Security

On Wednesday, the AISI, which evaluates AI models for the British government, said both Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 showed progress well above previous trends on cybersecurity testing. Separately, XBOW released data suggesting “frontier models have taken a major step forward in vulnerability discovery.”

Similar to the “Copy Fail” exploit revealed a week ago, the two “Dirty Frag” exploits (CVE-2026-43284) also allow a local user to give themselves root privileges on nearly any Linux distribution. The researcher who found it says that, “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities.”

Sean Hollister let a hacked robot lawnmower run him over in the name of journalism, but it took a Verge commenter to find the right language that really sets the stakes.

Mozilla:

Ubuntu’s web infrastructure remains unavailable after going offline Thursday morning, blocking updates and other access at a time when Linux admins really need to apply a patch.

Claude Security uses the Opus 4.7 model to scan a business’s codebase for vulnerabilities and issue a fix. This tool is rolling out to enterprise customers globally and isn’t to be confused with Anthropic’s Mythos, a powerful AI model that can identify and exploit vulnerabilities across operating systems and web browsers.

The group is accused of using stolen cookies to hijack accounts, targeting profiles with high amounts of in-game currency and items, according to a press release spotted by Bleeping Computer. The hackers allegedly earned around $225,000 after selling the accounts on a Russian website.

The prolific ShinyHunters group is claiming responsibility and threatening to leak the stolen data unless a ransom is paid. ADT has said that the info was mostly limited to names, phone numbers, and addresses, and that credit card or bank account information was not compromised.

The hosting platform provided a new update on the recent compromise. It named Context.AI as the vector for the attack, found more customer data that had been stolen, and said it discovered that some accounts had been broken into during an earlier incident.

Sources told Axios that the agency was among the roughly 40 organizations granted access. This, despite the Pentagon arguing that Anthropic is a threat to national security. The NSA has reportedly been using it primarily to identify vulnerabilities in its own network, but considering its track record, it’s understandable if you’re wary.

A new Wired investigation details the lengths Jim Dolan, owner of the New York Knicks and venues like MSG and the Las Vegas Sphere, goes to to spy on perceived enemies, fans, and critics. The vast surveillance apparatus includes dossiers, social media posts, and facial recognition tech.

Despite Anthropic’s ongoing battle with the Pentagon, Bloomberg reports that the White House Office of Management and Budget’s CIO told government officials that it is preparing for their agencies to use Anthropic’s cybersecurity-focused AI model.

When hackers got access to an account belonging to the maintainer of Axios, they inserted a script that granted remote access to users’ Windows, macOS, and Linux devices. This malicious version potentially compromised ChatGPT’s macOS apps, so OpenAI is issuing an update and new certificates to mitigate any risks.

Starting this week, enterprise users will be able to send encrypted messages from Gmail’s Android and iOS apps if their organization has the feature enabled. Gmail’s version of E2EE, which uses client-side encryption, has been available since last year, but is still limited to users with enterprise accounts.

Google is officially rolling out Device Bound Session Credentials (DBSC) to Windows users in Chrome 146. The new security feature cryptographically binds your login cookies to your device’s hardware. So, even if malware steals your browser cookies, they should be useless to remote hackers. MacOS support is coming soon.

The AI-powered compliance startup is no longer listed on YC’s directory after an anonymous report alleged Delve “fakes compliance” and leaked audit reports, as reported by TechCrunch. Delve responded by claiming a bad actor “maliciously exfiltrated data” as part of a “coordinated, targeted cyberattack.”

Meta has paused work with the company, Mercor (which The Verge has profiled), while OpenAI is investigating the security incident, Wired reports.

The update adds protections against DarkSword, a security vulnerability that can steal information from your phone if you visit an infected link. Apple previously released iOS 18.7.7 to the iPhone XS and XR, but if you have a newer phone and don’t want to download iOS 26, now you can install the patch without worrying about getting Liquid Glass.

A disclosure spotted by TechCrunch says the incident prompted the toymaker to activate “its security response protocols.” Hasbro says it’s currently working to determine the impact of the breach, but it will continue to “take orders, ship product and conduct other key operations.”

iOS 26 devices are already protected against the hacking tool that targets iPhones when visiting malicious links, and today Apple is pushing out a new security update for older, vulnerable versions of iOS. That means iOS 18 users can protect their phones and avoid the Liquid Glass design update.

A hacker took over an account belonging to the lead maintainer of the JavaScript library, Axios, which is used to handle HTTP requests, as reported by Cybernews. Security researchers found that versions 1.14.1 and 0.30.4 contained the script for a remote access trojan capable of giving hackers access to a user’s Windows, macOS, or Linux device.

The bundle, Proton Workspace, includes a new end-to-end encrypted video chat service called Proton Meet. But even encryption can’t guarantee the company will keep your payment info private from government requests.

According to “I Decompiled the White House’s New App,” the Android version has some odd choices for a government app that mostly shows content from the White House website.