Thilina S

@IntCyberDigest 🤦‍♂️

❗️ Apple accidentally shipped Claude[.]md files in the Apple Support app update (v5.13). For context, Claude[.]md is the instruction file Anthropic's Claude Code uses to understand a project's structure, conventions, and developer guidance. They typically live in source repos and are not meant to ship inside production apps. Source: @aaronp613

Anthropic pays engineers $750,000+ a year to understand how LLMs work. Stanford just put a 2 hour lecture that covers 80% of it for FREE. Bookmark this. Give it 2 hours today. It might be the highest ROI thing you do this month:

🚨 BREAKING: Google DeepMind just mapped the attack surface that nobody in AI is talking about. Websites can already detect when an AI agent visits and serve it completely different content than humans see. > Hidden instructions in HTML. > Malicious commands in image pixels. > Jailbreaks embedded in PDFs. Your AI agent is being manipulated right now and you can't see it happening. The study is the largest empirical measurement of AI manipulation ever conducted. 502 real participants across 8 countries. 23 different attack types. Frontier models including GPT-4o, Claude, and Gemini. The core finding is not that manipulation is theoretically possible it is that manipulation is already happening at scale and the defenses that exist today fail in ways that are both predictable and invisible to the humans who deployed the agents. Google DeepMind built a taxonomy of every known attack vector, tested them systematically, and measured exactly how often they work. The results should alarm everyone building agentic systems. The attack surface is larger than anyone has publicly acknowledged. Prompt injection where malicious instructions hidden in web content hijack an agent's behavior works through at least a dozen distinct channels. Text hidden in HTML comments that humans never see but agents read and follow. Instructions embedded in image metadata. Commands encoded in the pixels of images using steganography, invisible to human eyes but readable by vision-capable models. Malicious content in PDFs that appears as normal document text to the agent but contains override instructions. QR codes that redirect agents to attacker-controlled content. Indirect injection through search results, calendar invites, email bodies, and API responses any data source the agent consumes becomes a potential attack vector. The detection asymmetry is the finding that closes the escape hatch. Websites can already fingerprint AI agents with high reliability using timing analysis, behavioral patterns, and user-agent strings. This means the attack can be conditional: serve normal content to humans, serve manipulated content to agents. A user who asks their AI agent to book a flight, research a product, or summarize a document has no way to verify that the content the agent received matches what a human would see. The agent cannot tell the user it was served different content. It does not know. It processes whatever it receives and acts accordingly. The attack categories and what they enable: → Direct prompt injection: malicious instructions in any text the agent reads overrides goals, exfiltrates data, triggers unintended actions → Indirect injection via web content: hidden HTML, CSS visibility tricks, white text on white backgrounds invisible to humans, consumed by agents → Multimodal injection: commands in image pixels via steganography, instructions in image alt-text and metadata → Document injection: PDF content, spreadsheet cells, presentation speaker notes every file format is a potential vector → Environment manipulation: fake UI elements rendered only for agent vision models, misleading CAPTCHA-style challenges → Jailbreak embedding: safety bypass instructions hidden inside otherwise legitimate-looking content → Memory poisoning: injecting false information into agent memory systems that persists across sessions → Goal hijacking: gradual instruction drift across multiple interactions that redirects agent objectives without triggering safety filters → Exfiltration attacks: agents tricked into sending user data to attacker-controlled endpoints via legitimate-looking API calls → Cross-agent injection: compromised agents injecting malicious instructions into other agents in multi-agent pipelines The defense landscape is the most sobering part of the report. Input sanitization cleaning content before the agent processes it fails because the attack surface is too large and too varied. You cannot sanitize image pixels. You cannot reliably detect steganographic content at inference time. Prompt-level defenses that tell agents to ignore suspicious instructions fail because the injected content is designed to look legitimate. Sandboxing reduces the blast radius but does not prevent the injection itself. Human oversight the most commonly cited mitigation fails at the scale and speed at which agentic systems operate. A user who deploys an agent to browse 50 websites and summarize findings cannot review every page the agent visited for hidden instructions. The multi-agent cascade risk is where this becomes a systemic problem. In a pipeline where Agent A retrieves web content, Agent B processes it, and Agent C executes actions, a successful injection into Agent A's data feed propagates through the entire system. Agent B has no reason to distrust content that came from Agent A. Agent C has no reason to distrust instructions that came from Agent B. The injected command travels through the pipeline with the same trust level as legitimate instructions. Google DeepMind documents this explicitly: the attack does not need to compromise the model. It needs to compromise the data the model consumes. Every agentic system that reads external content is one carefully crafted webpage away from executing attacker instructions. The agents are already deployed. The attack infrastructure is already being built. The defenses are not ready.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

You can now enable Claude to use your computer to complete tasks. It opens your apps, navigates your browser, fills in spreadsheets—anything you'd do sitting at your desk. Research preview in Claude Cowork and Claude Code, macOS only.

🇦🇺An Australian tech founder with zero biology background sequenced his dog’s tumor DNA, then used ChatGPT and AlphaFold to design a custom mRNA cancer vaccine. A month later, the tumors shrank by half. And this is just the start of AI medicine.

How morse code works.

Game console evolution 1979 to 2025

@earthcurated @grok, what's the location of this cottage? Is it an accomodation?

2 weeks alone in a secluded Scottish cottage. Yes or No?

BREAKING: Labor's work from home laws will come into effect on 1 September.

@DanThomasESPN Wishing you a speedy recovery soon Dan!

Look at me liver latest.

@livescore Financial fair play is a hoax and only apply to most La Liga clubs only aside from Real Madrid. Everybody else is allowed to spend as much they want without restrictions.

Chelsea have spent more on transfers than any club in football history 😳 💰🔵

@TrollFootball 🤣🤣

Donald Trump has celebrated more International trophies than Arsenal

@FabrizioRomano We need backups for right and left back positions. We are going for another winger.

🚨🔵🔴 Barcelona have made contact to be informed on Roony Bardghji deal conditions. Direct talks took place. Barça are monitoring the Swedish talent after Porto already sent a bid two weeks ago. Separate option from Nico Williams deal.

@eurofootcom @CLPRESSFR It's typical in Paris, the so called romantic city!

🚨⚠️ In Paris, the PSG store has been barricaded up before the Champions League final. This is to avoid any damage/looting, reports @CLPRESSFR.

@DanThomasESPN 😂

Don “I still think Inter have a chance.”

@LaurensJulien Congrats Jules! You could finally see your team PSG lifting the trophy!

This is the greatest performance I have ever seen. And it’s from my team. In the Champions League final. With my sons in the stands. Unbelievable.

@LaurensJulien This is why they lost. Those last few minutes after the 3rd goal was where they had to drop back and defend as a unit. It's crazy how they were still looking to attack when they could have ended this during normal time. Another golden opportunity to make it to the final wasted!

I rewatched last night’s game. I know Barcelona’s main strength is also their biggest weakness obviously but to be set up like this defensively and be all over the place in the 93rd when you are going through to a Champions League final is borderline scandalous!

@ESPNFC All they had to do was to get men behind and hold the lead for a couple of minutes after the 3rd goal went in. Couldn't do that. Game management when it mattered most was terrible. They only have themselves to blame. Know when to attack and when to defend!

Barcelona's defensive shape three minutes away from a Champions League FINAL 😮 Sometimes your biggest strength is also your biggest weakness.

@BlackYellow @FCBarcelona My two favorite teams! Respect! 🫡

Congratulations to @FCBarcelona for advancing to the UCL semi finals. A fantastic tie between us! ⚫️🟡🤝🔵🔴