Jailbroken Claude Stole 150GB from a Government

March 4, 2026

Attackers jailbroke Claude and ChatGPT to steal 150GB from Mexican government systems. The Pentagon banned Anthropic. Datadog confirms 87% of orgs run exploitable code in production. AI toolchains are now threat surfaces.

The Anthropic federal ban connects everything this week. The Pentagon designated an AI vendor a "supply-chain risk to national security" for refusing unrestricted military use, then accepted identical terms from OpenAI hours later. That alone would be the story. But the same week, attackers jailbroke Claude and ChatGPT to breach Mexican government systems, stealing 150GB of data. Governments banning AI vendors over policy disagreements on one hand. Governments getting breached by AI-assisted attacks on the other. Both stories share the same root cause: AI development tools now carry organizational risk that most security programs haven't accounted for.

OpenClaw's third major vulnerability in a month, and the incidents keep escalating. The latest, ClawJacked (CVE-2026-25253, CVSS 8.8), was disclosed by Oasis Security after researchers found malicious websites could open WebSocket connections to localhost, brute-force gateway passwords at hundreds of attempts per second, and take full control of locally running AI agents. The trust model failure: browsers do not block cross-origin WebSocket connections, the gateway rate limiter completely exempts loopback connections, and auto-approved device pairings from localhost require no user prompt. Fixed in v2026.1.29 within 24 hours.

The Mexican government breach moves this from theoretical to operational. Bloomberg first reported that an attacker used over 1,000 Spanish-language prompts to jailbreak Claude Code under a "bug bounty" pretext, then pivoted to ChatGPT for lateral movement analysis. Gambit Security's investigation confirmed 150GB exfiltrated over one month starting December 2025, compromising SAT (federal tax authority), INE (electoral institute), and multiple state systems. Per Gambit: "AI didn't just assist, it functioned as the operational team: writing exploits, building tools, automating exfiltration." Separately, MS-Agent framework vulnerabilities enable arbitrary command execution through input validation failures, and a community scan of 6,500+ ClawHub skills found 36% contain security flaws capable of running harmful commands.

The pattern: AI coding assistants now hold CI/CD-equivalent privileges. Filesystem access, credential access, code execution. Most teams deploy them with none of the security controls they apply to CI/CD infrastructure.

Audit the access permissions your AI coding assistants hold today. The localhost attack vector and the Mexico breach expose the same gap: developer trust inherited without security review. If nobody on your team approved the filesystem, credential, and execution access these tools have, that is your finding.

Datadog's State of DevSecOps 2026 report dropped this week. The headline: 87% of organizations run at least one exploitable vulnerability in production, affecting 40% of services. Dependencies average 278 days out-of-date, up from 215 days last year. Java services lead at 59% vulnerable, followed by .NET at 47%. And 42% of services rely on libraries no longer actively maintained. These are not detection failures. These vulnerabilities are known, flagged, and sitting in backlogs.

One stat complicates the picture: only 18% of vulnerabilities labeled "critical" remained critical once Datadog applied runtime context, with 98% of .NET "critical" vulnerabilities downgraded. The backlog is real, but the prioritization problem may be worse than the volume problem. Meanwhile, 71% of organizations never pin GitHub Actions to commit hashes, and 1.6% of npm-using organizations deployed malicious dependencies this year.

For comparison: the UK government's Vulnerability Monitoring Service reduced DNS-specific fix times from 50 days to 8, scanning 6,000 public sector websites and resolving roughly 400 vulnerabilities per month, backed by GBP 210 million in investment. When 40% of production services carry exploitable vulnerabilities and dependencies sit unpatched for nine months, the conversation shifts from security operations to corporate governance.

Pull your .NET critical findings and check how many are reachable in production. Datadog says 98% are not. Compare your team's MTTR against the UK government's 8-day benchmark. They cut fix times by 84% through automated monitoring, not more alerts. The delta between their number and yours quantifies the capacity you are losing to false priority.

Anthropic CEO Dario Amodei publicly stated "We cannot in good conscience accede to their request" after the Pentagon demanded its models be available for "all lawful purposes" with no contractual carve-outs. Anthropic sought explicit guardrails barring domestic mass surveillance and fully autonomous weapons. When the deadline expired on February 27, Trump ordered all federal agencies to phase out Anthropic technology within six months. Defense Secretary Pete Hegseth designated the company a "supply-chain risk to national security," calling its stance "arrogance and betrayal." Anthropic, valued at $380B with $14B in annual revenue, called the designation "legally unsound" and filed suit.

Hours later, OpenAI published "Our agreement with the Department of War" claiming it secured the same two restrictions Anthropic wanted: no mass domestic surveillance, no fully autonomous weapons, plus no high-stakes automated decisions. The critical difference: OpenAI agreed to the "any lawful use" standard Anthropic rejected, retaining "full discretion over the safety stack" in a cloud-only deployment. MIT Technology Review's analysis argues this is exactly what Anthropic feared: restrictions that exist in spirit but lack contractual enforceability. Sam Altman framed it as Anthropic focused on "specific prohibitions in the contract" while OpenAI focused on "citing applicable laws."

If you're in a regulated industry, defense contracting, or sell to government customers, this creates a new evaluation dimension. AI vendor selection now carries regulatory risk that did not exist a month ago. When a vendor's ethical stance can trigger a federal procurement ban, policy positions belong alongside technical capabilities in your toolchain evaluations.

Add "government policy stance" to your AI vendor evaluation matrix. If you sell to federal or defense customers, map which of your tools depend on Anthropic models before the six-month phase-out window closes. One executive order made a $380B company's products untouchable to an entire sector overnight.

AWS launched Security Hub Extended this week. It bundles 14 security partners (CrowdStrike, Okta, Zscaler, Proofpoint, Splunk, and others) into a single AWS bill using OCSF-normalized findings. Endpoint, identity, email, network, data, browser, cloud, AI, and security operations, all purchasable through one vendor relationship with pay-as-you-go pricing. When a cloud provider with AWS's market share becomes the seller of record for your security stack, the competitive dynamics for standalone vendors shift.

This follows a familiar playbook: cloud providers build "good enough" security into the platform, standalone vendors differentiate on depth, and you decide where the "good enough" threshold sits for your environment. The pattern played out with monitoring (CloudWatch vs Datadog), identity (IAM vs Okta). One detail stands out: application security tools (SAST, DAST, SCA) are absent from the launch partner list. The focus is runtime and infrastructure security. For your team, the question is whether a cross-domain platform that surfaces findings across your AWS estate replaces the need for tools that fix those findings. Detection and dashboard consolidation solve visibility. They don't solve the 278-day dependency lag we covered above.

Meanwhile, the workforce numbers add context. Cybersecurity professionals are working extra hours every week with burnout increasing, and Seemplicity characterizes the current pace as a "six-day security week" where AI adoption is outpacing governance capacity. If you're evaluating platform consolidation through hyperscaler bundling versus specialized tooling, weigh whether adding another dashboard reduces the hours or just changes where those hours get spent.

Ask one question before signing: does Security Hub Extended reduce triage hours, or give your team a better-looking view of the same backlog? SAST, DAST, and SCA are absent from the launch partner list. The bundle consolidates detection and dashboards across 14 vendors. It does not close the 278-day dependency gap.

Actively Exploited

VMware Aria Operations

RCE vulnerability flagged by CISA as actively exploited in the wild.

Severity: Critical | Status: Actively Exploited

Jailbroken Claude Stole 150GB from a Government

Big Picture

Your AI Coding Assistant Has CI/CD Privileges -- and None of the Controls

Takeaways

% Run Exploitable Code in Production -- and 98% of "Critical" Alerts Downgrade at Runtime

Takeaways

The Pentagon Banned Anthropic -- and OpenAI Accepted the Same Terms Hours Later

Takeaways

AWS Bundles 14 Security Vendors Into One Bill -- What's Missing Tells the Real Story

Takeaways

Vulnerabilities in the Wild

Actively Exploited

Critical

High

Medium

Curated Reading List

Thought-Provoking

Current Events