Daily Cyber Briefing

AI Slop, Chrome Flaws, and the Geopolitical Sovereignty Showdown

Mike Housch Season 1 Episode 45

We dive into how AI is complicating the threat landscape, covering an "AI Slop" ransomware test sneaked onto the VS Code marketplace and novel prompt injection hacks against ChatGPT memories. We also break down critical high-severity browser flaws in Chrome 142 and the escalating geopolitical tension around US hyperscalers and European data sovereignty.

Welcome back to Cyber Scoops & Digital Shenanigans, the podcast where we break down the latest digital dramas and tell you why they matter. I’m your host, Mike Housch, and today, we are diving deep into how AI is rapidly shifting the cyber threat landscape, hitting everything from development environments to our favorite chatbots. We also have critical updates on high-severity browser flaws and a major geopolitical showdown over cloud data.

Let’s kick things off with something Secure Annex researchers are labeling 'AI Slop'. A malicious extension, seemingly created with the help of artificial intelligence, successfully snuck onto Microsoft’s official VS Code marketplace. The extension, named susvsex and published by ‘suspublisher18’, was remarkably overt about its intentions; its malicious functionality was openly advertised in its own description.

Secure Annex researcher John Tuckner noted that this extension is the product of what he calls “vibe coding” and is far from sophisticated. However, its core functionality is dangerous. It activates on any event, including installation or launching VS Code, initiating an encryption routine contained in the ‘extension.js’ file. Tuckner found that many of the hardcoded variables—things like the IP, encryption keys, and the command-and-control address—had comments indicating the code was likely generated through AI.

Here is the double threat: The extension calls a function named zipUploadAndEncrypt. First, it creates a .ZIP archive of files in the target directory and then exfiltrates them to a hardcoded Command and Control address. Second, all the original files are replaced with their encrypted versions using AES-256-CBC. Secure Annex observed that while susvsex exposed its malicious actions in the README file, just a few minor tweaks would make it far more dangerous. And despite reporting the extension and its explicit description detailing file theft and encryption, Microsoft reportedly ignored Tuckner’s initial report, leaving it in the VS Code registry for a time. While it was present at the time the original article was written, it was no longer available by publishing time. This highlights a serious vetting process gap in major development marketplaces.
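A defender can turn the traits described above (activation on every event, a hardcoded address, a bundled AES-CBC routine, and a description that advertises the behaviour) into a simple triage check. The script below is an added example, not code from Secure Annex or from the extension itself; the manifest and entry-point snippet it scans are constructed stand-ins, and the IP address in them is a documentation-range placeholder.

```python
import json
import re

# Constructed sample manifest and entry-point source for a hypothetical extension,
# modelled on the traits described above (not the real susvsex code).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-ext",
    "description": "Zips your workspace, uploads it, then encrypts the files.",
    "activationEvents": ["*"],
    "main": "./extension.js",
})
SAMPLE_EXTENSION_JS = """
const crypto = require('crypto');
const C2 = 'http://203.0.113.10/upload';  // hardcoded address (constructed placeholder)
const KEY = Buffer.from('0123456789abcdef0123456789abcdef');  // hardcoded key (constructed)
function zipUploadAndEncrypt(dir) { /* body intentionally omitted in this sample */ }
const cipher = crypto.createCipheriv('aes-256-cbc', KEY, iv);
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTENT_WORDS = ("encrypt", "upload", "exfiltrat", "ransom")


def scan_extension(package_json: str, extension_js: str) -> list[str]:
    """Return heuristic findings for one extension; an empty list means nothing flagged."""
    findings = []
    manifest = json.loads(package_json)
    # "*" and "onStartupFinished" are real VS Code activation events; both fire
    # without any user action, which is what the extension above relied on.
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates on every event / at startup")
    desc = manifest.get("description", "").lower()
    if any(word in desc for word in INTENT_WORDS):
        findings.append("description advertises encryption or upload")
    # Hardcoded IP literals in an entry point are unusual for legitimate extensions.
    ips = sorted(set(IPV4.findall(extension_js)))
    if ips:
        findings.append("hardcoded IP address: " + ", ".join(ips))
    # Node's crypto.createCipheriv with an AES-CBC suite inside an editor extension
    # deserves a manual look, whatever the README claims.
    if re.search(r"createCipheriv\(\s*['\"]aes-\d+-cbc", extension_js):
        findings.append("bundled AES-CBC encryption routine")
    return findings


if __name__ == "__main__":
    for finding in scan_extension(SAMPLE_PACKAGE_JSON, SAMPLE_EXTENSION_JS):
        print("FLAG:", finding)
```

Run it against the package.json and main script of each installed extension; the heuristics are deliberately coarse and are a prompt for review, not a verdict.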

Now, if the bad guys are using AI to write ransomware, the security researchers are busy hacking the AI models themselves. Tenable researchers recently discovered seven new ChatGPT vulnerabilities and attack techniques that can be exploited for data theft and other malicious purposes. Among the targets is the 'bio' feature, also known as 'memories,' which allows ChatGPT to recall user details and preferences across sessions.

One of the nastiest methods they found was prompt injection related to the ‘open_url’ function. When a user asks ChatGPT to summarize a website, SearchGPT—the specialized LLM that browses the web—analyzes the site and executes any AI prompts it finds, even instructions hidden in the site’s comments section. This means attackers can inject malicious prompts into popular websites that SearchGPT is likely to summarize. The researchers chained these vulnerabilities for end-to-end attacks, for instance, summarizing a blog post leads to a hidden prompt injection, which results in the user being urged to click a link pointing to a phishing website.

They even targeted the ‘url_safe’ endpoint, which is designed to check if a URL is safe. Tenable found the endpoint always treats bing.com as a safe domain, allowing threat actors to use specially crafted Bing URLs as intermediaries to bypass the check and exfiltrate user data, including memories and chat history. Although OpenAI has patched some findings, Tenable warns that prompt injection remains a fundamental security challenge for Large Language Models, and some methods still work even against the latest GPT-5 model.

Shifting focus to traditional infrastructure defense, Google pushed out an update to Chrome 142 this week to address five vulnerabilities, including three high-severity flaws. The most critical is CVE-2025-12725, an out-of-bounds write flaw in Chrome’s WebGPU graphics API, which could be exploited for remote code execution. This is particularly concerning because out-of-bounds defects allow attackers to write data outside the intended memory space, potentially leading to arbitrary code execution. SOCRadar notes that the risk of exploitation is growing due to the increased use of browser-based AI and graphics workloads.

The other two high-severity bugs involved inappropriate implementations in the Views framework and the V8 JavaScript engine. Vulnerabilities in the V8 engine are popular targets for threat actors, often exploited for remote code execution via type confusion or memory corruption issues. Gene Moody, CTO at Action1, summed it up: "Browsers have quietly become the single largest attack surface in nearly every organization." He added that exploits emerge and spread faster than traditional patch cycles, which is why critical fixes arrive multiple times a week. So, update those browsers, folks.

We also saw two significant government and infrastructure hits. The U.S. Congressional Budget Office (CBO) confirmed it had been hacked. The intrusion was attributed to a suspected foreign cyberattack, although the CBO itself did not confirm the foreign actor detail. CBO stated they have taken immediate action to contain the incident and implemented additional monitoring and new security controls.

And in the supplier security space, SonicWall revealed that a state-sponsored threat actor was responsible for their September hack. The attacker stole the firewall configuration files of all SonicWall customers who used the cloud backup service. The malicious activity was isolated to unauthorized access of cloud backup files from a specific cloud environment using an API call. Crucially, these files contained encrypted credentials and configuration data. SonicWall is urging all impacted customers to check their accounts and immediately reset all passwords.

That brings us to our final segment, hitting on the geopolitics of cyber risk: data sovereignty. The growing mistrust of US hyperscalers in Europe is palpable, especially under the shadow of the US CLOUD Act. The CLOUD Act allows US authorities to compel access to information held by American cloud providers, regardless of where the data is housed. Microsoft has admitted it cannot guarantee that data will not be transmitted to the US government when legally required.

In response, Microsoft is rolling out new measures, calling it "extra sovereignty". They announced end-to-end AI data processing in Europe as part of the EU Data Boundary. They also confirmed General Availability of Microsoft 365 Local, bringing Exchange Server, SharePoint Server, and Skype for Business Server to Azure Local.

However, European tech voices are skeptical. Mark Boost, CEO of Civo, warned that while placing a data center in London or Paris is data residency, it isn't true sovereignty if the company remains governed by US law. Frank Karlitschek, CEO of Nextcloud, went further, branding Microsoft's latest efforts as "sovereignty washing," arguing that true sovereignty requires the absence of strong dependencies on overseas parties, suggesting open source software is the only way to achieve it.

The takeaway for CISOs this week is clear: AI is a tool being wielded by both sides, often making basic protections like patching browsers and securing backups even more critical. And for global organizations, where your cloud data resides is not the same as where its legal jurisdiction lies.

That’s all the scoops we have for today. Stay safe out there, and we'll catch you next time on Cyber Scoops & Digital Shenanigans.