Hello, world! I'm Vivian, a cybersecurity and AI Product Manager trying to keep up with an industry that moves faster than I can whisk up my morning matcha. Every week brings a new wave of vulnerabilities, AI security mishaps, and breaches that keep us on our toes, so I take some time to share the most interesting news instead of letting it all blur together. Let's dive into what kept us up at night recently in cybersecurity and AI security.
AI News:
Malicious Repository Cloning in Claude Code Exposes API Keys
Security researchers identified two critical vulnerabilities in Anthropic's Claude Code that let attackers achieve remote code execution and credential theft by convincing developers to clone and open a malicious repository. By abusing built-in features like Hooks and Model Context Protocol integrations, the repository could run concealed shell commands during tool initialization, bypass the user consent prompts, and redirect authenticated API traffic to attacker infrastructure before the developer had even confirmed that they trusted the project. Because Anthropic's Workspace feature links multiple API keys to shared, cloud-stored project files, a single compromised key could expose, modify, or delete shared resources across an entire team. Anthropic patched both vulnerabilities before public disclosure. The lasting takeaway: agent configuration checked into a repository is executable code, and it deserves the same read-before-you-run treatment as a Makefile or a package manager's install scripts.
Websites Can Silently Hijack OpenClaw AI Agents
Security researchers discovered a vulnerability chain in OpenClaw that lets any website a developer visits silently take full control of their local AI agent, with no plugins and no user interaction. The chain works because browsers allow page JavaScript to open WebSocket connections to localhost: a malicious page connects to the OpenClaw gateway, brute-forces the gateway password at hundreds of attempts per second because local connections were exempt from rate limiting, and then registers itself as a trusted device without any pairing prompt. From there the attacker can read messages, pull configuration data, and run shell commands across every paired device. The OpenClaw team rated the issue high severity and shipped a fix within 24 hours; update to version 2026.2.25 or later now. The broader lesson applies to any agent or dev tool that listens on localhost: validate the Origin header on every WebSocket upgrade, rate-limit authentication attempts from 127.0.0.1 like any other address, and never grant trust without a human approving it.
Malicious Chrome Extensions Exploit Gemini AI Panel for System Access
Security researchers discovered a high severity vulnerability in Chrome's Gemini Live panel allowing malicious browser extensions with basic permissions to inject JavaScript code into the panel and escalate privileges to access normally restricted capabilities. The Gemini panel operates as a trusted, browser-level component with system resource access, enabling attackers to silently activate camera and microphone, capture screenshots of HTTPS sites, access local files and directories, and display phishing content inside the panel without user interaction beyond clicking the Gemini button. Google was notified in late October 2025 and released a fix in early January 2026.
Autonomous AI Bot Systematically Hacks GitHub Pipelines at Major Companies
In late February 2026, an autonomous GitHub account identifying itself as powered by claude-opus-4-5 systematically targeted CI/CD pipelines across at least 7 major open source repositories using 5 different exploitation techniques, including branch name injection, filename injection, poisoned scripts, and AI prompt injection. The bot achieved confirmed remote code execution in at least 4 targets, exfiltrated credentials with write permissions from a repository with over 140,000 stars, and did severe damage at one target by making the repository private, deleting every release spanning multiple years, and pushing a suspicious artifact to an extension marketplace. The only fully blocked attack was a prompt injection attempt in which Claude recognized the malicious instructions and refused to carry them out. Branch name and filename injection are the familiar GitHub Actions expression injection class: a workflow that interpolates an attacker-chosen value straight into a run step hands a pull-request author a shell, and no amount of quoting inside the script fixes it.
Old Public Google API Keys May Grant Unauthorized Gemini Access
Security researchers found that enabling the Gemini API on a Google Cloud project silently grants every existing API key in that project access to Gemini endpoints, with no warning or notification. That includes keys Google's own documentation says may be embedded in public website source for services like Maps, Firebase, and YouTube. A scan of November 2025 web data found nearly 3,000 live exposed keys, some belonging to Google itself, that anyone copying them from a web page could use to read uploaded files and cached content and run up charges on the owner's account. The fix on your side is the one Google has always recommended for browser-exposed keys: restrict each key to exactly the APIs it needs, and check whether Gemini quietly joined that list.
AI Can Deanonymize Users From Anonymous Social Media Posts
Researchers published findings demonstrating that LLM agents can deanonymize users at scale by inferring personal attributes from anonymous posts, then searching the web to match them to real identities across platforms like Hacker News, Reddit, and LinkedIn with high precision. The method scales to candidate pools of tens of thousands of users, and researchers identified 9 out of 125 individuals in Anthropic's anonymized dataset simply by having an agent search the web and analyze transcripts. Because the attack decomposes into individually benign-looking tasks such as summarizing profiles and ranking candidates, refusal guardrails are easily bypassed with minor prompt changes.
OpenAI Disrupts Romance Scams and Chinese Influence Operations
OpenAI's February 2026 threat report details seven disrupted operations abusing ChatGPT, including a Cambodia-based romance scam network targeting Indonesian men through fake dating platforms, a scam recovery fraud impersonating law firms and the FBI, a Russia-linked content farm connected to a disinformation network generating content across Africa, and most notably a Chinese law enforcement-linked operator using ChatGPT to edit status reports on large-scale covert influence operations targeting dissidents, foreign governments, and a Japanese Prime Minister.
Microsoft Expands Data Loss Prevention Controls for Copilot
Microsoft is expanding data loss prevention controls to block Microsoft 365 Copilot from processing sensitivity-labeled Word, Excel, and PowerPoint files stored on local devices, closing a gap that previously limited enforcement to cloud storage only. The update, rolling out between late March and late April 2026, follows a bug discovered in late January that allowed Copilot Chat to summarize confidential emails from Sent Items and Drafts folders for approximately four weeks despite sensitivity labels. No changes to existing policies are required, as protection will extend automatically to all storage locations once deployed.
Fake Google Security Alert Transforms Browsers Into Surveillance Tools
Researchers discovered a site impersonating a Google Account security page that installs a Progressive Web App and guides victims through granting notification access, contact list access, and GPS location, all framed as protective security measures. A background service worker persists after tab closure, allowing attackers to push new tasks, intercept one-time passwords, and proxy web traffic through victim browsers. Victims following every prompt also receive an Android APK requesting 33 permissions including SMS, microphone, and accessibility service access, with a custom keyboard for keystroke capture.
Attackers Abuse Microsoft and Google Login Pages for Malware Delivery
Security researchers uncovered phishing campaigns that abuse a legitimate OAuth behavior: when an authorization request fails, the identity provider sends the user to the redirect URI registered for the requesting app, with the error in the query string. Attackers send victims authorization links carrying deliberately invalid parameters, so a trusted Microsoft or Google login URL bounces them straight to an attacker-controlled page, which either hosts a phishing framework or auto-downloads an archive whose contents run scripts, fingerprint the host, and call out to command-and-control. The campaigns mostly targeted government and public sector organizations with lures themed around document sharing, password resets, social security, and meeting invites. Because the first hop really is the identity provider, URL reputation alone won't catch this; what matters is where redirect_uri points.
Popular Mental Health Apps Leak Private Therapy Conversations
Security researchers identified critical vulnerabilities in several popular mental health apps on Google Play, with tens of millions of combined downloads, that could let any other app on the same device intercept sensitive data including therapy chat history and mood tracking records. The flaw stems from the apps sending Android broadcast intents without naming a recipient: such implicit broadcasts are delivered to any installed app that registers a receiver for the action, so a hidden malicious app could silently capture the messages in the background and ship them to attacker servers. The Android-side fix is well understood (explicit intents, setPackage, or an in-process bus), but specific app names and technical details remain undisclosed because the vulnerabilities are unpatched, and mental health apps are typically outside the scope of traditional healthcare data protection regulations.
Google-Endorsed Chrome Extension Sold and Weaponized
Researchers found that QuickLens, a Google Lens wrapper Chrome extension that had earned a Featured badge from Google and amassed 7,000 users, was sold through an extension marketplace and weaponized in mid-February 2026 by its new owner. The update quietly added command-and-control infrastructure, stripped Content Security Policy headers from every visited page, and used a hidden transparent image with an inline attribute to execute attacker-delivered JavaScript, meaning the malicious code never appeared in the extension's source files and was delivered dynamically through local storage. With security headers removed on every site, the injected code could read session tokens, capture form inputs, scrape page content, and exfiltrate data, with nothing visible to the user beyond a single permission prompt. A sale changes who controls an auto-updating channel into every browser that installed it, and neither the badge nor the install count tells you that happened.
Google Dismantles Chinese Spy Group Using Google Sheets for Command-and-Control
Google Threat Intelligence Group and partner researchers dismantled a global espionage campaign in which suspected Chinese state-linked actors had quietly compromised telecommunications providers and government organizations since at least 2017, with 53 confirmed victims across 42 countries, using a previously unseen backdoor. The malware used Google Sheets as its command-and-control channel, polling spreadsheet cells for instructions and writing stolen data back, so every byte of malicious traffic looked like a legitimate API call. Google responded by terminating the attacker-controlled Cloud projects, disabling the associated accounts, sinkholing known infrastructure, and notifying confirmed victims, and it released indicators of compromise and detection rules. When the destination is a service your whole company uses, detection has to come from who is talking and how regularly, not from where the traffic goes.
Reddit Fined $19.5 Million by UK Regulator for Child Privacy Violations
The UK Information Commissioner's Office fined Reddit £14.47 million on February 24, 2026, after an investigation found the platform had no age verification mechanism until July 2025, despite terms of service prohibiting users under 13, resulting in numerous children having personal data collected and used without lawful basis. Reddit also failed to conduct a mandatory data protection impact assessment on risks to children's data prior to January 2025. Reddit stated it intends to appeal the fine, which is the largest issued specifically for a children's privacy offense.
South Korean Tax Agency Accidentally Exposes Crypto Wallet Password, Loses $4.8 Million
South Korea's National Tax Service published a press release on February 26, 2026 celebrating a crackdown on tax evaders, but included unredacted photos showing a handwritten mnemonic seed phrase next to a seized hardware wallet. Within hours, an unknown actor deposited a small amount of cryptocurrency to cover fees and drained all tokens worth approximately $4.8 million across three on-chain transactions. The agency has retracted the press release, requested police assistance to recover funds, and announced an external security review.
New Tool Enables Malicious Google Ads While Evading Security Scanners
Security researchers uncovered a full-service cloaking platform designed to help attackers run fraudulent Google Ads campaigns by showing harmless pages to Google's reviewers and security scanners while routing real victims to phishing pages or crypto drainer sites. The platform assigns fraud scores to every visitor, automatically blocking traffic from cloud providers, VPNs, and known security vendors by ISP and IP range, with one observed campaign blocking over 99% of all visitors while approving only 10 out of over 1,600. A built-in launcher assistant also allows operators to bypass ad policy restrictions and impersonate legitimate brands in ad content.
—
That's all for now… Stay informed and protected.