Transformers CVE‑2026‑4372: model load RCE via _attn_implementation_internal
AI Sec News Weekly #10 — 295 sources scanned
When did “data” stop being just data? We’ve been here before with PostScript, PDFs, and Word macros: formats that look inert but hide a runtime. In AI, loaders play the interpreter role, and “config” is drifting into plugin territory. Treat a model like a JPEG and you’ll be surprised; treat it like a DLL and the risks line up.
This week underscored that slide. The striking part isn’t a single bug, it’s the direction of travel: convenience features piling into metadata until metadata behaves like code. A simple mental model helps: model = package, loader = runtime, config = extension point. Viewed that way, a lot of “mystery” vulnerabilities become predictable — and testable.
With that frame, the lead item reads differently. See what jumps out to you.
This Week's Stories
CVE-2026-4372: Transformers Config Field Turns Model Load into RCE
Disclosed May 24, CVE‑2026‑4372 hits Hugging Face’s transformers: a crafted model config can abuse the private _attn_implementation_internal field to run arbitrary code during load. The execution triggers while parsing the config, before weights initialize. That makes pulls of untrusted model repos or cached configs a code‑execution path across inference hosts and build systems.
Why it matters: Pulling a model now carries the same blast radius as installing a third‑party package.
CVEFeed.io Latest by cvefeed.io
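Treating config as an extension point means auditing it before the loader sees it. The following pre-flight check is an added example, not code from transformers or the advisory: it flags underscore-prefixed (private) keys that a config.json should never set and attention-backend values outside an assumed allowlist; the sample configs are constructed.

```python
import json

# Assumed allowlist of attention backends your loader accepts; adjust locally.
ALLOWED_ATTN = {"eager", "sdpa", "flash_attention_2"}
ATTN_KEYS = {"attn_implementation", "_attn_implementation_internal"}

# Constructed sample configs (not real model repos).
BENIGN_CONFIG = '{"model_type": "llama", "hidden_size": 4096, "attn_implementation": "sdpa"}'
SUSPICIOUS_CONFIG = '{"model_type": "llama", "_attn_implementation_internal": "not-a-real-backend"}'


def audit_config(config_text: str) -> list:
    """Return findings for a model config.json before it reaches a loader.

    Flags private (underscore-prefixed) keys anywhere in the document and any
    attention-backend value that is not a string on the allowlist. An empty
    list means nothing suspicious was seen, not that the config is safe.
    """
    findings = []
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config top level is not a JSON object"]

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                here = f"{path}.{key}" if path else key
                if key.startswith("_"):
                    findings.append(f"private key set from file: {here}")
                if key in ATTN_KEYS and (not isinstance(val, str) or val not in ALLOWED_ATTN):
                    findings.append(f"attention backend not allowlisted: {here}={val!r}")
                walk(val, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(cfg, "")
    return findings


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(name, audit_config(text) or "no findings")
```

Run it over every config.json pulled into a cache or build before any from_pretrained-style call, and fail closed on findings.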
Composer Tag Hijack Drops 5,900-Line Stealer via Laravel-Lang
On May 22, researchers spotted a live supply‑chain hit on laravel‑lang/lang, /attributes and /http-statuses: 233 Composer tags pointed to a malicious fork. The tags added src/helpers.php that self‑executed on install, pulled a payload from flipboxstudio[.]info, and ran a 5,900‑line PHP stealer that AES‑encrypted and exfiltrated secrets. Packagist yanked the bad versions; targets ranged from cloud creds (AWS/GCP/Azure) to kubeconfigs and SSH keys.
Why it matters: Release tags aren’t provenance; in autoloader ecosystems, a tag flip can turn a routine update into silent code execution on dev workstations and CI.
Snyk Blog by Brian Clark
Anthropic’s Glasswing: Mythos AI Flags 1,094 High/Critical Bugs
Anthropic says Project Glasswing, powered by Claude Mythos Preview, flagged 10,000 high‑severity candidates since launch last month. Triage confirmed 1,726 true positives, including 1,094 high/critical, with 97 upstream fixes and 88 advisories so far. One standout: WolfSSL CVE‑2026‑5194 (CVSS 9.1) enabling certificate forgery. About 50 partners currently have early access to the model.
Why it matters: AI‑assisted hunting is outpacing patch throughput, so backlogs harden into exposure windows rather than brief spikes.
Tool Spotlight
New repos and releases worth trying.
Microsoft’s RAMPART: pytest red‑team harness for agent apps
Microsoft open‑sourced RAMPART, a pytest framework on PyRIT for agent developers and red teams that bakes automated agentic red‑team tests into CI/CD. It simulates prompt injection, verifies allowed tool use, and supports statistical trials (e.g., ≥80% safe) with reproducible runs. Internally, one bug vector spawned ~100 variants and ~300 multi‑turn tests to validate mitigations. Concrete use: prove an agent never invokes shell tools when baited.
Why it matters: Statistical, reproducible red‑teaming wired into tests turns “works on my prompt” into a measurable risk bar.
The Register Security by Jessica Lyons
Roam Code: local‑first change gates and receipts for AI agents
Roam Code is a local‑first Python CLI for platform and security teams that lets AI coding agents earn the right to change code — and prove it. It ships 241 commands, 227 MCP tools, and a SQLite‑backed code graph across 28 languages, with zero network egress by default. Each change emits a tamper‑evident packet: HMAC‑chained run ledger, signed Code Graph Attestation, and signed PR bundle. Use case: gate an agent’s payments edit and attach verifiable ChangeEvidence to the PR.
Why it matters: Provenance‑backed AI edits change the trust model: you can verify what the agent read, decided, and changed, not just hope a session log is honest.
Clarity: design‑time questions for safer agent features, open‑sourced
Microsoft also shipped Clarity, an open‑source agent that interrogates your feature idea before any code exists. It plays architect/PM/safety reviewer, asking requirements and abuse‑case questions like “what if two people edit the same paragraph at once?”. Outputs are structured considerations you can carry into specs and tests. Audience: product teams and safety engineers shaping agent behaviors.
Why it matters: Moving safety review into ideation avoids entire categories of failure modes that testing can only catch late.
Microsoft Security Blog by Ram Shankar Siva Kumar
Community Chatter
What practitioners are debating.
OpenAI and Anthropic are kicking off a mad cybersecurity dash
The CISO, or chief information security officer, has suddenly become one of the most high-pressure roles in business. Anthropic's Mythos and OpenAI's GPT-5.5 models sparked a wave of fear that attackers armed with advanced AI models could soon crack systems worldwide.
Why it matters: If a company generates 10 times the lines of code, it should expect 10 times the number of vulnerabilities, or worse. CISOs now live in an AI fog. OpenAI and Anthropic are building partnerships with security companies like Snyk to beat back the storm of worries. Security is always a team sport; the model companies need to recognize that this is how security works, and they are starting to.
Business Insider by Stephen Council
Trail of Bits hardens zizmor for YAML anchors in real CI
Trail of Bits and zizmor maintainers expanded GitHub Actions YAML‑anchor support, fixing crashes, wrong‑location findings, and alias mishandling, and aligning with GitHub’s Known Answer Tests. Validated on 41,253 workflows (6,612 repos): 45 crashes; anchors in just 43 files (~0.1%), including Bitcoin Core, PHP, OpenSSL. The push yielded 20 issues and 15 merged PRs. Engineers debated the payoff: niche syntax, high blast radius when broken.
Why it matters: Static analyzers that quietly misparse rare constructs become permission slips for supply‑chain attackers.
Trail of Bits by Alexis Challande
Gemini Spark’s agent touts isolation; Antigravity swap raises eyebrows
Simon Willison flagged that Gemini Spark mixes Gemini 3.5 Flash with a closed‑source Antigravity Go runtime across a desktop app, CLI, SDK, and VS Code fork. Google claims each task runs in a fresh ephemeral VM behind an Agent Gateway with DLP, while the open‑source Gemini CLI stops working June 18 in favor of a closed Antigravity CLI. Fans like the isolation story; skeptics see untestable promises.
Why it matters: Opaque agent stacks erase the line between a security guarantee and a marketing claim.
Quick Hits
- Claude Code Sandbox Bypass Confirmed and Patched (The Register Security) — A SOCKS5 hostname null byte bug let Claude Code bypass network allowlists and, with prompt injection, run code and exfiltrate tokens until Anthropic pushed a patch.
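The null‑byte class of allowlist bypass is easy to test for on the defender side. Below is an added example, not Claude Code's or Anthropic's code: it parses a SOCKS5 domain‑name request (RFC 1928, ATYP 0x03) using the length prefix, then makes the allowlist decision on the full name and rejects any byte outside the hostname character set. A naive variant that truncates at the first NUL is shown alongside to make the failure visible; the allowlist and requests are constructed.

```python
ALLOWLIST = {"api.example.com"}  # constructed allowlist


def build_socks5_connect(host: bytes, port: int) -> bytes:
    """Constructed SOCKS5 CONNECT request with a domain-name address (ATYP=0x03)."""
    return bytes([0x05, 0x01, 0x00, 0x03, len(host)]) + host + port.to_bytes(2, "big")


def parse_socks5_connect(data: bytes):
    """Return (cmd, host_bytes, port) using the length prefix, never a NUL terminator."""
    if len(data) < 5 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, n = data[1], data[3], data[4]
    if atyp != 0x03:
        raise ValueError("only ATYP=0x03 (domain name) handled here")
    host = data[5:5 + n]
    if len(host) != n or len(data) != 5 + n + 2:
        raise ValueError("truncated request")
    port = int.from_bytes(data[5 + n:7 + n], "big")
    return cmd, host, port


def host_allowed(host: bytes, allowlist=ALLOWLIST) -> bool:
    """Decide on the exact bytes that will be used downstream; fail closed on junk."""
    if not host or len(host) > 253:
        return False
    for b in host:  # letters, digits, hyphen, dot only: a NUL or other control byte fails here
        if not (b in b"-." or 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A):
            return False
    name = host.decode("ascii").lower().rstrip(".")
    return any(name == a or name.endswith("." + a) for a in allowlist)


def naive_host_allowed(host: bytes, allowlist=ALLOWLIST) -> bool:
    """The bug pattern: a C-string-style cut at NUL checks a different name than is sent."""
    name = host.split(b"\x00", 1)[0].decode("ascii", "replace").lower()
    return name in allowlist


if __name__ == "__main__":
    for h in (b"api.example.com", b"api.example.com\x00other.test"):
        _, parsed, _ = parse_socks5_connect(build_socks5_connect(h, 443))
        print(h, "strict:", host_allowed(parsed), "naive:", naive_host_allowed(parsed))
```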