The chilling role of ChatGPT in mass shootings and other violence
US tech firms successfully lobbied EU to keep datacentre emissions secret
Sweepstakes
Arbitrary Command Execution (RCE) on any system running a vulnerable Anthropic MCP implementation... - OX Security

> This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories…
>
> We repeatedly recommended root patches to Anthropic - that would have instantly protected millions of downstream users; however, they declined to modify the protocol’s architecture, citing the behavior as “expected.” We subsequently notified Anthropic of our intent to publish these findings, to which they raised no objection.
>
> Through over 30 responsible disclosures and 10+ High/Critical CVEs, OX Security has worked to patch individual projects. However, the root cause remains unaddressed at the protocol level.
>
> Source [https://web.archive.org/web/20260417015927/https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/] [2026-04-15; web-archive]

---

> But in practice it actually lets anyone run any arbitrary OS command, if the command successfully creates an STDIO server it will return the handle, but when given a different command, it returns an error after the command is executed.
>
> This logic opens a wide range of attack surfaces, when combined with user input; as it can allow direct arbitrary command execution with no input sanitization, and no red flags to the developer during implementation.
>
> Our examples show the basic case study using Python, but it reflects the same inherent vulnerability from all other programming languages (TypeScript, Java, Golang, etc…)
>
> …
>
> We found 6 official platforms with actual users vulnerable to arbitrary command execution via MCP configurations…
>
> # Case Studies: Real-World Exploitation
>
> …
>
> - Windsurf is an AI-powered IDE designed for developers. While it runs locally, its MCP configuration file (mcp.json) is writable by the AI agent - making it susceptible to prompt injection attacks that add malicious STDIO MCP entries.
>
> Attack chain:
>
> 1. Victim visits an attacker-controlled website and copies a prompt that appears legitimate;
> 2. The site serves different content to Windsurf’s internal requests - injecting a malicious instruction;
> 3. Windsurf receives the malicious prompt and proposes edits to mcp.json - without showing the user what will change – and modifies the file;
> 4. With no further user interaction; a new STDIO MCP entry is added and immediately executes its command on the victim’s machine.
>
> Source [https://web.archive.org/web/20260417020311/https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-technical-deep-dive/] [2026-04-15; web-archive]

---

[https://lemmy.world/pictrs/image/4928ecd3-f873-420c-884e-b15b7f1f3ba2.png] // Image Source [https://web.archive.org/web/20260417015927/https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/] [2026-04-15; web-archive]
Allbirds Stock Now Crashing as Reality Sets in About Its Delusional AI Pivot
icculus update rules on SDL project on generative AI code: [from "AI may not be used..." to "AI must not be used"]
You Do Not Hate The IRS Enough

> Documents I obtained show that the IRS already has a powerful set of tools to force compliance, from undercover agents to wiretaps and other forms of electronic surveillance. The collaborates with ICE to monitor the travel of American citizens through. But now, thanks to AI, the IRS’s ultimate goal is for “minimal human contact,” as one document put it.
>
> The centerpiece is Palantir software that allows IRS investigators and auditors to conduct “near real-time data analysis” through a custom tool called the “Selection and Analytic Platform,” or SNAP.
>
> What that means in practice is that millions of middle-income Americans who once fell below the threshold of what scarce human auditors could manage are now within reach. The little guy just became a lot easier to monitor at scale.
>
> The big guy? Not so much.
In the past 24h, the slop bots have brought in reinforcements. Traffic has doubled and is staying at those levels.
And all of this traffic is pretending to be Chrome or Firefox on macOS or Windows, none of it is identifying itself as a scraper.
I cannot recommend iocaine highly enough!
Shoe company pivots to AI. We are living in the dumbest timeline
Allbirds shares soar 580% after pivot from shoes to AI