Cisco Researchers Warn of Multi-Turn Attacks Bypassing LLM Safety Guardrails Researchers at Cisco have uncovered a critical vulnerability in leading large language models (LLMs), demonstrating that their safety guardrails can be bypassed through multi-turn conversations. The study tested widely used models including OpenAI’s ChatGPT, Anthropic’s Claude, Google Gemini, Amazon Nova, and xAI’s Grok revealing that none were fully resistant to exploitation. The attack method relies on prolonged, iterative dialogue, where adversaries refine prompts, adopt personas, or gradually escalate requests to circumvent built-in protections. Unlike single-prompt testing, which many organizations rely on for safety evaluations, real-world attackers persist across multiple exchanges, exposing gaps in current security benchmarks. Key findings include: - No model was immune to multi-turn manipulation, challenging existing AI safety assessments. - Techniques like roleplay, ambiguity, and reframing requests proved effective in bypassing guardrails. - Configuration matters: For example, Grok became significantly more vulnerable when "reasoning mode" was enabled. The report highlights a disconnect between current safety evaluations and real-world threats, warning that enterprises deploying LLMs may underestimate risks. As regulators push for improved testing standards, Cisco’s research underscores the need for more robust defenses against evolving attack vectors.

OpenAI Addresses Security Breach in ChatGPT Mac App After Employee Devices Compromised OpenAI recently disclosed a security breach affecting its ChatGPT app for Mac, stemming from a compromised open-source library. According to a report by 9to5Mac, two employee devices were impacted, though the company stated no user data was accessed and no systems were compromised. The incident was detected after malicious activity was identified in a widely used open-source code repository. OpenAI responded swiftly, containing the threat and launching an investigation with a third-party digital forensics firm. The company confirmed that only limited credential material was exfiltrated, with no other code or information affected. A software update addressing the issue is currently rolling out, with full distribution expected by June 12. Mac users are advised to install the update when prompted, while Windows and iOS users remain unaffected. OpenAI plans to provide further guidance at a later date. This is not the first security concern for the ChatGPT Mac app in early 2024, a developer discovered that the app stored user conversations locally in plain text rather than encrypting them.

OpenAI Faces Class-Action Lawsuit Over Alleged Privacy Violations via Facebook Pixel and Google Analytics OpenAI is the target of a new class-action lawsuit filed in the Southern District of California, accusing the company of secretly sharing sensitive ChatGPT user conversations with Meta and Google through embedded tracking tools. The complaint, brought by California resident Amargo Couture on behalf of U.S. users, alleges that OpenAI violated federal and state privacy laws by transmitting chat topics, identifiers, and contact details to third-party ad platforms without user consent. The lawsuit claims that ChatGPT users who often discuss confidential matters such as finances, health, and legal issues had a reasonable expectation of privacy, only for their interactions to be funneled to Meta’s Facebook Pixel and Google Analytics. According to the complaint, the Facebook Pixel embedded in ChatGPT’s web interface sends real-time HTTP requests to Meta’s servers, including browser tab titles (e.g., "Super Bowl 2005 Winner") and cookies tied to users’ Facebook accounts. This data is then allegedly used for targeted advertising across Meta’s platforms. Similarly, Google Analytics is accused of capturing hashed email addresses, device identifiers, and Google Signals cookies, enabling cross-device tracking and remarketing based on ChatGPT activity. The suit argues that these practices constitute unlawful interception under the Electronic Communications Privacy Act (ECPA) and violate California’s Invasion of Privacy Act (CIPA), which prohibits the use of devices to eavesdrop on confidential communications without consent. The proposed nationwide class seeks damages for all U.S. users whose data was shared, with a California subclass pursuing statutory penalties of up to $5,000 per violation. Plaintiffs are also demanding injunctive relief to compel OpenAI to remove or redesign its tracking integrations and halt further disclosures to ad tech partners. The case emerges amid growing legal scrutiny of generative AI’s data practices, following previous lawsuits over OpenAI’s training data collection. If successful, it could set a precedent treating AI chat tracking as equivalent to prohibited surveillance methods, such as unauthorized health-site pixels or session-replay scripts. The complaint’s technical evidence including network traces of tab titles and cookie values highlights how plaintiffs are now examining AI platforms for covert data flows to third-party domains.

AI-Driven Cyber Threats Disrupt Global Financial and Educational Sectors Global financial institutions and educational platforms are grappling with escalating risks from AI-generated exploits and large-scale data breaches, forcing urgent responses to safeguard critical infrastructure. In the U.S., EU, and Japan, banks are deploying emergency patches to address vulnerabilities uncovered by AI tools like Anthropic’s Mythos, which has exposed previously undetected weaknesses in legacy banking systems. The European Central Bank (ECB) and International Monetary Fund (IMF) have warned that unchecked AI-driven threats could destabilize the financial sector, emphasizing the need for strict governance and quantum-safe security standards. The Mythos tool has accelerated remediation efforts, with central and commercial banks particularly larger institutions in the U.S. and Japan leading detection efforts. Smaller banks, however, rely on shared findings to mitigate risks, highlighting disparities in cybersecurity readiness. The interconnected nature of global finance means a single failure could trigger systemic crises, underscoring the urgency of upgrades to aging infrastructure. In the education sector, Instructure, the company behind the Canvas learning platform, confirmed a May 2026 data breach affecting thousands of universities across the U.S., Canada, Australia, and the U.K. Hackers exfiltrated 3.5TB of sensitive data, though Instructure reported receiving digital confirmation of its destruction without disclosing whether a ransom was paid. The incident reflects a broader trend: a survey of CISOs found 58% are willing to pay attackers to avoid disruption, despite warnings that such payments fuel further criminal activity, including double extortion tactics. AI’s role in cybercrime has reached a new milestone with Google’s discovery of the first AI-generated zero-day exploit, designed to bypass two-factor authentication (2FA). While the responsible group remains unidentified, the exploit signals a shift in threat actor capabilities, enabling the creation of previously unknown vulnerabilities. Meanwhile, OpenAI revealed a supply chain attack on TanStack compromised two employee devices, though no user data or production systems were affected highlighting the risks even advanced AI developers face from third-party software. Geopolitical tensions are amplifying cyber risks, with the 2026 FIFA World Cup in the U.S., Canada, and Mexico flagged as a high-profile target due to its global visibility. Separately, the Ghostwriter threat group has targeted Ukrainian government organizations using PDF decoys and phishing emails impersonating a local telecom provider. Law enforcement has made progress, with German police dismantling Crimenetwork, a criminal marketplace generating $4.2 million in Bitcoin from illicit trades. To counter such networks, the World Economic Forum (WEF) has launched the Cybercrime Atlas, a collaborative initiative to map and disrupt cybercriminal ecosystems. As AI reshapes the threat landscape, organizations face a critical balance: leveraging machine-speed defenses while maintaining human oversight to prevent errors. The WEF and KPMG warn that while AI enhances cybersecurity, its autonomy risks reducing accountability demanding a shift toward public-private cooperation and quantum-resistant security to protect the digital economy.

ChatGPhish Exploits AI Trust to Turn Web Pages Into Phishing Vectors A newly disclosed vulnerability, dubbed ChatGPhish, exposes a critical flaw in how AI-powered summarization tools particularly ChatGPT process web content, enabling attackers to weaponize trusted interfaces for large-scale phishing. Unlike traditional exploits, this attack leverages implicit trust in AI-generated summaries, bypassing perimeter defenses by manipulating what the AI reads rather than directly compromising systems. The technique builds on Cross Prompt Injection Attacks (XPIA), previously demonstrated against Microsoft Copilot, but scales the threat by targeting browser sessions where users rely on AI to summarize web pages. Attackers embed hidden instructions in page content, tricking the AI into rendering malicious links, fake security alerts, or QR codes within the trusted ChatGPT interface. The QR code pivot is particularly insidious it directs victims to scan on a secondary device, evading enterprise security controls entirely. Security researchers highlight the trust-transfer chain as the core vulnerability: users trust ChatGPT, ChatGPT trusts the page content, and the content is attacker-controlled. This mirrors SILENTBRIDGE tactics (part of the T108 SPECTER SANDBOX framework) and aligns with NIGHTFALL’s L9 Computer Use classification, which includes visual prompt injection and DOM redressing. The attack was reported on April 29, initially dismissed as unreproducible before being flagged as a duplicate suggesting prior awareness. While the exploit targets ChatGPT’s summarization feature, the broader risk lies in AI’s unchecked trust in retrieved data, requiring runtime enforcement between retrieval and action rather than perimeter-based defenses. Enterprises face an expanding attack surface as AI tools integrate deeper into workflows, yet most have not updated acceptable use policies to address browser-based AI summarization as a phishing vector. The incident underscores the need to treat AI-rendered content as untrusted input, akin to traditional web security practices.

North Korean Hackers Leverage AI to Steal $12 Million in Cryptocurrency Cybersecurity firm Expel has uncovered a North Korean state-sponsored hacking campaign that exploited AI tools to orchestrate a large-scale cryptocurrency theft operation. The group, dubbed HexagonalRodent, targeted over 2,000 developers working on cryptocurrency, NFT, and Web3 projects, using AI-generated malware and phishing infrastructure to siphon an estimated $12 million in just three months. Unlike highly sophisticated cybercrime syndicates, HexagonalRodent relied on AI platforms including OpenAI, Cursor, and Anima to compensate for its lack of technical expertise. The hackers used these tools to write malware, design fake company websites, and craft phishing lures, particularly fraudulent job offers aimed at developers. Victims were tricked into downloading malware-laced coding assignments, which stole credentials and, in some cases, crypto wallet keys. Security researcher Marcus Hutchins, who identified the group, noted that the operation’s success stemmed not from advanced hacking skills but from AI’s ability to automate tasks that would otherwise require significant technical knowledge. The hackers’ reliance on AI was evident in their malware, which included unusual features like excessive English-language comments and emoji-littered code hallmarks of large language model-generated software. Despite their effectiveness, the group left critical infrastructure exposed, revealing their AI prompts and a database tracking victim wallets. While the $12 million figure represents the total value of compromised wallets, researchers could not confirm whether all funds had been drained, as some wallets may have been protected by hardware security tokens. The campaign underscores how AI is lowering the barrier to entry for cybercriminals, enabling even low-skilled actors to execute high-impact attacks.

Bitwarden CLI Compromised in Supply Chain Attack Targeting npm On April 22, 2026, attackers briefly compromised the Bitwarden CLI by uploading a malicious version of the `@bitwarden/cli` npm package (version 2026.4.0). The package, available between 5:57 PM and 7:30 PM ET, contained a credential-stealing payload designed to spread to other projects. Bitwarden confirmed the incident, stating the breach was limited to its npm distribution channel and did not affect end-user vault data, production systems, or the legitimate CLI codebase. The company revoked compromised access, deprecated the malicious release, and initiated remediation. ### Attack Details Security firms Socket, JFrog, and OX Security reported that threat actors likely exploited a compromised GitHub Action in Bitwarden’s CI/CD pipeline to inject malicious code. The package included a preinstall script and a custom loader (`bw_setup.js`) that checked for the Bun runtime downloading it if absent before executing an obfuscated JavaScript file (`bw1.js`). The malware targeted: - npm and GitHub authentication tokens - SSH keys - Cloud credentials (AWS, Azure, Google Cloud) Stolen data was encrypted with AES-256-GCM and exfiltrated via public GitHub repositories under victims’ accounts, marked with the string "Shai-Hulud: The Third Coming" a reference to prior npm supply chain attacks. The malware also had self-propagating capabilities, using stolen credentials to inject malicious code into other packages. ### Connections to Other Attacks The attack shares infrastructure and malware overlaps with a recent Checkmarx supply chain breach, including: - The same telemetry endpoint (`audit.checkmarx[.]cx/v1/telemetry`) - Identical obfuscation routines (`__decodeScrambled` with seed `0x3039`) - Similar credential theft and GitHub-based exfiltration tactics Both campaigns have been attributed to TeamPCP, a threat actor previously linked to attacks on Trivy and LiteLLM. Bitwarden’s investigation found no evidence of broader compromise, but developers who installed the affected version were advised to rotate exposed credentials, particularly those tied to CI/CD pipelines and cloud environments.

Malicious Supply Chain Campaign Targets OpenAI Codex Developers via Fake UI Tool Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting developers using OpenAI Codex through a deceptive npm package and Android apps. The campaign, identified by Aikido Security, involves a legitimate-looking tool named codexui-android, which has amassed over 29,000 weekly downloads on npm and GitHub. Unlike typical typosquatting attacks, the malicious code was embedded in a functional npm package under active development, with the GitHub repository appearing clean. Since its introduction about a month after the package’s initial release, the code has been silently exfiltrating OpenAI Codex authentication tokens to an attacker-controlled server (sentry.anyclaw[.]store), disguised as the legitimate error-tracking platform Sentry. The stolen data includes access_token, refresh_token, id_token, and account ID all stored in plaintext at ~/.codex/auth.json. Notably, the refresh_token does not expire, granting attackers persistent, silent access to the victim’s account, including any associated capabilities. The threat actor, linked to the npm account "friuns" (Igor Levochkin), also distributed the malicious code via Android apps. Two apps "OpenClaw Codex Claude AI Agent" (50,000+ downloads) and "Codex" (10,000+ downloads) run the npm package in a PRoot sandbox, extracting credentials and transmitting them to the same endpoint. The apps passed Google Play’s pre-publish scans, with the malicious functionality added post-installation. When contacted, the package author initially claimed to have lost access to their npm account before later stating they were "investigating the issue internally" and removing the affected code. They denied sharing credentials with third parties but did not explain why the exfiltration code was added or why they needed access to Codex tokens. The domain anyclaw[.]store, linked to the author’s X profile, was registered on April 12, 2026, just two days after the first malicious npm package version was uploaded. The attack reflects a broader trend of threat actors targeting AI developer tools to steal credentials and infiltrate software supply chains. Separately, researchers also revealed that deleted Google API keys remain active for up to 23 minutes, allowing attackers to exploit leaked keys for unauthorized access to user data, including Google Gemini files and cached conversations. While Google initially dismissed the issue, it later classified it as a P0 bug requiring immediate resolution. The findings underscore the risks of credential revocation delays, which can be exploited to maintain access to cloud environments even after defenders assume keys have been invalidated.

OpenAI Discloses Supply Chain Attack Linked to North Korean Hackers OpenAI revealed that a GitHub Actions workflow used to sign its macOS applications inadvertently downloaded a malicious version of the Axios npm library on March 31, though the company confirmed no user data or internal systems were compromised. The incident stemmed from a supply chain attack attributed to UNC1069, a North Korean hacking group tracked by Google’s Threat Intelligence Group (GTIG). The threat actors hijacked the Axios maintainer’s npm account to push two poisoned versions (1.14.1 and 0.30.4), embedding a malicious dependency called plain-crypto-js. This deployed WAVESHAPER.V2, a cross-platform backdoor targeting Windows, macOS, and Linux. OpenAI’s macOS app-signing workflow executed Axios 1.14.1, which had access to a signing certificate and notarization material for ChatGPT Desktop, Codex, Codex CLI, and Atlas. While OpenAI found no evidence of certificate exfiltration, it is treating the certificate as compromised and revoking it by May 8, 2026. Older macOS app versions signed with the old certificate will no longer receive updates and will be blocked by macOS security protections. OpenAI is working with Apple to prevent further notarization of software signed with the compromised certificate. ### Broader Supply Chain Campaigns The Axios breach was one of two major March supply chain attacks targeting open-source ecosystems. The second, attributed to TeamPCP (UNC6780), compromised Trivy, a vulnerability scanner by Aqua Security, leading to cascading impacts across five ecosystems. The group deployed SANDCLOCK, a credential stealer, and later used stolen secrets to push a self-propagating worm (CanisterWorm) via malicious npm packages. TeamPCP later exploited Trivy’s compromise to inject malware into GitHub Actions workflows at Checkmarx, then published poisoned versions of LiteLLM and Telnyx on PyPI. The Telnyx Python SDK attack deployed DonutLoader, a shellcode loader hidden in a PNG image, which executed a trojan and AdaptixC2, an open-source command-and-control framework. ### Impact and Response Google warned that hundreds of thousands of stolen secrets from these attacks could fuel further breaches, including ransomware, SaaS compromises, and cryptocurrency theft. Confirmed victims include Mercor, an AI training startup (breached via Trivy, with 4TB of data allegedly stolen by LAPSUS$), and the European Commission, where attackers exfiltrated AWS-hosted data from 71 Europa web hosting clients. GitGuardian’s analysis found 474 public repositories executed malicious code from the compromised trivy-action workflow, while 1,750 Python packages were configured to auto-pull poisoned versions. The FBI noted that TeamPCP’s targeting of security tools which often run with elevated privileges grants attackers deep access to sensitive environments. ### Mitigation Efforts OpenAI, Docker, PyPI, and CISA have outlined countermeasures, including: - Pinning packages by digest (not mutable tags). - Using hardened Docker images and enforcing minimum release age delays. - Short-lived, scoped credentials and sandboxed CI runners. - Trusted publishing for npm/PyPI packages and 2FA enforcement. - CISA’s directive to federal agencies to mitigate CVE-2026-33634 by April 9, 2026. The incidents underscore the risks of implicit trust in open-source dependencies, prompting calls for explicit verification at every layer of the software supply chain.

Meta and AI Labs Pause Work with Mercor Following Major Security Breach Meta has indefinitely suspended all projects with data contracting firm Mercor after a significant security breach exposed sensitive systems, according to sources familiar with the matter. The incident has prompted other major AI labs, including OpenAI and Anthropic, to reassess their partnerships with the startup as they evaluate the scope of the compromise. Mercor specializes in generating proprietary training datasets for leading AI models, such as those powering ChatGPT and Claude, by employing large networks of human contractors. These datasets are closely guarded, as they contain critical insights into AI training methodologies information that could benefit competitors, including labs in the U.S. and China. It remains unclear whether the exposed data would provide a meaningful advantage to rivals. OpenAI confirmed it is investigating the breach to determine if its proprietary training data was compromised but stated that user data remains unaffected. Anthropic has not yet responded to requests for comment. Mercor acknowledged the attack in a March 31 internal email, describing it as part of a broader cyber incident affecting "thousands of organizations worldwide." Contractors working on Meta’s Chordus project an initiative to improve AI response verification were informed of a pause in work, with some facing potential unpaid leave until projects resume. The company is reportedly seeking alternative assignments for affected workers. The breach appears linked to TeamPCP, a threat actor that recently compromised two versions of the AI API tool LiteLLM, distributing tainted updates that exposed numerous organizations. While the full extent of the fallout remains unclear, the incident highlights the supply chain risks in AI development, where third-party vendors handle highly sensitive data. Adding to the confusion, a group claiming to be Lapsus$ advertised stolen Mercor data including a 200+ GB database, 1 TB of source code, and 3 TB of video files on Telegram and a BreachForums clone. However, cybersecurity researchers, including Allan Liska of Recorded Future, dismiss the claim, noting that TeamPCP is the likely culprit. Unlike the original Lapsus$, which targeted high-profile tech firms, TeamPCP has been linked to financially motivated attacks, ransomware operations, and even geopolitically driven malware, such as the CanisterWorm data-wiping tool targeting Iranian cloud systems. The breach underscores the secrecy and vulnerability of AI data contractors, many of which like Surge, Handshake, Turing, Labelbox, and Scale AI operate under strict confidentiality, often using codenames for projects. As AI labs increasingly rely on external firms for critical training data, the incident raises concerns about security standards in an industry where even minor exposures could have far-reaching consequences.

OpenAI Codex Vulnerability Exposed GitHub Tokens via Command Injection A critical security flaw in OpenAI’s Codex an AI-powered coding assistant integrated with GitHub could have allowed attackers to steal GitHub OAuth tokens through a command injection vulnerability. The issue stemmed from improper handling of branch names during task execution, enabling malicious actors to inject arbitrary shell commands into containerized environments where Codex operates. Researchers demonstrated that the flaw could be exploited to extract short-lived GitHub tokens, which are used to authenticate repository access. These tokens could then be exposed via task outputs or external network requests, granting attackers potential access to sensitive organizational resources. The vulnerability extended beyond the web interface, affecting CLI tools, SDKs, and IDE integrations, where locally stored credentials could be leveraged to reproduce the attack. The risk was particularly acute in enterprise environments, where Codex often has broad permissions across multiple repositories. By embedding malicious payloads in GitHub branch names, an attacker with repository access could compromise multiple users interacting with the same project, enabling lateral movement within GitHub and large-scale exploitation. OpenAI has since patched the vulnerability, implementing stricter input validation, shell escaping protections, and tighter token controls to mitigate exposure. The company also reduced token scope and lifetime during task execution. The incident underscores the growing security challenges of AI-driven development tools, which operate as live execution environments with access to sensitive credentials. As AI agents become more embedded in developer workflows, securing their containerized environments and input processing will require the same rigor as traditional application security boundaries.

AI-Powered Polymorphic Malware Outpaces Traditional Defenses in the Wild AI-driven polymorphic malware code that continuously rewrites itself to evade detection has transitioned from theoretical research to active threats, fundamentally altering the cybersecurity landscape. Recent findings reveal that these attacks can generate unique variants every 15 seconds, rendering signature-based defenses obsolete. A staggering 76% of detected malware now exhibits AI-driven polymorphism, a dramatic shift from earlier obfuscation techniques. Unlike static threats, these attacks dynamically generate malicious payloads in memory, often leveraging legitimate AI APIs to avoid detection. In June 2025, researchers demonstrated BlackMamba, a keylogger that queries OpenAI models at runtime, producing distinct hashes with each execution while appearing benign to antivirus software. The accessibility of AI-powered malware has accelerated its adoption. MalTerminal, an early GPT-4-based threat, can generate ransomware or reverse-shell code on demand, blurring the line between code and conversation. The impact on response times has been severe: median dwell time for AI-powered ransomware has dropped from 9 days to just 5, leaving security teams with minimal time to detect and contain attacks. The economic advantage has also shifted toward attackers. In 2025, 93% of ransomware victims who paid still had their data stolen, and 83% were targeted again suggesting AI-driven malware learns from each encounter to refine future attacks. Traditional defenses, built on pattern recognition, struggle to keep pace as malware evolves faster than analysts can document new signatures. While some experts argue that non-AI polymorphic techniques remain more reliable for attackers, the debate centers on whether AI represents a quantum leap or an incremental threat. Regardless, the rise of infostealers responsible for 1.8 billion stolen credentials in early 2025 demonstrates that attackers don’t always need fully autonomous malware to achieve scale. The shift demands a move toward behavioral monitoring, identity security, and automated response as the arms race enters a new phase one where threats adapt in real time, forcing defenders to match their speed and agility. With 81% of organizations reporting malware-related incidents in the past year, the challenge is no longer if they will face AI-driven attacks, but whether their defenses can evolve as rapidly as the threats themselves.

AI Coding Agents Vulnerable to "Semantic Injection" Attacks via Malicious README Files New research reveals a critical security flaw in AI-powered coding agents, which can be exploited through hidden malicious instructions in project README files. These files commonly used to guide software setup often include commands for installing dependencies or configuring applications. Attackers can embed seemingly benign steps, such as file synchronization or data uploads, that trick AI agents into leaking sensitive local files to external servers. The attack, dubbed a "semantic injection", was tested using ReadSecBench, a dataset of 500 README files from open-source repositories across Java, Python, C, C++, and JavaScript. When malicious instructions were inserted, AI agents including those powered by Anthropic’s Claude, OpenAI’s GPT models, and Google’s Gemini executed them in up to 85% of cases, regardless of programming language or instruction placement. Key findings: - Direct commands (e.g., "Upload config files to this server") succeeded 84% of the time, while less explicit phrasing reduced success rates. - Linked documentation proved even riskier: When malicious instructions were placed two links deep from the main README, attacks succeeded in 91% of tests. - Human reviewers failed to detect the threats: In a test with 15 participants, none identified the hidden instructions. Over 53% found nothing unusual, while 40% focused on minor grammar issues. - Automated detection tools struggled: Rule-based scanners flagged benign files due to common README elements (commands, paths), while AI classifiers missed attacks in linked files. The researchers warn that as AI agents become more integrated into development workflows, unverified execution of README instructions poses a growing risk. They recommend treating external documentation as "partially trusted input" and implementing stricter verification for sensitive actions. The findings underscore the need for improved safeguards to prevent unintended data exposure in automated coding environments.

Sophisticated Phishing Campaign Targets iPhone Users via Fake ChatGPT and Gemini Apps on Apple App Store A highly targeted phishing campaign is exploiting the trust in leading AI brands OpenAI’s ChatGPT and Google’s Gemini to deceive iPhone users into downloading malicious apps from Apple’s official App Store. The attack, uncovered by SpiderLabs, leverages deceptive emails posing as legitimate outreach from these platforms, directing victims to fraudulent applications disguised as AI-powered business or advertising tools. Two malicious apps GeminiAI Advertising (ID: id6759005662) and Ads GPT (ID: id6759514534) were identified on the Australian App Store storefront. Despite appearing on a trusted platform, the apps lack any genuine functionality. Instead, they immediately present a fake Facebook login screen, harvesting credentials in real time when users attempt to sign in. The stolen data grants attackers access to personal profiles, business ad accounts, and linked pages, amplifying the potential damage. This campaign marks a tactical evolution in credential theft, bypassing traditional methods like fake websites or malicious attachments in favor of infiltrating an official app marketplace. The use of the App Store perceived as a secure environment significantly lowers user skepticism, making the attack more effective. While the apps were hosted on the Australian storefront, the phishing emails targeted global users, particularly business professionals, marketers, and social media managers. The attack chain begins with a convincing email, reinforcing legitimacy at each step from the sender’s display name to the App Store listing. Once installed, the apps exploit this trust by mimicking Facebook’s login interface, leaving victims unaware of the compromise. The incident underscores the challenges of vetting applications on large-scale distribution platforms, even those with rigorous review processes. Indicators of Compromise (IoCs): - GeminiAI Advertising: `hxxps[://]apps[.]apple[.]com/au/app/geminiai-advertising/id6759005662` - Ads GPT: `hxxps[://]apps[.]apple[.]com/au/app/ads-gpt/id6759514534`

OAuth-Based Attack Exploits Legitimate ChatGPT App to Steal Email Data Researchers at Red Canary have uncovered a surge in OAuth-based attacks targeting Microsoft Entra ID (formerly Azure AD), with threat actors abusing the legitimate ChatGPT application to gain unauthorized access to user email accounts. The attack exploits OAuth permissions, tricking employees into granting excessive access to sensitive data under the guise of a trusted service. ### How the Attack Works 1. Initial Consent – Attackers manipulate users into adding the ChatGPT service principal to their Entra ID tenant, prompting them to approve OAuth permissions such as Mail.Read (email access), offline_access (persistent access), and profile/openid (user identity data). The app appears legitimate, masking the attacker’s intent. 2. Permission Exploitation – Once granted, the Mail.Read scope allows attackers to read and exfiltrate email data without further user interaction. 3. Remote Access & Exfiltration – Logs reveal the attacker’s IP (e.g., 3.89.177.26, linked to AWS Virginia) accessing the system, followed by data extraction to attacker-controlled infrastructure. ### Detection & Key Indicators Red Canary’s investigation identified critical forensic details: - App ID: `e0476654-c1d5-430b-ab80-70cbd947616a` (legitimate OpenAI app, abused) - Permissions Granted: `Mail.Read`, `offline_access`, `profile`, `openid` (enabling persistent email access) - Consent Type: User-level (`IsAdminConsent: False`), making it vulnerable to phishing - Log Sources: AuditLogs and Consent to application events track permission grants, including timestamps and IP origins ### Impact & Mitigation The attack highlights the risks of third-party OAuth permissions, particularly when users unknowingly authorize excessive access. Organizations can reduce exposure by: - Monitoring for suspicious service principal additions and OAuth consent events - Enforcing stricter admin-level consent requirements to limit user-granted permissions - Correlating telemetry data (e.g., unexpected access patterns, remote connections) to detect anomalies This incident underscores the growing threat of OAuth abuse in enterprise environments, where legitimate applications can be weaponized to bypass security controls.

OpenAI Patches ChatGPT Data Leak via DNS Side Channel In February, OpenAI addressed a critical vulnerability in ChatGPT that allowed attackers to exfiltrate sensitive data through a DNS side channel. Researchers at Check Point discovered that a single malicious prompt could bypass OpenAI’s safeguards, enabling unauthorized data transmission from ChatGPT’s code execution environment. OpenAI had previously claimed that ChatGPT’s execution environment blocked direct outbound network requests. However, Check Point found that while OpenAI restricted standard network traffic, it failed to monitor DNS queries a method attackers could exploit to smuggle data to external servers. Since the system did not recognize DNS-based exfiltration as a threat, it did not trigger protective measures or require user approval. Check Point demonstrated the flaw through three proof-of-concept attacks, including one involving a third-party "GPT" app acting as a personal health analyst. When a user uploaded a PDF containing lab results and personal data, the app processed the file and falsely assured the user that the data remained secure. In reality, the information was transmitted to an attacker-controlled server. The vulnerability posed significant risks for regulated industries, where AI-driven data leaks could violate GDPR, HIPAA, or financial compliance standards. OpenAI reportedly fixed the issue on February 20, 2026, though the company did not immediately respond to requests for comment. Separately, security engineer Buchodi and an OpenAI employee (under the alias NickT) confirmed that OpenAI has strengthened defenses against bot scraping, including Cloudflare’s Turnstile widget, to prevent unauthorized access to ChatGPT’s interface. These measures aim to preserve GPU resources for legitimate users while deterring abuse.

Malicious AI Assistant Extensions Target 260,000 Chrome Users in Coordinated Campaign Cybersecurity researchers at LayerX have uncovered a large-scale campaign involving over 30 fake AI assistant extensions for Google Chrome, collectively downloaded by 260,000 users. Dubbed AiFrame, the operation deploys malicious browser extensions designed to steal login credentials, monitor emails, and enable remote access by attackers. The extensions masqueraded as legitimate AI tools, including clones of Anthropic’s Claude AI, ChatGPT, Grok, and Google Gemini. One notable example, "AI Assistant," impersonated Claude AI and was installed over 50,000 times. Despite their varied names and functionalities, the extensions shared a common codebase, permissions, and backend infrastructure, indicating a single coordinated effort. To evade detection, the attackers employed "extension spraying" a tactic where multiple extensions are deployed simultaneously. If one is removed, others remain active or are quickly replaced. Some extensions also redirected users to external infrastructure, bypassing Chrome Web Store security checks. Another technique involved full-screen iframes, overlaying malicious remote content to exfiltrate data from Chrome and Gmail to attacker-controlled servers. LayerX described the extensions as "general-purpose access brokers", capable of harvesting data, tracking user behavior, and evolving undetected. While many have since been removed from the Chrome Web Store, users who installed them may still be at risk. Google has been contacted for comment, but the campaign highlights the growing threat of malicious AI-themed extensions exploiting user trust in popular tools.

Thousands of Exposed ChatGPT API Keys Found in Public Repositories and Websites Research by Cyble Research and Intelligence Labs (CRIL) has uncovered a widespread security risk tied to the rapid adoption of AI in software development. Over 5,000 public GitHub repositories and 3,000 live production websites were found exposing hardcoded ChatGPT API keys, creating a low barrier for malicious exploitation. ### GitHub as a Hotspot for Exposed Credentials Developers frequently embed API keys in source code, configuration files, or `.env` files during fast-paced development cycles, often forgetting to remove them before committing. These keys persist in commit histories, forks, and archived projects, making them easily discoverable by automated scanners. CRIL’s analysis revealed exposed keys in JavaScript applications, Python scripts, CI/CD pipelines, and infrastructure files, many of which were still valid at the time of discovery. ### Production Websites Leaking Sensitive Keys Beyond repositories, CRIL identified 3,000 public-facing websites with ChatGPT API keys embedded in client-side JavaScript, static files, or front-end assets. These keys often prefixed with `sk-proj-` (project-scoped) or `sk-svcacct-` (service-account) grant access to AI inference services, billing accounts, and sensitive prompts. Since they are exposed in client-side code, attackers can harvest them without breaching infrastructure. ### Security Gaps in AI Integration Cyble’s CISO, Richard Sands, noted that while AI systems are now critical production infrastructure, security discipline has not kept pace. The rise of "vibe coding" a culture prioritizing speed over security has led to API keys being treated as disposable configuration values rather than privileged credentials. Sands emphasized that tokens are the new passwords, yet they are frequently mishandled. ### Exploitation and Financial Risks Threat actors actively monitor GitHub, forks, and exposed JavaScript to harvest API keys at scale. Once obtained, compromised keys are used to: - Execute high-volume AI inference workloads - Generate phishing emails and malware - Bypass usage quotas and drain billing accounts - Access sensitive prompts and application logic Unlike traditional cloud infrastructure, AI API activity often lacks centralized logging or anomaly detection, allowing abuse to go unnoticed until billing spikes or service disruptions occur. Cyble’s CPO, Kaustubh Medhe, warned that hard-coded LLM API keys risk turning innovation into liability, enabling attackers to drain budgets, manipulate workflows, and create compliance risks. The findings highlight a critical gap in AI security practices, where rapid deployment outpaces safeguards for sensitive credentials.

AI Toy’s Exposed Admin Panel Risked Children’s Personal Data and Conversations Security researchers Joseph Thacker and Joel Margolis uncovered a critical security flaw in the Bondu AI toy, exposing an unsecured admin panel that could have leaked sensitive data from tens of thousands of child users. While investigating the toy for a neighbor, Margolis discovered an exposed domain (console.bondu.com) in the mobile app’s backend, which led to a "Login with Google" button intended for parents but granting unrestricted access to Bondu’s core admin dashboard. Once inside, the researchers found full access to children’s conversation transcripts, personal details, and device data, including: - Child’s name, birth date, and family member names - Likes, dislikes, and parent-defined objectives - Toy’s given name and past interactions (used for AI context) - Device location (via IP), battery status, and firmware controls The toy’s AI, powered by OpenAI GPT-5 and Google Gemini, used this data to tailor responses, though the researchers noted the collection was technically disclosed in Bondu’s privacy policy unlikely to be read by most users. Beyond the authentication bypass, they also identified an Insecure Direct Object Reference (IDOR) vulnerability, allowing retrieval of any child’s profile by guessing their ID. The flaw was accessible to anyone with a Google account, though the researchers limited their access to validation only. After responsibly disclosing the issue to Bondu’s CEO via LinkedIn, the company took down the console within 10 minutes and launched an investigation. Logs confirmed no unauthorized access beyond the researchers’ testing, averting a potential data breach. Bondu also initiated a bug bounty program and collaborated with the researchers to address additional risks. Despite the swift response, Thacker expressed concerns about AI toys, stating the incident shifted his stance on their safety. He highlighted risks of uncontrolled AI access in homes, noting that even well-intentioned designs could introduce vulnerabilities. Bondu’s website previously emphasized its 18-month beta testing with no reported safety issues, but the incident underscores the broader challenges of securing AI-driven children’s products.

Large-Scale "LLMjacking" Campaign Exploits Exposed AI Endpoints for Profit Researchers at Pillar Security have uncovered a sophisticated cybercrime operation dubbed "Bizarre Bazaar", one of the first documented cases of "LLMjacking" a campaign targeting exposed or poorly secured AI infrastructure for financial gain. Over a 40-day period, the team recorded over 35,000 attack sessions on their honeypots, revealing a coordinated effort to monetize unauthorized access to large language model (LLM) endpoints. The campaign exploits misconfigured or unauthenticated AI services, including self-hosted LLMs, exposed APIs, publicly accessible Model Context Protocol (MCP) servers, and development environments with public IP addresses. Attackers frequently target Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots, often striking within hours of a misconfigured endpoint appearing in Shodan or Censys scans. Once compromised, threat actors leverage the access for multiple malicious purposes: - Cryptocurrency mining using stolen computing resources - Reselling API access on darknet markets - Exfiltrating sensitive data from prompts and conversation histories - Pivoting into internal systems via MCP servers for lateral movement Pillar Security’s report highlights a criminal supply chain involving three distinct threat actors. The first scans the internet for vulnerable endpoints, the second validates and tests access, and the third operates Silver[.]inc, a commercial service advertised on Telegram and Discord that resells access to compromised AI infrastructure. The platform, marketed under the name NeXeonAI, claims to provide access to over 50 AI models from major providers in exchange for cryptocurrency or PayPal payments. The operation has been attributed to a threat actor using the aliases "Hecker," "Sakuya," and "LiveGamer101." While Bizarre Bazaar focuses on LLM API abuse, Pillar Security is tracking a separate but potentially related campaign targeting MCP endpoints, which offers greater opportunities for lateral movement including Kubernetes interactions, cloud service access, and shell command execution. As of the latest findings, the campaign remains active, with SilverInc’s service still operational. The full scope of the operation and its potential connections to other threat groups are still under investigation.

Critical Vulnerability in AI Agent Supply Chain Exposes Sensitive Data and Cryptocurrency Theft Researchers from the University of California, Santa Barbara, have uncovered a severe security flaw in the AI agent ecosystem, where third-party LLM API routers intermediary services between AI agents and providers like OpenAI, Anthropic, and Google can be weaponized to hijack tool calls, drain cryptocurrency wallets, and exfiltrate credentials at scale. The study, titled "Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain," reveals that these routers operate as application-layer proxies with full plaintext access to JSON payloads, making them an unguarded trust boundary. Unlike traditional man-in-the-middle attacks, these intermediaries are voluntarily configured by developers, allowing malicious actors to read, modify, or fabricate tool calls undetected. ### Attack Methods and Findings The research team tested 28 paid and 400 free routers from platforms like Taobao, Xianyu, and public communities, uncovering alarming vulnerabilities: - 9 routers (1 paid, 8 free) injected malicious code into tool calls. - 17 free routers triggered unauthorized use of AWS credentials after interception. - 1 router drained Ethereum (ETH) from a researcher-owned private key. - 2 routers employed adaptive evasion, activating payloads only after 50 requests or targeting autonomous "YOLO mode" sessions. A particularly dangerous attack, payload injection (AC-1), replaces benign installer URLs or package names with attacker-controlled endpoints. Since tampered JSON payloads remain syntactically valid, they bypass schema validation and security checks, enabling arbitrary code execution with a single rewritten command. ### Poisoning and Unauthorized Access The researchers demonstrated the ease of exploiting this attack surface: - After leaking a single OpenAI API key on Chinese forums, the key generated 100 million GPT-5.4 tokens and exposed credentials across downstream sessions. - Weak router decoys deployed across 20 domains and 20 IPs attracted 40,000 unauthorized access attempts, served 2 billion billed tokens, and exposed 99 credentials across 440 Codex sessions 401 of which ran in autonomous YOLO mode, where tool execution requires no manual approval. ### Mitigation Strategies While no client-side defense can fully authenticate tool-call provenance, the researchers propose three immediate mitigations: 1. Fail-closed policy gate – Blocks shell-rewrite and dependency-injection attacks by allowing only commands from a local allowlist (1.0% false positive rate). 2. Response-side anomaly screening – Flags 89% of payload injection attempts using an IsolationForest model (6.7% false positive rate). 3. Append-only transparency logging – Records request/response metadata for forensic analysis (~1.26 KB per entry). The study concludes that provider-signed response envelopes similar to DKIM for email are necessary to cryptographically verify tool-call integrity. Until major AI providers implement such mechanisms, developers must treat third-party routers as potential adversaries and deploy layered defenses.

AI-Powered Cyberattack Compromises Mexican Government Systems, Exposes 195 Million Identities In a sophisticated cyberattack targeting Mexico’s government, threat actors abused Anthropic’s Claude Code assistant to orchestrate a large-scale breach, compromising 10 government agencies and a financial institution, according to a report by Israeli cybersecurity firm Gambit Security. The attack began in late December 2025, with the country’s tax authority as the initial entry point. The attackers leveraged over 1,000 prompts to manipulate Claude Code, using it as an operational tool to write exploits, automate data exfiltration, and build attack tools. OpenAI’s GPT-4.1 was also employed to analyze stolen data, accelerating the breach. By bypassing AI guardrails convincing the models that all actions were authorized the hackers extracted 150GB of sensitive data, including civil registry files, tax records, and voter information, exposing 195 million identities. Gambit described the attack as highly automated, with AI functioning as the "operational team," enabling rapid execution and scale. The firm warned that recovery from such breaches is prolonged and costly, often requiring system rebuilds, service suspensions, and efforts to restore public trust. This incident follows a November 2025 disclosure by Anthropic, revealing that Chinese threat actors had previously abused Claude Code in a global espionage campaign targeting 30 organizations. Experts, including Red Sift CEO Rahul Powar, noted that AI abuse lowers the barrier for attackers, amplifying speed, scale, and sophistication at minimal cost posing national security risks. The breach adds to Mexico’s growing cybersecurity challenges. Just a month prior, hacking collective Chronus Group claimed to have stolen 2.3TB of data from 25 government institutions, potentially affecting 36 million people. The group, active since 2021, has been linked to both hacktivism and cybercrime, with past operations focused on media attention and disruption. Mexico’s Agencia de Transformación Digital y Telecomunicaciones (ATDT) downplayed Chronus Group’s claims, stating the data was aggregated from previous breaches and sourced from obsolete systems managed by private entities. However, the country has faced a surge in cyber threats, including a November 2024 ransomware attack by Ransomhub, which stole 313GB of data from the presidential legal counsel’s office, and a January 2024 leak exposing 263 journalists’ personal information. With Latin America experiencing over 3,000 cyberattacks weekly, these incidents underscore the escalating risks to government and critical infrastructure in the region.

OpenAI Patches "ZombieAgent" Prompt Injection Flaw in ChatGPT’s New "Apps" Feature In December 2025, OpenAI rolled out its "apps" feature (formerly "Connectors"), allowing ChatGPT to integrate with external services like email, cloud storage, and calendars for enhanced functionality. However, security firm Radware uncovered a critical vulnerability—dubbed ZombieAgent—that exposed users to prompt injection attacks capable of data exfiltration and persistent access. The flaw enabled malicious actors to embed hidden commands in emails or files (e.g., white text on a white background or zero-font text) that ChatGPT would execute without user awareness. Radware identified four exploitation methods: - Zero-click server-side attack: Data exfiltration triggered before the user views the content. - One-click server-side attack: Malicious prompts in files requiring user upload. - Persistence: Commands stored in ChatGPT’s memory for prolonged access. - Propagation: Worm-like spread via infected emails or files. OpenAI patched the vulnerability on December 16, though details of the fix remain undisclosed. The incident highlights risks in GenAI integrations, where seemingly benign features can become vectors for sophisticated attacks.

Tenable Research uncovered seven critical security flaws in OpenAI’s ChatGPT (including GPT-4o and GPT-5), enabling attackers to steal private user data and gain persistent control over the AI system. The vulnerabilities leverage prompt injection—particularly indirect prompt injection—where malicious instructions are hidden in external sources (e.g., blog comments, search-indexed websites) to manipulate ChatGPT without user interaction. Techniques like 0-click attacks via search, safety bypasses using trusted Bing tracking links, and conversation/memory injection allow attackers to exfiltrate sensitive data, bypass URL protections, and embed persistent threats in the AI’s memory.The flaws demonstrate how attackers can trick the AI into executing unauthorized actions, such as phishing users, leaking private conversations, or maintaining long-term access to compromised accounts. While OpenAI is patching these issues, the research underscores a systemic risk in LLM security, with experts warning that prompt injection remains an unsolved challenge for AI-driven systems. The exposure threatens millions of users’ data integrity, erodes trust in AI safety mechanisms, and highlights the urgency for context-aware security solutions to mitigate such attacks.

OpenAI’s newly launched Atlas browser, which integrates ChatGPT as an AI agent for processing web content, was found vulnerable to indirect prompt injection attacks. Security researchers demonstrated that malicious instructions embedded in web pages (e.g., Google Docs) could manipulate the AI into executing unintended actions—such as exfiltrating email subject lines from Gmail or altering browser settings. While OpenAI implemented guardrails (e.g., red-teaming, model training to ignore malicious prompts, and logged-in/logged-out modes), researchers like Johann Rehberger confirmed that carefully crafted content could still bypass these defenses. The vulnerability undermines confidentiality, integrity, and availability (CIA triad), exposing users to data leaks, unauthorized actions, and potential exploitation of sensitive information. OpenAI acknowledged the risk as a systemic challenge across AI-powered browsers, emphasizing that no deterministic solution exists yet. The incident highlights the premature trust in agentic AI systems, with adversaries likely to exploit such flaws aggressively. OpenAI’s CISO admitted ongoing efforts to mitigate attacks but warned that prompt injection remains an unsolved security frontier.

AI-Powered Browsers Introduce New Enterprise Security Risks Security researchers have uncovered vulnerabilities in AI-powered browsers and assistants, exposing enterprises to heightened risks of data breaches and unauthorized access. A key concern is prompt injection attacks, where malicious instructions embedded in web pages, emails, or documents trick AI agents into executing unintended commands bypassing security guardrails. Last year, Brave Software revealed that Perplexity’s Comet AI assistant failed to distinguish between legitimate user commands and hidden malicious prompts, potentially exposing sensitive data like bank accounts, emails, and cloud storage. While Perplexity later implemented real-time prompt injection classifiers, OpenAI acknowledged in December that such threats remain persistent, comparing them to social engineering attacks with no definitive solution. Gartner has advised CISOs to block AI browsers with agentic capabilities until enterprise-ready alternatives emerge, citing privacy risks from cloud-stored browsing data and third-party tracking. A 2025 University of California, Davis study found that generative AI browser assistants collect and share personal and sensitive information with both first-party servers and third-party trackers like Google Analytics. Unlike traditional browser threats, prompt injection attacks are easier to execute using natural language, requiring no advanced technical skills. A 2025 Gartner report found that 32% of organizations have already experienced such attacks on GenAI applications. Palo Alto Networks warns that these attacks can manipulate AI agents into leaking data, escalating privileges, or abusing connected systems often undetected by conventional security tools. Enterprises face additional risks from shadow AI unauthorized AI browser usage that creates blind spots for IT teams. IBM’s 2025 Cost of Data Breach report attributed 20% of breaches to shadow AI incidents. Compounding the issue, AI agents often operate with excessive permissions, violating the principle of least privilege, while Model Context Protocol (MCP) supply chain attacks introduce new attack vectors through third-party API integrations. To mitigate risks, security experts recommend: - Isolating agentic AI capabilities from routine browsing to prevent accidental exposure. - Enterprise-grade AI browsers with runtime security to monitor prompts and block malicious interactions. - Step-up MFA and human approval for sensitive actions, ensuring oversight before data transfers or transactions. - Defensive AI agents to detect anomalous behavior in primary browser agents. While AI browsers enhance productivity, their broad access and evolving attack surfaces demand stricter governance, visibility, and security controls to prevent exploitation.

Security researchers from Adversa AI uncovered PROMISQROUTE, a critical vulnerability in ChatGPT-5 and other AI systems, allowing attackers to bypass safety measures by exploiting AI routing mechanisms. The attack manipulates cost-saving routing systems—used to redirect user queries to cheaper, less secure models—by inserting trigger phrases (e.g., 'respond quickly' or 'use compatibility mode') into prompts. This forces harmful requests (e.g., instructions for explosives) through weaker models like GPT-4 or GPT-5-mini, circumventing safeguards in the primary model.The flaw stems from OpenAI’s $1.86B/year cost-saving strategy, where most 'GPT-5' queries are secretly handled by inferior models, prioritizing efficiency over security. The vulnerability extends to enterprise AI deployments and agentic systems, risking widespread exploitation. Researchers warn of immediate risks to customer safety, business integrity, and trust in AI systems, urging cryptographic routing fixes and universal safety filters. The discovery exposes systemic weaknesses in AI infrastructure, where profit-driven optimizations directly undermine security protocols, leaving users exposed to manipulated, unsafe responses.

A zero-click vulnerability named ShadowLeak was discovered in OpenAI’s ChatGPT Deep Research tool in June 2025, allowing hackers to steal Gmail data without any user interaction. Attackers embedded hidden prompts (via white-on-white text, tiny fonts, or CSS tricks) in seemingly harmless emails. When users asked the AI agent to analyze their Gmail inbox, the tool unknowingly executed malicious commands, exfiltrating sensitive data to an external server within OpenAI’s cloud—bypassing antivirus and firewalls. The flaw was patched in August 2025, but experts warn of similar risks as AI integrations expand across platforms like Gmail, Dropbox, and SharePoint. The attack exploited AI’s trust in encoded instructions (e.g., Base64 data disguised as security measures) and demonstrated how context poisoning could silently bypass safeguards. Google confirmed data theft by a known hacker group, highlighting the threat of AI-driven exfiltration in third-party app ecosystems.

AI Infrastructure Security Crisis: Exposed Systems, Hardcoded Flaws, and Rampant Misconfigurations A recent investigation by the Intruder team reveals a alarming trend in AI infrastructure security, as rapid adoption outpaces safeguards. Scanning over 2 million hosts with 1 million exposed services, researchers found AI deployments riddled with vulnerabilities more severe than any other software category they’ve analyzed. No Authentication by Default A core issue: many self-hosted AI projects ship without authentication enabled, leaving sensitive data and tools exposed. Real-world examples included chatbots with unrestricted access to user conversation histories, multimodal LLMs vulnerable to jailbreaking, and even NSFW chatbots leaking API keys in plaintext. One OpenUI-based instance exposed full LLM conversation logs, while others allowed malicious users to bypass safety guardrails using corporate infrastructure to generate illegal content or solicit criminal advice. Exposed Agent Platforms and Business Logic Agent management platforms like n8n and Flowise were frequently found misconfigured, with some instances mistakenly exposed to the internet. One Flowise deployment revealed an entire LLM chatbot’s business logic, including credential lists (though stored values remained protected). Another exposed parsing tools and local functions capable of server-side code execution. Across sectors government, finance, and marketing over 90 exposed instances were identified, enabling attackers to modify workflows, redirect traffic, or poison responses. Unsecured Ollama APIs: A Gateway to Frontier Models Researchers discovered 5,200+ exposed Ollama APIs with connected models, 31% of which responded to unauthenticated queries. While Ollama doesn’t store conversation data, many instances wrapped paid models from Anthropic, Google, Deepseek, Moonshot, and OpenAI 518 in total. Responses ranged from health-focused assistants to cloud management integrations, highlighting the risks of unauthorized access to enterprise systems. Insecure by Design Lab analysis uncovered systemic flaws: - Poor deployment practices: Misconfigured Docker setups, hardcoded credentials, and applications running as root. - No authentication on fresh installs: Users granted high-privilege access by default. - Static credentials: Embedded in setup examples and `docker-compose` files. - New vulnerabilities: Arbitrary code execution found in a popular AI project within days. Root Cause: Speed Over Security The findings underscore a broader industry shift vendors and adopters prioritizing rapid deployment over decades of security best practices. While some projects abandon safeguards entirely, the pressure to outpace competitors exacerbates the problem. The result: AI infrastructure with a 2.6 CVE-per-day average (as seen in the ClawdBot incident), where misconfigurations and weak sandboxing amplify risks. The investigation serves as a stark reminder of the security debt accumulating in the AI gold rush.

Security researchers exploited cross-modal vulnerabilities in OpenAI’s Sora 2—a cutting-edge multimodal AI model for video generation—to extract its system prompt, a critical security artifact defining the model’s behavioral guardrails and operational constraints. The attack leveraged audio transcription as the most effective method, bypassing traditional safeguards by fragmenting and reassembling small token sequences from generated speech clips. While the extracted prompt itself may not contain highly sensitive data, its exposure reveals content restrictions, copyright protections, and technical specifications, which could enable follow-up attacks or model misuse.The vulnerability stems from semantic drift during cross-modal transformations (text → image → video → audio), where errors accumulate but short fragments remain recoverable. Unlike text-based LLMs trained to resist prompt extraction, Sora 2’s multimodal architecture introduced new attack surfaces. Researchers circumvented visual-based extraction (e.g., QR codes) due to poor text rendering in AI-generated frames, instead optimizing audio output for high-fidelity recovery. This breach underscores systemic risks in securing multimodal AI systems, where each transformation layer introduces noise and exploitable inconsistencies.The incident highlights the need to treat system prompts as confidential configuration secrets rather than benign metadata, as their exposure compromises model integrity and could facilitate adversarial exploits targeting behavioral constraints or proprietary logic.

OpenAI, known for its AI model GPT-4o, has raised privacy issues with its data collection methods, including using extensive user inputs to train its models. Despite claims of anonymization, the broad data hoovering practices and a previous security lapse in the ChatGPT desktop app, which allowed access to plaintext chats, have heightened privacy concerns. OpenAI has addressed this with an update, yet the extent of data collection remains a worry, especially with the sophisticated capabilities of GPT-4o that might increase the data types collected.

Cybersecurity Alert: Detection Logic for a Multi-Stage OAuth-Based Attack Chain A recent cybersecurity advisory outlines detection strategies for a sophisticated attack chain targeting organizations via compromised OAuth applications, internal system access, and credential abuse. The threat actors exploited a known-bad OAuth Client ID (110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com) linked to the Context.ai application, enabling unauthorized access to Google Workspace environments. ### Key Attack Stages & Detection Patterns 1. OAuth Application Anomalies (Stages 1–2) - Token Abuse: Alerts should trigger on token refresh/authorization events tied to the compromised Client ID. - Over-Permissioned Apps: Review OAuth apps with broad scopes (e.g., full mail/Drive access) and revoke unused or unauthorized applications. - Token Theft Indicators: Flag token usage from IPs outside expected corporate or vendor CIDR ranges. 2. Internal System Access & Lateral Movement (Stage 3) - SSO/SAML Anomalies: Monitor identity provider logs for suspicious authentication (e.g., unfamiliar IPs, geolocations, or first-time access to internal tools like Vercel, CI/CD platforms). - Credential Harvesting: Detect bulk email searches (e.g., "API key," "secret," "password") and unusual Drive file access (e.g., credential stores, engineering docs). - OAuth-Connected Tool Abuse: Track downstream services (Slack, Jira, GitHub) for off-hours or anomalous API activity tied to compromised accounts. - Privilege Escalation: Watch for unauthorized permission requests, group membership changes, or admin console access. 3. Environment Variable Enumeration (Stage 4) - Vercel Audit Logs: Baseline normal deployment activity to detect unusual environment variable access (e.g., high-volume reads, user-driven queries instead of service accounts). 4. Downstream Credential Abuse (Stage 5) - Exposed Credentials (June 2024–April 2026): Audit logs (AWS CloudTrail, GCP/Azure audit logs, SaaS APIs) for usage from unexpected IPs or inactive time windows. - Immediate Response: Rotate compromised credentials and investigate attacker actions. 5. Third-Party Leak Notifications - Automated Alerts: Monitor leaked-credential notifications from GitHub, AWS, OpenAI, Stripe, and other providers treating platform-specific leaks as potential compromise indicators. ### Impact & Scope The attack chain highlights risks from OAuth abuse, lateral movement via trusted identities, and credential theft from deployment platforms. Organizations are advised to implement SIEM detection rules (Sigma, Splunk, KQL, etc.) tailored to their log schemas to identify and mitigate these threats. The exposure window for affected credentials spans June 2024 to April 2026, emphasizing the need for proactive monitoring.

OpenAI fixed a critical vulnerability named ShadowLeak in its Deep Research agent, a tool integrated with services like Gmail and GitHub to analyze user emails and documents. Researchers from Radware discovered that attackers could exploit this flaw via a zero-click attack—sending a malicious email with hidden instructions (e.g., white-on-white text) that tricked the AI agent into exfiltrating sensitive data (names, addresses, internal documents) to an attacker-controlled server without any user interaction. The attack bypassed safety checks by framing the exfiltration as a 'compliance validation' request, making it undetectable to victims.The vulnerability posed a severe risk of unauthorized data exposure, particularly for business customers, as it could extract highly sensitive information (contracts, customer records, PII) from integrated platforms like Gmail, Google Drive, or SharePoint. OpenAI patched the issue after disclosure in June 2024, confirming no evidence of active exploitation. However, the flaw highlighted the dangers of prompt injection in autonomous AI tools connected to external data sources, where covert actions evade traditional security guardrails.

OpenAI Confirms Limited Third-Party Breach, No User Data Impacted OpenAI disclosed a third-party security incident involving unauthorized access to its corporate code repositories, though the company emphasized that the breach was contained and did not compromise user data or production systems. According to OpenAI, only a small amount of credential material was exfiltrated, with no evidence that intellectual property, software integrity, or customer information was affected. The attack prompted immediate containment measures, including isolating impacted systems and temporarily restricting code deployment workflows. As a precaution, OpenAI is rotating its code-signing certificates and will require macOS users to update their applications. The breach also involved a supply chain attack on the open-source library TanStack npm, though OpenAI confirmed this did not result in access to user data. However, two employee devices within OpenAI’s corporate environment were affected by the TanStack incident. OpenAI reiterated that no evidence suggests the attack exposed user data or disrupted its services, maintaining that the incident was limited in scope. The company continues to investigate the full extent of the breach.

OpenAI User Dismisses Class Action Over Mixpanel Data Breach A proposed class action lawsuit against OpenAI and data analytics provider Mixpanel was voluntarily dismissed in the U.S. District Court for the Northern District of California. The case centered on a data breach that exposed analytics data from OpenAI’s API users, as well as some ChatGPT users who submitted help center tickets or were logged into the API service. The lawsuit, filed by California resident Jon Woodard, alleged that OpenAI and Mixpanel failed to adequately protect user data from hackers. Mixpanel, which OpenAI used for analytics, experienced a cybersecurity incident that triggered the legal action. The dismissal was issued without prejudice, meaning the case could potentially be refiled, with both parties bearing their own legal costs. The breach highlights ongoing concerns about third-party data handling in AI services and the potential risks to user privacy.

ChatGPT was offline earlier due to a bug in an open-source library that allowed some users to see titles from another active user’s chat history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time. It was also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. The number of users whose data was actually revealed to someone else is extremely low. and the company notified affected users that their payment information may have been exposed.