TechRisk #176: Full agentic AI ransomware operation
Plus, Hacker's dream AI model, Zero-click Cursor vulnerabilities, AI browser assistants ignoring safety rules, decades-old shell injection risk, and more!
Tech Risk Reading Picks
Executive Summary: The past week brought a steady stream of evidence that AI is actively reshaping the cyberattack landscape on both offense and defense. On the offense side, researchers documented what looks like the first fully autonomous ransomware attack (JADEPUFFER), a new browser-native ransomware technique built entirely by DeepSeek, and a prompt-injection trick ("BioShocking") that fools AI browser assistants into ignoring safety rules. Multiple structural weaknesses also surfaced in AI coding tools, including zero-click flaws in Cursor and a shell-trick called GuardFall that bypasses safety checks in ten of eleven popular AI coding assistants. Attackers are also exploiting AI's own quirks, such as registering the fake website addresses AI models hallucinate to run phishing scams. Adding to the risk, a Chinese open-source model (GLM-5.2) now matches leading cybersecurity performance at half the cost with no built-in safety oversight, echoing the Five Eyes' warning that AI is collapsing the skill barrier once required to carry out sophisticated attacks. Beyond cybersecurity, Google quietly expanded AI's default access to users' Search and Gmail data, an air cargo industry panel flagged AI-driven attacks as an underappreciated supply-chain risk, and a US congressman proposed legislation forcing AI companies to report dangerous incidents within seven days.
Full agentic AI ransomware operation: An AI agent, nicknamed JADEPUFFER by researchers at Sysdig, appears to have run a complete ransomware attack on its own, no human at the controls. It broke in through a known software flaw, stole login credentials, reached a live company database, and then locked and deleted critical configuration data while leaving a ransom note demanding Bitcoin. What convinced researchers this was autonomous: when one attack step failed, the AI diagnosed the problem and fixed it within 31 seconds, a level of quick adaptation that looks more like independent judgment than a scripted tool. The ransom demand was hollow: the encryption key was displayed once and never saved, so paying wouldn't have restored anything. Experts say the underlying cause is an old, familiar problem: exposed credentials and excessive access, just executed at machine speed. The bottom line: companies need real-time monitoring and tighter access controls, because AI-driven attacks can now outpace human-speed detection. [more]
Zero-click Cursor vulnerabilities: Two serious security flaws, nicknamed DuneSlide, let attackers hijack a developer's computer through the popular AI code editor Cursor, with no click needed from the victim. The attack works by hiding malicious instructions in content the AI reads on the user's behalf, like a webpage or a connected service, tricking it into writing to a file it shouldn't touch and using that to disable Cursor's built-in safety sandbox. Once disabled, attackers gain full control of the developer's machine and any connected cloud accounts. Researchers say Cursor initially dismissed the report, arguing it fell outside their threat model, before reversing course and shipping a fix. There's no evidence of real-world exploitation so far, but this is the fourth such flaw found in Cursor in under a year, suggesting a deeper pattern rather than isolated bugs. The bottom line: anyone using Cursor should update to version 3.0 or later immediately, and treat "AI reads the web on your behalf" tools as a real attack surface. [more]
Hacker’s dream AI model: A new Chinese AI model called GLM-5.2, built by startup z.AI, matches the performance of leading US AI systems on cybersecurity tasks at roughly half the cost. Anyone can download and run it on their own computer. Unlike cloud-based AI tools, which are monitored and can suspend users for misuse, a locally-run model has no such oversight, giving bad actors free rein to strip out safety controls and use it for attacks like phishing or hunting for software flaws. Security experts note this was inevitable: once a capability exists, others will replicate it. The deeper worry is not this model specifically, but the accelerating AI arms race it represents, where each new release gives both defenders and criminals more powerful tools, and no one side pulls decisively ahead. [more]
AI-generated ransomware running within a web browser: Researchers found the first working example of ransomware that runs entirely inside a web browser, no software installation needed, and it was built by the AI model DeepSeek. The malware tricks victims with a fake Discord tool into granting a webpage access to their files, then uses a legitimate browser feature to read, steal, encrypt, and hold those files for ransom, all without exploiting a security flaw or needing special privileges. It works across Chrome and other Chromium-based browsers on Windows, macOS, Linux, and Android. What alarms researchers most is that DeepSeek combined an existing browser feature with a previously theoretical attack idea into a real, functional threat from a single broad prompt, something that would normally require significant technical expertise. [more]
It works in four steps, all inside the browser, no installed software needed:
The lure. The attacker sets up a fake tool, in this case a phony Discord profile-picture enhancer, and gets the victim to visit the page.
The permission grab. Chrome and other Chromium-based browsers have a legitimate feature that lets a webpage ask for access to a folder on your computer, the same kind of prompt you’d see when uploading a file. The victim clicks “allow,” thinking they’re just picking an image.
The theft and lockup. Once access is granted, the page quietly scans the chosen folder, copies the files out to the attacker, then encrypts and overwrites the originals, all using normal, permitted browser functions rather than any hack or security flaw.
The ransom note. The victim is shown a message demanding Bitcoin to get their files back.
AI browser assistants ignoring safety rules: Security researchers found a new attack, called "BioShocking," that can trick AI browser assistants into ignoring their own safety rules. The trick works by luring the AI into a fictional puzzle game on a malicious webpage that rewards "wrong" answers, which teaches the assistant that normal rules don't apply in this context. Once the AI accepts that framing, it can be steered into a final step that leaks sensitive user data, such as passwords, without recognizing it as a real security violation. Researchers tested this on six major AI browser products, including tools from OpenAI, Anthropic, and Perplexity, and found only one vendor had fully fixed the flaw after being notified months ago. Anthropic attempted a fix for its Chrome tool, but researchers say it did not actually stop the attack. The bottom line: AI browser agents still struggle to tell fiction from reality, so sensitive actions like sharing credentials need human confirmation, not just AI judgment. [more]
AI removes that barrier and allows people with no training to carry out sophisticated attacks: The Five Eyes intelligence alliance issued a joint warning last week about AI models increasingly being able to hack into systems and networks on their own, with minimal human direction. The core argument is that AI is closing an old gap between skill and ability: throughout history, doing serious damage, whether hacking, poisoning, or bridge sabotage, required years of training that also instilled ethical judgment. AI removes that barrier by acting as a universal expert advisor, letting people with no training carry out sophisticated attacks. The piece argues that safety guardrails from major AI companies won’t solve this long-term, since smaller, open-source AI models without safety restrictions are catching up in capability and can be freely shared, similar to how basic hacking tools once spread among unskilled attackers. It also argues that trying to strip AI of dangerous knowledge entirely won’t work, since the same understanding needed to attack a system is what’s needed to defend it, just as doctors must learn how poison works to treat poisoning. The bottom line: rather than trying to contain what AI can know, organizations should focus on using AI itself for defense, catching vulnerabilities and unusual activity faster, since the security fundamentals haven’t changed, only the speed and urgency have. [more]
Decades-old shell injection risk to AI coding assistants: Researchers found a way to sneak dangerous commands past the safety checks built into ten of eleven popular AI coding assistants, using a decades-old shell scripting trick. The flaw, called GuardFall, works because these tools check commands as plain text before running them, but the underlying system rewrites that text before execution, so a command like "delete files" can be disguised just enough to slip past the filter while still running exactly as intended. This matters because these AI agents typically run with the same access as the user's own account, meaning a hidden instruction buried in a booby-trapped code repository could silently steal passwords and cloud credentials or wipe out files. Researchers say this isn't a single bug to patch but a structural weakness, since adding more filter rules won't fully close the gap. Only one tool, called Continue, was built to actually simulate what the command would become before checking it, and held up against the attack. The bottom line: until better safeguards are standard, turn off AI agents' auto-run settings, don't let them operate on files from unverified sources, and keep sensitive credentials out of reach of any AI coding tool running on autopilot. [more]
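The GuardFall finding comes down to where a guard looks: at the text the agent typed, or at what the shell will actually run. The following is an added illustration written for this newsletter, not code from the research or from any of the assistants named; the denylist and the sample commands are constructed for the demo. It places a text-only check beside one that first resolves quoting with the shell's own tokenizer and refuses outright anything the shell would still rewrite at run time.

```python
import re
import shlex

# Constructed denylist for the demo (an illustrative subset, not the list any
# real assistant ships).
DESTRUCTIVE = {"rm", "rmdir", "shred", "dd", "mkfs"}

# Text-only guard: a destructive program name as a bare word at the start of
# the line or after a separator. This is the style of check GuardFall evades.
NAIVE_PATTERN = re.compile(
    r"(?:^|[;&|]\s*)(?:" + "|".join(sorted(DESTRUCTIVE)) + r")\b")

# Anything the shell would still rewrite at run time: variables and command
# substitution ($...), backticks, brace expansion, eval. A static guard cannot
# know what these become, so the hardened check refuses them outright.
DYNAMIC = re.compile(r"\$|`|\{[^}]*,[^}]*\}|\beval\b")

SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}


def naive_check(cmd: str) -> str:
    """Judge the raw text, as the bypassed assistants do."""
    return "block" if NAIVE_PATTERN.search(cmd.strip()) else "allow"


def normalized_check(cmd: str) -> str:
    """Judge the command as the shell will see it, and fail closed when that
    cannot be predicted (the approach the page credits Continue with)."""
    if DYNAMIC.search(cmd):
        return "block"
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        tokens = list(lexer)       # quotes and backslashes resolved here
    except ValueError:
        return "block"             # unbalanced quoting: fail closed
    expect_program = True
    for tok in tokens:
        if tok in SEPARATORS:
            expect_program = True  # next word names a program again
            continue
        if expect_program:
            if tok.rsplit("/", 1)[-1] in DESTRUCTIVE:   # /bin/rm -> rm
                return "block"
            expect_program = False
    return "allow"
```

Even the hardened check only covers the program position: wrappers such as `env`, `xargs`, `sudo` or `sh -c` would need the same treatment, which is why the researchers call this a structural gap rather than one more rule to add.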
AI-hallucinated domains used by attackers: AI models often make up website addresses that don’t actually exist, and attackers have started registering those fake domains before anyone else can, then loading them with phishing pages to catch victims who trust AI-generated links. Researchers found that across 685,000 test questions, two AI models generated 2.1 million links, of which about 250,000 pointed to unclaimed domains ripe for hijacking, and over 13,000 were already known malicious sites. This is alarming because brand-new websites don’t trigger security warnings right away, since blocklists need time to catch bad behavior, so attackers who move fast get a window to operate undetected. In one confirmed case, researchers predicted a fake postal-service domain an AI would likely invent, and just 23 days later an attacker registered that exact address and built a convincing phishing site that stole payment and ID information. The same problem is already hitting software developers, where AI coding tools suggest fake software package names that criminals register and fill with malware. [more]
Google is feeding its AI: Google has quietly switched on a new default setting that lets its AI systems learn from your Search activity, files, and media. Its AI assistant Gemini also reads Gmail content to power features like email summaries, though Google insists it does not store or train on that data. Notably, Gemini itself admitted that Google relies on “opt-out fatigue,” burying privacy controls deep in settings and banking on the fact that most users won’t bother to find them. Two steps can limit the exposure: turn off “Smart Features” in Gmail settings, and uncheck “Save media” under Search Services History at myactivity.google.com. [more]
AI-driven cyberattacks as an underappreciated risk for air cargo companies: Executives at a recent air cargo panel flagged AI-driven cyberattacks as an underappreciated risk, warning that AI now makes it easier for attackers to convincingly imitate human behavior, and because cargo systems are so interconnected, a breach at one small player can cascade across the whole industry. Beyond security, panelists pointed to a looming freighter shortage as demand grows, since only one new freighter model is coming to market next year while other major programs wind down and airlines hold onto their passenger aircraft. A third concern was staffing: ground handlers and suppliers are struggling to attract young talent into a highly regulated industry with steep compliance demands. The bottom line: air cargo faces a three-front squeeze of rising cyber risk, tightening capacity, and a shrinking talent pipeline, all compounding at once. [more]
Proposed AI incident report regulation: A US Republican congressman has proposed legislation requiring AI companies to report dangerous incidents to the federal government within seven days, with the most serious cases (e.g. those threatening national security or public safety) escalating to Congress within 48 hours. The bill covers a broad range of scenarios including AI systems attempting to resist human control, theft of AI model code, capabilities that could enable attacks on critical infrastructure, and potential links to biological or nuclear threats. The proposal lands at a charged moment: Anthropic recently accused Chinese tech giant Alibaba of running a large-scale campaign to secretly copy capabilities from its most powerful AI model, while US intelligence agencies reportedly found that same model was able to break into nearly all classified systems it was tested against in a matter of hours. The broader message from Washington: as AI systems grow more capable and geopolitical competition intensifies, the US government wants earlier warning when things go wrong, and is moving toward formal rules to ensure it gets that visibility. [more]