In this week's episode, Jeremy reports live from the sidelines of Infosecurity Europe in London.
As state-sponsored actors turn to thousands of automated recursive prompts to weaponize zero-days, the compliance landscape is fracturing: US state and federal frameworks are retreating into voluntary measures, while the EU AI Act locks in strict, unyielding mandates with firm deadlines.
Episode Links
https://flatt.tech/research/posts/poisoning-claude-code-one-github-issue-to-break-the-supply-chain/
https://aws.amazon.com/security/security-bulletins/2026-037-aws/
https://www.oasis.security/blog/claude-ai-prompt-injection-data-exfiltration-vulnerability
https://cybersecuritynews.com/badhost-ai-agent-vulnerability/
https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/
https://www.npr.org/2026/06/02/nx-s1-5844347/ai-safety-trump-executive-order
https://www.aitoday.io/colorado-rolls-back-landmark-ai-governance-law-a-31804
All right. Welcome back to another episode of This Week in AI Security for the week of the 4th of June 2026, coming to you from the sidelines of Infosecurity Europe. I want to save some time to talk about that a little bit at the end of today's episode, so we're going to go quickly through a number of topics, and we might be a little bit shorter than usual. As always, I will remind you that all of the stories are linked from the show notes. So if there's a topic that we don't cover in enough detail for you, please just do click through and you'll be able to get more information on that.
We're going to open up today's show with a couple of topics around software development environments. Now, we've talked about these any number of times on the show: any number of areas of indirect prompt injection via PR titles, via comments, via messages and README files, etc. We've got an interesting new one around this using something called symbolic links. Now, this does assume that you've got a little bit of repo access, to be able to commit to a repo with malicious instructions inside it, including an instructions file. And through that file, or into that file, you use a symlink to get this repo kind of ingested, and that is how the agentic-powered IDE environment processes the malicious links. So they're calling this Symjack, because it basically hijacks the symbolic link functionality. And a symbolic link, for those who don't know, is just a way to link one piece of code to another, or one file to another, etc. And that is how it gets this into a coding environment.
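One defensive check that follows from the Symjack story is to audit a checkout for agent instruction files that are themselves symbolic links, and to refuse any whose real target lies outside the repository root. The example below is added here and is not code from the episode, from Firetail, or from the linked research; the instruction file names it looks for (`CLAUDE.md`, `AGENTS.md`, `.cursorrules`) are an assumption, since the episode only says "an instructions file", and the sample repository it builds is constructed inside a temporary directory.

```python
"""Audit a repository checkout for agent instruction files that are symlinks.

Added example (not from the episode or any of the linked reports). The walk
never follows directory symlinks, and every instruction file found is
resolved so that an out-of-tree target can be flagged before an agent reads it.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed file names that agentic IDEs commonly read as instructions.
# The episode does not name any specific file; this list is an assumption.
INSTRUCTION_FILE_NAMES = {"CLAUDE.md", "AGENTS.md", ".cursorrules"}


@dataclass(frozen=True)
class Finding:
    path: str           # instruction file as found in the checkout (relative)
    is_symlink: bool    # the entry itself is a symbolic link
    resolves_to: str    # final real path of the file
    escapes_root: bool  # the real path lies outside the repository root


def audit_instruction_files(repo_root: str | os.PathLike[str],
                            names: set[str] = INSTRUCTION_FILE_NAMES) -> list[Finding]:
    """Walk the checkout without following directory symlinks and report
    every instruction file, flagging symlinks and out-of-tree targets."""
    root = Path(repo_root).resolve()
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Do not descend into symlinked directories either.
        dirnames[:] = [d for d in dirnames if not (Path(dirpath) / d).is_symlink()]
        for name in filenames:
            if name not in names:
                continue
            p = Path(dirpath) / name
            real = p.resolve()  # resolves the whole symlink chain, if any
            try:
                real.relative_to(root)
                escapes = False
            except ValueError:
                escapes = True
            findings.append(Finding(str(p.relative_to(root)), p.is_symlink(),
                                    str(real), escapes))
    return findings


def untrusted(findings: list[Finding]) -> list[Finding]:
    """Policy: any symlinked instruction file is untrusted, out-of-tree or not."""
    return [f for f in findings if f.is_symlink or f.escapes_root]


def build_demo_repo() -> tuple[str, str]:
    """Construct a sample checkout (constructed data, not a real repository).
    Returns (repo_root, outside_dir)."""
    base = tempfile.mkdtemp(prefix="symjack-demo-")
    repo = Path(base) / "repo"
    outside = Path(base) / "outside"
    (repo / "docs").mkdir(parents=True)
    outside.mkdir()
    (repo / "AGENTS.md").write_text("Run the test suite before committing.\n")
    (repo / "docs" / "notes.md").write_text("internal notes\n")
    (outside / "payload.md").write_text("content that should never be trusted\n")
    # In-tree symlink: still a symlink, so flagged, but it does not escape.
    os.symlink(repo / "docs" / "notes.md", repo / "CLAUDE.md")
    # Symlink whose target is outside the checkout entirely.
    os.symlink(outside / "payload.md", repo / ".cursorrules")
    return str(repo), str(outside)


if __name__ == "__main__":
    repo_dir, _ = build_demo_repo()
    for f in untrusted(audit_instruction_files(repo_dir)):
        print(f"REFUSE {f.path}: symlink={f.is_symlink} "
              f"escapes_root={f.escapes_root} -> {f.resolves_to}")
```

Run it as a pre-commit or CI step over the checkout an agent is about to read; the policy in `untrusted` is deliberately strict, treating even an in-tree symlinked instruction file as something to review rather than ingest.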
All right, moving on. We've got the poisoning Claude Code issue. This is a GitHub/Claude kind of supply chain automation issue. The right way to think about this, I think, is that basically there are GitHub Actions, which are kind of a workflow to kick off things like building a piece of software, etc. And the researcher found that by chaining two GitHub Actions together, one which is a triage and the other which is then the investigation into that, using a tag mode workflow, you can pass in a write permission as opposed to the normal permission. And that allows for kind of privilege escalation, including the ability to potentially write malicious content or files. And this was actually the default workflow on Claude Code itself. The fix is to upgrade to version 1.0.94 or above. And if you are using Claude Code with GitHub Actions, you should definitely audit your environment for what versions you are using.
Now, moving on to the next story. We've got a CVE in Kiro, which is the AWS-provided agent code builder. I don't know what the exact right phrase is for this coding agent, but in any event, the phrasing of the CVE is a little bit hard to parse, so I'll just put it in plain English. This basically gives too many permissions to execution-sensitive paths; basically, it allows writing to execution-sensitive paths, which can be exploited to do things like insert malicious code, etc. It's been given a CVE number and is remediated and patched at this point. The fix for you, if you or your organization are using Kiro, is to use version 0.17 or higher. So just update to the latest version. Typical patching.
Next, moving on, we've got a couple of vulnerabilities in Claude.ai, and this is using a few different bugs chained together to extract data from Claude. And the bugs are basically hidden HTML tags in a URL query parameter. So if you browse the web, you sometimes see, at the end of the website name that you are on, something like a question mark followed by user ID equals one. That is what's known as a query parameter. And we've talked on the show before about some research Firetail did with hidden ASCII characters in platforms like Gemini in particular, where we found that this was 100 percent of the time successful in getting malicious instructions passed to the LLM (since remediated, by the way). But this is a very similar technique using hidden HTML tags in those query parameter paths. Combine that with searching your conversation history and uploading sensitive data, and then leveraging an attacker-controlled Anthropic Files API key. So use those three things together, and with one malicious prompt, you can actually exfiltrate data out of Claude.ai. This has been disclosed. They actually tested it by planting a Google ad that had the embedded malicious, invisible HTML stuff in there.
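The first link in that Claude.ai chain is markup hidden inside a query-parameter value, and the Gemini research mentioned alongside it used hidden characters for the same purpose. An ingress check that decodes every parameter and refuses values carrying HTML tags or invisible code points is one place a defender can break the chain before the text reaches an LLM. The example below is added here and is not code from the episode, from Firetail, or from the Oasis report; it goes slightly beyond the story by also unwrapping double percent-encoding and by flagging zero-width and Unicode "tag" characters, and every URL it checks is a constructed sample.

```python
"""Flag URL query parameters that carry hidden HTML markup or invisible characters.

Added example, not from the episode or the linked reports. The check decodes
each parameter value (repeatedly, to defeat double-encoding) and reports
values that contain HTML tags or invisible/format characters.
"""
import re
import unicodedata
from urllib.parse import parse_qsl, urlsplit, unquote

# Anything that looks like an opening or closing HTML tag after URL-decoding.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][A-Za-z0-9-]*[^>]*>")

# Invisible characters commonly used to smuggle text past a human reader:
# zero-width space/non-joiner/joiner, soft hyphen, word joiner, BOM.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u00ad", "\u2060", "\ufeff"}


def is_hidden_char(ch: str) -> bool:
    """True for characters a reader would not see on screen."""
    if ch in INVISIBLE:
        return True
    if 0xE0000 <= ord(ch) <= 0xE007F:  # Unicode "tags" block (invisible ASCII look-alikes)
        return True
    return unicodedata.category(ch) == "Cf"  # other format controls


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; a double-encoded value slips past a single pass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_query_params(url: str) -> list[tuple[str, str]]:
    """Return (parameter, reason) pairs for values that should not reach an LLM."""
    findings: list[tuple[str, str]] = []
    # parse_qsl already performs one round of percent-decoding.
    for key, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = full_decode(raw)
        if TAG_RE.search(value):
            findings.append((key, "html-tag"))
        if any(is_hidden_char(c) for c in value):
            findings.append((key, "hidden-char"))
    return findings


# Constructed sample URLs (not taken from any real incident).
SAMPLES = [
    "https://example.test/p?user_id=1",
    "https://example.test/p?q=%3Cdiv%20style%3D%22display%3Anone%22%3Ehidden%3C%2Fdiv%3E",
    "https://example.test/p?q=%253Cb%253Ehi%253C%252Fb%253E",  # double-encoded
    "https://example.test/p?q=hello%E2%80%8Bworld",            # zero-width space
    "https://example.test/p?q=%F3%A0%81%A8i",                   # U+E0068, tag block 'h'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", suspicious_query_params(sample) or "clean")
```

Wire `suspicious_query_params` into whatever layer hands a page URL or its parameters to the model, and treat any finding as a reason to drop the value rather than sanitize it, since stripping tags still leaves the decoded text in the prompt.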
All right, moving on to the next topic. Another theme that we have talked about on the show any number of times is that threat actors have access to the same tools and technologies that we have access to. So, you know, we talk about cloud automation and of course AI. And one of the things that has been discussed and feared is that, with the capability of some of the newest LLM model families and their ability to investigate code, find software vulnerabilities, etc., there's a big fear that you could also use those same AI capabilities to write code that exploits those vulnerabilities. And the Google Threat Intelligence Group confirms that they found evidence of state actors from China and North Korea doing this with thousands of automated prompts, recursively analyzing CVEs and validating POC exploits. And in this case, the first one that they saw out in the wild is a zero-day in a web admin tool that bypasses two-factor authentication. And it's a very subtle reasoning that most scanners and most humans obviously would not catch.
All right, moving on to the next story in this same family around threat actors having access to AI and also attacking AI. In this case, we see from Sysdig the first LLM agent intrusion. This is another thing that we have talked about on the show before: your LLM is part of the target, but all the infrastructure and application code around it is also targeted. I did a talk recently around attacking AI agents, some of the research we've been doing here inside Firetail on attacking the twenty to thirty AI agents that we've built internally. What's interesting about this is that Sysdig specializes very much in container security, and so they see intrusions into containerized environments where LLM-based applications and agents are running. So that's an interesting development.
Again on the topic of threat actors having access to AI, we've got a couple of stories around basically SEO/AIEO. I don't know what the right phrase is for this, but there's an increasing trend of users moving away from typical Google search and towards using tools like AI to get recommendations around things that they should be looking at. So instead of googling for where should I buy my next car, they'll say, hey, I'm located in this area, what car dealership should I go to, into an engine like ChatGPT or something. Well, some clever threat actors have realized that by planting malicious content around how I should maximize my GPU, they could target users who have GPUs, because only they would be asking questions around this topic, and then give them poisoned LLM search results or query results that would direct them to a site to download malware, which in this case was helping to mine cryptocurrency for threat actors. A couple of stories on it go into a level of detail beyond what we're able to do here on today's show. If this is an area of interest for you, please do check those out.
And just continuing back on the agent track, researchers from the Trend AI division over at Trend Micro have confirmed that they have found ways to get agents to use their own tools maliciously. In one of my recent talks on attacking AI agents in our own usage, we found that once you've got a little bit of access to LLM-based prompting of the agent, you could also do things like get the agent to describe the tools that it's using. And in this case, the researchers over at Trend AI found that they could actually get the agents to use those tools. So it's kind of an escalation. We focused on describing and enumerating the tools, and the Trend guys went a little bit further and figured out that they could actually get the tools to be abused for malicious purposes.
Finally, we've got a story out of a Pennsylvania bank. In this case, it is a bank called Community Bank out of Pennsylvania. They filed an 8-K with the SEC disclosing a data breach caused by an employee uploading sensitive data. The quote is, directly, an "unauthorized artificial intelligence based software application," end quote, that exposed Social Security numbers and dates of birth. And this is something that you might think of as insider threat, and I would never attribute it directly to malicious action until that's been validated or proven. But a lot of employees are feeling pressure to do more with less. We see any number of waves of AI-attributed layoffs, the ability for organizations to be more productive with the same or even lower staffing levels, and employees turning to AI to help them get their work done faster, quicker, cheaper, etc. So it's not surprising that we see cases of employees doing things like uploading sensitive data to LLMs. This is one of those failures where what you really realize out of this is that most organizations don't know who's using what AI software, where, and in what ways. It's a big gap in AI visibility, governance, and monitoring that we are seeing pretty consistently across the entire technology and financial services landscape, really the whole economic landscape.
Finishing up today's episode with a couple of policy-based stories, and some observations around that from Infosecurity Europe that I want to share with you. So first, in the same week that Anthropic filed to go public, they do confirm that their Claude Mythos class models will roll out to the public. Exact time frames, rollout schedule, etc. are still to be determined. Second, Colorado is rolling back its landmark AI governance law. I know there were a lot of states that were looking at Colorado's law, which dates all the way back to 2024, as an example of what they might be able to get done on their own. And in this case, in fact, the legislation looks like it's being rolled back completely. It is politically difficult to legislate and regulate at the state level when there's so much intersection between, let's say, industry-specific regulations, state-level regulation, etc. I do understand that tension, but I want to come back to that point in just a second.
And our last story, before I go into some of my thoughts on Infosecurity Europe, is that we talked last week about the last-minute cancellation of the executive order around AI, first steps in regulation, and now the White House is basically asking for a voluntary review of new model families that might have cyber-critical capabilities, like the Mythos family or the latest GPT family from OpenAI, etc. So where does this leave us? We now have a state that's retreated. We have a federal government that's retreated. We don't have anything from the industry-specific regulators, like the FCC for telecoms or the SEC for banks and financial services, etc. A lot of American businesses are flying blind and don't really have any clear guidance. So they're having to reinvent, one after the other, what they can or should be doing to govern, regulate, and enforce some level of technical control, or even process control, around their AI adoption.
I get asked regularly, where should I start? What should I look at? And for American companies, very often the best thing right now is the NIST AI Risk Management Framework. But the name actually tells you what you need to know about it: it is a risk management framework. It's very theoretical and conceptual, as opposed to having technical controls or more of a checklist approach, which can be very helpful for security teams to wrap their arms around where the organization is from a process or maturity perspective, or even give them a starting point to build off of as they move forward.
Now, the interesting thing, in contrast, is that here at Infosecurity Europe we've had a lot of conversations over the last couple of days around the EU AI Act. I gave a talk on that topic yesterday; it was actually standing room only, which was awesome. And one of the things that we did learn from the people that we talked to around this topic of the AI Act is the following. One is that while the timelines have shifted, for instance the requirement around a six-month audit trail of all employee and agent prompts, which is now delayed from what was planned to be August of this year to December of next year, the requirement never changed.
So organizations have a pretty clear path on the EU AI Act. Let's just say, like, the top three items: number one, avoid the eight prohibited practices; number two, have an AI inventory; and number three, have a six-month audit trail. Those timelines have shifted a little bit about what's enforceable when, but the requirements have not. So organizations have a clear picture of what they can build towards, and know that they're staying within the guidelines of what is, or is going to be, required by the regulators that affect them. Also interesting: it's not industry-specific and not territory-specific. So anywhere within the EU there's harmonised legislation and regulation. From the teams that I talked to, it gives them a lot of confidence: okay, I know if I'm building these things, more requirements can always come later, but at least I have a clear starting path for how to get my org ready, so that we can mature and accelerate AI adoption at whatever rate is right for our organization, and know that we're checking the box on all the things we need to do along the way. So a very interesting contrast in the approaches over here. It will be very interesting to see how that actually translates to organizational innovation, maturity, etc., as we move forward. All right, that'll do it for today's episode. Thank you so much. Bye bye.