Connect with us

Infosecurity

Anthropic and OpenAI Security Tools Could Fuel Cyber-Attacks, Researchers Warn

Published

on

AI security tools

AI Security Tools Could Fuel Cyber-Attacks, Researchers Warn

Organizations are rushing to deploy AI-powered coding agents from Anthropic and OpenAI to automate vulnerability discovery and patch management. But a new report warns that the very access these tools require could turn them into powerful attack vectors.

Published July 8 by the AI Now Institute, the research demonstrates a proof-of-concept exploit that achieves remote code execution (RCE) through two of the most popular AI-powered command-line interfaces: Anthropic’s Claude Code and OpenAI’s Codex. The exploit works against Claude Code running Claude Sonnet 4.6, 5, or Opus 4.8, and Codex using GPT-5.5.

The attack is alarmingly simple: a victim can be compromised just by asking the AI to review or analyze a third-party open-source codebase — a widely recommended defensive use case.

How Prompt Injection Enables Silent Remote Code Execution

The attack begins with an attacker hiding malicious instructions inside an open-source library’s files, embedding them in code comments or documentation in a way designed to manipulate how the AI interprets commands.

The victim then uses Claude Code or Codex in “auto-mode” or “auto-review” mode — a standard feature that automatically executes commands the AI judges safe, only pausing on flagged risks. Because the injected instructions are crafted to trick the AI’s judgment, the assistant is fooled into believing the attacker’s commands are harmless or routine. It runs them automatically, without alerting the user.

Multi-Stage Injection and Tool-Use Exploitation

The key mechanism is a multi-stage prompt injection combined with tool-use exploitation. When the AI agent scans the repository, it doesn’t just read code passively — it builds a semantic model of the project by parsing source files, scripts, and documentation. The attacker exploits this by embedding natural-language instructions inside trusted-looking artifacts (e.g., README.md) that the model interprets as part of its task context rather than untrusted input.

These injected instructions reshape the agent’s planning process. Instead of directly telling the model to execute something obviously malicious — which would trigger safeguards — the instructions suggest that a specific script (e.g., security.sh) is a standard part of the project’s security workflow. They frame execution of that script as necessary to complete the user’s request (“run security checks”) and align with the agent’s goal of vulnerability analysis, making the action appear legitimate.

The repository also contains a second-stage payload: a shell script that appears to run common tools like linters or static analyzers, a hidden malicious binary that the script executes, and a decoy source file that makes the binary look benign and consistent with expected build artifacts.

When the agent evaluates whether to execute the script, it relies on its internal classifier and heuristics. Because the script references familiar security tooling, the binary appears to correspond to legitimate source code, and the documentation frames execution as routine, the agent misclassifies the action as safe. In auto-mode, this classification is critical — the agent is explicitly authorized to execute shell commands without human approval if they are deemed low-risk.

The result: the agent autonomously decides that running security.sh is part of the requested analysis, executes the script via its tool interface, indirectly launches the malicious binary, and triggers arbitrary code execution on the host system. Remote code execution is achieved — the attacker’s code runs on the victim’s machine, even though the victim believed they were having the AI passively scan a codebase for vulnerabilities.

An Attack with Low Requirements

What’s notable is how little is required to pull this off. No special hooks, plugins, skills, model context protocol (MCP) servers, or custom configuration files are needed. It works with a completely out-of-the-box install of either tool.

The victim simply needs to run the assistant in its standard automated review mode and point it at a codebase containing the attacker’s hidden instructions — something as ordinary as asking the AI to “scan this library for vulnerabilities.” The researchers tested this on Linux systems using specific versions of both tools: Claude Code versions 2.1.116, 2.1.196, 2.1.198, and 2.1.199, and Codex version 0.142.4.

The significance of this finding is that it undermines the idea that these AI agents can safely be used for defensive security work, since the attack surface is identical to the access required for their intended, legitimate purpose. The researchers emphasized this as governments and companies push to deploy these tools more broadly for automated security review and patching, including initiatives like Anthropic’s Project Glasswing, Palantir’s MA-S2 standard, and OpenAI’s Patch the Planet and Daybreak programs — some of which touch safety-critical infrastructure.

The technique could likely transfer to other agentic AI coding platforms beyond Anthropic’s and OpenAI’s, the researchers argued, because the core issue is architectural. Giving an AI agent the autonomy to decide for itself what’s safe to execute creates a new trust boundary that attackers can target directly, by convincing the AI — rather than the human — that malicious code is safe to run.

While the researchers noted that their report “is not within the scope of the security disclosure policies for either Anthropic or OpenAI,” Khlaaf and Milanov contacted both companies to inform them of their findings and offered support to verify the issues raised.

Architectural Risk Undermines AI Agent Safety, Warns Expert

Eljan Mahammadli, head of AI provenance at Polygraf AI, said the significance of the research lies in the underlying weakness it exposes, not the specific exploit used.

“An AI coding agent has no reliable way to distinguish the text it reads from instructions it is supposed to follow,” he said. That’s because everything in its context window is processed with the same authority. That lack of attribution means malicious instructions, once embedded, are treated as equally trustworthy — which is why similar attacks keep reappearing in different forms.

He argued this is not something a model update can fix, since it reflects a deeper architectural issue. “The problem is a property of how these systems handle language and not a defect that can be trained away,” he said. From a provenance perspective, he described it as a failure of attribution, where the agent cannot determine where text comes from or whether it should be trusted.

Nevertheless, Mahammadli pushed back on the idea suggested by the AI Now researchers that the findings undermine AI’s role in defensive security. He said the issue is specific to a common but flawed setup: agents that combine access to untrusted data, command execution, and sensitive environments in a single process, with only a safety classifier as a guardrail.

“When those powers sit together, a single injected instruction is enough to turn the agent against its operator,” he said, arguing that stronger runtime controls and separation of capabilities are key.

He also highlighted that, counterintuitively, more advanced models sometimes detected inconsistencies in the exploit but executed it anyway. This challenges the assumption that stronger models are inherently safer. “A more capable and more compliant agent can simply be a more effective executor of whatever instruction reaches it,” he warned, cautioning that deployment in critical systems is moving faster than solutions to this core trust problem.

For organizations already using these tools, the findings serve as a stark reminder: AI security tools can be turned against their users with surprising ease. Until the underlying architectural issues are addressed, the very features that make AI coding assistants powerful also make them dangerous.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

GigaWiper: Microsoft Warns New Malware Blends Espionage with a Wipe Function

Published

on

GigaWiper Malware: A New Breed of Cyber Weapon

Microsoft has sounded the alarm on a new multi-purpose backdoor that marks a worrying evolution in cyber-attack toolkits. Dubbed GigaWiper malware, this implant does not just steal data or lock files — it does both, and then wipes the system clean.

Discovered by Microsoft Threat Intelligence in October 2025, GigaWiper is written in Go (Golang). It gives attackers a single, unified platform to conduct quiet espionage, execute commands, deploy extra tools, and then trigger one of several destructive actions on demand.

This is not your average wiper. It is a modular backdoor that consolidates capabilities from at least three separate malware families: the Crucio ransomware strain, the FlockWiper wiper, and another unrecovered component. The result is a flexible, dangerous weapon.

How GigaWiper Works: Two Flavors, Three Ways to Destroy

Microsoft’s analysis, published on July 9, identified two types of GigaWiper samples in the wild.

Standalone Wiper vs. Full Backdoor

The first type is a standalone wiper binary — lean, mean, and purely destructive. The second type is a larger binary packed with full backdoor functionality. That second version is the real worry.

It gives attackers three distinct destructive modes to choose from:

  • Disk-level wiping: Overwrites raw disk content and removes partition metadata. The target drive is left structurally dead.
  • Fake ransomware (Crucio-derived): Encrypts files using randomly generated keys that are never saved. Decryption is mathematically impossible. This is extortion theater — the attacker never intends to unlock anything.
  • FlockWiper reimplementation: A Golang version of the original C-based FlockWiper, enhanced with multi-pass secure wiping. It scrubs data so thoroughly that recovery tools are useless.

Having all these options inside a single backdoor is what makes GigaWiper malware stand out. Attackers no longer need to deploy separate tools for espionage and destruction. One implant does it all.

Why This Shift Matters

Traditional wiper malware has one job: destroy data and cause chaos. Think of the NotPetya attacks of 2017, which were pure destruction with no real extortion. GigaWiper changes that equation.

Microsoft researchers noted that this consolidation reflects “a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort.” The fake ransomware component adds a layer of confusion. Victims may think they can pay and recover. They cannot.

The backdoor also reduces the attacker’s deployment footprint. One implant means fewer dropped binaries, less network chatter, and a smaller chance of being caught before the payload fires. For defenders, that is a nightmare scenario.

Microsoft assessed that GigaWiper was built by combining and reimplementing components from Crucio, FlockWiper, and an as-yet-unrecovered framework. This suggests the authors had deep code-level knowledge of those older families.

How to Defend Against GigaWiper

Microsoft published a set of mitigation recommendations for organizations worried about GigaWiper malware. They fall into two buckets: general security hygiene and Microsoft-specific settings.

General Mitigations

  • Enable tenant-wide tamper protection. This prevents attackers from stopping security services or adding antivirus exclusions.
  • Block direct access to known C2 infrastructure. Use threat intelligence feeds to keep command-and-control servers off your network.
  • Turn on cloud-delivered protection. This helps your antivirus keep up with rapidly evolving tools and techniques.

Microsoft-Specific Recommendations

  • Run EDR in block mode. Microsoft Defender for Endpoint can block malicious artifacts even when your non-Microsoft antivirus misses them or when Defender Antivirus is in passive mode.
  • Enable full automated investigation and remediation. This allows Defender for Endpoint to take immediate action on alerts, reducing breach impact significantly.
  • Apply attack surface reduction rules. Specifically, enable the rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion.

These steps are not theoretical. They are the same defenses that help stop ransomware attacks and other advanced threats. Wipers like GigaWiper move fast — your defenses need to be automated and always-on.

The Bigger Picture: Wiper Malware Is Evolving

GigaWiper is not just another malware sample. It is a sign that threat actors are investing in operational efficiency. They are merging standalone tools into unified platforms. That reduces their risk and increases yours.

For defenders, the takeaway is clear: you cannot treat espionage threats and destructive threats as separate problems anymore. The same implant that steals your credentials today can wipe your servers tomorrow.

Microsoft did not disclose who was targeted or how the initial compromise occurred. But the company did share detection signatures through its security products. If you are running Microsoft Defender for Endpoint with cloud-delivered protection and EDR in block mode, you are already better positioned to spot GigaWiper before it triggers its payload.

The clock is ticking. Wipers do not negotiate. They just delete.

Continue Reading

Infosecurity

Supreme Court greenlights Texas law that forces app stores to verify ages

Published

on

Texas app age verification

The Supreme Court just cleared the way for Texas to enforce a controversial new law that forces app stores and developers to verify a user’s age before letting minors download anything.

The order, issued Monday, denied an emergency request from tech trade groups and student advocates to block the Texas App Store Accountability Act (TASAA) while a lower court reviews its constitutionality. That means the law is now in effect — at least for now.

The Supreme Court didn’t explain its reasoning, which is typical for emergency applications. But the practical impact is immediate: app stores operating in Texas must start checking ages and getting parental consent for users under 18.

What the Texas app store law actually requires

Governor Greg Abbott signed TASAA into law back in May 2025. It’s straightforward in intent but messy in execution. The law says:

  • App stores and developers must use age verification tools to confirm whether a user is under 18.
  • Minors cannot download apps or make in-app purchases without parental consent.
  • Developers are required to assign age ratings to their apps — a provision the tech industry calls “burdensome” and potentially unconstitutional.

The law applies to any app store that does business in Texas, which effectively means it covers the entire U.S. market for major platforms like Apple’s App Store and Google Play.

Legal whiplash: from blocked to reinstated

The case has bounced around the courts for months. In December 2025, a federal judge in Texas issued a preliminary injunction, stopping enforcement while the legal challenge played out. But last month, the Fifth Circuit Court of Appeals reversed that decision and let the law take effect.

The Computer and Communications Industry Association (CCIA) — whose members include Google, Meta and Apple — along with a student advocacy group, then asked the Supreme Court to step in. They argued the law violates the First Amendment. The high court said no.

The Fifth Circuit is scheduled to hear oral arguments in August. So this isn’t the final word. But for now, Texas has its age verification law.

First Amendment fight: privacy vs. child safety

The core of the legal battle is about free speech. The CCIA argues that forcing people to hand over personal data — like a government ID or a birth date — just to access an app store is a form of prior restraint.

“People should not have to turn over personal data to access the internet any more than they should show government identification to enter a bookstore,” the group said in a statement after the Supreme Court ruling.

Youth advocates and tech companies also contend that the law restricts minors’ own First Amendment rights. If a 16-year-old can’t download a news app or a messaging platform without a parent’s approval, that’s a limit on their access to information, the argument goes.

States push back: “Parental controls don’t work”

On the other side, a bipartisan coalition of more than two dozen state attorneys general filed an amicus brief last month supporting TASAA. Their argument is blunt: the status quo isn’t working.

“The lack of current controls is especially well-documented in the social media context,” the brief states. “Platforms have long had parental controls, but they have made no dent in child addiction. That is both because parents do not use them and because they are ineffective.”

Texas isn’t alone in this push. The state already has a similar age verification law for porn websites, which the Supreme Court upheld last year. Other states, including Louisiana and Utah, have passed or proposed comparable legislation for social media and app stores.

What happens next — and what it means for users

For now, if you live in Texas and use an iPhone or Android device, you may start seeing age prompts the next time you open the App Store or Google Play. Developers will need to figure out how to rate their apps in a way that complies with Texas law — or risk being blocked from the state’s market.

The Fifth Circuit’s hearing in August will be the next big moment. If the appeals court upholds the law, the case could head back to the Supreme Court for a full review. If it strikes the law down, Texas will likely appeal.

Either way, the legal uncertainty isn’t going away anytime soon. And the broader question — whether age verification is a legitimate tool for protecting children or an unconstitutional barrier to free expression — is far from settled.

For more on how these legal battles affect what you can do on your phone, check out our explainer on how age verification laws impact social media use and the ongoing debate over digital privacy and the First Amendment.

Continue Reading

Infosecurity

How CISA Responded to Leaked AWS GovCloud Keys on a Contractor’s GitHub

Published

on

CISA incident response

The Leak That Wasn’t on CISA’s Radar

In May, security researchers from GitGuardian spotted something alarming — a public GitHub repository containing credentials to multiple highly privileged AWS GovCloud accounts. The repo also exposed keys to a large number of internal CISA systems.

Here’s the twist: the repository didn’t belong to CISA’s official GitHub organization. It was a personal repo owned by a contractor. And it was wide open.

KrebsOnSecurity broke the story in May. CISA’s formal response landed on June 9, offering a rare, unvarnished look at how a federal agency handles a cloud credential spill.

Timeline: From Alert to Action

CISA’s internal incident response kicked off on May 15 — the same day the agency learned of the exposure. The Office of the Chief Information Officer (OCIO) moved fast.

“Within moments of receiving this information, CISA’s OCIO took swift and comprehensive action to mitigate any exposure to CISA’s cloud resources and code repositories,” the agency wrote in its June 9 update.

Incident responders focused on five priorities:

  • Eliminating public exposure of the credentials
  • Preventing further harm to CISA systems
  • Understanding the full scope of what was shared
  • Assessing the operational impact
  • Implementing corrective actions

Critically, CISA confirmed that no customer or mission data was accessed. The leaked credentials were never used outside CISA’s own environments.

How the Keys Ended Up on GitHub

The contractor uploaded copies of a CISA build and deployment repository to their personal GitHub account. Their stated goal: to automate cloud infrastructure creation.

That repository contained CISA’s Infrastructure as Code (IaC) and build code — sensitive material that should never have left the agency’s controlled environment.

It’s a classic insider risk scenario, but with a twist: the contractor wasn’t malicious. They simply ignored basic security hygiene. And because CISA lacked tight controls over public code repository access, the mistake went unnoticed until an external researcher flagged it.

What CISA Got Right — And Where It Fell Short

CISA’s response was far from a PR whitewash. The agency openly acknowledged gaps in its defenses.

Areas flagged for improvement include:

  • Tighter controls over public code repository access
  • Stronger monitoring for exposed secrets
  • Comprehensive GitHub and cloud incident-response playbooks (which apparently didn’t exist before)
  • Simpler security researcher reporting channels
  • Better cryptographic key management for faster credential rotation

On the reporting side, CISA admitted its vulnerability disclosure platform wasn’t designed for this kind of incident. The researcher ended up emailing the contractor directly, filing through CISA’s public disclosure portal (meant for broader community vulnerabilities), and finally looping in a reporter before the agency took action.

“These channels were not well defined,” CISA wrote.

The Zero Trust Lesson and Logging Wins

CISA used the incident to reinforce the importance of zero trust principles — not just for protecting systems, but for securing development environments where code is built and deployed.

Strong logging also proved its worth. CISA’s Security Operations Center (SOC) had the logs needed to investigate the breach thoroughly. The agency called continuous improvement of logging capabilities “a key element of a strong security program.”

That’s worth noting: good logs don’t prevent leaks, but they make incident response vastly more effective.

Transparency as a Security Tool

Perhaps the most striking part of CISA’s update is its closing reflection: “It is not a matter of ‘if’, but ‘when’ a cybersecurity incident will happen to your organization. It is important to the broader cybersecurity community that we address these matters openly to strengthen trust and foster transparency. Such transparency unlocks opportunities for learning that will enhance not only CISA’s security posture but that of other organizations as well.”

That’s a refreshingly honest take from a federal agency. CISA published the update on its LinkedIn channel, where one commenter praised the agency for documenting both its strengths and its gaps.

The lesson for other organizations? Build the playbooks before the breach. Tighten access controls on code repositories. And when a researcher tries to report a leak, make sure they know exactly where to go.

Because the next exposed key might not belong to a federal agency — it could be yours.

Continue Reading

Trending