New tools, products, platforms, funding rounds, and company developments in AI security.
OpenAI released an improved GPT-5.5-Cyber model and updated Codex Security plugin (a tool for finding and fixing code problems) to help security defenders find and patch software vulnerabilities more quickly. The company is also launching Patch the Planet, a partnership with Trail of Bits to secure open-source projects, because AI models are now finding vulnerabilities faster than developers can fix them, shifting the bottleneck from discovery to patching.
Fix: OpenAI is providing the improved GPT-5.5-Cyber model to trusted defenders as part of the Daybreak initiative. The updated Codex Security plugin allows developers to run deep scans, generate reports with severity levels and affected code locations, generate codebase-specific patches for review, and facilitate patch generation at scale. The Patch the Planet initiative lets security engineers review and validate findings, work with projects to develop patches and tests, and help build reusable vulnerability discovery workflows.
The Hacker NewsOmio, a travel platform connecting millions of travelers with transportation options, is using conversational AI (AI that understands natural language questions from users) to let people book trips by simply describing where they want to go, rather than searching through websites. The company launched this capability through ChatGPT in 2023 by connecting OpenAI's language models directly to its real-time transportation data, and it is now using similar AI tools internally to help engineers and other employees work more efficiently.
GitHub has released actions/checkout v7 to block 'pwn request' attacks, which exploit the pull_request_target workflow trigger (a setting that lets workflows access secrets when processing pull requests from outside contributors) to run attacker code with full privileges. The new version automatically blocks and fails workflows when they try to fetch unreviewed fork pull request code, unless developers explicitly opt out. Starting July 16, this security fix will be backported to all supported versions, marking a shift toward 'secure by default' design where security is enforced by the system rather than left to developers.
This article describes successfully porting the Moebius image inpainting model (a small AI model that can remove objects from images and fill in the missing areas) to run in a web browser using WebGPU (a graphics technology that lets browsers use GPU acceleration). The author used Claude Code, an AI coding agent, to help convert the model from Python and NVIDIA CUDA (specialized GPU software for training AI) into a web-compatible format using ONNX Runtime Web.
A cybersecurity company published details of a vulnerability called "usbliter8" in older Apple chips (A12 and A13) that could help hackers unlock iPhones from 2018-2019, like the XS, XR, and iPhone 11. The flaw exists in the Boot ROM (the first code that runs when an iPhone starts up), which cannot be updated because it's permanently burned into the chip. While the vulnerability requires physical access to the phone, it represents a significant security risk because hackers could use it alongside other exploits to jailbreak (gain unauthorized access to and remove restrictions from) older iPhones.
Microsoft fixed a vulnerability chain called AutoJack in AutoGen Studio, a graphical tool for building multi-agent AI systems (where multiple AI programs work together). The flaw let attackers trick an AI agent into running arbitrary commands (unrestricted code) on the host system just by having a developer visit a malicious webpage. The vulnerability was caught before any official release, so only developers building directly from GitHub source code during a brief window were affected.
Check Point, a security company serving over 100,000 customers, has partnered with OpenAI to integrate advanced AI models into its cybersecurity products through OpenAI's Daybreak Cyber Partner Program. This integration aims to improve threat prevention, speed up incident response (remediation, the process of fixing security issues), and strengthen security operations for their customers.
Researchers discovered four vulnerabilities in Dify, an open-source platform for building AI workflows, that could let attackers read private AI conversations from other customers without logging in. These flaws, called DifyTap, exploited missing permission checks to expose chat messages across different customer accounts (called cross-tenant impact, where one customer's data leaks to another) and allowed unauthorized access to uploaded files and internal system APIs.
SpaceX has signed a deal with Reflection AI, an open-source AI startup, to provide access to high-end Nvidia chips (specialized processors used for training AI models) for computing power. Reflection will pay SpaceX $150 million per month starting in 2026 through 2029, totaling about $6.3 billion, as SpaceX monetizes its Colossus data center infrastructure that was originally built to power Grok, Musk's AI chatbot.
Squidbleed is a memory leak vulnerability (a flaw where a program accidentally exposes data stored in computer memory) in Squid Proxy, a widely used caching tool that has existed since 1997. An attacker controlling an FTP server could trick Squid into reading beyond its allocated memory space and expose HTTP request data from other users on the same proxy, potentially revealing passwords and authentication tokens, especially in shared network environments like schools or offices. The vulnerability primarily affects unencrypted HTTP traffic and poses the biggest risk where multiple users share a single Squid instance.
Organizations are rapidly deploying AI agents (software systems that can perform tasks automatically) without securing the legacy infrastructure they depend on, creating a major security gap. Attackers can bypass AI-specific security measures by exploiting old vulnerabilities in underlying systems like unpatched servers, misconfigured permissions (Active Directory access controls), and cached credentials (stored login information), giving them access to the data and resources the AI agents use. The article demonstrates how this happens through a real attack example involving an S3 bucket (cloud storage), Lambda functions (serverless computing services), and overly broad access permissions.
Tencent, a major Chinese tech company, is testing an AI assistant called Xiaowei within WeChat (a messaging app with over 1.4 billion users), allowing users to interact via text or voice and access mini-programs (small apps that run inside WeChat). This move is part of Tencent's effort to compete with other AI companies in China's competitive market, though the company has not disclosed details about Xiaowei's capabilities or which AI models it uses.
Five Eyes cybersecurity agencies (US, UK, Canada, Australia, New Zealand) warn that threat actors are increasingly using AI to bypass security defenses, with capabilities advancing in months rather than years, so organizations must urgently update their cyber risk strategies. They recommend that business leaders treat cybersecurity as core business risk, get security fundamentals right, use AI deliberately to strengthen defenses, and take practical actions like reducing attack surface, accelerating security patches, and preparing breach response plans. However, some experts criticize the guidance as too generic and lacking specific advice on AI-related risks.
Researchers discovered that AI models struggle to distinguish between their own internal instructions (wrapped in tags like <system> and <think>) and untrusted user input (wrapped in <user> tags), a problem called role confusion. The models pay more attention to the writing style of text than its actual meaning, allowing attackers to craft jailbreaks (unauthorized bypasses of safety rules) by mimicking the style of internal thinking blocks. However, rewriting malicious text in a different style (called 'destyling') significantly reduced attack success rates from 61% to 10%, showing that format changes can help models better distinguish between trusted and untrusted content.
Fix: The source explicitly mentions 'destyling' as having material impact: 'destyling causes average attack success in our dataset to plunge from 61% to 10%.' Destyling is described as 'rewriting text in a slightly different way such that it looked less like the expected format in a role tag.' However, the source does not present this as an implemented solution or official mitigation—only as a research finding about what reduces attack effectiveness. No deployed fix, patch, or official defense mechanism is described in the text.
Simon Willison's WeblogFix: Update to actions/checkout v7, which "now automatically blocks and fails workflows when used inside pull_request_target or workflow_run events when attempting to fetch unreviewed fork pull request code." Workflows using floating major version tags (e.g., actions/checkout@v4) will automatically receive the fix on July 16. Workflows pinned to specific SHA, minor, or patch versions must upgrade manually using Dependabot or established upgrade processes. Developers who need the old behavior can add an explicit "allow-unsafe-pr-checkout" flag to actions/checkout.
CSO OnlineFix: According to Paradigm Shift, "migrating to newer hardware remains the most effective mitigation" because the Boot ROM flaw cannot be patched due to being immutable code burned into the chip.
TechCrunch (Security)Anthropic updated its privacy policy to allow Claude users to appeal account flags by uploading government-issued ID documents and biometric data (facial scans and face geometry templates, which are digital measurements of facial features). The policy applies only to a small subset of users whose accounts are flagged for fraud rather than immediately banned, and Anthropic says it uses this verification to comply with various legal requirements and security measures.
The US government placed export controls on Anthropic's AI model Fable, claiming it posed a national security threat because it was very good at writing code. The incident has sparked concerns about unintended consequences: companies may switch to cheaper Chinese open-source AI models with fewer safety guardrails, the cybersecurity community fears losing access to Anthropic's models for defensive research, and lawmakers may introduce new regulations around AI development and military use.
Fix: Microsoft states that the issue was 'identified and remediated before any PyPI release, so the affected code never shipped in a published package.' Users installing from the Python Package Index received the patched version (autogenstudio 0.4.2.2), which does not contain the AutoJack weaknesses. Microsoft also recommends deploying AutoGen Studio 'strictly as a developer prototype in an isolated environment' not exposed to the internet, and advises running it 'under a low-privilege account in a sandboxed user profile or container' to contain any future agent-driven RCE (remote code execution, where attackers run commands on a system they don't own).
BleepingComputerOpenAI launched "Patch the Planet," a program partnering with security firms Trail of Bits, HackerOne, and Calif to provide free security consulting to open-source software maintainers. The initiative helps developers find and patch vulnerabilities (security weaknesses in code), strengthen their code bases, and incorporate AI security tools, addressing the problem that AI-powered bug-hunting tools have overwhelmed maintainers with large numbers of vulnerability reports they struggle to prioritize.
Fix: OpenAI is providing free security consulting services through Patch the Planet to help open-source maintainers find and patch vulnerabilities, strengthen code bases, and incorporate AI security tools into their development process. The company is also subsidizing Codex Security scanner usage (an AI tool that finds bugs in code) for open-source and private code projects, and Trail of Bits has committed long-term resources funded by OpenAI to work on large-scale open-source security issues by tailoring support to each project's specific priorities.
Wired (Security)Patch the Planet is an initiative where Trail of Bits engineers partnered with OpenAI to use advanced AI models (like GPT-5.5-Cyber, a frontier model trained on security tasks) to find and fix bugs in critical open-source projects. In the first week, the team discovered hundreds of bugs, submitted 64 pull requests, and filed 51 issues across 19 major projects like Python, Go, and RustCrypto, with 37 patches already merged into the projects' code.
AWS Continuum is a new security service designed to help enterprises automatically discover, investigate, and fix vulnerabilities in code created by AI coding agents (software tools that write code with minimal human input). Instead of requiring developers and security teams to manually review every security finding, Continuum can analyze code, determine if vulnerabilities are actually exploitable, suggest fixes, and even autonomously fix issues in "enforce mode" once it understands an organization's security requirements.
Fix: AWS Continuum provides several built-in capabilities for addressing vulnerabilities: it can generate remediation recommendations and propose fixes for review through existing development workflows, and users can enable "enforce mode" to autonomously fix code lapses once the service has learned their environment and guardrails. The service also includes threat modeling to automatically generate threat models from source code or design documents in STRIDE format (a security framework for identifying threats).
CSO OnlineFix: All vulnerabilities except CVE-2026-41948 have been addressed in version 1.14.2, which was released last month. A fix for the remaining path traversal vulnerability (CVE-2026-41948) is expected to be made available in the next release of Dify.
The Hacker NewsFix: A patch was merged into Squid version 8 in April 2026 and shipped in version 7.6 in June 2026. The risk can also be mitigated by disabling FTP support entirely if it is not needed.
SecurityWeekIntelligence agencies from five countries (Australia, US, UK, New Zealand, and Canada) issued a joint warning that extremely powerful AI models capable of causing severe damage to governments and businesses could arrive within months, urging world leaders to take immediate action. The warning came after the Trump administration blocked foreign nationals from accessing Anthropic's Fable AI model, a highly anticipated AI system.