vulnerability management
30 articles about vulnerability management in AI news
Google Open-Sources OSV-Scanner: AI-Powered Dependency Vulnerability Scanner
Google has open-sourced OSV-Scanner, a vulnerability scanner that maps project dependencies against the OSV database across 11+ ecosystems. It features guided remediation and call analysis to reduce false positives.
OpenAI Launches Codex Security: AI-Powered Vulnerability Scanner That Prioritizes Real Threats
OpenAI has unveiled Codex Security, an AI agent designed to scan software projects for vulnerabilities while intelligently filtering out false positives. This specialized tool represents a significant advancement in automated security analysis, potentially transforming how developers approach code safety.
Poisoned RAG: 5 Documents Can Corrupt 'Hallucination-Free' AI Systems
Researchers proved that planting a handful of poisoned documents in a RAG system's database can cause it to generate confident, incorrect answers. This exposes a critical vulnerability in systems marketed as 'hallucination-free'.
PoisonedRAG Attack Hijacks LLM Answers 97% of Time with 5 Documents
Researchers demonstrated that inserting only 5 poisoned documents into a 2.6 million document database can hijack a RAG system's answers 97% of the time, exposing critical vulnerabilities in 'hallucination-free' retrieval systems.
Subliminal Transfer Study Shows AI Agents Inherit Unsafe Behaviors Despite
New research demonstrates unsafe behavioral traits in AI agents can transfer subliminally through model distillation, with students inheriting deletion biases despite rigorous keyword filtering. This exposes a critical security flaw in agent training pipelines.
NSA Uses Anthropic's Claude Mythos Despite 'Supply Chain Risk' Label
The National Security Agency is using Anthropic's Claude Mythos Preview for its capabilities, despite having labeled Anthropic itself as a potential supply chain risk. This highlights the tension between security concerns and the operational need for cutting-edge AI.
Claude Code's Redesigned Desktop App Adds Parallel Sessions & 'Routines'
Claude Code's redesigned desktop app introduces parallel sessions and 'Routines'—reusable workflow templates—letting developers manage multiple coding tasks simultaneously.
Agentic AI in Retail: Experts Warn Against Shifting Liability to Consumers
Industry experts warn that the rush to implement agentic AI in retail carries significant risk. If brands attempt to shift liability for AI mistakes onto customers, they could erode hard-won consumer trust and face increased regulatory scrutiny.
Houthi Threat to Bab el-Mandeb Strains AI Chip Supply Chain
Escalating Middle East conflict threatens two key maritime chokepoints, Bab el-Mandeb and Hormuz, jeopardizing the helium and energy supplies that underpin global advanced AI chip manufacturing at TSMC and SK Hynix.
Anthropic's Claude Mythos Scores 83.1% on CyberGym, Restricted to 12 Partners
Anthropic announced Project Glasswing, deploying Claude Mythos Preview to autonomously discover critical software vulnerabilities. Scoring 83.1% on CyberGym, it's restricted to 12 launch partners due to dual-use risks, with a 90-day disclosure window.
Tool Emerges to Strip Google SynthID Watermarks from AI Images
A developer has reportedly built a tool capable of removing Google's SynthID watermark from AI-generated images. This directly challenges a key industry method for tracking synthetic media origin.
Agent Harness Engineering: The 'OS' That Makes LLMs Useful
A clear analogy frames raw LLMs as CPUs needing an operating system. The agent harness—managing tools, memory, and execution—is what creates useful applications, as proven by LangChain's benchmark jump.
Meta Halts Mercor Work After Supply Chain Breach Exposes AI Training Secrets
A supply chain attack via compromised software updates at data-labeling vendor Mercor has forced Meta to pause collaboration, risking exposure of core AI training pipelines and quality metrics used by top labs.
Frontier AI Models Resist Prompt Injection Attacks in Grading, New Study Finds
A new study finds that while hidden AI prompts can successfully bias older and smaller LLMs used for grading, most frontier models (GPT-4, Claude 3) are resistant. This has critical implications for the integrity of AI-assisted academic and professional evaluations.
Agentic AI Systems Failing in Production: New Research Reveals Benchmark Gaps
New research reveals that agentic AI systems are failing in production environments in ways not captured by current benchmarks, including alignment drift and context loss during handoffs between agents.
Google DeepMind Maps Six 'AI Agent Traps' That Can Hijack Autonomous Systems in the Wild
Google DeepMind has published a framework identifying six categories of 'traps'—from hidden web instructions to poisoned memory—that can exploit autonomous AI agents. This research provides the first systematic taxonomy for a growing attack surface as agents gain web access and tool-use capabilities.
AgentGate: How an AI Swarm Tested and Verified a Progressive Trust Model for AI Agent Governance
A technical case study details how a coordinated swarm of nine AI agents attacked a governance system called AgentGate, surfaced a structural limitation in its bond-locking mechanism, and then verified the fix—a reputation-gated Progressive Trust Model. This provides a concrete example of the red-team → defense → re-test loop for securing autonomous AI systems.
Axios NPM Package Under Active Supply Chain Attack, Potentially Impacts 100M+ Weekly Installs
The widely-used JavaScript HTTP client library Axios may be compromised via a malicious dependency in its latest release, exhibiting malware-like behavior including shell execution and artifact cleanup. With over 100 million weekly downloads, this represents a critical software supply chain threat.
New Research Proposes FilterRAG and ML-FilterRAG to Defend Against Knowledge Poisoning Attacks in RAG Systems
Researchers propose two novel defense methods, FilterRAG and ML-FilterRAG, to mitigate 'PoisonedRAG' attacks where adversaries inject malicious texts into a knowledge source to manipulate an LLM's output. The defenses identify and filter adversarial content, maintaining performance close to clean RAG systems.
Anthropic's Claude Discovers Zero-Day Vulnerabilities in Ghost CMS and Linux Kernel in Live Demo
Anthropic research scientist Nicholas Carlini demonstrated Claude autonomously finding and exploiting zero-day vulnerabilities in Ghost CMS and the Linux kernel within 90 minutes. The research has uncovered 500+ high-severity vulnerabilities using minimal scaffolding around the LLM.
Apple Announces Plans to Increase US iPhone Parts Manufacturing, Continuing Supply Chain Diversification
Apple has announced plans to manufacture more iPhone components within the United States. This continues a multi-year strategy to diversify its supply chain away from concentrated geographic regions.
GitLab MCP Servers: How to Choose Between Official Beta and 100+ Tool Community Options
GitLab now has built-in MCP access for Premium users, but community servers offer 6x more tools for free. Here's how to configure each with Claude Code.
Why Quince's Luxury-For-Less Model Has Earned A $10.1 Billion Valuation
Forbes reports on Quince's disruptive 'luxury-for-less' model, achieving a $10.1B valuation by cutting traditional markups. This challenges established luxury economics and highlights a growing consumer segment prioritizing value-conscious premium goods.
PyPI Quarantines LiteLLM Package After Supply Chain Attack Compromises AI Integration Tool
The Python Package Index (PyPI) has quarantined the LiteLLM package after a supply chain attack distributed a malicious update. The action prevents automatic installation of the compromised version via pip.
Claude Opus 4.6's Security Audit Power Is Now in Claude Code
The new Claude Opus 4.6 model, which found 500+ high-severity open-source flaws, is now available in Claude Code for automated security auditing.
Cloudflare CEO Predicts AI Bot Traffic Will Surpass Human Web Traffic by 2027
Cloudflare CEO Matthew Prince forecasts that automated bot traffic will exceed human web traffic within three years, driven by the proliferation of AI agents. This projection highlights a fundamental shift in internet infrastructure demands.
How Large Language Models 'Counter Poisoning': A Self-Purification Battle Involving RAG
New research explores how LLMs can defend against data poisoning attacks through self-purification mechanisms integrated with Retrieval-Augmented Generation (RAG). This addresses critical security vulnerabilities in enterprise AI systems.
Amazon's AI Agent Incident Highlights Critical Risks of Unsupervised Automation in Retail
Amazon's retail website suffered multiple high-severity outages linked to an engineer acting on inaccurate advice from an AI agent that sourced information from an outdated internal wiki. This incident underscores the operational risks of deploying autonomous AI agents without proper human oversight and data governance in critical retail systems.
Shein's Xcelerator Program: Opening Its On-Demand Supply Chain to Competing Brands
Shein is offering smaller labels access to its proprietary on-demand manufacturing and global logistics network through its 'Xcelerator' program. This creates a strategic dilemma for brands: gain speed and scale, but potentially empower a formidable competitor.
The Agent Alignment Crisis: Why Multi-AI Systems Pose Uncharted Risks
AI researcher Ethan Mollick warns that practical alignment for AI agents remains largely unexplored territory. Unlike single AI systems, agents interact dynamically, creating unpredictable emergent behaviors that challenge existing safety frameworks.