As researchers and Experts debate the impact new forms of AI will have on cyber security, Mozilla said Tuesday using early access to Anthropic’s Mythos Brief finding and fixing 271 vulnerabilities in its new version of the Firefox browser 150. Meanwhile, researchers discovered a group of moderately successful North Korean hackers using AI for everything from coding malware to creating fake company websites—stealing up to $12 million in three months.
Researchers finally broke the disturbance malware known as Fast16 that predates Stuxnet and may have been used to target Iran’s nuclear program. It was created in 2005 and was likely sent by the United States or an ally.
Meta is being sued by the Consumer Federation of Americanon-profit organization, over fraudulent ads on Facebook and Instagram and allegedly misleading users about the company’s efforts to combat them. A US surveillance program that allows the FBI to look at Americans’ communications without a warrant is up for renewal, but lawmakers are deadlocked on the next steps. A the new bill aims to address raise the arguments of parliamentarians, but they are baseless.
And if you’re looking for a deep dive, WIRED investigated the years-long feud behind the popular GrapheneOS mobile privacy and security system. Additionally we looked at the amazing story of how China spied on American athlete Alysa Liu and his father.
And there is more. Every week, we round up security and privacy news that we didn’t cover in depth ourselves. Click on the headlines to read the full story. And stay safe out there.
Anthropic Story Preview The AI model has been described as a tool with a dangerous ability to find security vulnerabilities in software and networks, so powerful that its creator has carefully prevented its release. But one group of geniuses on Discord found their way, relatively easy—no AI hacking required—to gain unauthorized access to the coveted digital prize: the Mythos itself.
Despite Anthropic’s efforts to control who can use Mythos Preview, a group of Discord users gained access to the tool through direct spy work: They examined data from Mercor’s latest breachAI training that works with software developers, and “making educated guesses about the model’s online location based on knowledge about the design Anthropic has applied to other models”—words that many observers have speculated refer to a web URL—according to Bloomberg, which broke the story.
The man also reportedly took advantage of the permissions he had to access other Anthropic structures, thanks to their work for Anthropic’s contracting company. As a result of their investigation, however, they allegedly gained access to not only the Mythos but other unreleased examples of Anthropic AI, as well. Fortunately, according to Bloomberg, the group that accessed Mythos has only used it so far to create a simple site—a decision designed to prevent its discovery by Anthropic—instead of manipulating the planet.
Security researchers have long warned that telecommunications protocols known as Signaling System 7, or SS7, which control how mobile networks connect to voice and text channels, are vulnerable to abuse that could allow covert surveillance. This week researchers at the digital rights advocacy organization Citizen Lab revealed that at least two for-profit surveillance vendors have used that vulnerability—or a similar one in the next generation of telecommunications protocols—to spy on real victims. Citizen Lab found that the two investigative companies essentially acted as rogue phone carriers, using access to three small telecommunications companies—Israeli carrier 019Mobile, British cell provider Tango Mobile, and Airtel Jersey, based on the English Channel island of Jersey—to track the location of the target’s phones. Citizen Lab researchers say that “high profile” people were tracked by the two surveillance companies, although it declined to name the companies or their targets. The researchers warn, too, that the two companies they discovered abusing the protocols may not be alone, and that the vulnerability of international telecommunications protocols remains a real vector for wiretapping around the world.
In a sign of increased—if delayed—US law enforcement’s crackdown on the criminal industry continues. scam compounds fueled by human trafficking across Southeast Asia, the Justice Department this week announced charges against two Chinese men for allegedly helping to run a scam site in Myanmar and seeking to open a second camp in Cambodia. Jiang Wen Jie and Huang Xingshan were both arrested in Thailand earlier this year on immigration charges, according to prosecutors, and now face charges for allegedly running a massive fraud operation that lured human trafficking victims to their compound with fake job offers and then forced them to swindle the victims, including Americans, out of millions of dollars in cryptocurrency investment scams. The DOJ says it also “frozen” $700 million of the operation—essentially freezing the money in preparation for the seizure—and also seized a channel on the messaging app Telegram that prosecutors say was used to bait and enslave trafficking victims. The Justice Department’s statement alleges that Huang personally participated in the physical punishment of workers at one facility, and that Jiang at one point oversaw the theft of $3 million from one American scam victim.
Three scientific research institutes have been found selling the health information of British citizens to Alibaba, the UK government and the UK non-profit organization Biobank. revealed this week. Over the past two decades, more than 500,000 people have shared their health data—including medical images, genetic information, and health care records—with the UK Biobank, which allows scientists around the world to access the information to conduct medical research. However, the charity said the data leak involved a “breach of a contract” signed by three organisations, and one of the databases sold is believed to include data on all half a million research subjects. It did not specify the exact types of data that were listed for sale but said it had suspended the Biobank accounts of those allegedly selling the information. Data ads have also been removed.
Earlier this month, 404 Media reported that the FBI was able to obtain copies of Waves messages from the defendant’s iPhone as the content of those messages, which were encrypted within the Signal, were stored in the iOS app’s notification database. In this instance, copies of the messages were still found even though Signal had been removed from the phone—although the issue affected all apps that send push notifications.
This week, in response to the issue, Apple released a security update for iOS and iPadOS to fix the flaw. “Notifications marked for deletion may be unexpectedly stored on the device,” Apple’s security update for iOS 26.4.2 he says. “The logging issue was addressed with better data normalization.”
Although the issue is resolved, it is still worth changing what appears in notifications on your device. For Signals you can open the program, go to Settings, Notificationand toggle the notification to display Name Only or No Title or Content. It’s another reminder that while apps like Signal are end-to-end encrypted, this applies to content as it moves between devices: If someone can access and unlock your own phone, they likely have access to everything on your device.
