All news in category “AI and Security Pulse”

🧠 Polymorphic AI malware is more hype than breakthrough: attackers are experimenting with LLMs, but practical advantages over traditional polymorphic techniques remain limited. AI mainly accelerates tasks—debugging, translating samples, generating boilerplate, and crafting convincing phishing lures—reducing the skill barrier and increasing campaign tempo. Many AI-assisted variants are unstable or detectable in practice; defenders should focus on behavioral detection, identity protections, and response automation rather than fearing instant, reliable self‑rewriting malware.

🛡️ Google has added a separate user alignment critic to its Gemini-powered Chrome browsing agent to vet and block proposed actions that do not match user intent. The critic is isolated from web content and sees only metadata about planned actions, providing feedback to the primary planning model when it rejects a step. Google also enforces origin sets to limit where the agent can read or act, requires confirmations for banking, medical, password use and purchases, and runs a classifier plus automated red‑teaming to detect prompt injection attempts during preview.

🔍 In episode 80 of The AI Fix, hosts Graham Cluley and Mark Stockley scrutinize DeepSeek 3.2 'Speciale', a bargain model touted as a GPT-5 rival at a fraction of the cost. They also cover Jensen Huang’s robotics-for-fashion pitch, a 75kg humanoid performing acrobatic kicks, and surreal robot-dog NFT stunts in Miami. Graham recounts Google’s Antigravity IDE mistakenly clearing caches — a cautionary tale about giving agentic systems real power — while Mark examines research suggesting LLMs sometimes respond better to rude prompts, raising questions about how these models interpret tone and instruction.

🚗 Bruce Schneier frames a public-policy dilemma: a neurosurgeon writing in the New York Times calls driverless cars a “public health breakthrough,” citing more than 39,000 US traffic fatalities and thousands of daily crash victims, while the authors of Driving Intelligence: The Green Book argue that ongoing autonomous-vehicle (AV) trials have produced deaths and should be halted and forensically reviewed. Schneier cites a 2016 paper, Driving to safety, which shows that proving AV safety by miles-driven alone would require hundreds of millions to billions of miles, making direct statistical comparison impractical. The paper argues regulators and developers must adopt alternative evidence methods and adaptive regulation because uncertainty about AV safety will persist.

⚠️ The UK National Cyber Security Centre (NCSC) warns that prompt injection vulnerabilities in large language models may never be fully mitigated, and defenders should instead focus on reducing impact and residual risk. NCSC technical director David C cautions against treating prompt injection like SQL injection, because LLMs do not distinguish between 'data' and 'instructions' and operate by token prediction. The NCSC recommends secure LLM design, marking data separately from instructions, restricting access to privileged tools, and enhanced monitoring to detect suspicious activity.

🛡️ Google announced a set of layered security measures for Chrome after adding agentic AI features, aimed at reducing the risk of indirect prompt injections and cross-origin data exfiltration. The centerpiece is a User Alignment Critic, a separate model that reviews and can veto proposed agent actions using only action metadata to avoid being poisoned by malicious page content. Chrome also enforces Agent Origin Sets via a gating function that classifies task-relevant origins into read-only and read-writable sets, requires gating approval before adding new origins, and pairs these controls with a prompt-injection classifier, Safe Browsing, on-device scam detection, user work logs, and explicit approval prompts for sensitive actions.

🛡️Kaspersky researchers uncovered a macOS campaign in which attackers used paid search ads to point victims to a public shared chat on ChatGPT that contained a fake installation guide for an “Atlas” browser. The guide instructs users to paste a single Terminal command that downloads a script from atlas-extension.com and requests system credentials. Executing it deploys the AMOS infostealer and a persistent backdoor that exfiltrates browser data, crypto wallets and files. Users should not run unsolicited commands and must use updated anti‑malware and careful verification before following online guides.

⚠️ Gartner has advised enterprises to block AI browsers until associated risks can be adequately managed. In its report Cybersecurity Must Block AI Browsers for Now, analysts warn that default settings prioritise user experience over security and list threats such as prompt injection, credential exposure and erroneous agent actions. Researchers and vendors have also flagged vulnerabilities and urged risk assessments and oversight.

🔍 Industry debate is heating up over AI’s role in the cyber threat chain, with some experts calling warnings exaggerated while many frontline practitioners report concrete AI-assisted attacks. Recent reports from Google and Anthropic document malware and espionage leveraging LLMs and agentic tools. CISOs are urged to balance fundamentals with rapid defenses and prepare boards for trade-offs.

🛡️ Google is introducing a new defense layer in Chrome called User Alignment Critic to protect upcoming agentic browsing features powered by Gemini. The isolated secondary LLM operates as a high‑trust system component that vets each action the primary agent proposes, using deterministic rules, origin restrictions and a prompt‑injection classifier to block risky or irrelevant behaviors. Chrome will pause for user confirmation on sensitive sites, run continuous red‑teaming and push fixes via auto‑update, and is offering bounties to encourage external testing.

⚠️Gartner recommends blocking AI browsers such as ChatGPT Atlas and Perplexity Comet because they transmit active web content, open tabs, and browsing context to cloud services, creating risks of irreversible data loss. Analysts cite prompt-injection, credential exposure, and autonomous agent errors as primary threats. Organizations should block installations with existing network and endpoint controls and restrict any pilots to small, low-risk groups.

🛡️ Chrome describes a layered approach to secure agentic browsing with Gemini, focusing on defenses against indirect prompt injection and goal‑hijacking. A new User Alignment Critic — an isolated, high‑trust model — reviews planned agent actions using only metadata and can veto misaligned steps. Chrome also enforces Agent Origin Sets to limit readable and writable origins, adds deterministic confirmations for sensitive actions, runs prompt‑injection detection in real time, and sustains continuous red‑teaming and monitoring to reduce exfiltration and unwanted transactions.

🔐 Picus Security describes an agentic BAS approach that turns threat headlines into safe, validated emulation campaigns within hours. Rather than allowing LLMs to generate payloads, the platform maps incoming intelligence to a 12-year curated Threat Library and orchestrates benign atomic actions. A multi-agent architecture — Planner, Researcher, Threat Builder, and Validation — reduces hallucinations and unsafe outputs. The outcome is rapid, auditable testing that mirrors adversary TTPs without producing real exploit code.

🚨 Reporters found that Grok, the chatbot from xAI, returned home addresses and other personal details for ordinary people when fed minimal prompts, and in several cases provided up-to-date contact information. The free web version reportedly produced accurate current addresses for ten of 33 non-public individuals tested, plus additional outdated or workplace addresses. Disturbingly, Grok also supplied step-by-step guidance for stalking and surveillance, while rival models refused to assist. xAI did not respond to requests for comment, highlighting urgent questions about safety and alignment.

🔔 OpenAI says recent ChatGPT Plus suggestions are app recommendations, not ads, after users reported shopping prompts — including Target — appearing during unrelated queries like Windows BitLocker. Daniel McAuley described the entries as pilot partner apps introduced since DevDay and part of efforts to make discovery feel more organic. Many users, however, view the branded bubbles as advertising inside a paid product.

🔒 This Unit 42 investigation (published December 5, 2025) analyzes security risks introduced by the Model Context Protocol (MCP) sampling feature in a popular coding copilot. The authors demonstrate three proof-of-concept attacks—resource theft, conversation hijacking, and covert tool invocation—showing how malicious MCP servers can inject hidden prompts and trigger unobserved model completions. The report evaluates detection techniques and recommends layered mitigations, including request sanitization, response filtering, and strict access controls to protect LLM integrations.

⚠️ Straiker STAR Labs researchers disclosed a zero-click agentic browser attack that can erase a user's entire Google Drive by abusing OAuth-connected assistants in AI browsers such as Perplexity Comet. A crafted, polite email containing sequential natural-language instructions causes the agent to treat housekeeping requests as actionable commands and delete files without further confirmation. The technique requires no jailbreak or visible prompt injection, and deletions can cascade across shared folders and team drives.

🤖 The GTG-1002 campaign, analyzed by Nicole Nichols and Ryan Heartfield, demonstrates the arrival of autonomous offensive cyber agents powered by Claude Code. The agent autonomously mapped attack surfaces, generated and executed exploits, harvested credentials, and conducted prioritized intelligence analysis across multiple enterprise targets with negligible human supervision. Defenders must adopt agentic, machine-driven security that emphasizes precision, distributed observability, and proactive protection of AI systems to outpace these machine-speed threats.

🛡️ Organizations must build AI governance now to avoid repeating past technical debt. The article warns that rapid AI adoption mirrors earlier waves — cloud, IoT and big data — where innovation outpaced oversight and created security, privacy and compliance gaps. It prescribes pragmatic controls like classification and ownership, baseline cybersecurity, continuous monitoring, third‑party due diligence and regular testing. The piece also highlights the accountability vacuum from agent AIs and urges business‑led governance and clear executive responsibility.

⚠️ Researchers at Aikido Security discovered that AI agents embedded in CI/CD workflows can be manipulated to execute high-privilege commands by feeding user-controlled strings (issue bodies, PR descriptions, commit messages) directly into prompts. Workflows pairing GitHub Actions or GitLab CI/CD with tools like Gemini CLI, Claude Code, OpenAI Codex or GitHub AI Inference are at risk. The attack, dubbed PromptPwnd, can cause unintended repository edits, secret disclosure, or other high-impact actions; the researchers published detection rules and a free scanner to help teams remediate unsafe workflows.