Security

Attorney General Rob Bonta filed a lawsuit against Chrome Holding Co. — formerly 23AndMe — claiming that the company failed to protect user information, leading to the massive 2023 breach that included data belonging to 6.9 million users. In 2024, 23andMe agreed to pay $30 million to settle a class action lawsuit related to the breach.

The Aqara U500 lineup includes three separate models. There’s a “Rim Lock” for standard entrance and interior doors that doesn’t require a mortise, a “Gate Lock” for metal grille-style doors, and even a lock that’s designed for glass doors. They’re only available in Europe for now though.

Upon request, “qualifying” customers can use things like skills, a Claude harness, and a threat model builder, Anthropic says as part of a bigger update about Project Glasswing.

YouTuber Coffeezilla first reported the leak of customer details, now apparently fixed. Trump Mobile CEO Pat O’Brien has now confirmed to The Verge there was a breach, which he blames on “a third-party platform provider.”

A security bulletin from Nvidia breaks down new vulnerabilities found in some of its GPU drivers for Windows and Linux and vGPU software. As Digital Foundry and Club386 point out, they affect drivers prior to 596.36 on the current branch, so if you’re running the most recently released update (596.49, which was released on May 12th), you don’t have anything to do.

The company traced the incident to a “poisoned” VS Code extension on an employee’s device. While the hacking group TeamPCP has claimed responsibility for the breach, GitHub says it has since removed the malicious extension and that the exfiltration was limited to internal data, as reported by Bleeping Computer.

Researchers at the security firm Calif say they used Anthropic’s cybersecurity AI to create a privilege escalation exploit, the Wall Street Journal reports:

On Wednesday, the AISI, which evaluates AI models for the British government, said both Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 showed progress well above previous trends on cybersecurity testing. Separately, XBOW released data suggesting “frontier models have taken a major step forward in vulnerability discovery.”

Similar to the “Copy Fail” exploit revealed a week ago, the two “Dirty Frag” exploits (CVE-2026-43284) also allow a local user to give themselves root privileges on nearly any Linux distribution. The researcher who found it says that, “Because the embargo has now been broken, no patches or CVEs exist for these vulnerabilities.”

Sean Hollister let a hacked robot lawnmower run him over in the name of journalism, but it took a Verge commenter to find the right language that really sets the stakes.

Mozilla:

Ubuntu’s web infrastructure remains unavailable after going offline Thursday morning, blocking updates and other access at a time when Linux admins really need to apply a patch.

Claude Security uses the Opus 4.7 model to scan a business’s codebase for vulnerabilities and issue a fix. This tool is rolling out to enterprise customers globally and isn’t to be confused with Anthropic’s Mythos, a powerful AI model that can identify and exploit vulnerabilities across operating systems and web browsers.

The group is accused of using stolen cookies to hijack accounts, targeting profiles with high amounts of in-game currency and items, according to a press release spotted by Bleeping Computer. The hackers allegedly earned around $225,000 after selling the accounts on a Russian website.

The prolific ShinyHunters group is claiming responsibility and threatening to leak the stolen data unless a ransom is paid. ADT has said that the info was mostly limited to names, phone numbers, and addresses, and that credit card or bank account information was not compromised.

The hosting platform provided a new update on the recent compromise. It named Context.AI as the vector for the attack, found more customer data that had been stolen, and said it discovered that some accounts had been broken into during an earlier incident.

Sources told Axios that the agency was among the roughly 40 organizations granted access. This, despite the Pentagon arguing that Anthropic is a threat to national security. The NSA has reportedly been using it primarily to identify vulnerabilities in its own network, but considering its track record, it’s understandable if you’re wary.

A new Wired investigation details the lengths Jim Dolan, owner of the New York Knicks and venues like MSG and the Las Vegas Sphere, goes to to spy on perceived enemies, fans, and critics. The vast surveillance apparatus includes dossiers, social media posts, and facial recognition tech.

Despite Anthropic’s ongoing battle with the Pentagon, Bloomberg reports that the White House Office of Management and Budget’s CIO told government officials that it is preparing for their agencies to use Anthropic’s cybersecurity-focused AI model.