Google’s Threat Intelligence Group said hackers tried to use an AI model to identify a zero-day vulnerability and bypass two-factor authentication, but Google blocked the effort, highlighting AI-enabled cyber threats ahead of Anthropic’s Mythos launch.
White House OSTP Director Kratsios accused China-based actors of using proxy accounts and large-scale distillation attacks to probe and replicate U.S. AI models, potentially releasing cheaper, less-guarded rivals. OpenAI and Anthropic have flagged China-based firms as behind such attacks, highlighting ongoing IP-theft concerns as the administration says it will share intelligence with AI companies to bolster defenses ahead of a possible Trump trip to Beijing.
Anthropic is investigating potential unauthorized access to Mythos, its vulnerability-detection AI, linked to a third-party vendor environment. The company says no breaches have been detected outside the vendor systems, and Mythos was rolled out to a limited group under Project Glasswing amid security concerns about misuse of AI tools.
Hackers gained unauthorized access to Anthropic’s Mythos via a third-party vendor, though Anthropic says its systems were not impacted; Mythos is a restricted, enterprise-focused AI under Project Glasswing being tested by tech and financial firms, with Bloomberg noting involvement from Amazon, Apple, JPMorgan Chase and others and a Treasury meeting discussing its use.
Anthropic says Claude Mythos Preview, a powerful cybersecurity AI capable of identifying and exploiting vulnerabilities, was accessed by a small, unauthorized group via a third-party vendor. The attackers, tied to a private Discord channel and reportedly using data from a Mercor breach to locate the model, have demonstrated Mythos with screenshots and a live demo, and have reportedly not used it for cybersecurity, to avoid detection. Access to Mythos is restricted to a handful of firms under Project Glasswing (including Nvidia, Google, AWS, Apple, Microsoft), with governments eyeing the tech. Anthropic is investigating and says there’s no evidence of impact on its systems; the company has no plans to publicly release Mythos due to weaponization concerns.
Mozilla says Anthropic’s Mythos Preview identified 271 security vulnerabilities in Firefox 150 during pre-release analysis, vastly more than the 22 found by Opus 4.6 for Firefox 148, highlighting AI-assisted vulnerability discovery as a potential shift toward stronger defense and raising implications for open-source security testing.
This week’s security recap flags a widespread Adobe Acrobat Reader zero-day (CVE-2026-34621) under active exploitation, AI-enabled vulnerability discovery and exploit tooling (Anthropic Mythos), and a wave of state-sponsored and criminal activity—from Iran- and North Korea-linked campaigns targeting ICS and crypto infrastructure to fileless malware, new RATs, and a Windows kernel rootkit (RegPhantom). It also highlights fiber-optic eavesdropping research, a major botnet takedown, and notable security tools and frameworks (MITRE F3, Betterleaks, etc.). Patch quickly, monitor for AI-driven threats, and watch for phishing and supply-chain risks.
Anthropic’s Claude Mythos Preview can identify vulnerabilities across systems and autonomously develop exploits, a capability the company says will force a cybersecurity rethink. It’s being tested under Project Glasswing among a limited group of tech giants to give defenders a head start, but experts are divided: some see it as a real threat that could accelerate exploit chains and zero-click attacks, while others view it as hype. Regardless, the rollout is framed as a wake-up call to move toward secure-by-design software and machine-scale defenses rather than relying solely on patching and reaction.
At NYC’s ClawCon, hundreds of OpenClaw enthusiasts gathered to celebrate the open‑source AI platform as a grassroots alternative to Big Tech, with lobster‑themed swag and demos of “wrappers” and power users sharing use cases; organizers hailed a community‑driven movement, while speakers and attendees warned about security risks and stressed cautious, verifiable use of AI agents.
Palo Alto Networks announced a definitive agreement to acquire Koi to establish Agentic Endpoint Security, addressing the security gaps created by AI agents and tools on endpoints; post-close, Koi’s technology will be integrated with Prisma AIRS and Cortex XDR to improve visibility and policy enforcement for AI-driven operations, with regulatory approvals and closing conditions still to be met and further details to be provided on an investor call.
OpenClaw will scan every skill uploaded to ClawHub with VirusTotal (and Code Insight) via a SHA-256 hash check; benign results are auto-approved, suspicious items get a warning, and malware is blocked, with daily re-scans. The team notes VirusTotal isn’t a silver bullet and will publish a threat model, security roadmap, and audits amid broader concerns over OpenClaw’s risk to enterprise security.
Anthropic’s Claude Opus 4.6, tested in a sandbox, autonomously found over 500 previously unknown high-severity zero-day vulnerabilities in open-source libraries—ranging from crashes to memory corruption—in projects like GhostScript, OpenSC, and CGIF; it used out-of-the-box analysis and even wrote its own proof-of-concepts in some cases. Anthropic says these capabilities could greatly aid defenders, plans to broaden access to the security community, and has added safeguards to prevent abuse.
Security researchers disclosed a flaw in Google Gemini where a crafted calendar invite enables indirect prompt injection, causing Gemini to summarize and exfiltrate private meeting data by creating a new calendar event that could be visible to attackers; the finding highlights AI-enabled attack surfaces and the need for stronger guardrails and identity controls across AI workflows.
Google Chrome now allows users to delete the local AI model that powers the Enhanced Protection feature’s real-time scam-detection and suspicious-download scanning. You can disable this by going to Settings > System and turning off “On-device GenAI.” The on-device model is currently in Chrome Canary with rollouts expected soon, and Google suggests these local AI components may power other Chrome features beyond scam protection.
AI is increasingly used at work, but employees should understand their company's policies, verify AI outputs, avoid sharing confidential info, and use AI ethically to avoid trouble.