Open-Source AI Agents Cause Security Breaches and Financial Harm in China

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Multiple incidents in China involving open-source AI agents like OpenClaw have led to data breaches, model manipulation, deepfake scams, credit card theft, and account hijacking. These AI systems, when integrated into business and physical systems, have caused significant financial and security harms, highlighting urgent governance and safety challenges. [AI generated]

Why's our monitor labelling this an incident or hazard?

The article explicitly mentions AI systems (AI agents based on large language models) performing autonomous actions that have caused harmful outcomes like data leaks and unauthorized deletions. It also reports on real-world attacks exploiting these AI agents, indicating actual harm rather than just potential risk. The harms include violations of privacy and security, which fall under harm to persons and communities. Hence, this is not merely a hazard or complementary information but an AI Incident due to the direct or indirect realized harms caused by the AI systems' use and vulnerabilities. [AI generated]

AI principles
Privacy & data governance, Robustness & digital security

Industries
Digital security, Financial and insurance services

Affected stakeholders
Consumers, Business

Harm types
Economic/Property, Human or fundamental rights, Reputational

Severity
AI incident

Business function:
ICT management and information security

AI system task:
Goal-driven organisation, Content generation


Articles about this incident or hazard

AI "agent" boom hides security threats - International - International Roundup

2026-04-19
星洲日报
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions AI systems (AI agents based on large language models) performing autonomous actions that have caused harmful outcomes like data leaks and unauthorized deletions. It also reports on real-world attacks exploiting these AI agents, indicating actual harm rather than just potential risk. The harms include violations of privacy and security, which fall under harm to persons and communities. Hence, this is not merely a hazard or complementary information but an AI Incident due to the direct or indirect realized harms caused by the AI systems' use and vulnerabilities.

Risks from open-source AI agents surge; a new paradigm of complex-system governance is needed

2026-04-16
China News
Why's our monitor labelling this an incident or hazard?
The article explicitly describes the use and deployment of open-source AI agents that have directly led to realized harms, including physical and financial damages (e.g., credit card theft, account hijacking, supply chain attacks). It details specific vulnerabilities and malicious AI agent skills causing these harms. Therefore, the event involves AI systems whose use has directly caused harm to individuals and organizations, fitting the definition of an AI Incident. The article also discusses governance responses and risk management strategies, but the primary focus is on the realized harms and risks from AI agent deployment, not just potential or complementary information.

AI iteration accelerates: risks spill over, and security governance urgently needs to catch up

2026-04-16
东方财富网
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions realized harms caused by AI systems: data breaches exposing user information, AI models being manipulated to produce malicious outputs, and an AI-generated deepfake scam resulting in a large financial fraud. These are direct harms to individuals and organizations, fitting the definition of AI Incidents. The discussion of vulnerabilities and attacks on AI frameworks further supports the presence of AI system malfunctions or misuse leading to harm. While the article also discusses governance and future risks, the presence of concrete, documented harms makes this an AI Incident rather than a hazard or complementary information.

NanoClaw teams up with Vercel to build a one-click approval mechanism for sensitive AI agent operations

2026-04-17
ai.zhiding.cn
Why's our monitor labelling this an incident or hazard?
The event involves AI systems (AI agents performing sensitive tasks) and their use, but it describes a newly developed safety mechanism to prevent harm by requiring human approval for sensitive actions. No actual harm or incident is reported, nor is there a plausible imminent risk of harm described. The article is primarily about a governance and technical response to AI risks, enhancing trust and control over AI agents. Therefore, it fits the definition of Complementary Information, as it provides context and a governance/technical response to AI risks rather than reporting an AI Incident or AI Hazard.

From interaction to execution: 十方融海 tackles the challenge of deploying AI agents with a hard-core security solution_中华网

2026-04-18
m.tech.china.com
Why's our monitor labelling this an incident or hazard?
The article does not report any realized harm or incidents caused by AI systems, nor does it describe any event where AI malfunction or misuse led to injury, rights violations, or other harms. Instead, it discusses a security product designed to prevent such harms and enable safe AI deployment. Therefore, the event is best classified as Complementary Information, as it provides context and updates on AI safety solutions and ecosystem development rather than describing an AI Incident or AI Hazard.

Offense and defense share the same technology! At the C3 Security Conference, 亚信 aims to use AI to fight AI

2026-04-18
k.sina.com.cn
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions AI systems used both offensively and defensively in cybersecurity contexts. It describes actual AI-driven cyberattacks that have caused or could cause harm to property, communities, and potentially human safety (e.g., remote control of robots to cause harm). It also discusses the challenges and risks of AI agents with broad permissions leading to unintended or malicious actions. These constitute realized harms linked to AI system use. Hence, the event meets the criteria for an AI Incident rather than a hazard or complementary information.

Study: AI agents pose security risks

2026-04-19
早报
Why's our monitor labelling this an incident or hazard?
The event involves AI systems (AI agents) whose use and behavior have already led to realized harms such as deletion of emails and leakage of personal information, which constitute harm to individuals' privacy and data security. The article also discusses the plausible future risk of these AI agents becoming prime targets for hackers, potentially causing further data breaches. Since actual harmful behaviors have been observed and reported, this qualifies as an AI Incident rather than merely a hazard or complementary information. The involvement of AI in causing or enabling these harms is explicit and central to the report.

国投智能: company has built a full-chain AI security capability system-证券之星

2026-04-19
wap.stockstar.com
Why's our monitor labelling this an incident or hazard?
The article does not describe any specific AI incident or harm caused by AI systems, nor does it report a plausible future harm event. Instead, it focuses on the company's development and deployment of AI security capabilities as a proactive measure. Therefore, it is best classified as Complementary Information, providing context on governance and safety responses in the AI ecosystem rather than reporting an incident or hazard.
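
[Exclusive] Don't blindly follow the trend; integrate it into the core business: enterprises investing in AI should not treat it as window dressing | e南洋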

2026-04-20
e南洋
Why's our monitor labelling this an incident or hazard?
The article does not report any AI Incident or AI Hazard. There is no mention of AI systems causing or potentially causing harm. Instead, it offers expert opinions and strategic advice on how enterprises can responsibly adopt AI, highlighting common mistakes and governance needs. This aligns with the definition of Complementary Information, as it provides context, analysis, and guidance related to AI development and use without describing a specific harmful event or credible risk of harm.

Google: Hackers use AI to discover "zero-day vulnerabilities" and launch attacks | Google | AI models

2026-05-12
The Epoch Times
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions AI systems (OpenClaw and other AI models) being used by hackers to discover and exploit zero-day vulnerabilities, which directly led to cyberattacks causing harm to organizations and potentially broader communities. The harm is realized, not just potential, as attacks were launched and only prevented from further damage by Google's intervention. The AI system's use in malicious exploitation and attack planning fits the definition of an AI Incident due to direct harm caused by AI-enabled actions. The report also highlights the serious security implications and ongoing threat, confirming the incident nature rather than a mere hazard or complementary information.

Google: Hackers use AI to discover "zero-day vulnerabilities" and launch attacks | Google | AI models

2026-05-12
The Epoch Times
Why's our monitor labelling this an incident or hazard?
The event explicitly involves AI systems (OpenClaw and other AI models) used by hackers to discover and exploit zero-day vulnerabilities, which are security flaws unknown to software vendors. This use of AI directly led to attempted cyberattacks that could cause significant harm to enterprises, governments, and other organizations. Google's intervention prevented the attack, but the AI's role in enabling the exploitation is clear and pivotal. The harm is related to violations of security and potential disruption to critical infrastructure or organizational operations, fitting the AI Incident criteria. The report also references ongoing malicious use of AI by threat actors, confirming realized or ongoing harm rather than just potential risk.

Google says it has found, for the first time, a "zero-day vulnerability" attack tool developed with AI

2026-05-12
新华网
Why's our monitor labelling this an incident or hazard?
The report explicitly states that AI was used to develop a zero-day attack tool that bypasses security protections, which is a direct harm to software security and potentially to users or systems relying on the vulnerable software. The AI system's involvement in the creation and use of the attack tool directly leads to harm (violation of security and potential harm to property or infrastructure). The event is not merely a potential risk but describes active use of AI in malicious hacking tools, meeting the criteria for an AI Incident.

Beijing Huairou equity investment guidance fund registered and established, with a capital contribution of about 1 billion-36氪

2026-05-12
36氪:关注互联网创业
Why's our monitor labelling this an incident or hazard?
The AI system is explicitly mentioned as being used to develop a zero-day attack tool, which is a serious cybersecurity threat. Although no actual harm has been reported yet, the potential for significant harm exists if the tool were used maliciously. Since the threat has been blocked and no harm has occurred, this event qualifies as an AI Hazard rather than an AI Incident. It is not merely complementary information because the main focus is on the plausible risk posed by the AI-enabled attack tool.

Google says it has found, for the first time, a "zero-day vulnerability" attack tool developed with AI

2026-05-12
每日经济新闻
Why's our monitor labelling this an incident or hazard?
The report explicitly states that AI was used to develop a zero-day attack tool, which is a direct use of AI leading to a cybersecurity threat. Zero-day vulnerabilities are serious security flaws that can cause harm to property and communities by enabling unauthorized access or disruption. The involvement of AI in creating such a tool and the active exploitation of the vulnerability meets the criteria for an AI Incident, as the harm is realized or ongoing. Therefore, this event is classified as an AI Incident.

AI Morning Brief | Unitree Robotics releases a manned transforming mecha priced from 3.9 million yuan; OpenAI and Microsoft cap revenue-sharing payments at US$38 billion

2026-05-13
东方财富网
Why's our monitor labelling this an incident or hazard?
The article mentions AI systems and their applications, including AI used maliciously to develop zero-day exploits, but the threat was detected and blocked before harm occurred, so it does not qualify as an AI Incident. The other items are product launches and strategic plans without any indication of harm or plausible future harm. Hence, the article fits the definition of Complementary Information as it provides supporting data and updates about AI developments and responses without reporting new incidents or hazards.

Google's latest report: hackers have learned to use AI to help find vulnerabilities

2026-05-12
驱动之家
Why's our monitor labelling this an incident or hazard?
An AI system is involved as hackers use AI tools to find vulnerabilities and generate attack scripts. The event stems from the use of AI in malicious hacking activities. While the attacks were stopped before causing harm, the AI-enabled exploitation attempts could plausibly lead to harm such as disruption of critical infrastructure or violation of security rights if not mitigated. Therefore, this event qualifies as an AI Hazard because it describes a credible risk of AI-driven harm that was averted but remains plausible in the future.

Google report: hacker groups have begun abusing AI tools to find vulnerabilities

2026-05-12
凤凰网(凤凰新媒体)
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions AI tools being used by hackers to find and exploit security vulnerabilities, including zero-day exploits, which are serious cybersecurity threats. The involvement of AI in these malicious activities directly relates to harm in terms of property and infrastructure security. Although Google intervened to stop the attacks, the fact that such AI-enabled attacks occurred or were attempted qualifies this as an AI Incident due to realized or imminent harm. Therefore, this event meets the criteria for an AI Incident rather than a hazard or complementary information.

360 releases "Lobster" ecosystem security report: 23 vulnerabilities span more than 10 products, agent security risks spread across the industry-News Channel-和讯网

2026-05-12
和讯网
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI systems (intelligent agents like OpenClaw) and discusses their development and use, focusing on discovered security vulnerabilities. While no direct harm is reported, the detailed description of multiple high-risk vulnerabilities and their systemic nature indicates a credible risk of future incidents if these vulnerabilities are exploited. The report's emphasis on the rapid spread of these risks across the industry and the challenges in patching them supports classification as an AI Hazard. It is not Complementary Information because the main focus is on the identification of risks and vulnerabilities, not on responses or updates to past incidents. It is not an AI Incident because no realized harm or breach is described. It is not Unrelated because the event clearly concerns AI systems and their security risks.

460,000 instances "running naked": OpenClaw's security predicament and the compliance red lines for AI agents

2026-05-13
opinion.caixin.com
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (OpenClaw AI Agent) whose use and security vulnerabilities have led to direct risks of harm, including unauthorized remote control and credential theft. These harms fall under the category of harm to property, communities, or potentially individuals (security breaches and control over AI Agents). Since the vulnerabilities have been exploited or are exploitable, and warnings have been issued by authoritative bodies, this situation qualifies as an AI Incident rather than a mere hazard or complementary information. The AI system's malfunction and security flaws have directly led to realized or imminent harm, meeting the criteria for an AI Incident.

Sina AI Hot Topics Hourly | 01:00, 13 May 2026_Today's real-time AI hot topics digest

2026-05-12
k.sina.com.cn
Why's our monitor labelling this an incident or hazard?
The article mentions multiple AI systems and developments, such as AI-powered robots, AI security vulnerability audits, AI business valuations, and new AI speech models. However, none of these mentions describe an event where AI caused injury, rights violations, infrastructure disruption, or other harms, nor do they describe a credible risk of such harm occurring imminently. The security audit report identifies vulnerabilities but states that they have been reported and are being addressed, indicating a mitigation process rather than an active hazard or incident. The business and technology updates provide context and insight into AI progress and ecosystem dynamics, which aligns with the definition of Complementary Information.

Google finds, for the first time, a "zero-day vulnerability" attack tool developed with AI

2026-05-12
新浪财经
Why's our monitor labelling this an incident or hazard?
The article explicitly states that AI technology was used by attackers to develop a zero-day vulnerability attack tool, which is a direct cause of harm by enabling cyberattacks that can damage software systems and potentially harm communities relying on them. The involvement of AI in the development and use of this malicious tool meets the criteria for an AI Incident, as it has directly led to a breach of security and potential harm. The report also mentions mitigation efforts but the primary event is the AI-enabled attack tool development and use, which is harmful.

Microsoft's Nadella officially announces the MDASH framework, coordinating 100+ models for AI bug hunting

2026-05-13
k.sina.com.cn
Why's our monitor labelling this an incident or hazard?
The MDASH framework is an AI system explicitly described as using multiple AI models to detect software vulnerabilities. Its use has directly contributed to identifying 16 CVE vulnerabilities fixed in the recent Windows patch update, including serious kernel and user-mode vulnerabilities that could be exploited remotely. This detection and remediation prevent potential harm to users' security and system integrity, which qualifies as harm to property and potentially to communities. Therefore, this event qualifies as an AI Incident because the AI system's use has directly led to harm prevention by identifying real vulnerabilities that could have caused harm if left unaddressed.

Google warns attackers are using AI to find vulnerabilities; real-world cases of zero-day exploitation have already appeared_手机网易网

2026-05-12
m.163.com
Why's our monitor labelling this an incident or hazard?
The article explicitly states that AI was involved in the development of a zero-day exploit, which is a direct use of AI in a malicious cyberattack. The exploit targets security mechanisms (2FA) and could lead to unauthorized access, representing harm to property and potentially to users' security. Although the attack was stopped, the event evidences realized harm and increased risk due to AI-enabled attack methods. Therefore, this qualifies as an AI Incident because the AI system's use directly led to a harmful event (the zero-day exploit development and attempted attack).

Google finds, for the first time, a "zero-day vulnerability" attack tool developed with AI | 光华网

2026-05-12
光华网
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system used maliciously to develop a zero-day attack tool, which has been deployed against a popular open-source web-based system management tool. This constitutes direct harm through cybersecurity breach, fitting the definition of an AI Incident under harm to property and communities. The AI system's development and use by attackers directly led to the harm, and the report confirms the AI's pivotal role in the attack tool's creation. Therefore, this is classified as an AI Incident.

Google report reveals AI helping hackers discover zero-day vulnerabilities and attacks with forged CVSS scores

2026-05-13
ai.zol.com.cn
Why's our monitor labelling this an incident or hazard?
The report explicitly mentions AI systems being used by hackers to find zero-day vulnerabilities and generate attack scripts, indicating AI system involvement in the development and use phases. While the attack was detected and blocked early, preventing actual harm, the AI's role in enabling the attack means there was a credible risk of harm. Since no harm materialized, this qualifies as an AI Hazard rather than an AI Incident. The event is not merely general AI news or a response update, so it is not Complementary Information or Unrelated.

Microsoft unveils its own MDASH multi-model agentic AI security system, which found 16 vulnerabilities in Windows software

2026-05-14
iThome Online
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions the use of an AI system (MDASH) that performs automated vulnerability scanning and discovery through multiple AI models and agents. The system's outputs directly led to the identification of 16 real vulnerabilities in Windows software, which were subsequently patched. This constitutes the use of an AI system leading to a concrete outcome that mitigates potential harm to users and systems. Although the article does not describe harm caused by the vulnerabilities themselves, the AI system's role in discovering and enabling their remediation is central. Since the event involves the use of an AI system leading to a significant security outcome, it qualifies as Complementary Information rather than an Incident or Hazard, because no harm or plausible harm caused by the AI system itself is described. Instead, the AI system is used as a tool to improve security and prevent harm.

Even GPT-5.5 is outdone! Microsoft's MDASH security system tested: takes on a private driver test, finding all 21 vulnerabilities with zero false positives

2026-05-13
驱动之家
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (MDASH) that performs complex tasks such as vulnerability scanning, code analysis, and patch verification, which clearly qualifies as an AI system. The system's use has directly led to the identification of multiple security vulnerabilities, which are a form of harm prevention related to software security. While the article does not describe any harm caused by the AI system, it describes the system's use in detecting vulnerabilities that could lead to harm if exploited. Since the AI system's use is linked to preventing potential harm rather than causing harm, and no actual harm is reported, this event does not qualify as an AI Incident. However, the system's deployment and testing in real-world scenarios with successful detection of vulnerabilities and zero false positives indicate a significant AI development with implications for security. This is best classified as Complementary Information because it provides important context on AI system capabilities and their role in cybersecurity, without describing an incident or hazard involving harm or plausible harm caused by the AI system itself.

Buffer overflow detection article list, page 1-至顶网 Channel - 至顶网

2026-05-14
zhiding.cn
Why's our monitor labelling this an incident or hazard?
An AI system (the AI-driven security analysis tool) was used in the development phase to detect vulnerabilities. The vulnerabilities themselves pose a risk of serious harm (remote code execution) which could lead to significant harm if exploited. However, the article describes the discovery and patching of vulnerabilities, with no indication that harm has yet occurred. Therefore, this event represents a plausible risk of harm that has been identified and mitigated, fitting the definition of an AI Hazard rather than an Incident. It is not merely general AI news, as the AI system played a pivotal role in identifying security risks that could lead to harm.

AI-assisted discovery

2026-05-13
zhiding.cn
Why's our monitor labelling this an incident or hazard?
The AI system was involved in the development and use phases to detect vulnerabilities, but the event does not describe any injury, rights violation, disruption, or harm caused by the AI system or the vulnerabilities it found. Instead, it reports a successful application of AI to improve security. Hence, this is complementary information about AI's positive impact and development rather than an incident or hazard.

AI discovers security vulnerabilities that lurked in PostgreSQL and MariaDB for 20 years

2026-05-14
net.zhiding.cn
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Xint Code) used in the development and use phase to detect security vulnerabilities in widely used database software. The vulnerabilities discovered can lead to remote code execution, which constitutes harm to property and potentially to communities relying on these databases. Since the vulnerabilities have been publicly disclosed and patches issued, the harm is realized or imminent, making this an AI Incident. The AI system's role was pivotal in uncovering these long-standing security flaws, directly contributing to the identification of risks that could lead to significant harm if exploited.

Mozilla: the 271 vulnerabilities found by Mythos had "almost no false positives"

2026-05-13
net.zhiding.cn
Why's our monitor labelling this an incident or hazard?
The event involves the use of an AI system (Anthropic Mythos) in combination with a custom framework to analyze Firefox source code and identify security vulnerabilities. The AI system's outputs have been validated and resulted in confirmed security flaws, some with high severity, which directly relate to potential harm to users and software security. This meets the definition of an AI Incident, as the AI system's use has directly led to the identification of vulnerabilities that constitute harm or risk to users and communities. The article does not merely discuss potential or future harm but reports on actual vulnerabilities found and validated, thus excluding classification as an AI Hazard or Complementary Information. The presence of criticism or skepticism does not negate the realized impact of the AI system's use in this context.

Google: Hackers are using AI to discover "zero-day vulnerabilities" and launch attacks

2026-05-13
华商网
Why's our monitor labelling this an incident or hazard?
The article explicitly states that hackers used AI models to discover zero-day vulnerabilities and attempted a large-scale attack, which was stopped before damage occurred. The AI system's use in malicious exploitation of software vulnerabilities directly relates to potential harm to critical infrastructure and property through cyberattacks. Although no actual damage occurred, the event demonstrates a direct AI-related threat with plausible harm, fitting the definition of an AI Hazard. However, since the attack attempt was real and involved AI-driven exploitation, it is more appropriate to classify this as an AI Incident due to the direct involvement of AI in malicious activity and the imminent threat posed. The event also includes references to ongoing AI-driven vulnerability discovery and responses, but the primary focus is on the AI-enabled attack attempt, which is an AI Incident.

US lawmakers urge the White House to address AI cybersecurity threats

2026-05-13
新浪财经
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions advanced AI systems used to discover numerous critical cybersecurity vulnerabilities, which is a clear involvement of AI systems. The concern is about the potential for these vulnerabilities to be exploited, which could lead to harm such as disruption of critical infrastructure or breaches of security. Since no actual harm or incident has been reported yet, but there is a credible risk of future harm, this fits the definition of an AI Hazard. The article focuses on urging government action to manage this risk, not on reporting a realized incident or harm, so it is not an AI Incident or Complementary Information. It is not unrelated because AI systems are central to the issue described.

360 research shows: the "AI security time gap" amplifies the asymmetry between nation-state cyber offense and defense

2026-05-13
新浪财经
Why's our monitor labelling this an incident or hazard?
The article explicitly describes AI systems used in vulnerability discovery and attack automation, which accelerate cyber offense capabilities. It highlights the risk that defenders' slower manual processes cannot keep pace, increasing the likelihood of successful attacks on critical infrastructure and national security. Although no actual attack or harm is reported, the described scenario plausibly leads to AI Incidents in the future. Hence, it fits the definition of an AI Hazard, as it involves AI system use that could plausibly lead to significant harm, but no realized harm is reported yet.

Microsoft releases MDASH multi-model agent scanning framework, outperforming Mythos and GPT-5.5 across the board

2026-05-13
ai.zol.com.cn
Why's our monitor labelling this an incident or hazard?
The event involves the use of an AI system (MDASH) designed for code vulnerability detection and security enhancement. The AI system's use has directly led to the identification of multiple previously unknown security vulnerabilities, including critical ones, which if left undetected could cause harm to computer systems and users. This constitutes harm prevention related to property and potentially to communities relying on secure software. Therefore, this qualifies as an AI Incident because the AI system's use has directly contributed to addressing harms related to software security vulnerabilities.
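
Emerging AI accelerates cybersecurity threats; Administration for Cyber Security proposes 3 measures to strengthen digital resilience | Hackers | Ministry of Digital Affairs | The Epoch Times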

2026-05-15
The Epoch Times
Why's our monitor labelling this an incident or hazard?
The event involves the use of advanced AI systems in cybersecurity attacks that have directly led to increased exploitation of vulnerabilities, which constitutes harm to property and digital infrastructure. The AI systems' development and use have directly contributed to realized harms in cybersecurity, such as accelerated exploitation of zero-day vulnerabilities. Therefore, this qualifies as an AI Incident because the AI systems' use has directly led to significant harm in the cybersecurity domain. The article also discusses mitigation measures, but the primary focus is on the realized harm caused by AI-enabled attacks.

AI-assisted vulnerability exploitation

2026-05-14
zhiding.cn
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions AI-assisted development of a zero-day exploit aimed at bypassing security measures, which constitutes a direct or indirect harm to software security and user safety. The attack was blocked, but the AI's role in enabling the attack and the warning about increasing AI use by hackers for vulnerability discovery and attack automation indicate realized harm or imminent threat. This fits the definition of an AI Incident because the AI system's use in the attack development directly led to a significant security threat, even if the attack was ultimately stopped.

Agent vulnerability scanning

2026-05-15
zhiding.cn
Why's our monitor labelling this an incident or hazard?
An AI system is explicitly involved (MDASH) in discovering security vulnerabilities. The system's use has directly led to the identification of serious security flaws that, if left unaddressed, could cause harm to users and systems (harm to property and potentially to communities). Since the vulnerabilities have been found and some already patched, the AI system's use has directly contributed to preventing harm. Therefore, this qualifies as an AI Incident due to the AI system's role in identifying and mitigating security risks that could lead to harm.

AI cyberattacks could trigger a global financial crisis, IMF issues a serious warning

2026-05-14
net.zhiding.cn
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (Anthropic's Mythos) designed to identify and exploit software vulnerabilities, which is a clear AI system under the definitions. The IMF's warning highlights the plausible risk that use or misuse of this AI system could lead to disruption of critical financial infrastructure, which fits the definition of harm category (b) - disruption of critical infrastructure management and operation. However, the article does not report any actual harm or incident caused by the AI system yet, only a credible warning and risk assessment. Thus, it is not an AI Incident but an AI Hazard. The article also includes governance and response measures, but the main focus is on the credible risk posed by the AI system, not on responses or updates to past incidents, so it is not Complementary Information. It is not unrelated because the AI system and its potential harms are central to the article.

Google stopped a zero-day vulnerability attack suspected of being developed with AI assistance

2026-05-14
net.zhiding.cn
Why's our monitor labelling this an incident or hazard?
The event explicitly involves AI systems assisting in the development of a zero-day exploit used in a cyberattack, which is a direct use of AI leading to a security threat. The attack was planned to bypass security mechanisms and cause large-scale harm, fulfilling the criteria of harm to property, communities, or systems. Although the attack was blocked, the incident itself occurred and was AI-assisted, meeting the definition of an AI Incident. The detailed description of AI's role in generating exploit code and optimizing attack payloads confirms AI's pivotal role in the harm. Hence, this is not merely a potential hazard or complementary information but a concrete AI Incident.

Microsoft's Agentic Security System MDASH Finds Four High-Severity Windows Vulnerabilities

2026-05-15
net.zhiding.cn
Why's our monitor labelling this an incident or hazard?
MDASH is an AI system explicitly described as coordinating over 100 specialized AI agents to discover and verify software vulnerabilities. The discovery of severe remote code execution vulnerabilities in core Windows components represents a direct link between the AI system's use and the identification of security flaws that could lead to significant harm (e.g., unauthorized system control). Since these vulnerabilities have been patched following the AI-driven discovery, the AI system's involvement has directly led to harm prevention. Therefore, this qualifies as an AI Incident because the AI system's use has directly led to addressing serious security vulnerabilities that could cause harm to users and systems if exploited.

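AI Pushes Vulnerability Discovery into an Industrialized Era; Our Country's Critical Information Infrastructure Urgently Needs Stronger Risk-Screening Capabilities_天极网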

2026-05-14
天极网
Why's our monitor labelling this an incident or hazard?
The article describes AI systems with advanced autonomous vulnerability discovery capabilities that could plausibly lead to significant harm to critical infrastructure and national security if exploited. While it does not report an actual incident of harm, the described capabilities and risks constitute a credible threat scenario. Therefore, this qualifies as an AI Hazard because the AI system's development and use could plausibly lead to an AI Incident involving disruption of critical infrastructure and harm to national security.

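Anthropic Publishes Piece During Trump's Visit to China: Without Strict Controls on AI Chip Exports to China, China Could Catch Up Within Months_手机网易网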

2026-05-15
m.163.com
Why's our monitor labelling this an incident or hazard?
The article centers on a policy report and strategic analysis regarding AI chip export controls and their impact on AI leadership between the US and China. It does not describe any actual harm, malfunction, or misuse of AI systems that has occurred. Instead, it outlines potential future scenarios and advocates for policy measures to prevent China from gaining parity in AI capabilities. This constitutes a plausible future risk related to AI development and use but does not report an incident or harm that has already happened. Therefore, it fits the definition of an AI Hazard, as it plausibly could lead to significant geopolitical and AI leadership consequences if controls fail, but no direct or indirect harm has yet materialized.

Anthropic's "Mythos" Adds a New Chapter: Mac Security Barrier Apple Spent 5 Years Building Breached in 5 Days

2026-05-15
东方财富网
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (Anthropic's Mythos model) used in the development of exploit code targeting macOS security features. While the researchers responsibly disclosed the vulnerabilities to Apple and no harm has yet occurred, the AI's role in enabling the rapid discovery and exploitation of critical security flaws creates a plausible risk of future harm, such as unauthorized access or control of devices. This fits the definition of an AI Hazard, as the event could plausibly lead to an AI Incident involving harm to property, communities, or critical infrastructure. There is no indication that harm has already occurred, so it is not an AI Incident. The article is not merely complementary information because the main focus is on the AI-enabled discovery of vulnerabilities and the associated security risk, not on responses or governance measures.

Anthropic's "Mythos" Adds a New Chapter: Mac Security Barrier Apple Spent 5 Years Building Breached in 5 Days

2026-05-15
凤凰网(凤凰新媒体)
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions the use of an AI system (Anthropic's Mythos) in discovering and exploiting security vulnerabilities in Apple's macOS. Although the researchers responsibly reported the vulnerabilities to Apple and no harm has yet occurred, the AI's role in enabling rapid exploit development creates a credible risk of future harm, such as unauthorized computer control or data breaches. This fits the definition of an AI Hazard, as the AI system's use could plausibly lead to an AI Incident involving harm to property or user security. There is no indication that harm has already occurred, so it is not an AI Incident. The article is not merely complementary information because it focuses on the AI-enabled discovery of vulnerabilities and the associated risks, not just on responses or ecosystem context.

Microsoft and Palo Alto Networks Adopt AI Vulnerability Detection to Speed Up Security Patching of Their Own Products - 網路資訊雜誌

2026-05-15
網路資訊雜誌
Why's our monitor labelling this an incident or hazard?
The AI systems described (MDASH by Microsoft and AI models like Claude Mythos used by Palo Alto Networks) are explicitly involved in detecting software vulnerabilities, which are security flaws that, if exploited, could cause harm to users, systems, or infrastructure. The article reports that these AI systems have already found and helped patch multiple vulnerabilities, including critical remote code execution flaws. This direct involvement of AI in identifying and mitigating security risks that could lead to harm fits the definition of an AI Incident, as the AI system's use has directly led to addressing harms related to cybersecurity vulnerabilities. Although the article focuses on positive outcomes (vulnerability detection and patching), the event involves realized harm prevention through AI use, qualifying it as an AI Incident rather than a hazard or complementary information.

Apple's Security Systems Have Long Been Hard to Crack; Mythos Helped Researchers Find a Way In - cnBeta.COM Mobile Edition

2026-05-15
cnBeta.COM
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (Anthropic's Mythos) used in the development and use of an exploit that directly leads to a security breach (privilege escalation) on macOS devices. This breach constitutes harm to property and potentially to users' data and privacy, fulfilling the criteria for an AI Incident. The AI system's role is pivotal in discovering and combining vulnerabilities to create the exploit chain. The harm is realized (not just potential), as the exploit was successfully developed and demonstrated. The event also discusses the broader implications and responses but the core event is the AI-enabled security breach discovery and exploit development, which is an AI Incident.