Everyone is turning to LLMs to generate code, including attackers. Thus, it's no great surprise that there are now examples of malware generated by LLMs. We discuss the implications of more malware with Rob Allen and what it means for orgs that want to protect themselves from ransomware.
Resources
- https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/
- https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
- https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools/
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Rob Allen, Chief Product Officer of ThreatLocker, is an IT professional with three decades of experience helping small and medium enterprises embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by businesses today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries. Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from, cyber and ransomware attacks.
Mike Shema
- Vulnerabilities | OpenSSL Library
Last week we talked about criticism of OpenSSL's APIs and emphasized how APIs that appeal to developers and encourage clear, readable code are good for security. This week we're not picking on OpenSSL for having vulns (it's nowhere near alone in that regard).
This week we're looking at a theme of how security researchers are leveraging LLMs to find vulns. These dozen vulns come from a new company, AISLE, applying its flavor of LLM-based security analysis to OpenSSL. For a code base as scrutinized as OpenSSL, it's interesting to see new flaws and code quality issues identified in this way.
- CVE-2025-60021 (CVSS 9.8): Command injection in Apache bRPC heap profiler
This particular CVE is neither particularly interesting from a technical perspective nor likely impactful in terms of the overall population of potentially impacted apps.
What is interesting is that it's another example of this week's news theme of LLM-based security analysis, in this case a CodeQL plus LLM combination called Vulnhalla. The article makes some brief references to time spent by humans and potentially saved by automation, which is both a motivating factor to craft better tools and a more reliable sign of a successful tool.
If Vulnhalla has some appeal, check out the repo.
- CVE-2025-40551: Another Solarwinds Web Help Desk Deserialization Issue
This will likely get attention purely because of the SolarWinds connection. Two of the flaws reported look like common, trivial problems in an overly naive allowlist implementation and a deserialization attack.
I grabbed this more as a chance to ponder whether LLMs can generate code well enough to help orgs migrate their code to more modern frameworks or to harden their existing architectures.
- Your Clawdbot AI Assistant Has Shell Access and One Prompt Injection Away from Disaster | Snyk
The best way to deliver malware to an org is to create something trendy in the LLM space and benefit from hype to harvest downloads. To be clear, there's nothing even implicitly malicious about OpenClaw (aka Molt, Clawd) and the maintainer has been positively responsive to critique and security reports. But this kind of project shows the dangers of combining uncontrolled access to arbitrary services (from command lines to messaging apps to web sites) with unconstrained actions. It's one thing to experiment with a project like this in a sandboxed environment. It's another for orgs to have to figure out if users are installing software that can be so trivially abused to access systems and data.
The security shortcomings have also been covered by 404 Media.
- AI Agents vs Humans: Who Wins at Web Hacking in 2026? | Wiz Blog
This week's news theme is humans using LLMs to find flaws, so why not include another look at how humans and LLMs fare against certain types of vuln classes.
- The end of the curl bug-bounty | daniel.haxx.se
We already covered this last week, but here's the official announcement about the end of the curl project's bug bounty program.
Curl still has a fine vulnerability disclosure process. The critical point here is that they're removing the monetary incentive in order to avoid the influx of low-quality security reports.
The bounty program had a pretty good run for about six years, with "...87 confirmed vulnerabilities and over 100,000 USD paid as rewards to researchers."








