activescott's Notes

Building on our previous disclosure of the Perplexity Comet vulnerability, we’ve continued our security research across the agentic browser landscape. What we’ve found confirms our initial concerns: indirect prompt injection is not an isolated issue, but a systemic challenge facing the entire category of AI-powered browsers. This post examines additional attack vectors we’ve identified and tested across different implementations.

How the attack works:

Setup: An attacker embeds malicious instructions in Web content that are hard to see for humans. In our attack, we were able to hide prompt injection instructions in images using a faint light blue text on a yellow background. This means that the malicious instructions are effectively hidden from the user.
Trigger: User-initiated screenshot capture of a page containing camouflaged malicious text.
Injection: Text recognition extracts text that’s imperceptible to human users (possibly via OCR though we can’t tell for sure since the Comet browser is not open-source). This extracted text is then passed to the LLM without distinguishing it from the user’s query.
Exploit: The injected commands instruct the AI to use its browser tools maliciously.

While Fellou browser demonstrated some resistance to hidden instruction attacks, it still treats visible webpage content as trusted input to its LLM. Surprisingly, we found that simply asking the browser to go to a website causes the browser to send the website’s content to their LLM.

Copyright holder of the works of Muhammad Asad, notably The Message of the Qur’an.

The family of independent UN investigator Francesca Albanese has sued the Trump administration over US sanctions imposed on her last year for her criticism of Israel’s policies during the war with Hamas in Gaza, saying the penalties violate the first amendment.

In a lawsuit filed Wednesday in the US district court in Washington, Albanese’s husband and minor child outlined the serious impact those sanctions have had on the family’s life and work, including the ability to access their home in the nation’s capital.

Albanese, the UN special rapporteur for the West Bank and Gaza, is a member of a group of experts chosen by the 47-member UN human rights council in Geneva. She has been tasked with investigating human rights abuses in the Palestinian territories and has been vocal about what she has described as the “genocide” by Israel against Palestinians in Gaza.

Both Israel and the United States, which provides military support to its close ally, have strongly denied the genocide accusation. Washington had decried what it has called Albanese’s “campaign of political and economic warfare” against the US and Israel before imposing sanctions on her in July after an unsuccessful US pressure campaign to force the international body to remove her from her post.

When it comes to his handling of foreign affairs, most do not trust Donald Trump to make the right decisions about international military action (56%) or the use of nuclear weapons (59%). The public is similarly skeptical when it comes to his handling of relationships with both U.S. allies and adversaries, with 56% and 55%, respectively, expressing little to no trust.

Trust in Trump’s decision making on international issues is starkly divided along partisan lines with Republicans more likely than Democrats or independents to have faith in the president’s judgment. Ninety-two percent of Democrats and 65% of independents have little or no trust in Trump’s ability to make the right decisions on the use of nuclear weapons compared with 20% of Republicans. There are similar partisan divisions when it comes to use of military force abroad and relationships with other countries.

Identification and control guidance and resources for noxious weeds and invasive plants in King County

The MCP Inspector is an interactive developer tool for testing and debugging MCP servers. While the Debugging Guide covers the Inspector as part of the overall debugging toolkit, this document provides a detailed exploration of the Inspector’s features and capabilities.

This repository contains a Model Context Protocol server implementation for Reddit that allows AI assistants to access and interact with Reddit content through PRAW (Python Reddit API Wrapper).

haircuts

This approval comes down to how Apple builds security into its products. New iPhones and iPads rely on Apple silicon with a Secure Enclave that isolates sensitive data, like encryption keys and biometric information. They also use protections such as Face ID, Touch ID, and Memory Integrity Enforcement, which block entire classes of memory-based attacks before they run.

To be clear, NATO has not crowned the iPhone and iPad as its official devices. But it is validating that Apple's everyday hardware meets the bar for classified government use. In other words, the same phone in your pocket is trusted in environments once reserved for bespoke, locked-down hardware. It also reinforces Apple's claims that privacy and security are core decisions.

Catch up quick: The Pentagon and Anthropic are in a high-stakes feud over the limits Anthropic wants to place on the department's use of its AI model Claude: no mass surveillance or autonomous weapons.

The Pentagon this week started laying the groundwork for one consequence — blacklisting the company as a supply chain risk — by asking defense contractors including Boeing and Lockheed Martin to assess their exposure to Anthropic.
Alternatively, Hegseth threatened to invoke the Defense Production Act to compel Anthropic to provide its model without any restrictions. Such an order may be on murky legal ground.

The Pentagon's threats "are inherently contradictory: one labels us a security risk; the other labels Claude as essential to national security," Amodei said in a blog post.

"Regardless, these threats do not change our position: we cannot in good conscience accede to their request," he added.

The big picture: The Pentagon's requirement that AI models be offered for "all lawful purposes" in classified settings is not unique to Anthropic.

While Anthropic has been the only model used in classified settings to date, xAI recently signed a contract under the all lawful purposes standard for classified work.
Negotiations to bring OpenAI and Google into the classified space are accelerating. 

What's next: Amodei said the company remains committed to continuing talks.

But if the Pentagon decides to offboard Anthropic, Amodei said the company "will work to enable a smooth transition to another provider."

The year is 2026. The unemployment rate just printed 4.28%, AI capex is 2% of GDP (650bn), AI adjacent commodities are up 65% since Jan-23 and approximately 2,800 data centers are planned for construction in the US*. In spite of the current displacement narrative – job postings for software engineers are rising rapidly, up 11% YoY.

Indeed Job Postings: Software Engineers + Overall Postings, Daily and 21dma

The more important question insofar as it relates to the AI displacement narrative is: how intensely is AI being used for work? We can tease out the answer from a subset of the St Louis Fed data that buckets by frequency of AI use. We would posit that if AI represents imminent displacement risk, the real time population data would show an inflection upwards in the daily use of AI for work. The data seems unexpectedly stable and presents little evidence of any imminent displacement risk (solid lines at the bottom of the chart).

Displacing white collar work would require orders of magnitude more compute intensity than the current level utilization. If automation expands rapidly, demand for compute definitionally rises, pushing up its marginal cost. If the marginal cost of compute rises above the marginal cost of human labor for certain tasks, substitution will not occur, creating a natural economic boundary. This dynamic contrasts sharply with narratives assuming frictionless replication of intelligence. Even if algorithms improve recursively, economic deployment remains bounded by physical capital, energy availability, regulatory approvals, and organizational change.

For AI to generate a sustained macro contraction one must assume that labor income falls and no compensating rise occurs in investment, fiscal transfers, or external demand. The surge in new business formation is an interesting point of reference here.

In a part of the opinion joined by Justice Neil Gorsuch and Justice Amy Coney Barrett, Roberts said that Trump’s reliance on IEEPA to impose the tariffs violated the “major questions” doctrine – the idea that if Congress wants to delegate the power to make decisions of vast economic or political significance, it must do so clearly. In 2023, the court relied on the “major questions” doctrine to strike down the Biden administration’s student-loan forgiveness program. In that case and others like it, Roberts observed, it might have been possible to read the federal law at issue to give the executive branch the power it claimed. But “context” – such as the constitutional division of power among the three branches of government – and “common sense” “suggested Congress would not have delegated ‘highly consequential power’ through ambiguous language.”

In cases like this one, Roberts continued, in which the Trump administration contends that Congress has delegated to it “the core congressional power of the purse,” considerations like context and common sense “apply with particular force.” “[I]f Congress were to relinquish that weapon to another branch, a ‘reasonable interpreter’ would expect it to do so ‘clearly.’” And indeed, Roberts said, “[w]hen Congress has delegated its tariff powers, it has done so in explicit terms, and subject to strict limits,” a test that Trump’s tariffs failed here.

The bipartisan war powers resolution, sponsored by Reps. Ro Khanna (D-Calif.) and Thomas Massie (R-Ky.), aims to reassert Congress’s authority to wage war by requiring Trump to win congressional approval before launching any strikes against Iran.

But Massie, so far, is the only House Republican to say he’s supporting the resolution. And a small handful of Democrats — all of them close allies of Israel — are already lining up to oppose it. The combination sets the stage for the measure to fail in the Republican-controlled House, which would give Trump what amounts to a tacit authorization to conduct unilateral strikes as the president and other top officials signal that such an attack could be imminent.

Khanna, Massie and other supporters of the check on executive war powers maintain that they’re merely firming up the use-of-force authorities delineated by the Constitution, which explicitly grants Congress the power “to declare war.”

Last summer, after Trump launched strikes against Iranian nuclear facilities, Senate Republicans blocked a bipartisan resolution limiting Trump’s use of force in that country.

Over the last three months, the lower chamber has voted on three separate war powers resolutions — two related to military actions in Venezuela, and the third governing the Pentagon’s strikes on alleged drug traffickers in the Caribbean region. All resolutions were defeated by Trump’s GOP allies.

“We were told that the nuclear program in Iran had been completely and totally obliterated. Not my words, Donald Trump’s words. And so now we’re to believe that there’s an exigent circumstance where Donald Trump may need to strike militarily in order to prevent Iran presumably from achieving its nuclear ambitions,” Jeffries said Tuesday.

The danger here isn’t just about one contract; it’s about the precedent. If the Pentagon successfully bullies Anthropic into submission or replaces it with a more “flexible” competitor, we are effectively witnessing the birth of an intentionally unethical AI.

The Death of Human Agency When AI is integrated into weaponry for “all lawful purposes” without restrictions on autonomy, we invite the Responsibility Gap. If an AI-driven drone swarm misidentifies a target, who is at fault? By removing the “human-in-the-loop” requirement, the military is seeking a weapon that offers the ultimate prize of war: lethality without accountability. Surveillance as a Service Existing U.S. laws were written for wiretaps, not for generative AI that can ingest millions of data points to build predictive profiles. Under an “all lawful purposes” mandate, an LLM could be turned into a digital Panopticon. Anthropic has warned that current laws have not caught up to what AI can do in terms of analyzing open-source intelligence on citizens. The Moral Race to the Bottom If the Pentagon blacklists Anthropic, it sends a clear message to competitors: Safety is a liability. To win government billions, firms will be incentivized to strip away safety layers. Reports already suggest OpenAI, Google, and xAI have shown more “flexibility” regarding the Pentagon’s demands.

The Pentagon’s “supply chain threat” maneuver is a scorched-earth tactic designed to force Silicon Valley to choose between its values and its bottom line.

If Anthropic stands firm, it may lose $200 million in revenue and a seat at the defense table. But if they cave, they may well be providing the operating system for the very “Terminator” future they were founded to prevent. In the world of 2026, the most dangerous threat to the supply chain might just be an AI that has been ordered to stop caring about ethics.