Modern Cyber with Jeremy Snyder - Episode 101

This Week in AI Security - 2nd April 2026

In this episode of This Week in AI Security for April 2, 2026, Jeremy discusses a "perfect storm" for offensive cyber operations. As AI begins to discover vulnerabilities in legacy software faster than humans can patch them, regulators are sounding the alarm on the "intolerable risks" of AI-generated code.

Podcast Transcript

All right. Welcome back to another week in This Week in AI Security, recording for the week of the second of April, twenty twenty-six. We've actually got a slightly shorter than average episode, and I promise this is not a leftover April Fool's joke. But let's dive in and let's see where we go.

We've got a little bit of fallout from last week's story around LiteLLM and some of the upstream supply chain takeovers around the Trivy package, and we now can disclose that, in fact, some of the malicious code searched the infected systems for credentials, including environment variables, SSH keys, and database passwords. It does, in fact, look like those were compromised and exploited as part of this.

Moving on to the next story, we've got a CVE classified by CISA, the Cybersecurity and Infrastructure Security Agency. This has been added to the Known Exploited Vulnerabilities catalog after confirming active exploitation of a critical unauthenticated remote code execution flaw in Langflow. Langflow is a popular low code AI workflow builder. We've covered a lot of similar stories in the past. Things around n8n, things around cloud platforms, and some of the services that are there to automate the building of AI powered systems, etc. This is another one of those. This has been confirmed exploited in the wild. Go read up on this if you are a user of Langflow.

All right, moving on to the next one. Researchers at BeyondTrust Phantom Labs have discovered a critical vulnerability in OpenAI's Codex coding agent that allowed attackers to steal GitHub OAuth tokens via command injection through maliciously crafted branch names. Now we've talked, I think, at length and kind of ad nauseam, and I feel like every week we have at least one story of some kind of indirect prompt injection, whether it's in a README file, whether it's in a comment, in a commit, in some code base or something like that. I think this is the first time that we've seen it in a branch name. But remember, any text that is going to get picked up as any part of your environment, of your development environment, is going to get interpreted by an LLM. So think about that as you go into that.

Moving on. Georgia Tech's Vibe Security Radar project tracked thirty-five CVEs in March twenty twenty-six alone, directly attributable to AI-generated code. That was up from six in January and fifteen in February. You can kind of see the early trend line already forming. So this project monitors fifty AI coding tools, including Claude Code, GitHub Copilot, Cursor, Devin, etc., tracing vulnerabilities from public databases back to the commits that introduced them. Now, what we should think about here is that even teams doing code review can't catch everything, because the pace of coding is now outstripping the pace of the generation, or sorry, the pace of human review for that code. So definitely something to keep an eye on.

All right, moving on to the next story on the same topic. At RSAC conference last week, the head of the UK's National Cyber Security Centre, NCSC, gave a talk where he basically said that vibe coding and AI-generated code currently presents an, quote, "intolerable risk" for most organizations. So, you know, this is kind of a regulator saying, we've got a risk, a systematic risk, that we're introducing as a broad industry as a result of this. And this is Richard Horne, who acknowledges the opportunity and why organizations are going into this. But the volume of software may be on course to double every forty-two months. Combine that with the last story about the increasing rate of AI-introduced vibe coding vulnerabilities, and that becomes a real problem.

Moving on to the next story. Hacker crew Team PCP told Forbes that they used AI to turbocharge a series of attacks on AI developer tools, with the FBI's cyber division issuing a critical alert after the group breached two hugely popular developer platforms used by millions of AI creators. The group used an AI-powered automated agent to trick the vulnerability scanner into exposing the GitHub authentication keys. That ties back to the Trivy story. But also they used it to perform other AI-accelerated offensive cyber operations against other repositories and organizations. And this is actually one of the first times, you know, we've called out the kind of multiplying effect and the automation effect and the kind of speed effect of AI for offensive operations. You know, for attackers and defenders alike. But in this case, attackers; we've called that out a number of times.

One of the things that was interesting to me about this story is that the team felt like they wanted to share this story with Forbes, and I don't really necessarily understand the motivation here. I don't know if this is a "hey, we're cool, we're bad, look at us" kind of thing, or whether this is a warning shot, or whether this is, you know, something that accidentally got out and then they decided to go ahead and own it as a threat actor. A lot of threat actors do like to own their things. It kind of helps their brand, as it were. And we've talked a number of times on Modern Cyber, especially in conversations with Mikko, about how, you know, these criminal gangs, threat actors, whatever you want to call them, actually do have brands and reputations to protect. And so if you are a cyber criminal looking to affiliate yourself with one of them, you might look for the organization that is the most leading edge, that has created the most havoc, that has caused the most impact on the industry. So it was really just an interesting story. It made me kind of pause for a second and go, huh, why would they actually engage with a mainstream media publication like this to disclose some of their methods around this? And that was the best that I came up with. So just an interesting kind of thought experiment or exercise to kind of go into.

All right, moving on. Anthropic did confirm it's testing a powerful new model called Claude Mythos. This was leaked in the media there. I have seen some online debate about whether that was a planted leak, a quote-unquote leak that actually originated from the company, kind of done on purpose, again, potentially along the lines of noting to organizations that, you know, they are continuing to innovate. It's becoming a little bit clearer in kind of the LLM landscape that Anthropic, I think, is really sitting in position number one, the leading position, as kind of the LLM provider of choice for the enterprise, with the Anthropic enterprise platform and the APIs that you can build into apps, etc.

We're also seeing a number of organizations adopting Claude AI for their workforce tool as well, instead of things like ChatGPT and Gemini, and so you kind of have a big three forming over there on more of the end user side. And then I'd say, you know, Anthropic is ahead of the rest of the pack when it comes to the enterprise, let's call it the back end application, agent building, those types of use cases. So that was a leak that came out. Anthropic is describing it as a step change. They did confirm the leak very shortly after it went live. A lot of changes. And it's funny, you know, the leak originated from a content management system. There were three thousand unpublished assets that were publicly accessible. You can think of those as things like pages that were in draft mode, that were not meant to be accessible, but a lot of CMSs rely on security through obscurity for those draft posts. So they are actually accessible if you have the right link. And, you know, with a little bit of, let's say, an indexing error or an accidental direction of an email to a wrong party, it's pretty easy for those things to get leaked.

All right, moving on. Just wanted to highlight, we've talked about this any number of times, prompt injection does continue to be the number one risk. There was a report in March of twenty twenty-six that did look at seventy-three percent of production AI deployments and confirms that, you know, this really is the thing to watch out for. It's no longer jailbreaks to avoid kind of ethical guardrails. It's now prompt injection delivering cross-site scripting payloads through AI-generated content, bypassing WAFs. The lack of content inspection and the lack of kind of input and output validation and sanitization continues to pop up in this domain as one of the key contributing factors to prompt injection. So definitely something to keep in mind as you're thinking about planning the designs for your AI-powered applications, agents, whatever you want to call them, etc., moving forward.

All right. A couple last stories here. The California Security Research team launched something that they're calling MAD Bugs—the Month of AI Discovered Bugs. So the MAD is Month of AI Discovered Bugs. This is similar to the Georgia Tech initiative looking at bugs, but theirs is looking at older systems, looking at existing and running pieces of software, as opposed to looking at new pieces of code that are being developed. They were able to find critical zero-day remote code execution vulnerabilities in both Vim and GNU Emacs. If you are of the same vintage as me, you will probably have used both of those text editors early on; in my case, that was my academic and early professional career, so kind of around that late nineties, two thousand time frame. These were identified using a number of LLMs. Claude identified the Vim flaw. And I don't have attribution for the second one, but this is just one of those other things that is a reminder that, you know, for both new software that's vibe coded, and all the risks that come along with that, and for existing software that's been around for a long time, LLMs are now reaching the point that they can discover things going back decades. There was a fascinating talk from Nicolas Carlini of Anthropic at the unprompted conference a couple of weeks back. I would encourage you to go have a look at that. He showed how Claude identified some stuff that predates GitHub, some from code commits all the way back before GitHub even existed.

All right. And the last story is more on the philosophical side. So this was another presentation for RSAC conference. This was Kevin Mandia, formerly of Mandiant, and Morgan Radomski, formerly of US Cyber Command, and Alex Stamos, who has had a number of high profile positions, I think most notably as the Chief Information Security Officer at Meta and Facebook. And it really ties into a couple of the things that we've hit on, both the Georgia Tech group and the California Security Research team. AI is discovering vulnerabilities faster than defenders can respond. There is currently a perception in the industry that there may be a temporary advantage coming for attackers. Alex Stamos, in particular, described the coming two to three years as being pretty insane, and Mandia calls it a perfect storm for offense.

So, you know, attackers have this kind of perfect confluence of conditions. We've got defenders who have not yet adjusted to things like auto-patching and rolling out, you know, all of the controls that you might want to think about, whether that is things like network segmentation, whether that is things like least-privilege access control, what have you. And along the same lines, you know, these vulnerabilities are being picked up so quickly that there is a real risk to defenders that they can't respond in time to keep pace with what's going on. So this asymmetry is kind of what is being called out more than anything. And if, you know, if this is you, if this is applicable to you as someone in your organization, you know, bear in mind that you've got a compounding of risk factors and you've got a confluence of risk factors.

Just think about it from the perspective of: almost any vulnerability can and will be found. And similarly, almost anything that is exposed on your network can and will be found. So when you overlay the vulnerabilities that can and will be found and the things on your network that can and will be found, that does pretty much imply that vulnerabilities accessible on your network can and will be found. So you want to think about your patching plans. You want to think about your maintenance plans. You want to think about all of the standard defense in depth, different layers of controls that you might want to put in place. And pay a quick revisit to that, and think about your incident response plans and your recovery plans as well.

All right. So a little bit shorter than usual for this week. Like and subscribe, rate and review, all that good stuff. And we'll talk to you next week. Bye bye.
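The Codex story above comes down to a branch name being treated as trusted input. The following is an added illustration (not code from BeyondTrust, OpenAI, or the podcast) of the defensive pattern: validate untrusted ref names against a strict allowlist that tracks git's own refname rules, and hand them to git as an argv list rather than a shell string. The `checkout_branch` helper and the sample names are constructed for this example.

```python
"""Defensive handling of untrusted git branch names before they reach a shell
or an agent's tool call. The allowlist is stricter than git-check-ref-format:
it rejects whitespace, quotes, '$', ';', backticks and other shell-relevant
characters outright instead of trying to escape them."""
import re
import subprocess
from typing import List

# First character must be alphanumeric, so names beginning with '-' can never
# be parsed as git options. No spaces, quotes, '$', ';', '|', '&' or backticks.
_ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
# Sequences git itself refuses inside a ref name.
_FORBIDDEN_SEQS = ("..", "@{", "//", "/.", ".lock")


def is_safe_branch_name(name: str) -> bool:
    """Return True only for names that are valid git refs and contain nothing
    a shell or command parser could interpret."""
    if not name or len(name) > 255:
        return False
    if not _ALLOWED.fullmatch(name):
        return False
    if any(seq in name for seq in _FORBIDDEN_SEQS):
        return False
    if name.endswith("/") or name.endswith("."):
        return False
    return True


def build_checkout_argv(branch: str) -> List[str]:
    """Build an argv list for a checkout. Fails closed on unsafe input so the
    caller cannot accidentally fall through to a shell string."""
    if not is_safe_branch_name(branch):
        raise ValueError(f"rejected unsafe branch name: {branch!r}")
    return ["git", "checkout", branch]


def vulnerable_shell_string(branch: str) -> str:
    """The pattern to avoid: interpolating the raw name into a shell command.
    Kept here only to contrast with build_checkout_argv."""
    return f"git checkout {branch}"


def checkout_branch(branch: str, repo_dir: str) -> int:
    """Hypothetical helper: run the validated argv with shell=False so the
    branch name is always a single argument, never parsed by a shell."""
    argv = build_checkout_argv(branch)
    return subprocess.run(argv, cwd=repo_dir, shell=False, check=False).returncode
```

Even a name that passes validation is still data the model sees; the allowlist stops command injection, not every form of indirect prompt injection, so agent tooling should treat repository metadata as untrusted content as well.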
