In this episode for April 9, 2026, Jeremy covers a week dominated by highly sophisticated supply chain attacks and the emergence of "Project Glasswing", an internal Anthropic project revealing that next-gen AI models may be "too good" at finding zero-day vulnerabilities.
Key Stories & Developments:
Episode Links
https://insecurestack.substack.com/p/eus-exposed-ai-infrastructure
https://securityonline.info/weekly-vulnerability-digest-april-2026-chrome-zero-day-ai-security/
https://thehackernews.com/2026/03/vertex-ai-vulnerability-exposes-google.html
https://fortune.com/2026/04/02/mercor-ai-startup-security-incident-10-billion/
https://www.sans.org/blog/what-we-learned-axios-npm-supply-chain-compromise-emergency-briefing
https://thehackernews.com/2026/04/flowise-ai-agent-builder-under-active.html
https://www.staffingindustry.com/news/global-daily-news/mercor-reports-data-breach
All right. Welcome back to another episode of This Week in AI Security for the week of the 9th of April, 2026. We've got a number of interesting stories to get into this week, including a couple that were still kind of breaking news and developing last week, which we chose not to cover until there was a little bit more information out there in the world. So we're going to get into those, and also things that have come out over the past seven days. Let's get into it.
First story is actually out of the FBI, and this is an FBI annual report around fraud and financial crimes specifically affecting people in America. So in the United States of America, this is called the IC3. They fielded over 450,000 cyber-related fraud complaints, with more than $17 billion in losses. So that's kind of one way to think about the scale of the consumer-level cyber fraud that is happening. Cyber-related fraud is 85% of those losses. Now, what was interesting to us for This Week in AI Security is actually that, for the first time in the report's 25-year history, there's a specific call-out for AI-enabled fraud, which accounted for about $893 million. So that's roughly 5% of the cost, and 22,000 out of the 452,000 complaints.
So that's actually less than that from the actual complaint side. But it does show maybe a slightly overweighted value in terms of the impact of an AI-powered fraud campaign or an AI-powered scam. They also mentioned that AI is now being used across business email compromise, romance scams, employment scams, and investment scams. So there's a pretty big diversity in the types of scams where AI is being used. So something to keep an eye on. It really shows something that we've talked about many, many times on the program, which is: remember that all the tools you have access to, threat actors and cybercriminals have access to as well.
All right, moving on to the next story. The next story is about a report that came out from Cisco Talos and other authors. Cisco Talos provided a Shodan scan for publicly exposed Ollama instances around the world and found over 1,100. The original scan was back in September 2025; when it was rerun in April 2026, more than 25,000 instances were exposed. And the interesting thing here is that the author of this, and as always, we have the link in the show notes, coupled this with a survey of 1,000 European executives around their feeling about the level of security and, let's say, readiness that they have in adopting AI. Less than 20% felt that they had adequate visibility and controls, and 35.7% are already operating AI workloads.
So you've got already just an initial mismatch. Couple that with the fact that the exposure rate is already really, really high. This is one of the topics that we've hit a number of times here, that, you know, we're adopting AI tools at a rapid pace, not thinking in advance or planning in advance what our controls are going to be. So adoption outpacing security, a common theme that we've talked about. This particular author and this particular report are very focused on Europe and talk about how the fragmentation of different standards across the EU is actually causing some confusion, as well as a lack of action. I think that's going to change later this year: the EU AI Act is already kind of "in effect," but enforcement and fines only start in August of this year. So I'll be curious to see how that develops. We'll cover it here on This Week in AI Security, of course.
All right. Moving on. We've got an MLflow CVE. Sorry, we've actually got two CVEs, one in MLflow and one in PraisonAI. Both score the maximum CVSS score of ten. So these are fully, you know, maximum severity. One has an execute-code function with no authentication and an attacker-controlled Python environment. And the other is a critical command injection flaw in a model-serving container initialization code. So these are again on the theme of the security of the infrastructure around things. So just two CVEs to be aware of. If you're using either of those packages, look for the latest version and move on.
All right. Next story, along the same notes of the security of the infrastructure where you're building your AI systems. This is research from Palo Alto Networks Unit 42. They discovered a flaw in the Vertex AI permission model that can be misused to allow AI agents to gain unauthorized access to sensitive data and other environments within the Google Cloud Vertex AI service. So that is also, again, along the same topic of moving too quickly, not anticipating all of the security boundaries around the different infrastructure components where we're building our AI systems.
Moving on. Major breach on a corporation called Mercor. This is a $10 billion-valued AI startup that provides AI training data to OpenAI, Anthropic, Meta. It confirmed that it was a victim of the supply chain attack, part of the broader Team PCP campaign that hit a lot of open source packages in rapid succession in late March. We've talked before about a couple of those. This time, it appears to be from the Axios package, and the Axios package is a major package used in a lot, a lot, a lot of places. I cannot stress how many environments this is being used in. But this is really, really a big one.
In fact, on the same topic, moving on to our next story, the SANS Institute did an emergency briefing about the Axios npm supply chain compromise. This happened on March 31st. This is one of the stories that was just starting to get a little bit of notice when we recorded last week. We wanted to wait for a little bit more information to be out there. And so we're covering it this week. Basically, a Remote Access Trojan was injected into the Axios package around midnight on March 31st. And this was in versions 1.4.1 and 0.3.4. That was then potentially installed up to 600,000 times across Windows, Mac, and Linux environments.
So the interesting thing here is to think about a couple of things. One is how did this attack happen? How was the repository compromised? How was the package overall compromised? So you think about the theme of supply chain risk that we've covered any number of times here. But the other thing that I think is interesting is something that the SANS instructors and SANS Institute researchers pointed out, which is that actually the real risk is the credentials that were harvested from that Remote Access Trojan that was installed. That's probably the most valuable data that the attackers were going for. On this topic, this is one of the most widely used open source projects. The reporting from TechCrunch shows that this is probably weeks in the making. This appears to have been a very long-running campaign with a lot of sophistication and very, very precise targeting, where the hackers spent weeks building rapport with the project's primary maintainer.
They posed as a real company, created a convincing Slack workspace, used fake employee profiles, and shared data in Slack channels that looked very, very convincing, as if it were that organization. So, you know, if you were this type of organization, what are the types of Slack channels you would have? What are the types of messages that would be in that? All of which, by the way, is easily generated using LLMs. I can go to an LLM today and say, hey, talk to me about a company like Firetail. What are the likely Slack channels that this company is going to have? What would be the structure? What would be stories and topics that would be shared inside that organization? The maintainer was then invited into that Slack workspace and lured into downloading malware. That malware appears to be how the threat actors gained the credentials to take over the package and then compromise it.
One more CVE. Sorry, we should have had this earlier in the show. This is in the Flowise agent builder. Active exploitation has been reported. Something to keep an eye on if you are using that. Again: patch, update, etc.
Then the next topic. This is kind of one of the other stories that was really emerging last week, around the Anthropic Claude Mythos model and model family. There were a couple of leaks around this. One was the leak around the existence of the Claude Mythos model family, and some internal documentation that appears to show that there are serious concerns about Mythos' capabilities in discovering vulnerabilities, including the discovery of a vulnerability in a BSD package that goes back twenty-plus years, predates GitHub, etc. And, you know, this is one of those things where a lot of the concern is that this thing is so good at finding vulnerabilities. There is a real danger that if you put it out into the wild and it's usable by threat actors, they will find every publicly exposed vulnerability across, you know, a good chunk of the internet at a very, very rapid pace. And so that's one of the big concerns.
One of the other concerns, or one of the other leaks, was some Anthropic internal tooling and methodology for how they build Claude. That includes things like the dreaming mode, a virtual pet that the agent has, all of those things that have been exposed. Those have been covered a number of times already, so we're not going to go into them very, very deeply here. They're also not very specific to the AI security theme that we cover here, which is why we're really focusing on the cybersecurity breakthrough. And so on that same topic, you know, one of the things that is particularly concerning is, you know, this is a general-purpose model, but as part of this so-called Project Glasswing, it appears to have very, very specific cybersecurity capabilities. So, for instance, over 99% of the zero-day vulnerabilities that Mythos discovered have not yet been patched. Even the 1% that Anthropic can discuss give a clearer picture of the substantial leap in capabilities.
We covered the 27-year-old bug. This was something that one of the researchers who was part of this publication that we're sharing and referencing here this week presented at the Unprompted conference: with very minimal prompting, but with a little bit of baseline training that is inherent in the model, the model can be prompted to go find vulnerabilities so quickly and so extensively, including, let's say, some kind of logical approaches to trying to untangle business logic, or untangle things like concatenated serialization of different parameters that go into a URL or an API argument or something like that, that are, you know, more along the lines of a professional human pentester, and sometimes even have levels of creativity and lateral thinking that I would argue a lot of pentesters may not have on their own. And so there are real concerns that this thing may be too good, and there may need to be a controlled rollout kind of capability or program that goes along with this model.
So again, that was one of the stories that was kind of developing last week. We've covered it here for you this week. I hope you find that helpful. That's all for today's episode. A little bit shorter than usual. Yay. And as always, rate and review, share like subscribe, all that good stuff. We'll talk to you next week. Thanks so much. Bye bye.
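A check a defender would want after the Axios story above, added here and not part of the episode or its show notes: a small Node script that walks a package-lock.json in both layouts (v1 nested `dependencies` and v2/v3 flat `packages`) and flags any axios entry pinned to one of the versions named in the episode. The AFFECTED list is taken from the spoken numbers and is illustrative; the sample lockfile is constructed.

```javascript
// Added example (not from the episode): audit an npm lockfile for the axios
// versions named in the episode. AFFECTED is illustrative; check the vendor advisory.
const AFFECTED = { axios: new Set(['1.4.1', '0.3.4']) };
const NM = 'node_modules/';
// Walks v2/v3 "packages" (flat, keyed by install path) and v1 "dependencies"
// (nested, keyed by name). Returns every {name, version, where} that matches.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const check = (name, version, where) => {
    if (affected[name] && affected[name].has(version)) hits.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const idx = path.lastIndexOf(NM); // last segment handles nested and @scoped paths
    const name = idx === -1 ? (meta.name || path) : path.slice(idx + NM.length);
    check(name, meta.version, path);
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}${name}`;
      check(name, meta.version, where);
      walkV1(meta.dependencies, `${where} > `); // transitive deps nest here in v1
    }
  };
  walkV1(lock.dependencies, '');
  return hits;
}
// Constructed sample lockfile: one direct hit, one safe nested copy, and a
// v1-style nested hit, so all three code paths are exercised.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.4.1' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.6.0' },
  },
  dependencies: {
    'legacy-client': { version: '0.1.0', dependencies: { axios: { version: '0.3.4' } } },
  },
};
function auditFile(lockPath) {
  return findAffected(JSON.parse(require('fs').readFileSync(lockPath, 'utf8')));
}
if (typeof require !== 'undefined' && require.main === module) {
  const hits = process.argv[2] ? auditFile(process.argv[2]) : findAffected(SAMPLE_LOCK);
  for (const h of hits) console.log(`AFFECTED: ${h.name}@${h.version} at ${h.where}`);
  if (hits.length === 0) console.log('no affected axios versions in lockfile');
}
```

Run it as `node audit.js path/to/package-lock.json`; with no argument it audits the constructed sample and reports both pinned hits while ignoring the safe nested 1.6.0 copy.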