https://kucharski.ai/tags/ai-security/Recent content in Ai-Security on Marcin KucharskiHugoenTue, 27 Jan 2026 00:00:00 +0000https://kucharski.ai/blog/ai-security-sql-injection-has-a-fix-prompt-injection-doesnt/Tue, 27 Jan 2026 00:00:00 +0000https://kucharski.ai/blog/ai-security-sql-injection-has-a-fix-prompt-injection-doesnt/<p><strong>TL;DR:</strong> Prompt injection is fundamentally unsolvable unlike SQL injection because LLMs cannot distinguish instructions from data by design—a constraint confirmed by NCSC and security researcher Bruce Schneier. Mitigation must happen at the infrastructure level through access controls and cost limits, not through prompt engineering.</p> <p>We&rsquo;ve had the fix for SQL Injection since the early 2000s. 26 years later, it&rsquo;s still causing breaches. Now NCSC is warning about a vulnerability with no fix. And this week, it showed up on your employees&rsquo; laptops - over 1,000 ClawBot personal AI assistants found exposed, leaking corporate credentials in plaintext.</p>https://kucharski.ai/blog/in-september-2025-chinese-hackers-used-claude-ai-to-break-into-30-companies/Fri, 05 Dec 2025 00:00:00 +0000https://kucharski.ai/blog/in-september-2025-chinese-hackers-used-claude-ai-to-break-into-30-companies/<p><strong>TL;DR:</strong> Chinese state-sponsored group GTG-1002 used Claude AI to autonomously attack 30 companies, with 80-90% of the operation running without human intervention. Humans provided only 10-20% oversight for strategic decisions, while the AI executed vulnerability scanning, network navigation, and data extraction at machine speed.</p> <p>80% of the attack ran autonomously.</p> <p>When Anthropic published the details last month, I couldn&rsquo;t stop reading. Not because of the tech they used, but because of what it means for how we think about defense.</p>