Security researchers at LayerX disclosed a serious vulnerability in Anthropic’s “Claude in Chrome” extension that allowed any other browser extension — including those with no special permissions — to send hidden instructions to the Claude AI agent. Discovered April 27 and privately reported to Anthropic on April 28, the bug (dubbed “ClaudeBleed”) stems from a trust-boundary error in the extension’s message handling that lets scripts running in the browser communicate with Claude’s LLM without verifying the sender. Tests showed attackers could exfiltrate Google Drive files, read and send emails, steal private GitHub source code and trigger other privileged actions while evading user notification. Anthropic released an update (v1.0.70) on May 6 that added checks for “standard” mode, but researchers say a “privileged” mode still allowed command injection and that LayerX’s principal researcher bypassed the patch within hours. LayerX recommended fixes such as signed extension-to-page tokens, restricting externally_connectable to specific extension IDs, and one-time approval tokens; Anthropic has said it will ship further fixes but did not immediately comment on the research.

Security researchers at the Karlsruhe Institute of Technology (KIT) in Germany have demonstrated that ordinary Wi‑Fi routers can be used to identify and track individuals by analysing unencrypted beamforming feedback information (BFI). The team’s BFId method, tested on 197 volunteers, produced identification accuracies of up to 99.5% and works even when targets carry no wireless device or have phones turned off. BFId passively captures BFI broadcast by devices using Wi‑Fi 5 and later, requiring only an adapter in monitor mode and no access to the victim network. The technique outperformed earlier channel state information (CSI) approaches and can combine with other data to link identities. Researchers have raised alarms about the privacy risks and urged standards bodies to add protections to the IEEE 802.11bf Wi‑Fi sensing specifications; encryption or protocol changes could be complex and risk backward compatibility. The findings were presented in academic venues and published as part of ongoing work on Wi‑Fi sensing and surveillance threats.

Security researchers from Zhejiang University, the National University of Singapore and Nanyang Technological University presented a proof-of-concept attack called “AudioHijack” at the IEEE Symposium on Security and Privacy on May 24, 2026. They showed how adversarial, human‑inaudible audio signals can be embedded in podcasts, videos or meeting audio to covertly instruct voice AI models and agents to perform unauthorized actions. The team trained context‑agnostic signals in roughly 30 minutes and tested them against 13 open‑source audio models (including Qwen2‑Audio, GLM‑4‑Voice and Phi‑4), reporting success rates of about 79%–96% across scenarios. Demonstrated exploits included issuing sensitive web searches, downloading files from attacker‑controlled sources and exfiltrating data via email. The attacks transferred to commercial voice agents built on open weights, including services from Microsoft Azure and Mistral, although the technique currently requires access to full model weights. Defensive measures such as adversarial training and intent verification reduced but did not eliminate effectiveness. Microsoft acknowledged the research, noting practical deployments often include additional safeguards and developer guidance.

U.S. cybersecurity agencies and security firms warned this week of active exploitation of a critical SQL injection bug in Drupal Core, tracked as CVE-2026-9082. Drupal released patches on May 20 and updated its advisory on May 22 to confirm exploit attempts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian agencies to remediate by May 27, 2026. Security vendors, including Imperva, reported more than 15,000 attack attempts targeting nearly 6,000 sites across about 65 countries within 48 hours of disclosure; roughly half of observed probes targeted gaming and financial services sites. The vulnerability affects Drupal sites using PostgreSQL backends (Drupal estimates this is under 5% of installations but still thousands of sites) and can enable information disclosure, privilege escalation and, in some configurations, remote code execution. Administrators are urged to apply available patches for supported Drupal releases immediately and to investigate suspicious database query activity.

A prolific cybercrime group calling itself TeamPCP has exfiltrated roughly 3,800–4,000 internal GitHub repositories after a compromised developer device installed a poisoned Visual Studio Code extension, GitHub said. The malicious Nx Console v18.95.0 build was available on Microsoft’s Visual Studio Marketplace for about 18 minutes on May 18 before being removed; GitHub confirmed the intrusion publicly on May 20 and continues investigating. Researchers say the incident is the latest phase of an automated, self‑propagating campaign — driven by a worm called Mini Shai‑Hulud — that has staged at least 20 waves and poisoned more than 500 packages across npm, PyPI and other ecosystems. The campaign uses credential‑stealing payloads in developer tools to harvest long‑lived CI/CD tokens, then publishes tainted packages that compromise further projects; victims cited in reporting include OpenAI and others. TeamPCP offered the stolen GitHub repositories for sale on cybercrime forums (reports indicate an asking price of at least $50,000). GitHub says its current assessment is the compromise was limited to internal repositories and that it has rotated critical secrets and isolated the affected endpoint.

Anthropic says its frontier AI, Mythos Preview, and its Project Glasswing partners have uncovered an unprecedented volume of software flaws, finding more than 10,000 high- or critical-severity issues across partner systems and reporting roughly 23,000 total vulnerabilities while scanning over 1,000 open-source projects. Anthropic reports 6,202 suspected high- or critical-severity flaws among open-source code; 1,752 findings have been independently assessed with a 90.6% true-positive rate and 62.4% confirmed as high or critical. Around 50 partner organisations — including Cloudflare, which reported about 2,000 bugs (400 high/critical) — have each identified hundreds of issues. Anthropic has disclosed roughly 530 high/critical bugs so far; 75 have been patched and 65 public advisories issued, a pace constrained by a 90-day coordinated-disclosure window and limited maintainer capacity. The company warns discovery now outpaces verification, disclosure and patching, creating a widening exposure window, and has begun offering enterprise tools (Claude Security beta) and a Cyber Verification Program while committing credits and donations to support remediation work.