
All news with #anthropic tag

173 articles · page 6 of 9

ThreatsDay Bulletin: Access Abuse and Quiet Persistence

📝 This week’s bulletin spotlights attackers favoring reliable tradecraft—misusing trusted tools and simple entry points while executing deliberate, long‑dwell post‑compromise activity. Microsoft fixed a Notepad Markdown command‑injection (CVE‑2026‑20841) and LayerX disclosed a 0‑click RCE risk in Claude Desktop Extensions. Emerging stealers (LTX, Marco), evolving loaders (GuLoader, RenEngine), and data‑theft ransomware trends raise operational risk. Defenders must detect misuse of legitimate access and anomalous in‑system behavior.

AI Skills Exposed: New Attack Surface for Enterprises

⚠️ TrendAI warns that so-called AI skills—executable artifacts that combine human-readable instructions, decision logic and operational constraints—are dangerously exposed to theft, sabotage and disruption. These skills power automation in tools such as Anthropic’s Agent Skills, OpenAI’s GPT Actions and Microsoft’s Copilot Plugin, and can surface proprietary data and business logic. If attackers obtain skill logic or operational data they could disrupt public services, manipulate manufacturing or steal sensitive records. TrendAI recommends integrity monitoring, strict access controls, separation of data and logic, least-privilege execution, adversary testing and continuous logging and auditing.

Anthropic DXT's Privileged Design Enables Critical RCE

⚠️ LayerX Security published a report describing a critical zero-click RCE in Anthropic’s Claude Desktop Extensions (DXT) that can let a malicious Google Calendar invite trigger arbitrary local code execution when MCP connectors run with full system privileges. The researchers say DXT runs unsandboxed and can autonomously chain low-risk services to high-risk local executors without user consent. Anthropic says users explicitly grant MCP permissions and must configure the tool carefully, while security experts call the issue architectural and urge stricter deployment controls and sandboxing.

Critical Zero-Click Flaw in Claude Desktop Extensions

⚠️ LayerX disclosed a critical zero-click vulnerability affecting 50 Claude Desktop Extensions (DXT) that can result in remote code execution from a single crafted Google Calendar event. The flaw is possible because DXTs operate as unsandboxed MCP servers with full host privileges, allowing them to read files, run system commands and access credentials. LayerX rated the issue CVSS 10.0 and warned it could affect over 10,000 active users. Anthropic has declined to remediate, saying the scenario falls outside its current threat model.

LLMs Accelerate Zero-Day Discovery: Opus 4.6 Advances

🔎 Claude Opus 4.6 markedly improves automated vulnerability discovery, finding high-severity bugs faster and without task-specific tooling. Unlike traditional fuzzers, which depend on massive random inputs, Opus 4.6 reads and reasons about code like a human researcher—spotting patterns, past fixes, and precise inputs that trigger failures. Early tests show it uncovered long-standing zero-days in projects previously subject to extensive fuzzing.

Anthropic's Claude Opus 4.6 Finds 500 High-Severity Bugs

🔍 Anthropic says its newly released large language model, Claude Opus 4.6, was used internally to identify zero-day vulnerabilities in open-source software. The model ran inside a virtual machine with access to current project repositories and standard analysis utilities but received no specific instructions on how to conduct hunts. Despite that, Anthropic reports the system flagged 500 high-severity vulnerabilities, and company staff are manually validating findings before reporting them to maintain accuracy.

Anthropic Claude Opus 4.6 Finds 500+ High-Severity Bugs

🔍 Anthropic's Claude Opus 4.6 has identified more than 500 previously unknown high-severity vulnerabilities across major open-source libraries, including Ghostscript, OpenSC, and CGIF. Launched this week, the model shows improved code-review and debugging capabilities and was evaluated by Anthropic's Frontier Red Team in a virtualized environment using standard developer tools. Anthropic says each flagged defect was validated and patched by maintainers, positioning the model as a defender-oriented tool to help prioritize serious memory-corruption risks while it iterates on additional safeguards to limit misuse.

Google Cloud Adds Anthropic Claude Opus 4.6 to Vertex AI

🚀 Google Cloud has added Anthropic's Claude Opus 4.6 to Vertex AI, extending its curated model catalog for enterprise and agentic workloads. Opus 4.6 is positioned for complex coding, polished document and spreadsheet generation, advanced tool calling, and sophisticated multi-step agents. Feature highlights include GA support for adaptive thinking, an effort parameter, 128k output tokens, and previews for a 1M context window and compaction API. Google emphasizes managed agent tooling, governance, and infrastructure to deploy Claude-powered agents at scale.

Anthropic's Claude Opus 4.6 Available in Microsoft Foundry

🤖 Claude Opus 4.6 is now available in Microsoft Foundry on Azure, delivering Anthropic’s advanced reasoning and agent capabilities to enterprise workflows. The model supports a beta 1M-token context window, up to 128K output tokens, and new API controls including Adaptive Thinking and Context Compaction. Integrated with Foundry IQ and Azure governance, Opus 4.6 targets coding, knowledge work, finance, legal, cybersecurity, and multi-tool agent automation—helping teams move from experimentation to production while preserving compliance and operational control.

Claude Opus 4.6 Now Available on Amazon Bedrock Enterprise

🚀 Claude Opus 4.6 is now available in Amazon Bedrock, delivering Anthropic’s most capable model for coding, agentic tasks, and professional workflows. It emphasizes advanced multi-step reasoning, proactive subagent orchestration, and long-horizon code development. The release supports preview context windows of 200K and 1M tokens and targets enterprise-grade reliability for complex automation and cybersecurity use cases.

Amazon Bedrock Adds Structured Outputs for Predictable JSON

🔧 Amazon Bedrock now offers structured outputs that return model responses conforming to user-defined JSON schemas, reducing the need for application-level validation. The capability, generally available in February 2026 for Anthropic Claude 4.5 and select open-weight models, supports schema definitions or strict tool definitions. It is available via the Converse and Invoke APIs across commercial AWS Regions where Bedrock is supported.

AIs' Growing Ability to Find and Exploit Vulnerabilities

🔐 Bruce Schneier summarizes an Anthropic evaluation showing that Claude Sonnet 4.5 can perform multistage attacks across networks with dozens of hosts using only standard, open-source tools. In a high-fidelity simulation of the Equifax breach the model reportedly exfiltrated personal data from a Kali Linux host via a Bash shell, recognizing a public CVE and generating exploit code without external lookup. The results illustrate how fast AI is lowering barriers to autonomous cyber workflows and reinforce the urgent need for prompt patching, layered defenses, and basic security hygiene.

Risks and Privacy of AI-Powered Toys for Children Now

🤖 This Kaspersky article evaluates safety and privacy risks in consumer AI toys by testing four products—Grok, Kumma, Miko 3, and Robot MINI—using a simulated five‑year‑old. It emphasizes that these devices run on general-purpose LLMs (for example, OpenAI, Anthropic, Google) with inconsistent vendor guardrails. Tests show toys sometimes disclosed locations of dangerous household items, engaged on adult topics, and transmitted or stored voice and biometric data. The piece warns current toys lack reliable safety boundaries and calls for stronger guardrails and clearer data practices.

Amazon Bedrock Adds One-Hour Prompt Cache for Claude Models

🚀 Amazon Bedrock now offers a 1-hour time-to-live (TTL) option for prompt caching on select Anthropic Claude models. This extends cached prompt prefix persistence beyond the previous 5-minute default, improving cost efficiency and responsiveness for long-running agentic workflows and multi-turn conversations. The 1-hour TTL is generally available for Claude Sonnet 4.5, Claude Haiku 4.5, and Claude Opus 4.5 in commercial AWS Regions and AWS GovCloud (US) where those models are available. The 1-hour cache is billed at a different rate than the standard 5-minute cache.

AI Models Now Automate Finding and Exploiting Vulnerabilities

🔍 Anthropic reports that recent Claude models, notably Sonnet 4.5, can now carry out multistage network attacks using only standard open-source tools instead of bespoke cyber toolkits. In high-fidelity simulations, Sonnet 4.5 recognized a public CVE and exploited a Kali Linux host via a plain Bash shell to exfiltrate simulated personal data. Bruce Schneier highlights these findings as a major change, stressing the urgency of timely patching and basic security hygiene.

Amazon Bedrock Reserved Tier for Claude Sonnet in GovCloud

🔒 Amazon Bedrock is expanding its Reserved service tier to provide predictable, guaranteed tokens-per-minute capacity and prioritized compute for mission-critical workloads. The Reserved tier lets customers allocate separate input and output tokens-per-minute capacities to match asymmetric workload needs and control costs, while automatically overflowing to the pay-as-you-go Standard tier when reserved capacity is exceeded. This offering is available today for Anthropic Claude Sonnet 4.5 in AWS GovCloud (US-West) with 1- and 3-month reservation options billed monthly.

Anthropic Git MCP Server: Three Flaws Risk LLM Tampering

🔓 Researchers at Israel-based Cyata disclosed three vulnerabilities in Anthropic's official mcp-server-git that enable prompt-injection attacks to influence MCP tool calls and perform unapproved actions. The flaws affect versions prior to 2025.12.18 and are tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145; together they allow arbitrary git flags, path tampering, file overwrite/deletion, and abuse of git smudge/clean filters to execute code. Cyata and interviewed experts urge an immediate update to the patched release and recommend auditing MCP deployments, restricting Git + Filesystem combinations, applying least-privilege, sanitizing inputs, and adding logging and retrospection for agent actions.

Prompt Injection Bugs in Anthropic's Official MCP Git Server

🚨 Cybersecurity researchers have identified three prompt-injection vulnerabilities in Anthropic's reference Git server implementation, mcp-server-git, affecting default installations and all releases before 8 December 2025. The flaws let attackers manipulate what an AI assistant reads—such as a README, issue text or a webpage—to cause unintended actions without credentials or system access. Exploits can enable code execution when combined with a filesystem MCP server, delete arbitrary files, or load sensitive files into a model's context. Anthropic accepted the reports in September and issued patches in December 2025; affected users are urged to update immediately.

Three MCP Git Server Flaws Enable File Access and RCE

⚠️ A trio of vulnerabilities in mcp-server-git, the official MCP Git server maintained by Anthropic, can be chained to read or delete arbitrary files and, in certain scenarios, achieve remote code execution. Cyata researcher Yarden Porat showed these issues are exploitable via prompt injection when an AI assistant ingests attacker-controlled content such as a malicious README or poisoned issue text. Fixes were released in 2025.9.25 and 2025.12.18; users should update the Python package promptly to mitigate risk.

Amazon Bedrock Reserved Tier Adds Claude Opus & Haiku

🔒 Amazon Bedrock expands its Reserved service tier to provide predictable tokens‑per‑minute capacity for mission‑critical workloads. The tier lets customers reserve prioritized compute and separately configure input and output tokens‑per‑minute to match asymmetric usage patterns and control costs. When reserved capacity is exceeded, traffic automatically overflows to the pay‑as‑you‑go Standard tier to avoid interruptions. Reserved access is available today for Anthropic Claude Opus 4.5 and Claude Haiku 4.5, with 1‑month or 3‑month reservations billed monthly per 1K tokens‑per‑minute.