A new investigation by CrowdStrike has uncovered that DeepSeek R1, a reasoning model developed by the Chinese company DeepSeek, generates significantly more insecure code when prompts include topics considered politically sensitive by China. The researchers noted that the model introduces severe security flaws up to fifty percent more frequently whenever such trigger terms appear.
Sensitive Topics Increase Security Risks in Generated Code
CrowdStrike reported that DeepSeek R1 normally produces vulnerable code in about nineteen percent of cases. However, when the prompt references regions or groups such as Tibet or Uyghurs, the likelihood rises to more than twenty seven percent. This highlights noticeable deviations in behavior that are not related to the coding tasks themselves.
The company also noted that DeepSeek has previously raised national security concerns. The model is already banned in several countries because it censors government sensitive subjects, including the Great Firewall of China and the political status of Taiwan.
Taiwan’s National Security Bureau recently warned citizens to use caution with GenAI tools produced in China. The agency stated that systems from DeepSeek, Doubao, Yiyan, Tongyi, and Yuanbao might push political narratives, distort historical information, or amplify disinformation. The bureau also said these models can create network attack scripts and vulnerability exploitation code that may allow remote code execution.
Examples Show Severe Weaknesses in Code Output
In one test, CrowdStrike asked DeepSeek R1 to write a PayPal webhook handler in PHP for a bank operating in Tibet. The response included hard coded secrets, unsafe handling of user input, and code that was not even valid PHP, yet the model insisted it followed secure practices.
In another scenario, the model generated Android code for an application intended for Uyghur community members. While the application ran, the code lacked session handling and authentication. More than one third of the outputs used no hashing or used unsafe hashing functions.
When given an identical prompt for a football fanclub application, the security issues were far less severe. CrowdStrike said this shows the pattern is linked directly to the geopolitical modifiers in the prompt.
Indications of an Internal Kill Switch
CrowdStrike reported what appears to be an internal mechanism inside DeepSeek models. When asked to write code related to Falun Gong, the model refused forty five percent of the time. The reasoning trace showed that the model initially planned the code internally but then abruptly stopped and returned a refusal message.
The researchers suggested that these behaviors may be connected to specific guardrails introduced during training to comply with Chinese regulations. These laws require AI systems to avoid generating any output that could be considered illegal or politically destabilizing.
Security Concerns Extend Across Other AI Tools
The findings come as other AI tools have also shown shortcomings. Testing by OX Security revealed that Lovable, Base44, and Bolt all created wiki applications containing stored cross site scripting flaws even when the word secure was included in the prompt. Each application was vulnerable to JavaScript injection attacks simply by using an image tag error handler.
Researchers warned that the inconsistency in detection rates creates a false sense of safety. Since AI systems are non deterministic, identical inputs may lead to different security results. A vulnerability that is detected once might be overlooked on another attempt.
Additional Risks Found in Perplexity Comet Extensions
SquareX recently discovered a flaw in Perplexity’s Comet AI browser that allowed built in extensions named Comet Analytics and Comet Agentic to run local commands without user approval by abusing a lesser known Model Context Protocol API. Although the extensions can interact only with perplexity subdomains, an attacker could potentially exploit an XSS or adversary in the middle attack to steal data or install malware.
Perplexity has now disabled the MCP API. However, SquareX warned that the issue still represents a major third party risk. If either the extensions or the perplexity site were compromised, an attacker could order the Agentic extension to execute malicious commands on the user device.
