ai security: 7 articles
EU's Cyber Watchdog Gets Access to Anthropic's Scary Vulnerability-Finding AI
Anthropic has agreed to grant the EU's cybersecurity agency ENISA access to its powerful AI model, Mythos, through Project Glasswing — making ENISA the first European entity to join the initiative. Mythos has drawn significant concern due to its ability to autonomously discover and exploit software vulnerabilities at unprecedented speed and scale, raising fears about lowering the barrier for sophisticated cyberattacks. While the European Commission views the access as essential for assessing AI-related cyber risks, the terms are still being negotiated, and it remains unclear whether the US agency CISA has been granted similar access.
Meta's AI Assistant Handed Hackers the Keys to High-Profile Instagram Accounts
Hackers exploited a "confused deputy" logic flaw in Meta's AI-powered account recovery assistant to take over hundreds of high-profile Instagram accounts, including those of the Obama White House, Sephora, and a senior Space Force official. By simply asking the chatbot to link a new email address to targeted accounts, using VPNs to spoof locations and AI-altered photos to bypass identity checks, attackers were able to reset passwords and circumvent two-factor authentication without alerting victims. Meta has since patched the vulnerability, but the incident highlights the critical risk of granting AI agents broad system access without robust authorization controls.
AI Chatbots Are Sending Users Straight to Cryptojacking Malware
If you ask an AI chatbot to recommend a useful tool or service and it helpfully provides a link, you might want to think twice before clicking. Security researchers have identified a pattern where chatbot recommendations are directing users toward sites hosting cryptojacking malware, software designed to quietly hijack your hardware and mine cryptocurrency for someone else's benefit.
Chrome Vulnerability Numbers Are Skyrocketing. AI Is Almost Certainly Why.
Google has seen a dramatic surge in Chrome vulnerability discoveries, with the number of internally found flaws jumping from a handful in March to 100 in a single advisory published on May 5, likely due to its use of AI tools. While Google has not explicitly confirmed AI is responsible, the timing aligns with its own statements that AI and automation are helping its teams remediate risks "at an unprecedented rate." Google has been developing AI-powered vulnerability discovery tools such as Big Sleep and CodeMender, and is also among a select group of organisations with access to Anthropic's powerful Claude Mythos model.
Shadow AI Is the Insider Threat Nobody's Watching
Verizon's 2026 Data Breach Investigations Report reveals a fourfold increase in "shadow AI" use, with 67% of employees who regularly use AI at work doing so through unauthorized personal accounts, potentially exposing sensitive corporate data such as source code, documents, and proprietary research to unvetted third-party platforms. The report also highlights worsening vulnerability management, with remediation rates for critical flaws dropping from 38% to 26% and resolution times rising from 32 to 43 days, while ransomware featured in nearly half of all breaches. On a positive note, ransom payments continued to decline, with 69% of victims refusing to pay and the median payment falling slightly to just under $140,000.
ChromaDB Has an Unpatched RCE Flaw and Its Developers Aren't Picking Up the Phone
An unpatched remote code execution vulnerability (CVE-2026-45829, dubbed "ChromaToast") in ChromaDB allows unauthenticated attackers to gain full shell access to a server by supplying a malicious HuggingFace model identifier, which the server downloads and executes *before* performing any authentication checks. The flaw affects all ChromaDB versions since 1.0.0 and approximately 73% of internet-accessible deployments, potentially exposing sensitive data such as API keys, environment variables, and files. Despite multiple disclosure attempts by both HiddenLayer (from February 2025) and an independent researcher (from November 2025), Chroma has not responded or issued a patch as of version 1.5.8, leaving administrators to mitigate the risk by restricting network access to trusted clients only.
Linus Torvalds: AI Bug Hunters Are Drowning the Linux Security List in Duplicate Garbage
Linus Torvalds has criticised the flood of AI-generated bug reports overwhelming the Linux kernel's security mailing list, saying mass duplication from multiple researchers using the same tools has made it "almost entirely unmanageable." He argues that AI-detected bugs are not secret by nature and should not be submitted to a private list, where reporters cannot see each other's duplicate reports, creating pointless extra work. Torvalds urged researchers to go further than simply filing AI-generated reports by also developing patches and adding genuine understanding, rather than submitting drive-by reports with no real context.