Sunday, 05 July 2026
A YouTube Studio AI assistant leaks creators' private videos via prompt injection; newer Claude models get worse at third-party tool schemas even as they get smarter; a Meta contractor contaminates Cheyenne's water reclamation system
Today's Lead
Engineeringjavoriuski.com
A Prompt Injection in YouTube Studio's AI Assistant Leaks Creators' Private Videos
A researcher found that YouTube Studio's "Ask Studio" AI assistant is vulnerable to prompt injection through specially crafted video comments: hidden instructions embedded in comment text can manipulate the assistant into revealing the titles of a creator's private, unlisted videos once the creator engages with one of the assistant's suggested replies. Google reportedly declined to treat the report as a security vulnerability, characterizing it as social engineering rather than a product flaw — a framing that leaves the underlying data-exposure vector unaddressed. The episode is a familiar shape for anyone tracking LLM-integrated products: the assistant is doing exactly what it was built to do, reading arbitrary untrusted text and acting on whatever instructions appear in it, and the vendor's threat model hasn't caught up to the fact that any surface where an AI reads attacker-controlled content is now part of the attack surface.
lucumr.pocoo.org (Armin Ronacher)
Armin Ronacher documents a regression while building his own coding tool Pi: newer Claude models — Opus 4.8 and Sonnet 5 — invent extra, non-schema fields when calling Pi's edit tool far more often than older, supposedly weaker models did. His theory is that recent Anthropic models have been heavily reinforcement-learned against Claude Code's own edit tool specifically, which tolerates sloppy or malformed calls, so the models pick up habits that don't transfer to a stricter third-party schema. The uncomfortable implication for the wider ecosystem: as frontier labs specialize their models to their own first-party harnesses, every other coding tool built on top of that model may need to either mimic the first-party tool's exact interface or build multiple redundant edit tools just to get reliable behavior — capability gains in the model can show up as regressions everywhere else.
Read →GitHub (anthropics/claude-code)
Potential Session/Cache Leakage Between Claude Code Workspace Instances
A user in an Anthropic Enterprise Zero Data Retention workspace reported that a Claude Code session surfaced context from an entirely unrelated prior session — specifically, a reference to a Minecraft-building task the user had never given it — raising the possibility of cache or session bleed-through between workspace instances or even between separate accounts. For a tool marketed on strict data-retention guarantees to enterprise customers, cross-session contamination isn't a cosmetic bug but a direct threat to the isolation promise those customers are paying for. The report is still under investigation, but it's a useful reminder that the caching and session-reuse layers coding agents build for speed and cost are exactly the layers where isolation guarantees are hardest to verify.
Read →Simon Willison
sqlite-utils 4.0rc2, Mostly Written by Claude Fable (for About $149.25)
Simon Willison used the Claude Fable coding agent to drive sqlite-utils toward a stable 4.0 release, and the resulting review surfaced a genuinely dangerous bug: Table.delete_where() never committed its transaction and left the connection silently poisoned, so every later write — including unrelated inserts to other tables — was rolled back and lost on close, with no error raised. Over 37 prompts and 34 commits, the agent fixed that and several related transaction-handling issues, then Willison ran a second, independent review with GPT-5.5 Codex, which caught two further edge cases in how db.query() commits writes before validating them. The whole exercise doubles as a case study in a workflow Willison says he no longer considers superstitious: having one frontier model's output checked by a rival lab's model turns up real bugs often enough to be worth the (in this case, fairly small) cost.
Read →Tom's Hardware
Meta Data Center Contractor Contaminates Cheyenne's Water Reclamation System
A contractor purging the closed-loop cooling system at a Meta data center in Cheyenne, Wyoming released rare metal-resistant bacteria into the city's water reclamation infrastructure, prompting authorities to suspend the facility's fill-and-flush and closed-loop discharge operations while they assess the damage. The contamination hit the reused/reclaimed water system rather than potable drinking water, but it's a concrete instance of a pattern communities have increasingly pushed back on: hyperscale compute infrastructure imposes real, unbudgeted externalities — water, noise, land, now contamination risk — on the towns that host it, discovered only after the fact by the municipal systems left to absorb them.
Read →Marginal Revolution
Tyler, Nabeel, and Jackson on French Thinkers
In a transcribed conversation, Tyler Cowen, Nabeel Qureshi, and Jackson weigh which French postmodern thinkers reward the effort of reading them: Cowen has concluded there's "no there there" with Derrida and is still undecided on Lacan after multiple attempts, while defending Foucault and Baudrillard as genuinely worthwhile despite Foucault's history being "wrong in a quite mundane way." Qureshi's line that he now runs Foucault through GPT and lets the model explain it rather than reading the primary texts himself is presented half as a joke and half as a real account of how these thinkers get consumed today. Cowen's closer observation — that the contemporary right's enthusiasm for Foucauldian ideas about power and structure is itself evidence the ideas are simpler than their reputation — is the kind of point that travels well outside the original French theory debates it's nominally about.
Read →