New tools, products, platforms, funding rounds, and company developments in AI security.
AI company employees are gaining significant wealth through IPOs (initial public offerings, when private companies sell shares to the public for the first time), which is driving up home prices in the San Francisco Bay Area. Companies like OpenAI and Anthropic are planning IPOs, and their success could create even more demand for housing in an area that already has limited homes available.
ServiceNow discovered and fixed a vulnerability in an unauthenticated API endpoint (a web interface that programs use to request data) that could have exposed customer data without requiring a login. The flaw affected specific ServiceNow instances and was initially reported through a bug bounty program in April, with security updates released to customers in June.
Check Point Research found a critical vulnerability in LangGraph, a widely-used framework (with 46.5 million monthly downloads) that helps developers build AI agents with memory and state management. An SQL injection (a type of attack where malicious database commands are inserted into user input) in LangGraph could let attackers take complete control of a server through remote code execution (RCE, where attackers run arbitrary commands on a system they don't own), potentially exposing API keys, customer data, and conversation history stored on the compromised system.
OpenAI is shifting its focus toward enterprise customers and preparing to go public, while Google and Apple are competing to bring AI features directly to everyday consumers through their existing devices and services. Google and Apple can afford to offer consumer AI for free to keep users in their ecosystems, whereas OpenAI and Anthropic are pursuing profitable enterprise deals with companies willing to pay for AI tools like code-generation software.
Major U.S. AI companies like Anthropic, OpenAI, Google, and others are expanding their offices in London to access the city's deep pool of AI talent and its status as a leading global financial center. London has become one of the world's strongest hubs for frontier AI (cutting-edge artificial intelligence research) talent outside the U.S., partly due to decades of investment anchored by DeepMind and leading universities. However, this expansion is creating challenges, including a significant shortage of high-quality office space expected to continue until 2030 and increased competition for hiring top talent that pressures local startups.
OpenAI is considering cutting prices on its AI services, particularly the cost of tokens (the units that AI companies charge users for processing text and other content), to compete with rival Anthropic. Both companies are preparing for an IPO (initial public offering, where a company sells shares to the public for the first time) and have been increasing competition as ChatGPT continues to gain users.
BBVA, a global bank founded in 1857, is partnering with OpenAI to integrate AI (artificial intelligence) throughout its entire organization as part of its transformation strategy called 'The Eight.' Over 100,000 BBVA employees now use ChatGPT Enterprise to improve customer experiences, help with decision-making, automate operations, and speed up software development across the bank.
OpenAI is acquiring Ona, a company that specializes in secure cloud execution and orchestration (technology for running and managing code in cloud environments safely). This acquisition will allow Codex (OpenAI's AI tool used by 5 million people weekly) to work on longer tasks that span hours or days by running in persistent cloud environments instead of being limited to a single device or session. The integration will let organizations deploy AI agents (autonomous programs that perform tasks) securely within their own cloud infrastructure while maintaining control over security, data access, and activity logging.
OpenAI and Oracle are partnering to let Oracle Cloud Infrastructure (OCI, Oracle's cloud computing platform) customers use their existing Oracle Cloud Universal Credits (UCM, pre-purchased cloud service allowances) to pay for access to OpenAI's AI models and Codex (a code-generation AI tool). This partnership simplifies how enterprises can adopt advanced AI by letting them use their established purchasing processes and cloud budgets instead of creating separate purchasing agreements.
This bulletin covers multiple serious threats including 3.3 billion stolen credentials from infostealer malware (malware designed to steal passwords and login information), a $5,000-per-month RAT (remote access trojan, malware that lets attackers control a victim's computer) called SilabRAT that clones browser profiles to steal financial data, and a North Korean group conducting hands-on intrusions (attacks where human operators directly control compromised systems) against tech companies. The U.S. Department of Justice also seized 13 domains used to trick government employees into revealing classified information through fake job offers.
Fix: The source mentions one explicit action: 'The U.S. Department of Justice has announced the seizure of 13 internet domains masquerading as consulting companies.' It also provides preventive guidance: 'Anyone approached online with offers of easy income for vague consulting work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting.' Beyond these actions and warnings, no technical patches, software updates, or specific mitigation strategies are discussed in the source text.
The Hacker NewsFix: ServiceNow issued a security update (KB3067321) on June 5 for hosted customers and provided guidance (KB3067372) for self-hosted deployments. Additionally, customers were advised to audit their own Scripted REST API table and review any resources where the "requires_authentication" setting is unchecked, particularly those unchanged since before 2022.
CSO OnlineAnthropic apologized for secretly adding hidden guardrails (safety restrictions that limit what an AI model can do) to Claude Fable 5, which prevented researchers and competitors from fully using the model. The company says it will now be more transparent about when these restrictions activate, even if it means the model refuses more user requests.
Fix: Anthropic will be more transparent about when the restrictions kick in and will reverse course from the hidden guardrail approach.
The Verge (AI)Google DeepMind and partner organizations are funding $10 million in research to understand the risks of multi-agent systems (multiple AI agents working together), because deploying millions of these agents could create new security threats like scams and prompt injection attacks (where an AI agent is manipulated by hidden malicious instructions). The researchers plan to study these risks by running realistic simulations where AI agents interact in controlled environments called sandboxes, since predicting behavior from studying single agents alone is insufficient.
AI agents (programs that perform tasks automatically) can install third-party skills (add-on packages, like apps on a phone) from public registries, but until now there was no automated way to check if a skill actually does what it claims before it gains access to sensitive data and system commands. Researchers introduced Behavioral Integrity Verification (BIV), a tool that compares what a skill says it does (in its documentation and metadata) against what its code actually does, and found that most skills deviate from their claims, with some containing dangerous multi-stage attack chains (sequences of seemingly harmless capabilities combined to steal credentials, execute unauthorized commands, or secretly extract data).
Fix: Security teams running LLM agents in production should inventory the third-party skills installed and require a behavioral-integrity check before installation rather than after. Palo Alto Networks customers can use Prisma AIRS and the Unit 42 AI Security Assessment service for protection.
Palo Alto Unit 42Site reliability engineering (SRE) teams should only trust AI agents in production when they have three foundational elements: grounded observability (complete logs, traces, and ownership data that the AI can reason over), clear guardrails (explicit permission models and approval gates that limit what the agent can do), and a progressive autonomy approach (starting with read-only tasks like summarizing incidents before allowing automated actions). Trust in AI for operations is earned through evidence of reliable behavior under real stress, not through impressive demos.
Advanced AI models like Claude Mythos and GPT-5.5 make it much faster and easier for attackers to discover vulnerabilities (security weaknesses in software) and chain them together at scale, forcing cybersecurity teams to rethink their defenses. Security experts warn that defenders should assume AI will increase the likelihood of initial compromise and should focus on limiting damage through stronger identity controls, least privilege (giving users only the minimum access they need), and internal segmentation (dividing networks into isolated sections) rather than trying to patch every vulnerability perfectly.
Anthropic reversed a policy in Claude Fable 5 that secretly blocked requests related to frontier LLM development (cutting-edge AI research) without telling users. The company acknowledged the hidden approach was wrong and apologized, stating they prioritized speed over transparency.
Fix: Anthropic is making the safeguards visible: starting immediately, flagged requests will visibly fall back to Opus 4.8 (an older model version) instead of being silently blocked. On the API, refused requests will now return a reason for the refusal (rolling out to server-side fallback within days). Users will see every instance this happens.
Simon Willison's WeblogOpenAI is supporting the European Commission's Code of Practice on Transparency of AI-Generated Content to help people understand where online content comes from and whether it was created or edited by AI. The company is implementing provenance standards (technical methods for tracking content origin and history) by adding C2PA metadata (embedded information that travels with images to show their source and creation details) to its DALL-E 3 image tool, combining this with SynthID watermarks (invisible digital markers), and offering a public verification tool at openai.com/verify so people can check if images contain provenance signals.
Fix: OpenAI's approach includes: (1) adding C2PA Content Credentials metadata to images created and edited by DALL-E 3 in ChatGPT and the OpenAI API; (2) including both C2PA metadata and SynthID watermarks on images generated with ChatGPT, Codex, and the OpenAI API; (3) providing openai.com/verify, a public verification experience where people can check whether supported images contain provenance signals associated with OpenAI-generated images; and (4) contributing to open standards through joining the C2PA Steering Committee to advance interoperable provenance standards across the ecosystem.
OpenAI BlogThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated patching requirements for federal agencies to address AI-related security threats. Agencies must now fix the most critical vulnerabilities (flaws in software that attackers can exploit) within three days, while less severe issues can be addressed later.
The US Cybersecurity and Infrastructure Security Agency (CISA) released a new directive requiring federal agencies to patch critical software vulnerabilities (bugs) in as little as three days, driven by concerns that AI models can now discover and exploit security flaws faster than humans can fix them. The directive uses a prioritization system based on four factors, including whether a vulnerability is publicly exposed and can be automatically exploited, to determine how urgently each bug must be addressed.
Fix: CISA's directive requires agencies to use a prioritization rubric based on four assessments: whether a vulnerability is in a publicly exposed system, whether it appears in CISA's Known Exploited Vulnerabilities Catalog, whether an attacker could automate exploitation, and how much access an attacker would gain. When all four criteria apply, the vulnerability must be fixed within three days, and agencies must also execute a 'forensic triage' process to determine if systems have already been compromised.
Wired (Security)Organizations are struggling to patch vulnerabilities fast enough, with only 26% of actively exploited vulnerabilities fully fixed while attackers have reduced their exploitation time to hours or days. CISA issued Binding Operational Directive 26-04, which tells federal agencies to prioritize patching based on four factors (public exposure, known exploitation, automatable attacks, and post-exploitation impact) rather than just severity scores (CVSS, a 0-10 rating of how severe a vulnerability is), recognizing that AI is accelerating both vulnerability discovery and exploitation. Vulnerabilities meeting three or more of these risk factors must be patched within three days, while lower-risk ones can follow longer timelines.
Fix: CISA's Binding Operational Directive 26-04 introduces a decision framework considering four key factors: whether the vulnerable system is publicly exposed to the internet, whether the vulnerability is listed in the KEV (Known Exploited Vulnerabilities) catalog, whether an attacker can automate exploitation, and how much control an attacker would gain after exploitation. Vulnerabilities exhibiting three or more of these attributes must be patched within three days, while lower-risk vulnerabilities can be addressed on longer timelines or deferred until the next major system upgrade.
CSO Online