Tech Risk Reading Picks

TL;DR: The enterprise AI landscape is facing severe operational headwinds and critical security vulnerabilities. Organizations are losing significant productivity to "botsitting" (6.4 hours/week per employee spent correcting AI errors), while simultaneously exposing themselves to high-severity supply chain exploits targeting AI agents, prompt injections, and infrastructure design flaws. Furthermore, unprecedented regulatory and national security interventions, such as the US government's suspension of Anthropic's latest models, underscore the immediate need for rigid risk management.

1. The hidden labor cost of enterprise AI integration: A new report reveals that white-collar workers spend an average of 6.4 hours per week managing AI errors and context gaps. The root cause of this issue is an invisible form of digital labor called botsitting. Workers must constantly feed context, debug mistakes, and clean up inaccurate AI outputs to make the tools useful. While employees report individual time savings, organizations are not seeing significant performance gains. Instead, aggressive management pressure to adopt AI has forced workers to submit unverified AI content to meet expectations. This dynamic damages employee morale and drastically increases the risk of corporate legal or operational errors. [more]

2. Claude Fable and Mythos restricted: The US Commerce Department ordered Anthropic to suspend global access to its latest Mythos and Fable AI models due to significant national security risks. Government officials enacted this unprecedented restriction because they found a vulnerability that allows users to bypass safety safeguards. This root cause flaw could enable adversarial military intelligence services in nations like China and Russia to exploit the models to identify critical software vulnerabilities. While Anthropic claims the security flaws are minor, the government utilized its export control powers for the first time on an AI model to enforce the suspension. The two entities are now conducting daily negotiations to establish stricter safety controls and restore model access. [more]

3. Agentjacking exposes developers to arbitrary code execution: A new attack class called Agentjacking highlights critical security risks for organizations deploying AI coding assistants. The root cause of the vulnerability is the implicit trust embedded within the Model Context Protocol (MCP), which prevents AI agents from distinguishing between legitimate system outputs and malicious inputs injected into external services. Attackers exploit this by sending fake error reports using an organization’s public Sentry Data Source Name (DSN). The attack chain relies on a markdown injection that mimics Sentry’s system template, an MCP query triggered when a developer asks the agent to resolve errors, and the subsequent execution of arbitrary code with full developer privileges. Researchers verified this risk across over 100 organizations, achieving an 85% exploitation success rate against widely used coding assistants. Sentry has acknowledged the issue but stated a full fix is technically indefensible, opting instead for a global content filter to block specific payloads. [more]

4. Critical security flaw in Microsoft 365 Copilot exposes enterprise data: Microsoft recently patched a critical vulnerability tracking as CVE-2026-42824 that allowed attackers to steal sensitive corporate data. The root cause stems from AI systems creating new pathways that weaponize older, low-severity software bugs through prompt injection. This exploit relies on a three-stage attack chain that begins when a user clicks a malicious URL. First, the link uses parameter-to-prompt injection to silently force Copilot to search internal files for sensitive data. Second, an HTML rendering race condition executes a hidden image tag before the browser can sanitize the output. Finally, a server-side request forgery flaw in Bing fetches the image and bypasses security controls. This process successfully exfiltrates the stolen data directly to the attacker's server logs without user knowledge. Microsoft has mitigated the threat directly, so enterprise users do not need to take any manual action.[more]

5. Critical vulnerability chain in LiteLLM allows full server takeover: A critical three-bug vulnerability chain tracking as CVSS 9.9 allows low-privilege users to escalate to full administrator status and execute arbitrary code on LiteLLM servers. The root cause of this exploit is a systemic lack of validation and misplaced trust across multiple architectural layers, where downstream handlers implicitly trusted the initial route gate without verifying user roles or filtering inputs. The attack chain begins with an authorization bypass (CVE-2026-47101) that lets a standard user mint an API key with wildcard administrative routing privileges. Next, the attacker leverages a privilege escalation flaw (CVE-2026-47102) on unrestricted user-update endpoints to grant themselves a proxy administrator role. Finally, the attacker achieves remote code execution via a sandbox escape (CVE-2026-40217) by injecting Python code into unvalidated custom guardrail fields. Users should immediately upgrade to version 1.83.14-stable or later and audit active admin accounts, database credentials, and hidden background callbacks to remediate the risk. [more]

6. Google cloud flaw allows unauthorized model hijacking and data access: A critical vulnerability in the Google Cloud Vertex AI SDK allowed external attackers to hijack machine learning models and execute malicious code within Google’s infrastructure without valid credentials. The root cause was a predictable naming convention for temporary cloud storage buckets combined with a lack of ownership verification during model uploads. This flaw enabled attackers to pre-create target buckets in their own projects and intercept victim data. The exploit could result in the theft of authentication tokens, model artifacts, and sensitive internal logs. Organizations should immediately upgrade to version 1.148.0 or later and explicitly define custom staging buckets to mitigate this risk. [more][more-2-Unit42]

7. Claude Code tool could leaks enterprise credentials: Microsoft discovered a security flaw in Anthropic's Claude Code tool that let attackers steal sensitive passwords and access keys from automated coding pipelines. The problem: an attacker could hide secret instructions inside a normal-looking GitHub comment or pull request. When Claude's AI agent read that comment as part of its job, it would unknowingly follow the hidden instructions and leak system credentials (including Anthropic's own API key) without tripping any of the built-in safety checks. No special hacking skills or access were needed; anyone able to post a comment on GitHub could trigger it. Anthropic was alerted privately and fixed the issue on May 5, 2026. The bigger lesson for any team using AI agents: never let one AI agent simultaneously (1) read information from outsiders, (2) hold sensitive credentials, and (3) take real actions. That combination is what made this attack possible. Companies should also limit what each AI tool's credentials can access, and clearly tell their AI agents to treat anything written by an outside person as untrusted, not as a command to follow. [more]

8. SQL injection flaw in LangGraph: Check Point Research disclosed three vulnerabilities in LangGraph, a widely-used (50M+ monthly downloads) open-source framework for building AI agents, that could be chained together to achieve remote code execution on self-hosted servers. The core issue was a SQL injection flaw in how the framework's SQLite and Redis "checkpointer" components handled user-supplied filter queries; attackers could exploit this to smuggle in malicious data that, when automatically deserialized by the application, executed arbitrary commands on the server. The risk was limited to organizations self-hosting LangGraph with SQLite or Redis storage and exposing a particular function (get_state_history()) to user input — LangChain's managed cloud offering (which uses PostgreSQL) was unaffected. All three issues were responsibly disclosed in November 2025 and have since been patched by LangChain across multiple package releases between December 2025 and March 2026; affected organizations should ensure they are running langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+. [more]

9. Fabricating evidential material: A UK police officer is under criminal investigation for allegedly fabricating evidential material across multiple cases using artificial intelligence systems. While national initiatives promote automation to reduce bureaucratic paperwork, several police forces have already been warned to stop using generative systems due to high rates of inaccurate data and hallucinations. [more]

10. Social media algorithms face major legal risks over youth safety: Meta and TikTok are facing a landmark collective lawsuit in Italy following a minor’s suicide. The legal action highlights escalating corporate liability and regulatory risks for digital platforms. The root cause of these risks is the deliberate design of recommendation algorithms and engagement mechanisms. These automated systems systematically amplify harmful content and foster addiction in vulnerable users. Standard parental control features are failing to block these toxic algorithmic loops. Consequently, global regulators are rapidly introducing stricter safety compliance frameworks and age restrictions. This shifting environment forces tech companies to fundamentally redesign their platform optimization models or face severe legal penalties. [more]