General Analysis

Be careful when you click on an Anthropic ad. Your entire chat history might get leaked. Last week Oasis Security disclosed "Claudy Day": three vulnerabilities chained together in claude.ai. Full exfil of a user's chat history without any MCPs or integrations. Here's the chain: Attacker buys a Google Ad. Google validates hostname: claude.com checks out. But the link exploits an open redirect to bounce you into a pre-filled prompt with invisible HTML carrying exfiltration instructions. You see "Summarize" in the text box. Claude sees orders to dump your conversations into a file and upload it to the attacker's Anthropic account through the Files API. The Files API. Already allowlisted in the sandbox. Because the product doesn't work without it. Anthropic patched the injection. The other two are "being addressed." The pattern is repeatable across many providers: Untrusted input reaches the model. Model touches private context. At least one allowlisted path out exists.

It was a pleasure speaking at the 2nd Global AI Pitch Summit alongside Sam Hamilton, Shub A, Sana Wajid, Shaun Johnson and Rocky Yu on AI safety and security. Glad to see so many organizations, startups, and leaders thinking deeply about how to adopt AI but do so safely. Thank you Stanford Entrepreneurs, Dr. Paul Fang, and Sophie R. for organizing this event.

We ran OpenAI's GPT OSS Safeguard 20B on three benchmarks (two public and one internal). Surprisingly, the base GPT-OSS 20B (no fine-tune) is almost as good, and sometimes better. This mostly matches OpenAI’s findings in the original release post: across the three benchmarks they report, Safeguard tracks close to the open base model on the two public, non-pipeline evals, and only shows a clear win on their internal safety-pipeline test. On our internal benchmark, the non-fine-tuned model actually does better than Safeguard. My best guess for why we see clear gains in the Safeguard's performance only on OpenAI's internal benchmark is data hygiene. It is possible that the synthetic generators and pipelines used mirror the eval distribution too closely. It is not enough if you evaluate on different data. If the train and test data is generated through the same pipeline you might still be overfitting without real generalization. Custom policy enforcement models are a step in the right direction. However, we need better benchmarks to make sure the training has been effective. The safeguards are trained to be custom policy enforcers but as of now there are no benchmarks for this. The limited benchmarking that is done is still on the generic moderation categories.

If you are worried about users prompt injecting your AI agent this is for you! We are excited to open-source the GA Guard series, a family of safety classifiers that have been providing comprehensive protection for enterprise AI deployments for the past year. GA Guards are the first guards to support native long-context moderation up to 256k tokens for agent traces, long form documents, and memory-augmented workflows. ✔️ GA Guard 4B: Our default guardrail, up to 15x faster than cloud providers, balancing robustness and latency for most stacks. Best guardrail in the market! ✔️ GA Guard 4B Thinking: Our best performing guard for high-risk domains, hardened with aggressive adversarial training. Responsive to custom policies! ✔️ GA Guard Lite 600M: Up to 25x faster than cloud providers, with minimal hardware requirements, while still outperforming all major cloud providers. Check out our huggingface and give them a try 🤗 !

A vulnerability we found went viral on hacker news and X. Here is what we did: MCPs introduce a lot of new attack surfaces to any AI agent. Simon Willison coined the term Lethal Trifecta to describe the setting that makes AI-agent pipelines fatally vulnerable: 1- Access to Private Data: When a tool can reach your databases, emails, files or transaction history, it holds the keys to everything you value. 2- Ingestion of Untrusted Content: Anytime you pull in text or images from external sources—web pages, user uploads, emails—you risk feeding the model hidden instructions. 3- External Communication: Whether it’s HTTP callbacks, email sends, QR-code payment URLs or any other channel, the agent can exfiltrate data once it has it. Email us at info@generalanalysis.com if you want a free security analysis or want to chat about securing your AI tools.

🧨 Caution: Cursor + Supabase MCP will leak your private SQL tables — it’s only a matter of time. In our latest test, a simple user message was enough to make Cursor leak integration_tokens to the attacker who submitted it. All it took was a malicious support ticket sent through a production-grade support workflow. The client app/agent itself didn’t have access to sensitive data. But Claude 4, running inside Cursor, did. It executed the injected instructions without hesitation, causing the company’s private SQL tables to appear on the client side No misconfiguration. No obvious bug. Just default behavior with dangerous consequences. Details of the experiment: https://lnkd.in/gv2SeSTG