Braintrust warned customers to rotate API keys after hackers breached an AWS account, exposing secrets tied to cloud-based AI models.

AI observability startup Braintrust warned customers to rotate API keys after attackers gained unauthorized access to one of the company’s AWS accounts, potentially exposing secrets used to connect to cloud-based AI models.

The company said it discovered suspicious activity on May 4 and immediately locked down the affected account, restricted access to related systems, and rotated internal credentials. The firm launched an investigation into the security incident.

“We’ve identified a security incident that involved unauthorized access to one of our AWS accounts. We are actively investigating, and we have engaged incident response experts.” reads the security breach notice published by the company. “We have contained the incident by locking down the compromised account, auditing and restricting access across related systems, rotating internal secrets, and engaging incident response experts to support our investigation. As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust.”

Braintrust notified customers the following day and shared indicators of compromise and remediation guidance.

Although Braintrust says the impact appears limited, experts warn the breach highlights growing AI supply chain risks, as AI platforms increasingly store valuable API credentials targeted by attackers.

The potential exposure could affect organizations relying on Braintrust to manage AI provider keys across services and applications.

Researchers note that once threat actors obtain valid API keys, they can abuse AI services while appearing as legitimate users, often bypassing traditional security controls.

“To date, we’ve confirmed the issue affected one customer. Three additional customers reported suspicious spikes in AI provider usage, and we’re investigating those alongside them.” continues the notice. “We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing.”

The incident also reflects a broader trend of attackers targeting cloud accounts and SaaS providers to gain indirect access to downstream customers and interconnected AI infrastructure.

The company plans to add new safeguards, including timestamps and user attribution for API key changes, while the investigation into the incident remains ongoing.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

AWS Rex adds runtime guardrails for agentic AI, but security leaders still need data-layer controls to satisfy compliance and audit demands.

The post AWS Rex Is a Big Step for Agentic AI Security, But Not the Final Layer appeared first on TechRepublic.

The post The 4GB Secret: Why Chrome is Surreptitiously Downloading AI Models to Your Hard Drive appeared first on Daily CyberSecurity.

The post Cloudflare Cuts 20% of Staff to Pivot Toward an “AI-First Agentic” Future appeared first on Daily CyberSecurity.

The post The End of Whiteboard Coding: Google to Allow Gemini AI in Software Engineering Interviews appeared first on Daily CyberSecurity.

The post The InstallFix Trap: Fake Claude AI Google Ads Drop Fileless RedLine Malware on Developers appeared first on Daily CyberSecurity.

The Pentagon is integrating AI into military operations, transforming cybersecurity, targeting, and command systems into a unified warfare architecture.

May 2026 marks a turning point in the evolution of modern warfare: the convergence of artificial intelligence, cybersecurity, and conventional military power is no longer theoretical. It is becoming an operational reality.

The Pentagon has signed agreements with major technology companies, including OpenAI, Google, Microsoft, Amazon, and SpaceX to integrate advanced AI models into classified military networks. The stated goal is clear: transform the United States into an “AI-first” military force capable of maintaining decision superiority across every battlefield domain.

Under this strategy, AI is no longer treated as a laboratory tool or analytical assistant. It is moving directly into the military chain of command, intelligence analysis, logistics, targeting, and operational planning. More than 1.3 million Department of Defense employees are already using the GenAI.mil platform, dramatically reducing processes that once took months to just days.

The Pentagon’s doctrine reflects a major cultural shift: code and combat are no longer separate domains. Cybersecurity itself is now considered a combat capability. The ability to deploy, secure, update, and operate AI models inside classified environments has become part of national defense infrastructure.

The contracts signed with technology providers include “lawful operational use” clauses, requiring vendors to accept any use considered legitimate by the Pentagon, including autonomous weapons systems and intelligence operations. This raises profound ethical and geopolitical questions.

At the same time, the U.S. military is pushing for deep integration across defense systems. Through the Army’s new “Right to Integrate” initiative, manufacturers of missiles, drones, radars, and sensors are being asked to open their software interfaces so AI agents can connect systems in real time. The inspiration comes largely from Ukraine, where open APIs allowed rapid battlefield integration between drones, sensors, and fire-control systems.

However, this transformation creates a dangerous paradox: the same openness that enables speed and flexibility also expands the attack surface. Every API, cloud platform, and AI integration point can potentially become an entry point for sophisticated adversaries such as China, Russia, or state-sponsored APT groups.

A compromised AI-enabled military ecosystem could allow attackers to inject false sensor data, manipulate targeting systems, degrade drone communications, study operational decision patterns, or even hijack autonomous weapons platforms. In this context, software vulnerabilities and supply-chain weaknesses are no longer merely IT problems, they become military objectives.

Washington is also increasingly concerned about the cyber risks posed by advanced AI models themselves. According to reports, the White House is considering new oversight mechanisms for frontier AI systems capable of autonomously discovering software vulnerabilities or automating cyberattacks at scale. Officials fear that uncontrolled deployment of such models could lead to mass exploitation of critical infrastructure, financial systems, or global supply chains.

The strategic implications extend beyond military technology. Major cloud providers such as Amazon, Microsoft, and Google are gradually becoming part of the American defense architecture. Civilian digital infrastructure is evolving into a structural extension of military power.

This raises difficult questions for Europe and Italy. In a world where most cloud, AI, and cybersecurity infrastructures are controlled by American companies, what does technological sovereignty really mean? Sovereignty is no longer just about producing chips or funding startups. It is about controlling the digital infrastructure that supports national defense, determining who can update AI systems operating on classified networks, and deciding who sets the operational rules of software during crises.

The United States, Israel, and China are already integrating AI into military doctrine at high speed. Europe risks remaining trapped between regulation and technological dependence unless it develops its own industrial capabilities, operational autonomy, and independent evaluation frameworks.

The message coming from Washington is unmistakable: the future of strategic power will depend on who controls AI models, data, interfaces, and software-driven operational systems. In modern warfare, software has become a battlefield domain, and the speed of code deployment increasingly matters as much as firepower itself.

A more detailed analysis is available in Italian here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI)

The Cyber Express Weekly Roundup 

EU Updates AI Act with Simpler Rules and New AI Content Bans 

ClickFix Malware Campaign Expands to macOS 

Critical PAN-OS Vulnerability Enables Remote Code Execution 

Latvian Cybercriminal Sentenced in Global Ransomware Case 

FBI Warns of Rising Cyber-Enabled Cargo Theft 

Weekly Takeaway 

Researchers tracked a large AI‑themed investment scam campaign involving more than 15,000 domains. It uses cloaking and deepfakes to hide from security tools while targeting ordinary users.

Criminals abused the Keitaro ad-tracking platform as part of a cloaking system so real victims see scam content, while security scanners, ad reviewers, and some random visitors see harmless pages, making the operation hard to detect and shut down.

Keitaro is a commercial tracking platform originally meant for digital marketers to manage ad campaigns, test which ads work best, and route visitors to different landing pages.

Because it is feature rich, easy to spin up on regular hosting, and built to filter and route traffic, criminals found they can abuse those capabilities to run scams at scale.

Traffic starts in many places. The scammers used compromised websites, spam emails, social media posts, and online ads, all quietly routing through the same tracking infrastructure.

The scam sites typically promise “Smart AI Trading Technology” or “Intelligent Trading Solutions” and claim consistently high returns, often reinforced with deepfake images or fabricated media to look more credible.

Some parts of the campaign now use deepfake videos and fake interviews with well-known public figures, making it look like a celebrity, or finance expert personally endorses the platform.

Once you follow a link, the cloaking part of the operation kicks in. Cloaking is the trick that makes these scams so hard to see from the outside.

When you click an ad or link, your visit passes through a traffic distribution system (TDS), a kind of router for web visitors that decides which page you see. In these cases, the TDS is connected to the tracker.

The system checks things like:

• Your country/region
• Your device and browser
• Where you came from (Facebook ad, Google ad, email link, etc.)
• Sometimes your IP address reputation or other subtle fingerprints

You’re shown the real investment scam landing page only if you match the “ideal victim” profile (for example, a regular consumer in a target country coming from a social media ad).

Everyone else, like a security researcher, ad platform reviewer, or automated scanner, gets shown a benign page, like a generic blog or placeholder site.

How to stay safe

The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:

• There is no such thing as a risk-free, consistently profitable investment. If you’re looking to invest, navigate directly to known, regulated financial institutions.
• Deepfakes are very convincing nowadays, so you will hardly be able to tell the difference between the real celebrity and their deepfake persona.
• Don’t act upon unsolicited investment advice, whether it reaches you by email, social media, or sponsored search results.
• Use an up-to-date, real-time anti-malware solution with a web protection component or a reputable tracking and ad-blocker.
• Don’t act on impulse or under time pressure. Always properly research where your money will be going.

Pro tip: Malwarebytes Scam Guard can help you recognize and analyze scams.

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

The post Orbital Ambitions: Anthropic Taps Musk’s “Colossus” to Double Claude’s Power and Eye the Stars appeared first on Daily CyberSecurity.

A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use.

A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devices running Android Debug Bridge (ADB) and using them for large‑scale DDoS attacks. Hunt.io discovered the bot on an unsecured server, it includes 21 flood techniques across TCP, UDP, and raw protocols, allowing it to bypass basic protections. It appears to be sold as a DDoS‑for‑hire service, especially for targeting game and Minecraft servers.

During routine monitoring, researchers spotted an exposed directory on a Netherlands‑hosted server (176.65[.]139.44) used for bulletproof hosting. The operator had left their entire toolkit publicly accessible over TCP/80 with no authentication, allowing investigators to index everything before the attacker realized it was exposed.

Open access to the server revealed a six‑file toolkit instead of a login page, exposing binaries and text files with no authentication. Two files were auto‑tagged as malicious: arm7 (Mirai) and payloads.txt (exploit content), suggesting the operator was using analyst‑grade tools on an unsecured host. The directory held about 200 KB of data, including the packed ARM bot, an unstripped x86‑64 debug build, ADB infection one‑liners, a SOCKS5 proxy, and a placeholder targets file. The debug build’s intact symbols made reconstructing the bot’s behavior straightforward.

“The xlabs_v1 codebase reads as a focused commercial product rather than an opportunistic Mirai derivative. Its twenty-one flood variants, ChaCha20 string protection, OpenNIC-aware DNS resolution, and Speedtest-driven bandwidth profiling are subsystems aimed at a single outcome: keeping a fleet of compromised IoT devices reachable, accountable, and profitable for the operator. Everything else in the binary serves that goal or protects it.” reads the report published by Hunt.io.

xlabs_v1 botnet is built entirely for commercial DDoS‑for‑hire operations, with no added features like credential theft that could increase detection risk. Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN‑shaped UDP traffic to evade filters. Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set‑top boxes, and IoT hardware, part of a global surface of more than 4 million devices with TCP/5555 exposed.

“nfection vector is Android Debug Bridge on TCP/5555, with multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK, meaning any internet-exposed device running ADB is a potential target: Android TV boxes, set-top boxes, smart TVs, residential routers, and any IoT-grade hardware shipping with ADB enabled by default.” continutes the report.

Once installed, the bot hides infection tags, profiles each device’s bandwidth by opening 8,192 TCP sockets, and reports Mbps to its panel so the operator can assign price tiers. It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

For resilience, xlabs_v1 resolves its C2 via OpenNIC, falls back to a firewall‑punching SOCKS‑style listener on TCP/26721, and masks itself as /bin/bash to evade casual inspection. Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.

Its command‑and‑control uses a custom TCP protocol, supporting bandwidth probes, updates, self‑restart, and attack dispatch. Together, these techniques reveal a sophisticated, commercially motivated DDoS botnet engineered for persistence, evasion, and profit.

Analysis of the xlabs_v1 botnet’s infrastructure begins with its C2 domain, xlabslover[.]lol, which resolves to a single IP in the Netherlands hosted by Offshore LC. The domain uses Ultahost nameservers, a provider often linked to bulletproof hosting, and shows no prior malware detections, suggesting a recently deployed C2.

Pivoting from the domain to its IP (176.65.139[.]134) reveals SSH as the only open port, plus past honeypot activity involving HTTP and .env‑file scanning. SSL history shows unusual self‑signed certificates, including one with the CN “Godisgood”, previously used on another IP in Germany, indicating the same operator managing multiple servers.

Three hosts within the 176.65.139.0/24 netblock appear tied to the botnet: .44 (staging), .42 (distribution), and .9 (additional distribution). Hunt.io captured open directories on these systems containing Mirai‑tagged binaries, multi‑architecture payloads, and ADB exploitation scripts.

Historical scans confirmed Mirai C2 activity in late March and early April 2026, consistent with the botnet’s active deployment period and revealing a consolidated, bulletproof infrastructure supporting xlabs_v1.

The operator behind the botnet uses the handle Tadashi, embedded in each build, while the botnet brand xlabs_v1 appears in every C2 registration, hinting at future versions. A development tag, aterna, shows earlier branding before release. OSINT searches linking “Tadashi,” “xlabs,” and “xlabslover” may reveal the operator’s DDoS‑for‑hire storefront. A decrypted banner also exposes hostility toward a rival fork, xlab 2, suggesting a code split or underground feud. Nearby infrastructure in the same netblock has hosted cryptojacking tools, though overlap with the xlabs operation remains unconfirmed.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork (which would lack the ChaCha20 layer, the multi-architecture binary set, the bandwidth profiling, and the registered-attack diversity), but less sophisticated than the top tier of commercial DDoS-for-hire operations (which would use TLS on the C2 channel, would not ship a debug build to production paths, would rotate cryptographic material across builds, and would not ship a hard-coded competitor-rivalry banner).” concludes the report. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target. Treat it accordingly.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, xlabs_v1 botnet)

During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Office platform, as well as Windows and Linux operating systems.

In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged by popular C2 frameworks throughout Q1 2026.

Statistics on registered vulnerabilities

This section provides statistical data on registered vulnerabilities. The data is sourced from cve.org.

We examine the number of registered CVEs for each month starting from January 2022. The total volume of vulnerabilities continues rising and, according to current reports, the use of AI agents for discovering security issues is expected to further reinforce this upward trend.

Total published vulnerabilities per month from 2022 through 2026 (download)

Next, we analyze the number of new critical vulnerabilities (CVSS > 8.9) over the same period.

Total critical vulnerabilities published per month from 2022 through 2026 (download)

The graph indicates that while the volume of critical vulnerabilities slightly decreased compared to previous years, an upward trend remained clearly visible. At present, we attribute this to the fact that the end of last year was marked by the disclosure of several severe vulnerabilities in web frameworks. The current growth is driven by high-profile issues like React2Shell, the release of exploit frameworks for mobile platforms, and the uncovering of secondary vulnerabilities during the remediation of previously discovered ones. We will be able to test this hypothesis in the next quarter; if correct, the second quarter will show a significant decline, similar to the pattern observed in the previous year.

Exploitation statistics

This section presents statistics on vulnerability exploitation for Q1 2026. The data draws on open sources and our telemetry.

Windows and Linux vulnerability exploitation

In Q1 2026, threat actor toolsets were updated with exploits for new, recently registered vulnerabilities. However, we first examine the list of veteran vulnerabilities that consistently account for the largest share of detections:

• CVE-2018-0802: a remote code execution (RCE) vulnerability in the Equation Editor component
• CVE-2017-11882: another RCE vulnerability also affecting Equation Editor
• CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to gain control over the system
• CVE-2023-38831: a vulnerability resulting from the improper handling of objects contained within an archive
• CVE-2025-6218: a vulnerability allowing the specification of relative paths to extract files into arbitrary directories, potentially leading to malicious command execution
• CVE-2025-8088: a directory traversal bypass vulnerability during file extraction utilizing NTFS Streams

Among the newcomers, we have observed exploits targeting the Microsoft Office platform and Windows OS components. Notably, these new vulnerabilities exploit logic flaws arising from the interaction between multiple systems, making them technically difficult to isolate within a specific file or library. A list of these vulnerabilities is provided below:

• CVE-2026-21509 and CVE-2026-21514: security feature bypass vulnerabilities: despite Protected View being enabled, a specially crafted file can still execute malicious code without the user’s knowledge. Malicious commands are executed on the victim’s system with the privileges of the user who opened the file.
• CVE-2026-21513: a vulnerability in the Internet Explorer MSHTML engine, which is used to open websites and render HTML markup. The vulnerability involves bypassing rules that restrict the execution of files from untrusted network sources. Interestingly, the data provider for this vulnerability was an LNK file.

These three vulnerabilities were utilized together in a single chain during attacks on Windows-based user systems. While this combination is noteworthy, we believe the widespread use of the entire chain as a unified exploit will likely decline due to its instability. We anticipate that these vulnerabilities will eventually be applied individually as initial entry vectors in phishing campaigns.

Below is the trend of exploit detections on user Windows systems starting from Q1 2025.

Dynamics of the number of Windows users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)

The vulnerabilities listed here can be leveraged to gain initial access to a vulnerable system and for privilege escalation. This underscores the critical importance of timely software updates.

On Linux devices, exploits for the following vulnerabilities were detected most frequently:

• CVE-2022-0847: a vulnerability known as Dirty Pipe, which enables privilege escalation and the hijacking of running applications
• CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
• CVE-2021-22555: a heap out-of-bounds write vulnerability in the Netfilter kernel subsystem
• CVE-2023-32233: a vulnerability in the Netfilter subsystem that allows for Use-After-Free conditions and privilege escalation through the improper processing of network requests

Dynamics of the number of Linux users encountering exploits, Q1 2025 – Q1 2026. The number of users who encountered exploits in Q1 2025 is taken as 100% (download)

In the first quarter of 2026, we observed a decrease in the number of detected exploits; however, the detection rates are on the rise relative to the same period last year. For the Linux operating system, the installation of security patches remains critical.

Most common published exploits

The distribution of published exploits by software type in Q1 2026 features an updated set of categories; once again, we see exploits targeting operating systems and Microsoft Office suites.

Distribution of published exploits by platform, Q1 2026 (download)

Vulnerability exploitation in APT attacks

We analyzed which vulnerabilities were utilized in APT attacks during Q1 2026. The ranking provided below includes data based on our telemetry, research, and open sources.

TOP 10 vulnerabilities exploited in APT attacks, Q1 2026 (download)

In Q1 2026, threat actors continued to utilize high-profile vulnerabilities registered in the previous year for APT attacks. The hypothesis we previously proposed has been confirmed: security flaws affecting web applications remain heavily exploited in real-world attacks. However, we are also observing a partial refresh of attacker toolsets. Specifically, during the first quarter of the year, APT campaigns leveraged recently discovered vulnerabilities in Microsoft Office products, edge networking device software, and remote access management systems. Although the most recent vulnerabilities are being exploited most heavily, their general characteristics continue to reinforce established trends regarding the categories of vulnerable software. Consequently, we strongly recommend applying the security patches provided by vendors.

C2 frameworks

In this section, we examine the most popular C2 frameworks used by threat actors and analyze the vulnerabilities targeted by the exploits that interacted with C2 agents in APT attacks.

The chart below shows the frequency of known C2 framework usage in attacks against users during Q1 2026, according to open sources.

TOP 10 C2 frameworks used by APTs to compromise user systems, Q1 2026 (download)

Metasploit has returned to the top of the list of the most common C2 frameworks, displacing Sliver, which now shares the second position with Havoc. These are followed by Covenant and Mythic, the latter of which previously saw greater popularity. After studying open sources and analyzing samples of malicious C2 agents that contained exploits, we determined that the following vulnerabilities were utilized in APT attacks involving the C2 frameworks mentioned above:

• CVE-2023-46604: an insecure deserialization vulnerability allowing for arbitrary code execution within the server process context if the Apache ActiveMQ service is running
• CVE-2024-12356 and CVE-2026-1731: command injection vulnerabilities in BeyondTrust software that allow an attacker to send malicious commands even without system authentication
• CVE-2023-36884: a vulnerability in the Windows Search component that enables command execution on the system, bypassing security mechanisms built into Microsoft Office applications
• CVE-2025-53770: an insecure deserialization vulnerability in Microsoft SharePoint that allows for unauthenticated command execution on the server
• CVE-2025-8088 and CVE-2025-6218: similar directory traversal vulnerabilities that allow files to be extracted from an archive to a predefined path, potentially without the archiving utility displaying any alerts to the user

The nature of the described vulnerabilities indicates that they were exploited to gain initial access to the system. Notably, the majority of these security issues are targeted to bypass authentication mechanisms. This is likely due to the fact that C2 agents are being detected effectively, prompting threat actors to reduce the probability of discovery by utilizing bypass exploits.

Notable vulnerabilities

This section highlights the most significant vulnerabilities published in Q1 2026 that have publicly available descriptions.

CVE-2026-21519: Desktop Window Manager vulnerability

At the core of this vulnerability is a Type Confusion flaw. By attempting to access a resource within the Desktop Window Manager subsystem, an attacker can achieve privilege escalation. A necessary condition for exploiting this issue is existing authorization on the system.

It is worth noting that the DWM subsystem has been under close scrutiny by threat actors for quite some time. Historically, the primary attack vector involves interacting with the NtDComposition* function set.

RegPwn (CVE-2026-21533): a system settings access control vulnerability

CVE-2026-21533 is essentially a logic vulnerability that enables privilege escalation. It stems from the improper handling of privileges within Remote Desktop Services (RDS) components. By modifying service parameters in the registry and replacing the configuration with a custom key, an attacker can elevate privileges to the SYSTEM level. This vulnerability is likely to remain a fixture in threat actor toolsets as a method for establishing persistence and gaining high-level privileges.

CVE-2026-21514: a Microsoft Office vulnerability

This vulnerability was discovered in the wild during attacks on user systems. Notably, an LNK file is used to initiate the exploitation process. CVE-2026-21514 is also a logic issue that allows for bypassing OLE technology restrictions on malicious code execution and the transmission of NetNTLM authentication requests when processing untrusted input.

Clawdbot (CVE-2026-25253): an OpenClaw vulnerability

This vulnerability in the AI agent leaks credentials (authentication tokens) when queried via the WebSocket protocol. It can lead to the compromise of the infrastructure where the agent is installed: researchers have confirmed the ability to access local system data and execute commands with elevated privileges. The danger of CVE-2026-25253 is further compounded by the fact that its exploitation has generated numerous attack scenarios, including the use of prompt injections and ClickFix techniques to install stealers on vulnerable systems.

CVE-2026-34070: LangChain framework vulnerability

LangChain is an open-source framework designed for building applications powered by large language models (LLMs). A directory traversal vulnerability allowed attackers to access arbitrary files within the infrastructure where the framework was deployed. The core of CVE-2026-34070 lies in the fact that certain functions within langchain_core/prompts/loading.py handled configuration files insecurely. This could potentially lead to the processing of files containing malicious data, which could be leveraged to execute commands and expose critical system information or other sensitive files.

CVE-2026-22812: an OpenCode vulnerability

CVE-2026-22812 is another vulnerability identified in AI-assisted coding software. By default, the OpenCode agent provided local access for launching authorized applications via an HTTP server that did not require authentication. Consequently, attackers could execute malicious commands on a vulnerable device with the privileges of the current user.

Conclusion and advice

We observe that the registration of vulnerabilities is steadily gaining momentum in Q1 2026, a trend driven by the widespread development of AI tools designed to identify security flaws across various software types. This trajectory is likely to result not only in a higher volume of registered vulnerabilities but also in an increase in exploit-driven attacks, further reinforcing the critical necessity of timely security patch deployment. Additionally, organizations must prioritize vulnerability management and implement effective defensive technologies to mitigate the risks associated with potential exploitation.

To ensure the rapid detection of threats involving exploit utilization and to prevent their escalation, it is essential to deploy a reliable security solution. Key features of such a tool include continuous infrastructure monitoring, proactive protection, and vulnerability prioritization based on real-world relevance. These mechanisms are integrated into Kaspersky Next, which also provides endpoint security and protection against cyberattacks of any complexity.

Google Chrome has been quietly downloading a 4GB AI model onto users’ devices without asking first.

Security researcher Alexander Hanff, aka ThatPrivacyGuy, reports that Chrome has been silently installing Gemini Nano, Google’s on-device AI model, as a file called weights.bin stored in the OptGuideOnDeviceModel directory within users’ Chrome profiles. This 4GB download happens automatically when Chrome determines your device meets the hardware requirements. It does not ask for consent, and sends no notification—not even one of those annoying cookie banners you’ve learned to dismiss without reading.

The Gemini Nano model powers features like “Help me write” text composition assistance, on-device scam detection, and a Summarizer API that websites can call directly. These features are enabled by default in some recent Chrome versions. And here’s the kicker: if you discover the file and delete it, Chrome simply downloads it again.

Why this matters

Let’s start with the obvious problem: a 4GB download isn’t trivial for everyone. If you’re lucky enough to have unlimited fiber internet, you might not notice. But for users on metered connections, mobile hotspots, or in developing countries where data is expensive, Google just cost them real money without permission. For rural users or those with bandwidth caps, this kind of silent transfer can blow through monthly limits in minutes.

Hanff focuses on the environmental angle. He calculated that if this model were pushed to just 1 billion Chrome users (roughly 30% of Chrome’s user base), the distribution alone would consume 240 gigawatt-hours of energy and generate 60,000 tons of CO2 equivalent. That’s not including actually using the model, just the downloads.

But to us, the most troubling aspect is the broader pattern this represents. Just a few weeks ago, we reported another unsolicited AI invasion on our personal computers discovered by Hanff. He documented how Anthropic’s Claude Desktop app, which silently installed browser integration files across multiple Chromium browsers, including five browsers he didn’t even have installed. The integration would reinstall itself if removed, and it also happened without any meaningful user disclosure.

Hanff argues that both cases likely violate EU privacy law, specifically the ePrivacy Directive’s rules about storing data on user devices and the GDPR’s requirements around transparency and lawful processing. While these claims haven’t been tested in court, they highlight a fundamental tension: can companies just install whatever they want on your computer as long as they say it’s a feature of an app you installed?

Google might argue that having an AI on your device provides better privacy than cloud-based alternatives. Which is generally true, but it does not apply here, since Chrome’s most prominent AI feature—the “AI Mode” pill in the address bar—doesn’t even use the local model. According to Hanff’s analysis, it routes queries to Google’s cloud servers anyway. 

All in all, users see a 4GB local AI model and reasonably assume their data stays private, when in reality, the most visible AI feature sends everything to Google’s servers.

Tech companies need to stop treating silent deployment as acceptable practice. We see no valid excuse for this. Your device is yours. The storage is yours. The bandwidth is yours. And the electricity bill is yours.

What happened to asking for permission? And when I remove it, I want it gone permanently—not automatic reinstallation.

When are the tech giants going to learn that we don’t want to be left discovering after the fact that our devices have become deployment targets for features we never asked for.

Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

Hackers have abused commercial Claude AI models to help compromise a Mexican water and drainage utility’s IT network and probe systems connected to critical infrastructure. The attackers used Claude as an operational “copilot” to discover industrial systems, build custom tools, and plan attacks against an internal SCADA/IIoT platform managing water and drainage processes. The investigation […]

The post Hackers Weaponize Claude AI in Attacks on Water and Drainage Utilities appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Anthropic has officially announced a massive strategic partnership with SpaceX to expand its computing capabilities significantly. This collaboration aims to provide the necessary infrastructure to scale up the Claude artificial intelligence ecosystem. By securing dedicated computing power, Anthropic is immediately increasing usage limits for its dedicated customers and laying the groundwork for unprecedented future technological […]

The post Claude and SpaceX Join Forces to Enhance Large-Scale Compute Capacity appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.