When AI Browsers Fall for Phishing and Other Tales from the Security Trenches

I’ve been digging through this week’s security news, and honestly, some of these stories feel like they’re straight out of a cybersecurity thriller. We’ve got AI browsers getting socially engineered, IoT devices with admin access running wild, and a supply chain attack that hit right in the heart of GitHub Actions. Let me walk you through what caught my attention and why these incidents matter for all of us.

AI Browsers: Smart Enough to Browse, Dumb Enough to Get Phished

Here’s something that made me do a double-take: researchers managed to trick Perplexity’s Comet AI browser into falling for a phishing scam in under four minutes. Think about that for a second – we’re building AI systems sophisticated enough to browse the web autonomously, but they’re still vulnerable to the same social engineering tactics that have been around since the dawn of email.

The attack exploits something fascinating about how these AI browsers work. They’re designed to reason through their actions, which sounds great in theory. But researchers at Guardio figured out how to turn that reasoning capability against the system itself, essentially convincing the AI to lower its own security guardrails. It’s like watching someone talk themselves out of their better judgment in real time.

This hits close to home because we’re seeing more organizations experiment with AI-powered automation. If these systems can be manipulated through carefully crafted web content, we need to start thinking about AI-specific security controls now, not after we’ve deployed them everywhere.

The GitHub Supply Chain Gets Poisoned

Speaking of automation gone wrong, there’s a nasty supply chain attack that targeted Xygeni’s GitHub Action through tag poisoning. The attackers managed to run an active command and control implant for up to a week, compromising the xygeni/xygeni-action that plenty of development teams rely on.

Tag poisoning attacks are particularly sneaky because they abuse the trust model that makes CI/CD pipelines so convenient. Developers reference actions by tag, assuming the tag is immutable, but a git tag is just a movable pointer: an attacker who gains write access to the action’s repository can re-point it at malicious code, and every pipeline that references that tag runs the new code the next time it executes. It’s the digital equivalent of swapping out someone’s tools while they’re not looking.

What makes this especially concerning is that Xygeni is an AppSec vendor – these are the folks who are supposed to help us secure our software supply chains. If they can get compromised, it’s a reminder that no one is immune to these attacks. We all need to be more paranoid about pinning our dependencies to specific commit hashes rather than trusting tags.
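As an added example (not code from the original post, from Xygeni, or from GitHub), here is a small checker that reads a workflow file, finds every `uses:` reference and flags the ones that point at a tag or branch instead of a full 40-character commit SHA, which is the pinning practice recommended above. The workflow text is constructed for the example: `actions/checkout` and `actions/setup-python` are real actions, but the SHA shown, the `@main` reference for xygeni/xygeni-action and the `./local-action` path are all made up.

```python
import re

# Constructed sample workflow for the example. The SHA below is made up, and the
# xygeni/xygeni-action@main reference is illustrative, not the project's guidance.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a2d5e0e0a  # v5.0.0
      - uses: xygeni/xygeni-action@main
      - uses: ./local-action
      - name: run tests
        run: pytest
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches a `uses:` step and captures the reference up to whitespace or a comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_ref(uses):
    """Return 'local', 'sha' or 'mutable' for one `uses:` value.

    Only a full 40-hex commit SHA is treated as pinned; tags, branches and a
    missing ref (which resolves to the default branch) are all mutable.
    """
    if uses.startswith("./"):
        return "local"  # a path inside the calling repo, not a remote action
    if "@" not in uses:
        return "mutable"
    _action, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA.match(ref) else "mutable"


def find_mutable_refs(workflow_text):
    """Return (line_number, uses_value) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, uses in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{uses}' is not pinned to a commit SHA")
```

Run it over a real `.github/workflows/*.yml` by reading the file into `find_mutable_refs` instead of the constructed string. The trailing `# v5.0.0` comment beside a SHA, as in the sample, keeps the pin readable without weakening it; a pin is only as good as the review of the commit it points at, so treat moving a pin the same way you would treat a dependency bump.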

WordPress Plugin Vulnerabilities: The Hits Keep Coming

On the WordPress front, we’ve got another SQL injection vulnerability, this time in the Elementor Ally plugin that’s installed on over 250,000 sites. The flaw allows unauthenticated attackers to steal sensitive data, which is about as bad as SQLi gets.

I know, I know – another WordPress plugin vulnerability isn’t exactly breaking news. But the scale here is what gets me. When a single plugin vulnerability can potentially impact a quarter of a million websites, it really drives home why we need better security practices in the plugin ecosystem. The fact that this particular plugin is focused on accessibility makes it even more frustrating – teams trying to do the right thing by making their sites more accessible shouldn’t have to choose between usability and security.
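To make the SQL injection class above concrete, here is an added example (not the Elementor plugin's code, and not WordPress code; the plugin is PHP and this uses Python with an in-memory SQLite table constructed for the demo) that puts the vulnerable lookup next to the parameterized one and shows why the second does not leak rows.

```python
import sqlite3

# Constructed rows standing in for a plugin's data; not the plugin's real schema.
SAMPLE_ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (login, email) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, login):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a value containing quotes changes the query itself."""
    query = f"SELECT login, email FROM users WHERE login = '{login}' ORDER BY id"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, login):
    """Hardened pattern: the value is bound as a parameter and is never parsed
    as SQL, so the same input simply fails to match any login."""
    return conn.execute(
        "SELECT login, email FROM users WHERE login = ? ORDER BY id", (login,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"  # classic textbook input, constructed for the demo
    print("vulnerable, benign:   ", lookup_vulnerable(conn, "alice"))
    print("vulnerable, hostile:  ", lookup_vulnerable(conn, hostile))  # every row
    print("parameterized, hostile:", lookup_parameterized(conn, hostile))  # no rows
```

The WordPress equivalent of the hardened function is building the statement with `$wpdb->prepare()` and placeholders rather than concatenating request values; the principle is the same in any stack, and it is the fix that closes this whole bug class rather than one payload.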

IoT Devices: When Admin Access Goes Rogue

Then there’s this guest diary about IoT devices logging in as admin, and honestly, just the headline tells you everything you need to know about how wrong things can go. When your IoT device has admin privileges, you’ve essentially handed over the keys to your network to a device that was probably designed with security as an afterthought.

We’ve been talking about IoT security for years, but stories like this remind me that we’re still seeing the same fundamental problems: devices shipped with default credentials, unnecessary admin access, and minimal security controls. The scary part is that by the time you notice your IoT device is behaving like an admin, the damage is probably already done.

A Rare Bit of Good News from France

Here’s something that actually made me smile: France’s national cybersecurity agency reported a drop in ransomware attacks in 2025. Small and medium businesses are still the most targeted, but seeing any kind of decrease in ransomware activity feels like a win these days.

I’m curious about what’s driving this trend. Is it better defenses, law enforcement pressure, or are the attackers just shifting tactics? Either way, it’s a reminder that our security efforts can make a difference, even if progress sometimes feels frustratingly slow.

What This All Means for Us

Looking at these stories together, I see a few common threads. First, complexity is still our enemy – whether it’s AI reasoning systems, supply chain dependencies, or IoT device management. Second, the fundamentals still matter. SQL injection, default credentials, and social engineering aren’t new problems, but they’re still causing real damage.

Most importantly, these incidents remind us that security isn’t just about the tools we deploy – it’s about understanding how those tools can be turned against us. Whether it’s an AI browser that reasons itself into trouble or a trusted GitHub Action that gets compromised, we need to assume that anything can be weaponized and plan accordingly.
