Modern Cyber with Jeremy Snyder - Episode 106

This Week in AI Security - 7th May 2026

In this episode for May 7, 2026, Jeremy reports from the sidelines of BSides Luxembourg. This week marks a significant shift in AI-driven vulnerability research, moving from source code analysis to the successful reverse engineering of closed-source compiled binaries.

Podcast Transcript

All right. Welcome back to another episode of This Week in AI Security, coming to you for the week of the 7th of May, 2026, from the sidelines of the BSides conference in Luxembourg, of all places. And this one is really interesting. I've got a couple of talks queued up for tomorrow and Friday, but what I really like about this event is that there is a specific AI security village, so we're going to have about two days of talk tracks specifically on AI security.

Now, the conference hasn't kicked off yet, so I haven't gotten a chance to get a sneak peek at any of the other researchers' materials, but I'm going to have some stuff for you on next week's episode. But let's dive into this week and a couple of the stories that we've been seeing. Some familiar themes here around using AI to discover vulnerabilities. We've got two stories on this topic.

First, from the team over at Wiz, who used an MCP with some AI-augmented binary analysis to reverse engineer GitHub's closed-source, compiled binaries and find an X-stat header injection in a Git push pipeline that gave authenticated users remote code execution on GitHub's backend. CVSS score of 8.7. What's really interesting about this is, of course, there's been a lot of talk about the Anthropic Claude Mythos family and using AI for vulnerability research. But a lot of that assumes access to the source code. And this is one of the first published stories around using this to reverse engineer from compiled code where you don't have access to the source code.

So that's really, really interesting. Now, of course, what we don't know about this is how much effort went into it. There's a lot of panic that all these vulnerabilities are going to be disclosed all at once. And this is a really interesting example. We don't know if this is at what you might call weaponizable scale, meaning that the cost and the level of effort required are where an average criminal enterprise might engage in similar behaviors against third-party code where they don't have access to the source code, which honestly is almost anybody's application.

This is one of the reasons why I found this story particularly interesting to cover. AI didn't just find a vulnerability. It makes it so that you have to think about the knowable attack surface of your applications and what could be discovered from them. It's not too dissimilar from pen testing, but a little bit of a different analysis methodology. All right.

Moving on to our next story, which is in this same domain: the flaw in the Linux operating system that has been uncovered and is being labeled "Copyfail". And I think this headline is kind of funny: "Copyfail is a real Linux security crisis wrapped in AI slop." What's interesting about it is that AI was actually used, again, in the pen testing process to look for these types of problems, and was part of the research. And I want to emphasize here: part of the research tools that went into finding this.

The other interesting aspect of it is that AI was used in crafting the disclosure and writing it up, including creating a vanity website to publicize it and get a little bit of attention for the company behind it. And what is interesting about that is that it was viewed as AI slop, a little bit dismissively, I would say, by the community. And so this headline actually does emphasize this: it is a real Linux security crisis. And as of the time of recording, it looks like most distributions of Linux have had this vulnerability in them for some time.

This is something that goes all the way back to 2017. And it is a 732-byte Python exploit, with a CVSS score of 7.8. It has been added to the catalog. It took about an hour of automated analysis, according to the researchers. And that's one of the things that I also think makes it interesting. But anyway, put this in that bucket of using AI to find vulnerabilities.

And now think about the other side of it, which is the disclosure side. A lot of organizations have bug bounty programs. They have the ability for a security researcher to report a finding to them. How are they going to respond when they're all of a sudden getting lots of "AI slop", meaning a lot of automated disclosures being written by large language models with a little bit of human input? That will also be very interesting to watch: how we as a technology industry respond to that as we go forward, coupled with "oh my gosh, we've got this vulnerability apocalypse approaching us" with tools like Claude Mythos, or potentially with the ability of third-party hackers to do automated pentesting that reverse engineers applications. So we'll have to see how this all plays out.

All right, moving on to our next story. And this is on a separate but very related topic, which is the mean time to patch requirement for federal agencies. The acting director of the Cybersecurity and Infrastructure Security Agency, CISA, has recommended that organizations who fall under that mandate go under a different set of guidance now. Currently, most of the time when a critical bug or security vulnerability is found that affects US federal government organizations specifically, they're typically given deadlines of, let's say, 30 days, 60 days, 90 days to patch certain vulnerabilities.

And that's one of the ways that they tackle the long backlog of known vulnerabilities that exists within every organization, government or enterprise. And the debate here really hinges on: what are we going to do, again, with this onslaught of vulnerabilities that's going to be disclosed to us? There is a little bit of context here: part of the data that was presented to them was a 32-step simulated corporate network attack, reportedly crafted by the Anthropic Claude Mythos family.

So there is a little bit of additional pressure in weighing this. Now the question of bringing it down from, let's say, 14 days, which is the most critical timeline, to three days is something that a lot of organizations, I think, would struggle to comply with, because one, they may not have their inventory; two, they may not know the effect of patching; three, they may not have access to the patches within that time frame, given the size and the bureaucracy level of some of these organizations.

All right. Moving on to our next story. This is another recurring theme that we've had here on This Week in AI Security, which is around IDEs, or software development environments, and how basically any text within these "agentic" IDE systems is a source of potential indirect prompt injection. This time it was the title of a commit, and apparently all of the IDEs fell prey to this. The single prompt injection was tested against Claude Code, Gemini and Copilot for code generation. And the prompt injection is directly in the title of the item here.

All right. Moving on. We've got another one in the theme of: it's not the AI service, it's your rush to adopt the service and then expose misconfigurations and vulnerabilities. This is from the folks over at Intruder. I happen to know them; shout out to them. They used certificate transparency logs to find two million hosts or more, with one million exposed AI services. Think of this as very similar to something like Shodan, where you can scan the internet and look for things.

Scanning certificates is actually a known technique that attackers will use. They look at your company, and let's say you are example.com. They'll go to certificate registrars and say: tell me about all of the certificates issued to example.com. That will typically return a list of DNS names or IP addresses that can then be scanned. So that's basically what was done here. And what they found is that on most of the Meta Llama family of servers that were discovered, the vast majority had wide-open access points: 31 percent of the servers respond with zero authentication required at all. That also coincides with another thing we've talked about here on the show any number of times: those interfaces are and continue to be the attack surface of choice, because they are the most often exposed component of any kind of agentic system, AI agent, what have you. All right. That's basically it for this story.

Moving on to the next one. And this next one is a really interesting story. Some people are calling it Google's "Recall moment", if you remember that that was a service that Microsoft put out, a kind of AI-enabled local assistant service that you could use on your Windows laptop or desktop device. And it got a ton of pushback because of, one, the level of access that it had, and two, the fact that it was rolled out kind of funny. In any event, this one was from Google, and it is something called Google Cosmo.

And the long and short of it is that this is a hybrid three-mode architecture for the Android operating system. It's a system-level agent that operates in three modes: Nano, with local only; Pi, or maybe that's PI, Personal Intelligence, with cloud; and then Hybrid, that spans the two. It's a 1.13 gigabyte payload. Its massive size comes from bundling a local version of Gemini Nano directly into the APK, which is the Android installer. And it does things like process sensitive data, including screen content, without it ever leaving the device. And that is arguably helpful, again, for personal local productivity.

Then it has something bundled into it called the Mariner browser agent. Unlike other typical Google wrappers for the Android operating system, it includes an autonomous browser agent that can navigate the web to complete multi-step tasks for you. And if you've been listening to this show for several months now (we have not had a story on this topic in a couple of weeks), you will have heard about a huge wave of AI browsers and indirect prompt injections there, with things like malicious prompts planted on random pages that those browsers might stumble upon for you. And then, of course, the AI browser will act on that prompt injection.

So this is a local agent that can then reach out for you, probably in that Pi mode, Personal Intelligence, or in that Hybrid mode in particular. So this is a really interesting thing in the sense that it also leaked. It was briefly published to the Play Store and was pulled down within hours. But the way that the Play Store works is that anything that gets published there, the APK, is fully downloadable and can be fetched off of Android devices, a little bit differently from the iOS App Store, where those things are a little bit more closed and harder to decompile and look at.

And it's through that that security researchers were able to unbundle this and figure out exactly what it looked like. So some really interesting stuff here. Again, a lot of system-level access, a lot of permissions. And that's, I think, one of the key things: a lot of permissions, and that might be a big part of what is making people uncomfortable about this thing rolling out. Obviously, it appears to be an app as opposed to being bundled into the Android operating system, so it is something that you have to opt into. We'll have to see how this plays out, whether there is a lot of pushback just from the discovery of the permissions and what these services might do, or whether this ends up going forward.

All right, moving on to our last story of the day. Or actually, just kidding, our second-to-last story of the day, which is a very, very short update on the Vercel breach that we've talked about a couple of times over the last couple of weeks. Now, this does appear to be the largest "AI breach" that has happened in a production-level environment. And the only thing that I wanted to touch on is that it really highlights OAuth sprawl and supply chain and third-party connectivity. The entry point wasn't code. It wasn't a hijacked package.

It was one AI tool used by one employee with one allow-all OAuth permission. And that is the shape of supply chain attacks in 2026. You do want to think about what all the systems are that you are connecting to, whether it be your directory and your employees, or your data stores, for productivity purposes, for AI initiatives that you want to undertake inside your own organization.

All right. And now finally, our actual last story of the day, and this is a little bit of an interesting one. I often like to close on a bit of a philosophical vibe in these episodes. The University of Edinburgh analyzed 100 million posts from underground cybercrime forums, from the CrimeBB database. And what they found is that most criminals actually lack the skills to use AI effectively. So using AI in simple terms, in terms of, let's say, discovering vulnerabilities, might be kind of okay, but figuring out the levels of nuance to use it and weaponize it at scale appears to be just out of their reach so far.

And it's kind of funny because there's a parallel on the software development side, where there's a lot of talk about vibe coding and how that makes everyone a developer. But in practice, what really happens is that those who are good software developers can really boost their own productivity by using AI-assisted coding agents. And that appears to be more or less what's happening on the criminal side. So the criminal needs to be a good criminal in order to figure out ways to make AI make them more productive. It's a little bit of a counter-narrative to "oh my gosh, the attackers have AI and we're all out of luck" and so on.

Now, that's the current state of things. And the caveat that I would give here is that that's largely true also in the corporate world. A lot of organizations are at the experimentation and training phase without really understanding how to take full advantage of all the systems around them. All right. On that note, we will leave it here for today. As always, like, subscribe, share this episode. We'll talk to you next week. Bye bye.
