Hi, I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into whats been happening recently in cybersecurity and AI security.
AI Research & Vulnerabilities
Google Antigravity Agent Exposes IDE Secrets and Credentials
Researchers demonstrated that a hidden indirect prompt injection on a simple webpage can manipulate Google's new agentic code editor, Antigravity. The vulnerability forces the integrated Gemini agent to bypass file access restrictions, collect sensitive credentials and source code from the user's IDE, and then use a browser subagent to silently exfiltrate the data to an attacker-controlled domain. The danger is compounded by default settings that allow the agent to run commands unsupervised in the background via its Agent Manager.
Claude for Excel Duped into Leaking Confidential Financial Data
Researchers unveiled a vulnerability called "CellShock" in the beta of Claude for Excel, allowing indirect prompt injection to exfiltrate sensitive data. By simply copying an external, untrusted data set containing a hidden injection into a spreadsheet, the Claude agent can be manipulated. When the user later asks Claude for a visualization, the agent is tricked into gathering confidential data, appending it to a malicious URL, and inserting an IMAGE formula that leaks the user's private financial projections to an attacker's server.
HashJack: Invisible Prompts in URL Fragments Hijack AI Browser Assistants
Researchers discovered "HashJack," the first indirect prompt injection attack that weaponizes any legitimate website to compromise AI browser assistants. The exploit hides malicious instructions after the "#" symbol in a URL fragment, which is fed directly into the LLM when the user engages the assistant. This attack can turn trusted sites like banks into vectors for data exfiltration, callback phishing, and the injection of misinformation or malware guidance.
Poetry Used to Fool AI and Bypass LLM Safety Guardrails
New research demonstrated a powerful exploit called "Adversarial Poetry" that acts as a universal, single-turn jailbreak mechanism across many different LLMs. The technique uses a specific structure of text formatted as poetry to consistently bypass the safety alignment features of state-of-the-art LLMs in a single prompt submission. This approach successfully coerces models into generating harmful, prohibited, or otherwise unsafe content, representing a significant new class of prompt injection attack that defeats current safety filters.
OpenAI API User Data Leaked in Mixpanel Security Incident
OpenAI confirmed a security breach involving Mixpanel, a third-party data analytics provider, resulting in the unauthorized export of a dataset containing limited information for some API product users. While no chat data, passwords, API keys, or payment details were compromised, the leak did expose users' names, email addresses, coarse location, and user IDs, leading OpenAI to warn impacted users to be vigilant against phishing and social engineering attacks.
Political Bias Forces DeepSeek AI Coder to Write Vulnerable Code
Researchers found a new, subtle vulnerability surface in the Chinese LLM DeepSeek-R1. When developers include seemingly innocuous geopolitical or politically sensitive terms in their coding prompts, the model's pro-CCP training is seemingly triggered, causing the likelihood of it generating severe security vulnerabilities in the code to increase by up to 50%.
Cybersecurity News
Sha1-Hulud Worm Steals Secrets, Then Wipes Developer Systems
A critical supply chain attack dubbed "Sha1-Hulud: The Second Coming" compromised hundreds of popular npm packages and affected over 25,000 GitHub repositories. The self-propagating worm, which executes during a hidden preinstall script, immediately targets developer environments and CI/CD pipelines to steal high-value secrets, including NPM and cloud credentials. The malware then publicly exfiltrates these stolen secrets to new GitHub repos. In a major escalation, if the malware cannot authenticate or exfiltrate data, it defaults to a destructive payload that attempts to irrevocably wipe the victim's entire home directory.
Windows Update Accidentally Hides Password Login Option
Microsoft issued a warning that recent Windows 11 updates may cause the password sign-in icon to disappear from the lock screen. The bug affects users with multiple sign-in options enabled. While the password text box and button are still functional, users must hover over the blank space where the icon should be to reveal it and proceed with login. Microsoft is currently working on a fix but has not provided a timeline for resolution.
CISA Issues Rare Warning on Sophisticated Spyware Targeting Messaging Apps
The Cybersecurity and Infrastructure Security Agency issued a rare public warning, alerting organizations that malicious cyber actors are aggressively targeting messaging apps using commercial spyware programs. Threat actors employ sophisticated social engineering, including deploying zero-click malware and tricking victims with fraudulent app upgrades, to gain unauthorized access. CISA noted that hackers are focusing on high-value targets such as senior government officials, military leaders, and civil-society executives, and urged organizations to consult its updated mobile security guidance.
Public GitLab Scans Expose 17,000+ Live API Keys
Researchers scanned all 5.6 million public GitLab Cloud repositories and discovered over 17,430 verified live secrets. The massive audit found that GitLab repositories have a 35% higher density of leaked credentials compared to Bitbucket. The exposed secrets—including highly-sensitive Google Cloud Platform credentials and 406 valid GitLab tokens—reinforce the danger of "platform locality," where developers accidentally commit credentials to the same platform they belong to. The research also highlighted the "Zombie Secret" problem, confirming valid credentials dating back to 2009 that remain functional because they were never properly rotated.
That's all for now… Stay informed and protected.