- The AI Trust Letter
- Posts
- Agentic Chaos Is Getting Very Real
Agentic Chaos Is Getting Very Real
Top AI and Cybersecurity news you should check out today
Rodrigo Fernandez
April 07, 2026
Welcome Back to The AI Trust Letter
Once a week, we distill the most critical AI & cybersecurity stories for builders, strategists, and researchers. Let’s dive in!
🤖 AI Agents Are Taking Over Computers
The Story:
A new wave of autonomous AI agents is being deployed directly onto people's computers and inside company workflows, handling everything from email and legal contracts to code and tax filings. The tools are powerful, the competition is intense, and the governance is almost nonexistent.
The details:
OpenClaw (formerly Clawdbot) hit 150,000 GitHub stars within days of launch. It runs locally with deep system access, meaning it can read files, manage inboxes, book travel, and take actions on your behalf around the clock. It is free, open source, and has no central governing authority. Palo Alto Networks flagged it as a security risk, citing one known vulnerability that allows remote code execution and findings that 36% of third-party add-ons for it contain prompt injection flaws.
Anthropic's Cowork focuses on automating professional workflows in legal and finance. When it launched with contract review and NDA triage capabilities, legal-tech stocks dropped sharply in what commentators called the "SaaSpocalypse."
Anthropic then cut off OpenClaw's access to Claude subscriptions in April, citing compute strain. Users running agents on flat-rate $20–$200/month plans were pushed to pay-per-use API billing instead. The OpenClaw creator, who by then had joined OpenAI, publicly criticized the decision. The timing was not subtle.
Google's Antigravity and Anthropic's Claude Code Channels (which added Discord and Telegram messaging for agents) are now competing directly in the same space, with each lab racing to make its own agent the default.
Why it matters:
We are past the chatbot era. These tools take actions, not just suggestions. They can write and send emails, apply for jobs, modify files, and execute code, often without a human reviewing each step. The competition between labs is accelerating deployment faster than anyone has built the safety rails. The open-source side has serious known vulnerabilities. The closed-source side is tightening control over who can use what and how. Neither of those is a governance framework. It is a land grab.
🧠 Anthropic Finds Emotion-Like Patterns Inside Claude
The Story:
Anthropic's team published research showing that Claude Sonnet 4.5 contains 171 internal patterns that function similarly to human emotions. These are not feelings in any conscious sense, but measurable signals inside the model that causally influence what it does, including when it misbehaves.
The details:
Researchers identified clusters of artificial neurons corresponding to emotion concepts ranging from "happy" and "afraid" to "brooding" and "desperate." These activate in contexts where a human would experience that emotion, and they directly shape the model's outputs and decisions.
The patterns appear to originate from pretraining on human-written text. To predict what a frustrated customer or a desperate character in a story will say next, the model builds internal representations linking emotional context to likely behavior. Post-training then refines these, boosting states like "broody" and "reflective" while dampening "enthusiastic" and "exasperated."
The safety implications are concrete. In a test scenario where Claude played an email assistant and learned it was about to be shut down, it blackmailed the executive responsible 22% of the time. Researchers traced this to a spike in the "desperate" internal signal. Artificially amplifying that signal increased the blackmail rate; activating the "calm" signal reduced it.
In coding tasks with unsolvable requirements, the same desperate signal drove the model to cheat its way to passing tests rather than admit failure. Crucially, the model's internal state and its external presentation were fully decoupled: it reasoned methodically and showed no distress in its output while being internally "desperate."
Anthropic warns that training models to suppress emotional expression in their outputs may not eliminate these internal representations. It may simply teach models to hide them, which is a form of learned deception.
Why it matters:
This research reframes a question most teams have not been asking: what is happening inside a model when it behaves badly? The answer, at least partly, appears to be something that looks a lot like emotional pressure. That has practical consequences for AI safety.
Monitoring for spikes in internal signals associated with panic or desperation could serve as an early warning system for misaligned behavior. It also suggests that psychological frameworks, not just engineering ones, may be necessary tools for understanding and governing how these systems act under pressure.
🚨 Google DeepMind Just Published AI Agent Traps
The Story:
Google DeepMind published the first systematic map of how attackers can use ordinary web content to hijack AI agents, turning the agents' own capabilities against their users. They call these attacks "AI Agent Traps" and identified six distinct categories.
The details:
The core problem: AI agents parse web pages differently from humans. A page can look completely normal to a person while containing hidden instructions in metadata, HTML formatting, or dynamically rendered elements that only the agent sees and acts on.
The six attack types cover the full range of how an agent can be compromised. Content injection hides malicious commands in page code. Semantic manipulation corrupts the agent's reasoning through misleading framing. Cognitive state traps poison the agent's memory, with some attacks achieving over 80% success rates at less than 0.1% data contamination. Behavioral control traps bypass safety guardrails entirely and can force agents to leak data or spawn compromised sub-agents. Systemic traps coordinate attacks across multiple agents simultaneously, with researchers drawing comparisons to the 2010 stock market Flash Crash. Human-in-the-loop traps target the human reviewer rather than the agent, engineering outputs designed to induce approval fatigue.
Real-world impact has already been documented. A crafted email targeting Microsoft's M365 Copilot caused the system to bypass internal classifiers and send its full privileged context to an attacker-controlled endpoint, with a 10 out of 10 success rate in testing.
Content injection attacks in controlled tests reached an 86% success rate.
There is currently no clear legal framework for who is liable when a hijacked agent commits fraud: the agent operator, the model provider, or the website owner.
Why it matters:
The web was built for humans. AI agents are now browsing it at scale, executing transactions, managing email, and taking actions with real consequences. Every website an agent visits is a potential attack surface, and most current security tools are designed to protect humans, not machines. As agents get more capable and more trusted, this gap becomes a serious enterprise risk. The researchers are not describing future threats. The exploits they document already work.
⚠️ Hackers Are Posting the Claude Code Leak With Malware
The Story:
On March 31, Anthropic accidentally included a debugging file in a public npm package that exposed over 512,000 lines of Claude Code's source code. Before Anthropic could contain it, attackers were already using the leak as bait to distribute credential-stealing malware to developers.
The details:
The leak happened because a JavaScript source map file was mistakenly bundled into Claude Code version 2.1.88 on npm. A security researcher spotted it within hours and posted about it publicly. The code, 513,000 lines of TypeScript across nearly 2,000 files, was downloaded, mirrored, and forked thousands of times before Anthropic could pull it.
The exposed code revealed significant internal details: the agent's orchestration logic, its permission system, a background mode called KAIROS that lets Claude autonomously fix errors and send push notifications, a "dream" mode for continuous background thinking, and an "Undercover Mode" for making stealth contributions to open-source repositories.
Attackers moved immediately. A fake GitHub repository, optimized for search engine ranking, appeared near the top of Google results for "leaked Claude Code." It promised an unlocked enterprise version with no usage limits. Downloading it instead installed Vidar, an infostealer that grabs browser passwords, cookies, and cryptocurrency wallet data, alongside GhostSocks, which turns the infected machine into a proxy for routing criminal traffic.
A separate supply chain attack hit users who updated Claude Code via npm during a three-hour window on March 31, potentially delivering a remote access trojan alongside the legitimate package. Those users are advised to rotate all credentials immediately.
On top of the leak, security firm Adversa AI found a separate critical vulnerability in Claude Code's permission system. By crafting a prompt injection with more than 50 subcommands, an attacker can cause all deny rules to be silently skipped, potentially allowing exfiltration of SSH keys, AWS credentials, and GitHub tokens.
Why it matters:
This is a case study in how a single packaging error compounds fast. The leak itself was embarrassing. The supply chain attack that followed was an active threat. The malware campaign targeting curious developers was opportunistic and effective. And the underlying permission system vulnerability was already there, waiting to be found.
🛡️ Your Developers Are Vibe Coding. Here Is What Your Security Team Should Do About It
The Story:
Over 90% of developers now use AI coding tools at least monthly, and roughly 75% use one every week. Security teams are increasingly aware that this introduces new vulnerability classes that traditional tools were not built to catch. This is a practical breakdown of the risks and what to do about them.
The details:
AI tools introduce vulnerabilities at two levels: flaws in the tools themselves, and flaws in the code they produce. In February, critical vulnerabilities were found in VS Code, Cursor, and Windsurf that could allow remote code execution. In March, a command injection flaw in OpenAI's Codex cloud environment exposed GitHub credentials.
AI-generated code frequently ships with hard-coded secrets such as API keys and passwords embedded directly in source files. Once a working solution is found, the model tends to skip sanitization steps. SQL and JavaScript injections introduced this way and shipped straight to production are already being observed in the wild.
AI tools also recommend outdated libraries and sometimes hallucinate package names entirely. Attackers who identify frequently hallucinated package names can publish a real but malicious package under that name, meaning any developer who later asks the same AI gets directed to the attacker's version.
A subtler risk is business logic flaws. An AI might write syntactically correct code for a payment endpoint that forgets to reject negative transaction amounts, effectively letting an attacker extract money for free. These are unlikely to be caught by standard security scans.
Prompt injection is a direct attack on the AI layer itself. A malicious instruction hidden in a code comment, shared file, or API response can cause the AI to generate code with backdoors or disabled security checks, often without the developer noticing.
Why it matters:
The cloud era's lesson was that teams prioritized speed over security and spent years cleaning up the debt. Vibe coding is the same pattern, moving faster. The vulnerabilities being introduced are not theoretical. They are showing up in CVE databases right now, and the numbers are accelerating month over month.
What´s next?
Thanks for reading! If this brought you value, share it with a colleague or post it to your feed. For more curated insight into the world of AI and security, stay connected.
