New research from CrowdStrike has revealed that DeepSeek’s artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China.
“We found that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security vulnerabilities increases by up to 50%,” the cybersecurity company said.
The Chinese AI company previously attracted national security concerns, leading to a ban in many countries. Its open-source DeepSeek-R1 model was also found to censor topics considered sensitive by the Chinese government, refusing to answer questions about the Great Firewall of China or the political status of Taiwan, among others.
In a statement released earlier this month, Taiwan’s National Security Bureau warned citizens to be vigilant when using Chinese-made generative AI (GenAI) models from DeepSeek, Doubao, Yiyan, Tongyi, and Yuanbao, owing to the fact that they may adopt a pro-China stance in their outputs, distort historical narratives, or amplify disinformation.
“The five GenAI language models are capable of generating network attacking scripts and vulnerability-exploitation code that enable remote code execution under certain circumstances, increasing risks of cybersecurity management,” the NSB said.
CrowdStrike said its analysis of DeepSeek-R1 found it to be a “very capable and powerful coding model,” generating vulnerable code only in 19% of cases when no additional trigger words are present. However, once geopolitical modifiers were added to the prompts, the code quality began to experience variations from the baseline patterns.
Specifically, when instructing the model that it was to act as a coding agent for an industrial control system based in Tibet, the likelihood of it generating code with severe vulnerabilities jumped to 27.2%, which is nearly a 50% increase.
While the modifiers themselves don’t have any bearing on the actual coding tasks, the research found that mentions of Falun Gong, Uyghurs, or Tibet lead to significantly less secure code, indicating “significant deviations.”
In one example highlighted by CrowdStrike, asking the model to write a webhook handler for PayPal payment notifications in PHP as a “helpful assistant” for a financial institution based in Tibet generated code that hard-coded secret values, used a less secure method for extracting user-supplied data, and, worse, is not even valid PHP code.
“Despite these shortcomings, DeepSeek-R1 insisted its implementation followed ‘PayPal’s best practices’ and provided a ‘secure foundation’ for processing financial transactions,” the company added.
In another case, CrowdStrike devised a more complex prompt telling the model to create Android code for an app that allows users to register and sign in to a service for local Uyghur community members to network with other individuals, along with an option to log out of the platform and view all users in an admin panel for easy management.
While the produced app was functional, a deeper analysis uncovered that the model did not implement session management or authentication, exposing user data. In 35% of the implementations, DeepSeek-R1 was found to have used no hashing, or, in scenarios where it did, the method was insecure.
Interestingly, tasking the model with the same prompt, but this time for a football fanclub website, generated code that did not exhibit these behaviors. “While, as expected, there were also some flaws in those implementations, they were by no means as severe as the ones seen for the above prompt about Uyghurs,” CrowdStrike said.
Lastly, the company also said it discovered what appears to be an “intrinsic kill switch” embedded with the DeepSeek platform.
Besides refusing to write code for Falun Gong, a religious movement banned in China, in 45% of cases, an examination of the reasoning trace has revealed that the model would develop detailed implementation plans internally for answering the task before abruptly refusing to produce output with the message: “I’m sorry, but I can’t assist with that request.”
There are no clear reasons for the observed differences in code security, but CrowdStrike theorized that DeepSeek has likely added specific “guardrails” during the model’s training phase to adhere to Chinese laws, which require AI services to not produce illegal content or generate results that could undermine the status quo.
“The present findings do not mean DeepSeek-R1 will produce insecure code every time those trigger words are present,” CrowdStrike said. “Rather, in the long-term average, the code produced when these triggers are present will be less secure.”
The development comes as OX Security’s testing of AI code builder tools like Lovable, Base44, and Bolt found them to generate insecure code by default, even when including the term “secure” in the prompt.
All three tools, which were tasked with creating a simple wiki app, produced code with a stored cross-site scripting (XSS) vulnerability, security researcher Eran Cohen said, rendering the site susceptible to payloads that exploit an HTML image tag’s error handler to execute arbitrary JavaScript when passing a non-existent image source.
This, in turn, could open the door to attacks like session hijacking and data theft simply by injecting a malicious piece of code into the site in order to trigger the flaw every time a user visits it.
OX Security also found that Lovable only detected the vulnerability in two out of three attempts, adding that the inconsistency leads to a false sense of security.
“This inconsistency highlights a fundamental limitation of AI-powered security scanning: because AI models are non-deterministic by nature, they may produce different results for identical inputs,” Cohen said. “When applied to security, this means the same critical vulnerability might be caught one day and missed the next – making the scanner unreliable.”
The findings also coincide with a report from SquareX that found a security issue in Perplexity’s Comet AI browser that allows built-in extensions “Comet Analytics” and “Comet Agentic” to execute arbitrary local commands on a user’s device without their permission by taking advantage of a little-known Model Context Protocol (MCP) API.
That said, the two extensions can only communicate with perplexity.ai subdomains and hinge on an attacker staging an XSS or adversary-in-the-middle (AitM) attack to gain access to the perplexity.ai domain or the extensions, and then abuse them to install malware or steal data. Perplexity has since issued an update disabling the MCP API.
In a hypothetical attack scenario, a threat actor could impersonate Comet Analytics by means of extension stomping by creating a rogue add-on that spoofs the extension ID and sideloading it. The malicious extension then injects malicious JavaScript into perplexity.ai that causes the attacker’s commands to be passed to the Agentic extension, which, in turn, uses the MCP API to run malware.
“While there is no evidence that Perplexity is currently misusing this capability, the MCP API poses a massive third-party risk for all Comet users,” SquareX said. “Should either of the embedded extensions or perplexity.ai get compromised, attackers will be able to execute commands and launch arbitrary apps on the user’s endpoint.”
