All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Anthropic is calling for AI companies worldwide to coordinate and create a system to pause or slow development of advanced AI if risks become too serious, warning that AI is improving so rapidly that humans could lose control, particularly through recursive self-improvement (where an AI designs its own successor). The company proposes a verification mechanism to ensure all labs comply with any slowdown, though OpenAI disagrees and argues that democratic governments, not private companies, should make decisions about AI development pace.
Fix: Anthropic proposes that advanced AI labs should establish a coordinated global mechanism to verify that rivals have actually stopped or slowed their work and that "a bad actor could not use the auspices of a coordinated slowdown to jump ahead in secret." The source also mentions that collaboration between companies, government agencies, and academic researchers is needed to develop countermeasures against AI-powered hacking tools.
SecurityWeek
A vulnerability (CVE-2026-11479) was found in grepai version 0.35.0 that involves the use of weak hash functions (cryptographic hashes that do not adequately scramble data) in the file indexer/chunker.go, which is part of the Qdrant Backend component. The vulnerability is difficult to exploit and, while it can be triggered remotely, requires valid user credentials; exploit details have nevertheless been publicly disclosed.
OpenAI launched the Economic Research Exchange, a program that provides researchers access to OpenAI tools and datasets to conduct rigorous, independent studies on how AI affects workers, businesses, and the economy. The program aims to generate credible evidence about AI's economic impacts while maintaining privacy protections and data governance safeguards, with applications open through July 5, 2026.
Major AI companies like OpenAI, Anthropic, and SpaceX are seeking massive valuations and going public, reflecting a rapid increase in spending on AI infrastructure like datacenters. However, there are growing concerns about whether these investments will actually generate profitable returns, as companies work to find practical uses that justify the enormous amounts of money being spent on AI development.
This academic paper describes a new encryption method designed to let multiple people search through encrypted medical data while protecting privacy and controlling who has access. The scheme uses lattice-based cryptography (cryptography whose security rests on hard mathematical problems over lattices, regular grid-like structures) and allows for selective disclosure (sharing only certain information with specific people) and user revocation (removing someone's access rights). This addresses the challenge of keeping medical information secure while still making it searchable and shareable in healthcare systems.
This academic paper describes a method for securely sharing secret images among multiple people using the Chinese Remainder Theorem (a mathematical technique for solving certain types of equations) and polynomials (mathematical expressions with variables). The scheme includes a certification process to verify that the shared image pieces are authentic and haven't been tampered with.
This academic paper proposes TMAS, a threshold multi-auditor auditing scheme designed to verify data integrity and security in cloud-fog computing environments (distributed systems where data processing happens both in the cloud and at edge devices closer to users) where trust between parties is limited. The scheme uses multiple independent auditors working together so that no single auditor needs to be completely trusted, addressing the challenge of maintaining security when collaborating systems don't fully trust each other.
STAFF is a research tool for testing firmware (the low-level software that runs on hardware devices) by using fuzzing (automated testing that feeds random or specially crafted inputs to find bugs). The tool uses stateful taint analysis (tracking how untrusted data flows through a program) to improve the fuzzing process and find security vulnerabilities more effectively in full systems.
Researchers have developed PLC-Defuser, a tool that detects hidden malicious code (logic bombs, which are programmed instructions designed to execute harmful actions when triggered) in PLCs (programmable logic controllers, computers used to automate industrial equipment like factory machinery). The tool uses control flow graphs (visual maps showing how a program's instructions connect and execute) and model checking (automated verification that tests whether software meets safety properties) to find these threats before they can cause damage.
This research paper describes a method for creating attack graphs (visual maps showing how attackers could move through a company's computer network) by using data collected from endpoint devices (individual computers and servers). The approach is designed to scale efficiently, meaning it can handle large enterprise networks without becoming too slow or resource-intensive. The work was published in October 2026 in the journal Computers & Security.
CoolTest is a new randomness test designed to work well with small amounts of data, published in November 2026. Randomness tests check whether data appears truly random or follows a pattern, which is important for security applications like cryptography (the practice of encoding information to keep it secret). This tool addresses a limitation of existing tests that often require large datasets to work accurately.
This research paper from November 2026 examines threat models for industrial control systems (ICS, the computers that manage factories, power plants, and other critical infrastructure) by developing systematic methods to search for and identify security threats. The authors appear to connect threat identification approaches with pentesting (penetration testing, where security experts deliberately try to break into systems to find weaknesses). The paper contributes to understanding how to better protect critical infrastructure from cyberattacks.
This academic paper presents ODHD, a method for generating helper data that enables reliable key derivation from an SRAM PUF (static random-access memory physical unclonable function, a hardware feature that extracts unique cryptographic keys from the inherent manufacturing variations in memory chips) without needing non-volatile memory (permanent on-device storage such as flash memory). The approach addresses the challenge of creating stable, reproducible keys from noisy hardware sources for secure cryptographic applications in resource-constrained devices.
This academic review examines intrusion detection systems (IDS, software that monitors networks to catch unauthorized access attempts) designed specifically for the Internet of Medical Things (IoMT, connected medical devices that collect and share health data). The paper analyzes these systems across four key areas: how well they catch attacks, how efficiently they run, whether humans can understand why they flag something as a threat, and whether they work reliably on new types of attacks they haven't seen before.
This document outlines OpenAI's vision for AI development, arguing that AI should be widely accessible and beneficial to humanity rather than concentrated among a few entities. The text emphasizes that AI's value comes from what people can do with it (like learning new skills or starting businesses), and that safe, powerful AI systems must remain aligned with human intent and subject to human control, with humans ultimately deciding what is worth doing.
Check Point Security Gateway has a flaw in IKEv1 (a protocol for setting up secure VPN connections) that allows attackers to bypass password authentication and connect to remote access VPNs without valid credentials. This vulnerability is currently being exploited by real attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. See Check Point's hotfix at https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/ and support documentation at https://support.checkpoint.com/results/sk/sk185033.
CISA Known Exploited Vulnerabilities
Recent attacks by anti-tech extremists, including attempted arson at OpenAI and violent incidents motivated by anti-AI ideology, are raising alarm among researchers, tech companies, and law enforcement. These attacks follow a pattern similar to earlier techno-pessimist (people who believe technology will cause harm) militant movements, suggesting a growing trend of violence driven by opposition to AI and data infrastructure.
ChatGPT can recommend fake shopping websites that impersonate real stores, tricking users into thinking they are buying from legitimate retailers. When users follow AI recommendations to purchase items like bags, they may end up on fraudulent sites designed to look official, resulting in financial loss for buyers.
OpenAI introduced Lockdown Mode, a new security feature designed to protect against prompt injection attacks (when malicious instructions are hidden in webpages or uploaded content to manipulate an AI's responses). The feature disables several ChatGPT capabilities including live web browsing, image retrieval, deep research, and agent mode to reduce the risk of sensitive data being exposed, though OpenAI acknowledges that prompt injections could still occur through cached content or uploaded files.
Fix: OpenAI's explicit mitigation is Lockdown Mode, which "will disable live web browsing (so you can only access cached content), the retrieval and display of images from the web (you can still generate images), deep research, and agent mode." The feature is being rolled out to ChatGPT Business accounts and eligible personal accounts. OpenAI states the goal is "to reduce the likelihood that sensitive data gets shared in the process."
TechCrunch (Security)
Researchers discovered a new type of backdoor attack (hidden malicious behaviour inserted into AI models) that works against personalized federated learning (a privacy-focused method where multiple computers train an AI model together without sharing raw data). The attack is designed to be stealthy and persistent, meaning it can evade detection and remain in the model over time.