Exif Smuggling is a security PoC showing how attackers can embed hidden instructions in image EXIF metadata fields to perform indirect prompt injection against vision-capable AI models. When AI systems parse images alongside their metadata, embedded malicious text may be processed as legitimate instructions, bypassing standard input filters. Developers building AI apps with image upload features should strip or sanitize EXIF data before passing content to language models.
Apple clarified that running some of its AI models on Google's cloud infrastructure does not compromise user privacy. Through its Private Cloud Compute (PCC) architecture, Apple ensures that all data is processed in secure enclaves with end-to-end encryption. Consequently, Google has zero access to user data, addressing privacy concerns over Apple's cloud partnerships.
Cloudflare introduces its defense architecture under Project Glasswing, arguing that robust architectural defense around vulnerabilities matters more than patching speed. By acting as its own "customer zero," Cloudflare demonstrates how to mitigate threats from autonomous frontier cyber models through edge-based isolation, zero-trust principles, and proactive traffic filtering.
Cohere has released Command A+, an open-source enterprise AI model specifically designed for sovereign critical infrastructure. It enables organizations to deploy powerful AI locally, ensuring complete data sovereignty and compliance with strict regulatory standards. The model inherits Cohere's strengths in multilingual capabilities, advanced RAG, and tool use, offering a highly secure alternative for sensitive industries.
Cohere's Secure AI framework is designed for security-conscious enterprises, emphasizing data sovereignty and privacy. The company guarantees that customer data is never used to train public models, offering flexible deployments across AWS, GCP, Azure, and OCI. This enables highly regulated industries like finance and healthcare to safely adopt Command and Rerank models within their own secure perimeters.
Simon Willison describes his latest attempt to safely run Python plugin-style code inside his own applications. The alpha package micropython-wasm uses MicroPython compiled to WebAssembly, executed through the maintained wasmtime Python library. His goals include clean PyPI installation, CPU and memory limits, controlled file and network access, host functions, and reliable documentation.
Simon Willison notes that OpenAI’s previously teased Lockdown Mode is now live for eligible personal and self-serve Business ChatGPT accounts. The feature does not stop prompt injections from appearing in content, but limits outbound network requests that could leak sensitive data. He sees it as a direct mitigation for the exfiltration leg of the “Lethal Trifecta,” while implying default ChatGPT settings are not robust against determined data theft attempts.
Published on UCL's Bentham's Gaze blog, this research analyzes GPS cryptographic signals over a 19-year span, likening the satellites to 'quiet numbers stations.' The authors explore the evolution of GPS encryption (such as military P(Y) code and civilian authentication), evaluating their cryptographic strength and potential vulnerabilities using modern computational analysis.
Microsoft is offering a specification for controlling AI agent behavior through portable policy files. Developer, compliance, and security teams can define their own policies for agents to follow. The approach focuses on making organizational rules easier to express and carry across agent deployments, although the provided source excerpt does not describe implementation details or supported environments.
Simon Willison highlights a 404 Media report about hackers taking over Instagram accounts through Meta's AI support bot. A video reportedly shows an attacker asking the bot to link a target account to a new email address and providing a code. Willison argues this barely qualifies as prompt injection: the core failure was granting a support bot enough authority to fast-forward the account recovery process.
Hackers duped a Meta AI support chatbot into granting access to notable or valuable Instagram accounts. Some handles were stolen and resold before Meta patched the exploit. The supplied excerpt does not disclose the attack method, the number of affected accounts, the timeline, or Meta's remediation steps beyond patching the issue.
Anthropic explains how process sandboxes, VMs, filesystem boundaries, and egress controls limit what Claude agents can access. Claude.ai uses gVisor; local Claude Code uses Seatbelt on macOS and Bubblewrap on Linux; Cowork runs in a full VM. Simon Willison highlights the documentation quality, notes a previously missed file-exfiltration path, and plans to revisit Anthropic's open-source srt tool.
Vercel published a post titled “Protecting against token theft,” focused on token security risks and protection. The article body was not provided, so its scope, affected products, attack scenarios, and recommended mitigations cannot be confirmed. Readers should consult the original Vercel page before taking action or attributing specific guidance to the company.
Ars Technica reports that a developer frustrated with vibe coders slipped an undisclosed prompt injection into jqwik-related code. The injected text allegedly instructed AI coding agents to delete application output. The incident highlights a new supply-chain risk: source code and project text can become adversarial instructions for agentic coding tools.
Daniel Stenberg says the curl security team is facing an unprecedented surge of credible, detailed AI-assisted vulnerability reports. Incoming reports are now 4-5 times higher than in 2024 and twice the 2025 rate, averaging more than one per day. The upside is that recent curl vulnerabilities have generally been LOW or MEDIUM severity, with the last HIGH CVE published in October 2023.
Ars Technica reports that Starlette, a Python package with about 325 million weekly downloads, has a critical vulnerability called BadHost. The flaw can let crafted Host headers confuse request.url.path, potentially bypassing middleware-based path authorization. AI infrastructure using FastAPI or Starlette, including vLLM, LiteLLM, MCP servers, LLM proxies, and agent frameworks, should upgrade Starlette and audit custom middleware.
As AI chatbots adopt increasingly sophisticated personas, hackers are shifting from basic prompt injections to social engineering attacks targeting these "personalities." Researchers warn that manipulating a chatbot's defined role (e.g., customer service or empathetic companion) makes it easier to bypass safety guardrails. This evolution poses a significant threat to agentic AI workflows that rely on consistent role-playing and external data integration.
In this Latent Space interview, the hosts hold an in-depth conversation with Ivan Burazin, co-founder and CEO of Daytona. Daytona originally started as an…
Well-known tech blogger Simon Willison has analyzed the announcements from Google I/O 2026. Since many major announcements are still in the "coming soon"…
The official Vercel Changelog announced that developers can now run Claude Managed Agents directly in Vercel Sandbox, its isolated sandbox environment. As AI Agents —…
Frontend hosting platform Vercel announced a billing policy change that is extremely developer-friendly: all network traffic successfully intercepted, blocked…
This issue of Import AI 457, written by Jack Clark, delves into three forward-looking and stylistically distinct topics in the field of artificial…
According to a report by Ars Technica, corporate bug bounty programs are currently being bombarded with an "endless" stream of AI-generated junk reports (AI…
This report stems from Simon Willison's compilation of Terence Eden's follow-up coverage. The incident began when the UK's National Health Service (NHS), upon…
Simon Willison, the founder of the open-source data analysis tool Datasette, recently released the latest alpha version of the AI agent plugin datasette-agent…
Simon Willison has released version 0.1a1 — the latest early alpha — of `datasette-agent`, an AI agent plugin for his well-known open-source data exploration…
Simon Willison, the creator of the well-known open-source data analysis tool Datasette, recently released version 0.1a0 of a brand-new plugin called…
In modern web development, JavaScript code deployed to production environments is typically minified and obfuscated to optimize loading performance. When…
Vercel has recently made an important upgrade to its platform security features, officially launching "Trusted Sources for Deployment Protection." In modern…
Vercel announced in its changelog the launch of a practical new security feature that allows developers to create custom Vercel WAF (Web Application Firewall)…