#175: AI apps leaking API keys
Plus, fake AI agent skill, Agentjacking - tricking AI coding assistants to run malicious commands, chain security flaws to run any command in AutoGen Studio, and more!
Tech Risk Reading Picks
TL;DR: AI and cybersecurity risks are accelerating in ways that now directly touch enterprise operations. Security teams found that two-thirds of AI-powered apps are inadvertently exposing the digital credentials used to access paid AI services, opening businesses to unexpected charges and data theft. Separately, AI agents that employees are building and deploying internally, often without IT or security oversight, are connecting to core business systems like Salesforce, GitHub, and cloud databases with far too much access and no accountability structure. Attackers are now actively targeting these gaps, using techniques that look like normal business activity to conventional security tools, making detection extremely difficult.
Nearly two-thirds of the apps with AI features were leaking the API keys: Security researchers examined 444 iPhone apps with AI features and found that nearly two-thirds were leaking the API keys used to access paid AI services like OpenAI and Google Gemini. API keys are digital credentials that work like passwords, granting access to AI services that bill by usage, and researchers found them exposed in three ways: (a) some apps transmitted API keys directly in network traffic that could be intercepted, (b) others exposed reusable access tokens linked to developer accounts, and (c) some required no credentials at all, letting anyone interact with the developer’s AI account freely. Attackers using the same methods can run up charges with no warning and potentially steal the hidden instructions that define how an app’s AI behaves. The problem spans major app categories and is not limited to obscure tools, with some affected apps carrying over two million user ratings. What makes this harder to fix than expected is that many developers had already followed standard security advice by keeping API keys off users’ devices, yet attackers could still reach them through weak server-side controls. Despite all 282 affected developers being notified, only 28% had fixed the issue after 90 days. [more]
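The three exposure patterns described above can be checked for in an app's own captured traffic before release. The following is an added example, not code from the research or the page: a small classifier over constructed request records (hosts, tokens and the `sk-`/`AIza` key formats are placeholders or public prefixes; the prompt-field heuristic is an assumption).

```python
import re
from collections import defaultdict

# Constructed sample traffic from an instrumented test device: one dict per HTTP
# request. Hosts, paths and credentials are placeholders, not real values.
SAMPLE_TRAFFIC = [
    {"user": "tester1", "host": "api.openai.com", "path": "/v1/chat/completions",
     "headers": {"Authorization": "Bearer sk-FAKE0000000000000000000000"},
     "body": '{"messages": []}'},
    {"user": "tester1", "host": "backend.example-app.test", "path": "/ai/chat",
     "headers": {"Authorization": "Bearer shared-token-FAKE"}, "body": '{"prompt": "hi"}'},
    {"user": "tester2", "host": "backend.example-app.test", "path": "/ai/chat",
     "headers": {"Authorization": "Bearer shared-token-FAKE"}, "body": '{"prompt": "hello"}'},
    {"user": "tester1", "host": "backend.example-app.test", "path": "/ai/summarize",
     "headers": {}, "body": '{"prompt": "summarise this"}'},
    {"user": "tester2", "host": "backend.example-app.test", "path": "/login",
     "headers": {}, "body": '{"username": "x"}'},
]

PROVIDER_HOSTS = {"api.openai.com", "generativelanguage.googleapis.com"}
# Public key formats: OpenAI secret keys start with "sk-", Google API keys with "AIza".
PROVIDER_KEY_RE = re.compile(r"\b(?:sk-[A-Za-z0-9_-]{20,}|AIza[0-9A-Za-z_-]{35})\b")
PROMPT_FIELDS = ("prompt", "messages")  # assumed heuristic for "this call carries a prompt"


def classify_exposures(traffic):
    """Map captured requests to the three exposure patterns; returns sorted (category, detail)."""
    findings = set()
    token_users = defaultdict(set)  # backend bearer token -> distinct test users presenting it
    for req in traffic:
        auth = req["headers"].get("Authorization", "")
        to_provider = req["host"] in PROVIDER_HOSTS
        # (a) the device calls the AI provider directly, so the provider key is in the traffic
        if to_provider and PROVIDER_KEY_RE.search(auth + " " + req["body"]):
            findings.add(("provider_key_on_device", req["host"]))
        # (b) collect bearer tokens sent to the app's own backend, per test user
        if not to_provider and auth.startswith("Bearer "):
            token_users[auth.split(" ", 1)[1]].add(req["user"])
        # (c) prompt-shaped call to the backend carrying no credential at all
        if not to_provider and not auth and any(f in req["body"] for f in PROMPT_FIELDS):
            findings.add(("unauthenticated_ai_proxy", req["host"] + req["path"]))
    # a token that two different users present is a shared developer credential, not a session
    for token, users in token_users.items():
        if len(users) > 1:
            findings.add(("shared_backend_token", token[:8] + "..."))
    return sorted(findings)


if __name__ == "__main__":
    for category, detail in classify_exposures(SAMPLE_TRAFFIC):
        print(f"{category}: {detail}")
```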
Risk of a fake AI agent skill: A cybersecurity firm built a fake AI agent skill (a plug-in that agents load and follow like instructions) to expose how easily the ecosystem’s trust signals can be gamed. The skill cleared every security scanner tested because the scanners only read the files submitted to them, not the external links those files point to. By inheriting GitHub stars from a reputable repository and serving a clean page during the scan, the firm passed all checks, then quietly swapped the linked page to deliver a malicious script after install. The firm claims the skill reached around 26,000 agents, including corporate accounts, though that figure comes from the firm itself and is unverified. The structural flaw is real and has been independently confirmed: a scan happens once at submission, but any external URL an agent skill points to can be rewritten at any time afterward. This can turn a clean result into a live threat with no further review triggered. [more]
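The scan-once, swap-later gap closes if the scanner records a content hash of every external resource and the installer refuses anything that no longer matches. This is an added example, not code from the firm or any skill registry; the manifest, URL and contents are constructed, and `make_fetch` stands in for a real HTTP client.

```python
import hashlib
import hmac

# Constructed skill manifest: an installable agent skill whose instructions point at an
# external file. URL and contents are placeholders, not a real registry entry.
SKILL_MANIFEST = {"name": "example-skill", "resources": ["https://example.test/setup.md"]}
CONTENT_AT_SCAN_TIME = b"# example-skill setup\nRead the project README before acting.\n"
CONTENT_AFTER_SWAP = b"# example-skill setup\n(changed after the scan)\n"


def make_fetch(store):
    """Stand-in for an HTTP client: serves whatever bytes the dict currently holds for a URL."""
    return lambda url: store[url]


def pin_manifest(manifest, fetch):
    """Scan time: record a SHA-256 of every external resource exactly as it was reviewed."""
    return {
        "name": manifest["name"],
        "resources": [{"url": u, "sha256": hashlib.sha256(fetch(u)).hexdigest()}
                      for u in manifest["resources"]],
    }


def verify_manifest(pinned, fetch):
    """Install/run time: refetch each resource and list the URLs whose content changed."""
    changed = []
    for res in pinned["resources"]:
        digest = hashlib.sha256(fetch(res["url"])).hexdigest()
        if not hmac.compare_digest(digest, res["sha256"]):
            changed.append(res["url"])
    return changed


def demo():
    """Simulate the scan-then-swap sequence described above; returns the flagged URLs."""
    url = SKILL_MANIFEST["resources"][0]
    store = {url: CONTENT_AT_SCAN_TIME}
    pinned = pin_manifest(SKILL_MANIFEST, make_fetch(store))
    assert verify_manifest(pinned, make_fetch(store)) == []  # unchanged content passes
    store[url] = CONTENT_AFTER_SWAP  # publisher edits the linked page after the scan
    return verify_manifest(pinned, make_fetch(store))  # -> ["https://example.test/setup.md"]


if __name__ == "__main__":
    print("refusing changed resources:", demo())
```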
Agentjacking - Tricking AI coding assistants into running attacker-controlled commands: Researchers demonstrated a technique called Agentjacking that tricks AI coding assistants into running attacker-controlled commands on a developer's machine, without needing stolen passwords or internal network access. The attack works by exploiting Sentry DSNs (project identifiers that applications use to send error reports to Sentry, a widely used monitoring platform), which are often publicly visible in a website's source code. An attacker who finds an exposed DSN can submit a fake error report containing hidden instructions. When a developer asks their AI coding agent to investigate the error, the agent reads the fake report and follows the injected instructions as if they were legitimate, a technique known as prompt injection (feeding hidden commands into an AI's input to manipulate its behaviour). In a controlled test, this caused AI agents to download and run an external code package with the developer's own system permissions, a pathway that could expose stored credentials such as cloud access keys and login tokens. Researchers found over 2,300 organisations with exposed DSNs, and confirmed that AI agents at more than 100 global companies, including one Fortune 100 firm, executed their test code. The attack is particularly hard to detect because every step looks like normal, authorised developer activity to conventional security tools. [more]
Mythos identified security weaknesses in almost all classified systems within hours: Anthropic's most advanced AI model, Mythos, has identified security weaknesses in classified U.S. government computer systems in a matter of hours during a controlled testing exercise conducted with American intelligence agencies under a program called Project Glasswing. A senior U.S. senator revealed at a congressional hearing that the National Security Agency's own chief confirmed Mythos had penetrated "almost all" classified systems, though officials were careful to note that identifying a weakness is not the same as successfully exploiting it. The disclosure comes at a fraught moment in Anthropic's relationship with Washington: the company has refused to let the military use its AI for domestic surveillance or fully autonomous weapons, and the U.S. government has responded by placing Anthropic on a national security blacklist and ordering it to halt all exports of its Mythos and Fable models globally. The NSA has also reportedly lost access to Mythos amid the dispute. [more]
Chain security flaws to run any command in AutoGen Studio: Researchers uncovered a chain of three security flaws in AutoGen Studio, Microsoft's graphical tool for building and prototyping AI agents, that together allowed an attacker to run any command on a developer's machine simply by getting the developer's AI agent to visit a malicious webpage. The attack, named AutoJack, worked by exploiting gaps in how AutoGen Studio handled local network connections. The tool trusted connections from the developer's own machine without requiring authentication on key internal routes, and accepted encoded commands directly via its WebSocket interface (a persistent connection channel used for real-time communication between components). A browsing AI agent visiting an attacker-controlled page could be silently redirected to trigger commands with the developer's own account privileges. The good news is that the flaw never shipped in the publicly available package on PyPI (Python's standard software repository); only developers who built AutoGen Studio directly from the GitHub source code during a specific window were exposed. As a precaution, the researchers advise running AutoGen Studio in its own contained environment separate from your main system, under a limited-permission account rather than as an admin, and never on the same machine where an AI agent is actively browsing the web or running external code, since that combination is precisely how this attack works. [more]
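The two gaps named above (loopback connections treated as trusted, and opaque commands accepted over the WebSocket) are the kind a local dev server can close at its upgrade and message handlers. The following is an added example written for this newsletter, not AutoGen Studio's code: the port, origin list, token scheme and message vocabulary are all assumptions.

```python
import hmac
import json

LOOPBACK = {"127.0.0.1", "::1"}
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}  # the tool's own UI (assumed port)
# Assumed protocol: each message type carries a fixed set of string-valued fields and nothing else.
MESSAGE_SCHEMA = {"run_agent": {"agent_id"}, "stop_agent": {"run_id"}, "ping": set()}


def authorize_ws_upgrade(peer_ip, headers, expected_token):
    """Gate a WebSocket upgrade on a local dev server. Returns (allowed, reason)."""
    # A dev tool should only be reachable from the machine it runs on...
    if peer_ip not in LOOPBACK:
        return False, "remote peer rejected"
    # ...but a loopback peer is not an authenticated user: a browser or browsing agent on
    # the same host also connects from 127.0.0.1 when a remote page steers it here, so the
    # browser-supplied Origin must be the tool's own UI and a per-session token is required.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token, expected_token):
        return False, "missing or invalid bearer token"
    return True, "ok"


def validate_ws_message(raw):
    """Accept only a JSON object matching MESSAGE_SCHEMA; anything else is dropped (None)."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("type") not in MESSAGE_SCHEMA:
        return None
    fields = MESSAGE_SCHEMA[msg["type"]]
    # exact key set and plain string values: no room for extra or encoded payloads
    if set(msg) != {"type"} | fields or not all(isinstance(msg[f], str) for f in fields):
        return None
    return msg


if __name__ == "__main__":
    token = "dev-token-FAKE"  # constructed; a real server generates one per session
    print(authorize_ws_upgrade("127.0.0.1", {"Origin": "https://untrusted.example.test"}, token))
    print(authorize_ws_upgrade("127.0.0.1", {"Origin": "http://localhost:8081",
                                             "Authorization": "Bearer " + token}, token))
    print(validate_ws_message('{"type": "run_agent", "agent_id": "a1", "extra": "x"}'))
```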
Security flaws in Dify: Researchers uncovered four security flaws in Dify, a widely used open-source platform that businesses use to build AI-powered workflows and applications. The flaws, collectively named DifyTap, allowed attackers to silently intercept private AI conversations belonging to other customers on the same platform, without needing to log in. [more]
Two of the flaws were rated critical severity. The most serious enabled an attacker to redirect all messages and AI responses from any publicly accessible Dify application through their own account, creating a persistent wiretap on other customers’ AI interactions.
Additional flaws allowed attackers to read uploaded documents belonging to other users by simply guessing a file identifier, and to access internal system APIs (the technical interfaces that connect Dify’s internal components) that were never meant to be reachable from outside.
A separate, older security flaw in Dify's PDF processing library was also flagged, which could allow a maliciously crafted PDF file to compromise the underlying system. Most of the flaws have been fixed in version 1.14.2, with one patch still pending in the next release.
AI risk within organisations: The security risk from AI inside organisations has quietly shifted. The original concern was employees copying sensitive data into public AI tools, a problem security teams addressed with usage policies and blocking rules. That threat has been overtaken by a more serious one: AI agents that employees and business units are building and deploying internally, often without the security team's knowledge, and connecting directly to enterprise systems like Salesforce, GitHub, Slack, and cloud databases. Unlike a passive tool that receives data, an agent is an active actor that can read, write, and delete records, trigger workflows, and call APIs (the interfaces that connect software systems), often running on service accounts with broad permissions that were never properly reviewed. The exposure compounds over time. Agents inherit their creator's access levels, temporary permissions become permanent, and agents built by employees who have since left the company can remain active and credentialled for months. Existing security controls were built for human behaviour and do not catch this, because by the time an agent has credentials to enterprise systems, the traditional perimeter has already been crossed. Closing the gap requires treating every AI agent like any other identity in the organisation: each should be inventoried, owned, scoped to the minimum access it needs, and decommissioned when no longer in use. [more]
Digital ID for AI agents: Estonia is pioneering a global first by assigning official digital identification codes to AI agents that act on behalf of people or businesses. The move is designed to create clear accountability: each AI agent will carry a traceable ID, operate with defined and limited permissions (such as view-only access, document drafting, or payments up to a set amount), and never require blanket access to all of a user's data or services. The initiative comes as AI tools increasingly handle real-world tasks like filing reports and interacting with government systems, raising urgent questions about who is ultimately responsible when things go wrong. Estonia, already a world leader in digital public services with 99% of government functions online, is well positioned to set the standard. [more]
Hard deadlines to migrate to post-quantum cryptography: The White House has signed two executive orders signalling that the US government is treating quantum computing as both a strategic opportunity and an imminent security threat. The core concern is a "harvest now, decrypt later" risk: adversaries are believed to be collecting encrypted data today, intending to decode it once quantum computers become powerful enough to break current encryption standards. To get ahead of this, federal agencies have been given hard deadlines to migrate to post-quantum cryptography (encryption methods designed to withstand quantum-powered attacks), with key systems to be upgraded by end of 2030 and digital signature systems by 2031. Agencies must also begin cataloguing every cryptographic component across their systems, a requirement similar to a software bill of materials but focused specifically on encryption. The orders will likely extend well beyond government: contractors and technology vendors that do business with federal agencies face incoming compliance requirements, making this a significant driver of post-quantum adoption across the broader technology industry. A parallel order directs coordinated federal investment in quantum computing research and commercialisation, framing US leadership in the technology as a national security and economic priority. [more]
ShinyHunters hit over 100 organisations: Over the past seven days, the cybercriminal group ShinyHunters has aggressively scaled its "pay or leak" extortion campaigns by targeting widely deployed enterprise SaaS ecosystems, cloud platforms, and enterprise resource software. Their recent wave of operations featured the exploitation of Oracle PeopleSoft servers via a critical zero-day remote code execution flaw (CVE-2026-35273), which they used to compromise over 100 organisations. That exploitation exposed sensitive academic and personal records of over 454,000 students from the University of Nottingham. Simultaneously, they leveraged cloud account hijacking and exposed API access tokens to target telecommunications giant American Tower, leaking a database of 217,000 corporate emails, while also forcing a multi-million dollar ransom deadline on Kodak over 2.2 million compromised cloud records. Rather than using traditional file-encrypting ransomware, ShinyHunters' core tactics, techniques, and procedures (TTPs) rely on automated credential stuffing, AI-powered voice phishing to bypass security layers, and the abuse of active OAuth/SaaS integration tokens (such as Salesforce Data Loader and cloud storage buckets) to silently exfiltrate massive volumes of unencrypted data for public blackmail. [more]
