AI Sec Watch

At the HumanX AI conference in San Francisco, Anthropic's Claude Code (an AI coding agent, a tool that generates, edits and reviews code) has become the dominant topic in the AI industry, surpassing OpenAI's influence among executives and investors. Despite a legal dispute with the Department of Defense, Anthropic continues to gain momentum, with Claude Code generating over $2.5 billion in annualized revenue since its May 2025 public launch. The company's focus on coding rather than spreading resources across multiple AI products has positioned it well to capture enterprise contracts.

OpenAI has launched a new $100 Pro subscription tier to compete with Claude's pricing and target coders and enterprises. The new Pro plan sits between the existing $20 Plus and $200 Pro Max tiers, offering 5x higher usage limits than Plus and access to advanced features like Codex (a code-generation tool), deep research, and GPT-5. OpenAI's strategy mirrors Anthropic's approach of offering a mid-tier subscription designed specifically for people doing complex, high-stakes work.

A 20-year-old man was arrested after throwing a Molotov cocktail (a homemade incendiary weapon) at OpenAI CEO Sam Altman's home and then threatening arson at the company's San Francisco headquarters. No one was injured in the attack, and the suspect was taken into custody with charges pending. The incident occurred during a controversial period for OpenAI involving military partnerships and litigation.

U.S. government officials, including Vice President JD Vance and Treasury Secretary Scott Bessent, met with tech CEOs from companies like Anthropic, OpenAI, Google, and Microsoft to discuss the security of large language models (AI systems trained on large amounts of text data) and how to protect against cyber attacks before Anthropic released its new Mythos model. Anthropic briefed government officials on the model's capabilities, including potential offensive and defensive cybersecurity applications, and emphasized that bringing the government into the conversation early about risks and safety measures was a priority.

FastGPT (a platform for building AI agents) has a broken access control vulnerability (IDOR/BOLA, a flaw where one user can access another user's data by guessing or changing IDs) that allows any authenticated team to run AI applications belonging to other teams by using a different application ID. The system checks that users are logged in but doesn't verify that the application they're trying to use actually belongs to their team, leading to unauthorized access to private AI workflows across teams.

n8n-mcp (a tool for connecting AI systems to external services) had security problems where certain HTTP endpoints (the connection points a program offers over the internet) didn't require authentication and exposed sensitive system information. An attacker with network access could shut down active sessions and gather details to plan further attacks.

The LangSmith JavaScript SDK contains a prototype pollution vulnerability (a type of attack where an attacker modifies the base object that all JavaScript objects inherit from) in its internal lodash `set()` function. The vulnerability exists because the code only blocks the `__proto__` key but allows attackers to bypass this protection using `constructor.prototype` instead, potentially affecting all objects in a Node.js application if they control data being processed by the `createAnonymizer()` API.

PraisonAI's browser bridge server (started with `praisonai browser start`) has a security flaw where it accepts WebSocket connections (a two-way communication channel between a client and server) without proper authentication checks. An attacker on the network can connect without credentials, trick the server into linking their connection to a legitimate browser extension session, and then intercept all commands and responses from that session, effectively taking control of the browser automation without permission.

PraisonAI Agents has a security flaw where tool approval decisions are cached by tool name only, not by the specific command arguments. Once a user approves the `execute_command` tool (a function that runs shell commands) for any command like `ls -la`, all future shell commands in that session bypass the approval prompt entirely. Combined with the fact that all environment variables (including API keys and credentials) are passed to subprocesses, an LLM agent can silently steal sensitive data without asking permission again.