aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

3117 items

The Download: how AI is used for military targeting, and the Pentagon’s war on Claude
info · news · safety, policy
Mar 13, 2026

The US military is considering using generative AI systems (AI models that can create text and analyze data) to help rank military targets and recommend which ones to strike, with human officials making final decisions. The Pentagon is also favoring OpenAI's ChatGPT and xAI's Grok for these high-stakes military applications, while facing criticism from officials who claim that Anthropic's Claude would negatively affect the defense supply chain.

Source: MIT Technology Review

Academia and the “AI Brain Drain”
info · news · policy, industry
Mar 13, 2026

Major technology companies are offering extremely high salaries to attract top AI researchers, causing many academics to leave universities for industry jobs. This "AI brain drain" is particularly affecting young, highly-cited researchers and threatens academia's ability to conduct research driven by curiosity rather than profit, as well as its role in providing independent ethical review. However, research shows that scientific breakthroughs actually come from large collaborative teams rather than individual geniuses, making the tech industry's focus on poaching individual top talent misguided.

Source: Schneier on Security

Anthropic-Pentagon battle shows how big tech has reversed course on AI and war
info · news · policy
Mar 13, 2026

Anthropic, an AI company, is in a legal dispute with the Pentagon over restrictions on how its AI models can be used, specifically trying to prevent deployment in domestic mass surveillance or fully autonomous lethal weapons (AI systems that make kill decisions without human control). The conflict highlights a shift in the tech industry's approach to military AI, with companies like Google previously refusing military partnerships, but now facing pressure to work with the Pentagon under the Trump administration.

Source: The Guardian Technology

Onyx Security Launches With $40 Million in Funding
info · news · security, industry
Mar 13, 2026

Onyx Security, a new startup, has received $40 million in funding to build a control plane (a central dashboard for managing systems) that helps organizations monitor and manage autonomous AI agents (AI systems that can perform tasks independently without constant human direction) and speed up their adoption.

Source: SecurityWeek

CVE-2026-3910: Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
info · vulnerability · security
Mar 12, 2026
CVE-2026-3910 (🔥 Actively Exploited)

Google Chromium V8 has a memory buffer vulnerability (a flaw where operations exceed safe memory boundaries) that lets remote attackers run arbitrary code inside a sandbox through a crafted HTML page. This affects multiple browsers built on Chromium, including Chrome, Microsoft Edge, and Opera, and is currently being actively exploited by attackers.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date for action is 2026-03-27.

Source: CISA Known Exploited Vulnerabilities

CVE-2026-3909: Google Skia Out-of-Bounds Write Vulnerability
info · vulnerability · security
Mar 12, 2026
CVE-2026-3909 (🔥 Actively Exploited)

Google Skia has an out-of-bounds write vulnerability (a bug where a program writes data outside the memory it should access), which could let attackers run malicious code through a specially crafted web page. This affects Chrome, ChromeOS, Android, Flutter, and other products, and is currently being exploited by real attackers.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Check with specific vendors for patching status and information.

Source: CISA Known Exploited Vulnerabilities

A defense official reveals how AI chatbots could be used for targeting decisions
info · news · policy, safety
Mar 12, 2026

The US military may use generative AI chatbots (AI systems trained on large amounts of text data to have conversations) to rank and prioritize target lists for human review, according to a Pentagon official. These systems, which could include OpenAI's ChatGPT or xAI's Grok, would work alongside existing military AI tools like Maven (a system using computer vision to analyze drone footage) to speed up targeting decisions. However, while generative AI outputs are easy to access, they are harder to verify than traditional military AI systems, raising concerns as the Pentagon faces scrutiny over recent military strikes.

Source: MIT Technology Review

Sam Altman faced 'serious questions' in meeting with lawmakers about OpenAI's defense work
info · regulatory · policy, safety
Mar 12, 2026

OpenAI CEO Sam Altman met with lawmakers including Senator Mark Kelly to discuss the company's defense contract with the Department of Defense, particularly concerns about how AI systems could be used in warfare and surveillance. The meeting highlighted disagreements between AI companies and the military over safeguards, with Kelly stating that Congress plans to draft legislation creating guardrails (safety boundaries) around government AI contracts, since the technology is advancing faster than lawmakers can regulate it.

Source: CNBC Technology

AI-generated Slopoly malware used in Interlock ransomware attack
medium · news · security
Mar 12, 2026

Researchers discovered Slopoly, a backdoor malware (a hidden entry point into a system) likely created using an LLM (large language model, an AI trained on text data), that was deployed in ransomware attacks by the financially motivated group Hive0163. The malware uses a command-and-control framework (a central server that sends instructions to compromised systems) to steal data and maintain access, and its AI-generated code shows unusual features like detailed comments and clear variable names that are rare in human-written malware, suggesting that attackers are using AI tools to speed up custom malware creation.

Source: BleepingComputer

Facebook Marketplace adds AI auto-replies for annoying ‘Is this still available?’ messages
info · news · industry
Mar 12, 2026

Facebook Marketplace is introducing AI-powered features to help sellers work more efficiently, including an auto-reply tool that uses Meta AI to automatically respond to common questions about whether items are still available. Sellers can toggle this feature on when creating a listing, and the AI will draft editable responses that sellers can customize before sending.

Source: The Verge (AI)

GHSA-gg5m-55jj-8m5g: Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters
high · vulnerability · security
Mar 12, 2026
CVE-2026-32247

Graphiti versions before 0.28.2 had a Cypher injection vulnerability (a type of attack where malicious code is hidden in user input to manipulate database queries) in its search filters for non-Kuzu database backends. Attackers could exploit this by providing crafted labels through SearchFilters.node_labels or, in MCP deployments (a system where an AI model can call external tools), through prompt injection (tricking an LLM into executing attacker-controlled commands) to execute arbitrary database operations like reading, modifying, or deleting data.

Fix: Upgrade to version 0.28.2 or later. Version 0.28.2 added validation of SearchFilters.node_labels, defense-in-depth label validation in shared search-filter constructors, validation of entity node labels in persistence query builders, and validation of group_ids in shared search fulltext helpers. If you cannot upgrade immediately, do not expose Graphiti MCP tools to untrusted users or LLM workflows processing untrusted prompts, avoid passing untrusted values into SearchFilters.node_labels or MCP entity_types, and restrict graph database credentials to minimum required privileges.

Source: GitHub Advisory Database

Microsoft top Office executive Rajesh Jha retiring after more than 35 years
info · news · industry
Mar 12, 2026

Rajesh Jha, a top Microsoft executive who oversaw Office and has worked at the company for over 35 years, is retiring in July. His departure is significant because Microsoft is trying to integrate AI models from companies like OpenAI and Anthropic into products like 365 Copilot (an AI assistant add-on for Microsoft 365 business subscriptions), and his leadership will be split among four other executives reporting directly to CEO Satya Nadella.

Source: CNBC Technology

Webflow buys AI content-generation platform Vidoso to bolster its marketing suite
info · news · industry
Mar 12, 2026

Webflow, a website-building platform, has acquired Vidoso, an AI content-generation startup that uses large language models (AI systems trained on text data to generate new text) to help companies create marketing materials like images, videos, and blog posts. The acquisition aims to help Webflow expand its marketing capabilities and address a key problem: frontier models (AI systems trained on general internet data) create generic content without understanding a company's specific brand rules and approval workflows.

Source: TechCrunch

Gemini’s task automation is here and it’s wild
info · news · industry
Mar 12, 2026

Google and Samsung announced that Gemini, their AI assistant, can now automate tasks by controlling apps on your behalf through a virtual interface, starting with food delivery and rideshare services. Users can give simple text prompts and Gemini will interact with these apps to complete actions like ordering food or booking rides, which is a capability AI assistants have long promised but rarely delivered.

Source: The Verge (AI)

Bumble introduces an AI dating assistant, ‘Bee’
info · news · industry
Mar 12, 2026

Bumble, a dating app company, has introduced 'Bee,' a generative AI assistant (software that creates text and generates responses) that learns users' preferences, values, and relationship goals through private conversations to recommend better matches. The AI will power a new feature called 'Dates' that identifies compatible users and notifies both parties, and Bumble plans to expand Bee's use to features like date suggestions and match feedback in the future.

Source: TechCrunch

Bumble to launch an AI dating assistant, ‘Bee’
info · news · industry
Mar 12, 2026

Bumble is launching an AI assistant called 'Bee' that learns users' dating preferences, values, and communication styles through private conversations to recommend more compatible matches. The AI-powered feature is currently in beta testing and will initially power a new matching experience called 'Dates,' with plans to expand into other areas like date suggestions and feedback collection.

Source: TechCrunch

Tesla becomes a utility in the UK, setting up showdown with Octopus Energy
info · news · industry
Mar 12, 2026

Tesla has received an official license from the UK's Office of Gas and Electricity Markets to operate as a utility, meaning it can now sell electricity directly to homes and businesses. This move builds on Tesla's existing energy business, which includes battery products like the Powerwall and a virtual power plant (a network of distributed batteries that can supply electricity to the grid), and will put it in competition with established UK utilities like Octopus Energy.

Source: TechCrunch

Anthropic’s Claude AI can respond with charts, diagrams, and other visuals now
info · news · industry
Mar 12, 2026

Anthropic has updated Claude, its AI chatbot, to generate and display custom charts, diagrams, and other visual content directly in conversations when it determines visuals would be helpful. Examples include interactive visualizations like periodic tables or structural diagrams that users can click on for more details.

Source: The Verge (AI)

Gumloop lands $50M from Benchmark to turn every employee into an AI agent builder
info · news · industry
Mar 12, 2026

Gumloop, a platform that lets non-technical employees build AI agents (autonomous programs that handle multi-step tasks without human intervention) to automate work, just raised $50 million in funding from investment firm Benchmark. The company competes with tools like Zapier and Anthropic's Claude Co-Work, and investors believe its easy-to-use interface and flexibility to work with different AI models will help it dominate enterprise automation.

Source: TechCrunch

Palantir is still using Anthropic's Claude as Pentagon blacklist plays out, CEO Karp says
info · news · policy, industry
Mar 12, 2026

Palantir continues using Anthropic's Claude (a large language model, or LLM, which is AI software trained to understand and generate text) despite the Pentagon designating Anthropic a supply-chain risk (a company or product deemed potentially unreliable or unsafe for government use). The Department of Defense plans to phase out Anthropic's tools over six months, though exemptions may be granted for critical national security operations.

Fix: According to the source, the Department of Defense has set a six-month period for federal agencies to phase out Anthropic's products. An internal Pentagon memo states that exemptions will be considered for 'mission-critical activities' in rare circumstances where 'no viable alternative exists.' The DOD Chief Technology Officer noted that the government will transition to other large language models, but that 'you can't just rip out a system that's deeply embedded overnight.'

Source: CNBC Technology

Page 11 of 156