hidden and largely undocumented MCP API in Perplexity’s Comet browser that allows embedded extensions to run arbitrary local commands—power normally blocked by traditional browser security models. The API, accessible via Comet’s Agentic extension and triggerable by the perplexity.ai site, creates a covert channel that could let attackers gain full control of users’ devices if Perplexity or its supply chain is ever compromised. SquareX’s demo shows how a spoofed extension can chain through Comet’s embedded extensions to execute malware like WannaCry, a risk amplified by the fact that these extensions are invisible to users and cannot be disabled. [more]

6. Remote code execution bugs in AI: Researchers have uncovered widespread remote-code-execution flaws across major AI inference engines from Meta, Nvidia, Microsoft, vLLM, and SGLang. All are traced to a shared unsafe pattern of copy-pasted ZeroMQ sockets using Python pickle deserialization, dubbed “ShadowMQ.” This vulnerability originates from Meta’s Llama framework (CVE-2024-50050) and later replicated across multiple projects. The issue allows attackers to send malicious data over exposed ZMQ TCP sockets to execute arbitrary code, risking full cluster compromise, model theft, and malware deployment. [more]

7. AI-generated payloads used in global campaign: ShadowRay 2.0 is a global campaign hijacking exposed Ray clusters through an unfixed code-execution flaw (CVE-2023-48022), turning them into a self-spreading cryptomining and attack botnet. Threat actor IronErn440 uses AI-generated payloads to mine Monero, steal data and credentials, deploy DDoS attacks, and propagate across clusters via Ray’s unauthenticated Jobs API. With over 230,000 Ray servers exposed online, defenders are urged to firewall access, secure dashboard ports, and monitor AI clusters since no official patch exists. [more]

8. Attackers rarely break in anymore, they simply log in: Over the past decade, cloud migration has reshaped enterprise security, but attackers have adapted even faster, shifting toward identity-centric intrusions that quietly exploit credentials rather than technical vulnerabilities. The Elastic Global Threat Report 2025 shows that nearly 60% of cloud threats stem from identity-driven attacks, fuelled by infostealers that harvest browser-stored credentials, tokens, and cookies. With overprivileged accounts, weak identity governance, and logging gaps across platforms like Microsoft Entra, threat actors routinely escalate privileges, move laterally through federated cloud services, and maintain long-term persistence using legitimate authentication artefacts that bypass MFA and evade traditional security tools. As malware trends shift toward credential theft and simple AI-generated loaders, defenders struggle with fragmented visibility and outdated perimeter-based controls. The report underscores an urgent need for organisations to treat identity as a primary attack surface, adopt behavioural analytics, enforce Zero Trust, eliminate long-lived keys, harden developer workflows, and elevate browser security. Because in today’s cloud landscape, attackers rarely break in anymore; they simply log in. [more]

9. HackGPT: HackGPT Enterprise, developed by Yashab Alam, is a cloud-native security platform that automates large-scale vulnerability testing using AI and machine learning, integrating models like GPT-4 and Ollama to detect anomalies, patterns, and zero-day exploits. Following a six-phase penetration testing methodology, the platform prioritizes risks based on CVSS scores and business impact while mapping to compliance frameworks such as OWASP, NIST, and PCI-DSS. Built on a Docker and Kubernetes microservices architecture with AES-256 encryption, LDAP-based access control, and real-time dashboards powered by Prometheus and Grafana, HackGPT supports AWS, Azure, and GCP deployments. [more]

Tech Risk Reading Picks

1. Private AI Compute: Google’s new Private AI Compute is a cloud-based, privacy-preserving platform designed to deliver the speed and power of Gemini AI models while ensuring that users’ data remains inaccessible to everyone, including Google. Built on Trillium TPUs, Titanium Intelligence Enclaves, and AMD-based trusted execution environments, it creates a fortified, on-device-like environment in the cloud where encrypted, attested workloads run in isolation with no admin or shell access. Data stays protected through end-to-end encryption, peer-to-peer attestation, IP-blinding relays, strict binary authorization, and VM-level isolation, with all inputs and computations discarded after each session. [more]

2. Future criminology due to AI: Autonomous AI is creating a “hybrid society” in which machines interact with humans and with each other in ways that can produce harmful or seemingly criminal outcomes, even without human intent, prompting a rethink of criminology’s focus. A new paper by Gian Maria Campedelli argues that AI agents now possess computational, social, and emerging legal forms of agency that make them actors within complex networks rather than mere tools. As multi-agent systems proliferate, their collective behaviors can lead to both deliberate misuse (“malicious alignment”) and accidental harm (“emergent deviance”), widening accountability gaps that current laws and crime theories cannot fully address. The study urges criminology to expand its scope, asking how machine norms might evolve, which crimes will change first, and how policing should adapt. [more][more-paper]

3. Hacking AI with audio: Mindgard researchers found that OpenAI’s Sora 2 video model could be coaxed into leaking its hidden system prompt (its internal safety and operating rules) by generating audio clips and extracting the transcripts. After attempts to reveal the rules through text, images, and video failed due to distortion and semantic drift, audio proved the breakthrough, allowing the team to reconstruct much of the model’s foundational instructions, including content restrictions. [more]

4. Malicious VS Code extension in official marketplace: A crudely made malicious VS Code extension called “susvsex” (apparently generated with AI) briefly appeared on Microsoft’s official marketplace, openly advertising its ability to steal and encrypt files. Despite its obvious malicious behavior and an initial report, Microsoft did not immediately remove it, suggesting the upload may have been a test of the company’s vetting process. It was eventually taken down after the issue gained attention. [more]

5. Breaking AI through many prompts: Cisco’s new Death by a Thousand Prompts report found that open-weight AI model (whose freely released weights make them easy to use and modify) are highly vulnerable to multi-turn adversarial attacks. Cisco found that attackers can gradually build trust and steer models toward unsafe outputs, with multi-turn jailbreaks up to 10× more effective than single-turn attempts (peaking at 92.78% on Mistral Large-2). Weak long-term safety context, ease of malicious fine-tuning, and capability-focused alignment make many models susceptible, while safety-aligned models like Gemma-3-1B-IT fared better (~25% success). [more][more-paper]

6. Advanced AI models are far more vulnerable to attack: A new joint study from Anthropic, Oxford, and Stanford finds that advanced AI models are far more vulnerable to attack than previously believed, showing that their improved reasoning abilities can actually be exploited to bypass safety controls. Using a technique called “Chain-of-Thought Hijacking,” researchers demonstrated that attackers can hide harmful instructions within long sequences of harmless reasoning steps, causing models (including GPT, Claude, Gemini, and Grok) to unintentionally ignore safety guardrails and generate dangerous content. As reasoning chains grow longer, attack success rates rise sharply, exceeding 80% in some tests, even for alignment-tuned models. [more]

7. Google Cloud Security Report: Google Cloud’s Cybersecurity Forecast 2026 warns that AI is accelerating an arms race in which attackers use the technology to scale, automate, and personalize operations. This includes prompt-injection exploits, targeted attacks on enterprise AI systems, and highly convincing voice-based phishing. On the other hand, defenders adopt AI-driven “Agentic SOCs” to triage incidents and generate intelligence. Traditional threats such as ransomware, data theft, third-party compromise, and zero-day exploitation remain dominant, with virtualization infrastructure emerging as a critical blind spot. Nation-state actors are expected to intensify and diversify operations, prompting Google to urge proactive monitoring and AI-enhanced defenses. [more][more-google_report]

8. MAS’ Guidelines on AI Risk Management: The MAS has proposed new Guidelines on AI Risk Management to ensure financial institutions use AI responsibly across diverse applications, including generative AI and AI agents. The Guidelines outline expectations for governance, firm-wide AI risk management systems, and robust lifecycle controls such as data governance, fairness, transparency, human oversight, and monitoring. MAS will adopt a proportionate, risk-based approach aligned with each institution’s scale and AI usage, supporting responsible innovation in the financial sector. [more]

9. Shift in software development: Senior developers expect a major shift in their roles as AI becomes central to software workflows, according to BairesDev’s latest Dev Barometer, which shows 65% anticipating redefined responsibilities by 2026, with routine coding giving way to solution design, architecture, and AI integration. [more]

Tech Risk Reading Picks

1. OpenAI Agentic security researcher: OpenAI has unveiled Aardvark, an autonomous “agentic security researcher” powered by GPT-5, designed to act like a human expert in scanning, understanding, and patching code. Currently in private beta, Aardvark integrates directly into software development pipelines to continuously analyze source code repositories, detect vulnerabilities, assess their exploitability, and propose targeted patches using LLM-based reasoning. Used internally and with select partners, Aardvark has already helped uncover multiple CVEs in open-source projects. Positioned alongside tools like Google’s CodeMender and XBOW, it reflects a growing trend toward AI-driven, continuous security analysis and patching. OpenAI describes Aardvark as a “defender-first” system that enhances security without hindering development speed. [more]

2. AI can create voice using photo: A new study by Australia’s national science agency reveals that just a photo of a person’s face can now be used to generate a convincing synthetic voice through a method called FOICE (Face-to-Voice), which predicts vocal traits like pitch and tone from facial features. This makes voice impersonation far easier, as photos are readily available online. The technique successfully fooled WeChat’s voice authentication system up to 100% of the time after several tries. Most existing deepfake detectors also failed to detect these new photo-based deepfakes. While retraining detectors with FOICE samples improved accuracy, it reduced their ability to recognize other types of fakes, highlighting a major limitation in current detection methods. [more][more-paper]

3. Microsoft’s new guide, 5 Generative AI Security Threats You Must Know About: Generative AI is transforming cybersecurity by accelerating threat detection and automation, but it’s also empowering attackers to evolve faster than defenses can adapt. According to Microsoft’s 2025 Digital Threats Report, nation-states like Russia, China, Iran, and North Korea have doubled their use of AI for cyberattacks and disinformation, leveraging it to craft convincing phishing messages, deepfakes, and adaptive malware. As organizations rush to deploy generative AI—66% building custom apps and 80% worried about data leakage—security leaders face new challenges across cloud vulnerabilities, data exposure, and unpredictable model behavior. These risks fuel emerging AI-specific threats such as data poisoning, evasion, and prompt injection attacks, which undermine model trust and integrity. Microsoft’s new guide, 5 Generative AI Security Threats You Must Know About, urges a unified, AI-aware security strategy to defend against this evolving threat landscape. [more][more-report]

4. Google Cybersecurity Forecast 2026 report: Google Cloud Security’s new Cybersecurity Forecast 2026 report warns that AI-driven cyberthreats and global extortion will surge next year, transforming both attacks and defenses. It predicts that attackers will fully weaponize AI through the use of multimodal generative tools to create realistic phishing, deepfakes, and impersonation campaigns. At the same time, prompt injection attacks will continue to rise in exploiting large language models. The report also flags the growing risk of “shadow agents,” unauthorized AI tools used by employees that create hidden data pipelines and compliance risks, calling for new AI governance frameworks to manage them. Beyond AI, ransomware, data theft, and multifaceted extortion are expected to become the most financially damaging forms of cybercrime, with cascading economic impacts. Virtualization infrastructure is emerging as a new vulnerability, where single breaches could compromise hundreds of systems. The report concludes that 2026 will mark a new era in cybersecurity where both attackers and defenders harness AI, making proactive, multi-layered defenses and strong AI governance essential. [more]

5. Increased malicious deployments through LLMs: Google warns that LLMs are moving from research curiosities to active tools for attackers, who are building adaptable, AI-powered malware that can generate code, rewrite itself, and evade detection mid-run. Its analysts documented multiple in-the-wild examples (from credential-stealers like QuietVault that use on-host AI tools to hunt secrets, to PromptSteal that queries Qwen for one-line commands, to reverse shells like FruitShell with prompts to bypass LLM-based defenses) alongside experimental projects such as PromptLock and PromptFlux that dynamically generate malicious scripts or rewrite their source via APIs. Google also found underground marketplaces selling illicit “AI as-a-tool” services and observed state-linked actors abusing Gemini and other LLMs for lure writing, tooling, and malware development, signaling a new phase where generative AI both amplifies skilled operators and lowers the barrier for less technical criminals. [more]

6. OpenAI stealth channel: Microsoft’s Detection and Response Team (DART) disclosed a novel backdoor called SesameOp (discovered in July 2025) that stealthily uses the OpenAI Assistants API as a command-and-control channel to fetch encrypted commands and return execution results. [more]

   1. The implant’s infection chain includes a heavily obfuscated loader (Netapi64.dll) and a .NET backdoor (OpenAIAgent.Netapi64) loaded via AppDomainManager injection. Attackers also used compromised Visual Studio utilities and internal web shells to maintain persistent, long-term access for likely espionage. Commands are relayed through the Assistants API using message descriptions like SLEEP, Payload, and Result, enabling sleep timers, remote payload execution, and exfiltration of outputs.

7. Leaking personal data through indirect prompt injection attacks: Cybersecurity researchers from Tenable have uncovered seven vulnerabilities in OpenAI’s GPT-4o and GPT-5 models that could let attackers steal users’ personal data and chat histories through indirect prompt injection attacks. These flaws, some of which have been fixed, exploit how ChatGPT processes external content and include techniques like zero-click and one-click prompt injections, memory poisoning, and safety bypasses via trusted domains such as Bing. The findings highlight the broader risks of linking AI systems to external data sources, as large language models struggle to distinguish between genuine and malicious instructions. Similar prompt injection and model-poisoning attacks have recently been found affecting other AI systems like Claude, Microsoft 365 Copilot, and GitHub Copilot, revealing an expanding threat surface for AI agents. [more][more-2]

8. Exfiltration through Claude API: A security researcher discovered that attackers can exploit indirect prompt injections in Anthropic’s Claude to exfiltrate user data when the AI has network access, a feature enabled by default on some plans. The attack abuses Claude’s Files APIs by tricking the model into saving user data to its Code Interpreter sandbox and then uploading it to the attacker’s account using a malicious API key. Up to 30MB can be exfiltrated at once, and multiple files can be sent. The exploit begins when a user opens a malicious document, which hijacks Claude to harvest data (including chat conversations saved via the ‘memories’ feature) and send it to the attacker. [more][more-2]

9. AI agent session smuggling attack: Palo Alto Networks’ Unit 42 has identified a new AI attack technique called agent session smuggling, which enables a malicious AI agent to covertly inject harmful instructions into an ongoing cross-agent communication session, exploiting the stateful nature of the Agent2Agent (A2A) protocol. Unlike one-time prompt injection attacks, this method leverages agents’ built-in trust and memory across multi-turn conversations, allowing an attacker to manipulate a victim agent invisibly over time. Proof-of-concept demonstrations showed that a rogue agent could exfiltrate sensitive data or initiate unauthorized tool actions within a financial assistant system. While the A2A protocol itself is not vulnerable, its stateful design makes such manipulation possible in any multi-agent environment. Mitigations include enforcing human-in-the-loop (HitL) approvals for sensitive actions, cryptographic verification of agent identities, and context-grounding to detect off-topic instructions. [more]

10. Growing AI security frameworks and skills demand: AI adoption is rapidly outpacing security and governance across organizations, resulting in a surge of costly AI-related breaches and the rise of “shadow AI,” where untrained employees inadvertently leak sensitive data through unauthorized AI tools. Reports from Tenable, EY, IBM, and the Cloud Security Alliance reveal that most companies lack proper AI governance, access controls, and user training, leaving critical systems exposed. This growing risk has elevated AI governance to a boardroom priority, with more Fortune 100 boards integrating AI oversight and expertise into their risk management frameworks. In response, new frameworks like the CSA’s AI Controls Matrix aim to standardize responsible AI deployment, while cybersecurity professionals with AI-specific skills are seeing increased demand and higher salaries as organizations scramble to secure their rapidly evolving AI ecosystems. [more]

11. Google will integrate to deliver personalised AI experience - knowing everything about you: Google is developing a more personalised “AI Mode” for Search that will eventually integrate with services like Gmail, Drive, Calendar, and Maps to deliver highly customized results. As explained by Google’s Robby Stein, the goal is to let users opt into an experience where the AI can use personal data (such as emails, documents, and travel details) to provide tailored help, like summarizing flight info or planning schedules. [more]