Tech news related to free and open source software

Anthropic Announces Zero-Day Exploit Writing LLM

Anthropic has released a blog post stating that they have been using their new Mythos LLM for cybersecurity purposes, and have found that it is good at writing zero-day exploits.

According to Anthropic, the model was not designed with this capability, but the company has discovered that it is much better at this task than their other frontier models. The company states that they have disclosed many bugs in prominent open source operating systems and other software, but can only disclose about 1% of what they have found. An example in their blog post includes a 27-year-old bug in OpenBSD. The company has founded Project Glasswing to work with the industry on this problem, and has indicated that Mythos is not available to the general public.

AI Finds 575+ Bugs in Python

Daniel Diniz has posted that he used a Claude Code plugin that has found, so far, over 575 confirmed bugs in Python C extensions.

Unlike the AI slop PRs infesting many open source project issue trackers, Daniel appears to have used AI with a custom test harness that appears to have found issues more often than not.

Daniel also approached each maintainer with bug reports tailored to their specific project needs and style, demonstrating how AI can be used to correctly report bugs.

Brazil Requires Age Verification But Forbids Collection Of Personal Data in 12 Days

On the heels of the sudden realization that stupid and obnoxious age verification laws have been passed in both California and Colorado, it has now come to light that Brazil passed an age verification law on 17 September last year. The law goes into enforcement 180 days after passage – 16 March 2026 or 12 days as of this writing.

The law intends to be a comprehensive protection for minors with online and computer services but includes operating systems. Even further, the law prohibits the use of “personal data” of a minor, of which a minor’s age is considered personal data.

It seems the tech community is just now coming to grips with these stupid laws as many were unaware of them. As reported earlier, some open source operating systems have altered their licenses to forbid their use in California. Others have suggested specific “spins” only for age-verification regions.

MidnightBSD Forbids Use by Californians

Responding to the new California Law, AB1043, which threatens developers of Open Source operating systems with fines if they do not implement an age verification mechanism, MidnightBSD has modified their license to exclude use by Californians starting Jan 1, 2027.

While California is the first state to enact age-verification mandates at the OS-level, Colorado recently passed a similar law.

OpenClaw Wipes the Inbox of Meta AI Director

Summer Yue, Director of Alignment for Meta’s Super Intelligence Lab, had her email inbox wiped, Hillary Clinton style, by OpenClaw. Lacking any intelligence of her own, she asked OpenClaw to flag any emails that should be deleted but to ask for permission before deleting them. However, OpenClaw decided to operate on the “it is better to get forgiveness than permission” plan.

Democrats Infringe on Open Source, Legislate Spyware

Adafruit, the maker-focused electronics design house and manufacturer based in New York, keeps finding that it needs to defend open source from busy-body politicians. Last month, the outwardly non-political, tech-focused company spoke out against New York Mayor Mamdani’s misinformed actions against Raspberry Pis.

Now Adafruit is speaking out against proposed legislation in Democratically-controlled Colorado that would require Linux and other open source operating systems to implement unsound age-verification practices. The Electronic Frontier Foundation maintains a website on the perils of age-verification technology.

Adafruit’s blog post also points out other recent challenges to makers and 3D printing, highlighting legislation in the Democratically-controlled states of New York and California that would limit 3D printers from printing parts that are somehow deemed usable in firearms. Adafruit is correct in asserting that such laws do not work, infringe on other uses of 3D printing technology, and drive up the costs and legal risks for maker-focused manufacturers and hobbyists.

Hundreds of Malicious OpenClaw Skills Discovered

OpenClaw is a self-hosted personal AI assistant that is all the rage lately. However, its centralized skills repository, ClawHub, has been found to have 314 malicious AI skills to be used in malware campaigns and other compromises.

Indications are that the malicious AI skills uploaded to ClawHub are not just one-off attacks but are a “systemic threat” to OpenClaw and ClawHub.

These AI skills appear to be legitimate agents, but are intended to exfiltrate data, install backdoors, and execute other compromises.

As predicted, OpenClaw is an opsec nightmare.

237 Repos Hit with AI Hallucinated NPM Vulnerability

Charlie Eriksen of Aikido Security discovered an npx command that was hallucinated by Artificial Intelligence and found its way into 237 GitHub repositories.

The command, “npx react-codeshift”, has never existed, yet it replicated in so many code bases due to AI hallucinations.

The package for the command did not exist, so Charlie claimed the package before a bad actor could, thus preventing what could have been a very damaging exploit.

This incident highlights the need for humans to double check the output of AI.

ISP Goes Bankrupt Because Rats Keep Chewing Through Their Fiber

UK internet service provider G.Network has gone bankrupt in part because rats keep chewing through their fiber optic cables made with biodegradable sheathing composed of soy and corn substances.

FitzWalter Capital, the private equity firm who owns G.Network, was attempting to unload the business on Community Fibre. However, Community Fibre backed out of the deal upon learning of G.Network’s underground rodent snacks.

Microsoft Hijacks Example.com

For six years, Microsoft has been rerouting example.com to a company in Japan according to tinyapps.org and first reported on 1 January. Assessment of the damage is unknown, but configurations of email services that used example.com were being incorrectly set to the services of Sumitomo Electric at sei.co.jp. According to ArsTechnica, it appears any credentials used with this configuration were sent to Sumitomo Electric.

According to the ArsTechnica article, it does appear Microsoft is now aware of the problem and has taken steps to correct the issue.

Lingering Vulnerability In Telnetd Found

A recently discovered vulnerability in the GNU InetUtils telnetd server has just been revealed. The bug allows a user to obtain root access by passing in a simple environment variable.

Though recently revealed, the bug has been in the code since 2015.

“Do not run a telnetd server at all,” advises Simon Josefsson, one of the patch submitters.

New Raspberry Pi AI HAT +2

The Raspberry Pi has introduced the new AI HAT +2, an AI co-processor and add-on board, featuring the Hailo-10H neural network accelerator and 8GB of dedicated on-board RAM. With this new AI board, generative AI workloads may be off-loaded from the main CPU onto the Hailo-10H.

The product is available now for $130.

Italy Moves to Censor DNS

The Italian government has fined Cloudflare 14 million Euros for defying its order to censor Cloudflare’s public DNS resolver, 1.1.1.1.

Cloudflare is appealing the fine, but is also considering abandoning all points of presence in Italy, including the withdrawal of millions of dollars of free cybersecurity services to the Olympics being hosted in Italy next month.

Anthropic Bans OpenCode

Anthropic has implemented new restrictions to prevent the use of their AI models with third-party applications, which means OpenCode – the popular open source coding agent and widely considered to be the most popular third-party AI coding tool.

Controversial developer David Heinemeier Hansson has called the move “Vintage Microsoft evil shit”, noting it is a “Terrible policy for a company built on training models on our code, our writing, our everything.”

The End of 2025 is the End of HP-UX

As of the end of 2025, Hewlett Packard Enterprise (HPE) will no longer support their proprietary Unix, HP-UX.

According to Stromasys:

It was the pioneering Unix operating system that introduced access-control lists for file access permissions. It provides an alternative to the traditional Unix permission system. Additionally, HP-UX OS was one of the early Unix systems to integrate a built-in logical volume manager.

Qualcomm Buys RISC-V Chip Designer

Qualcomm has purchased Ventana, a RISC-V chip design firm aimed at the datacenter-class processor market.

Ventana holds 48 patents on processor designs, leading to speculation that Qualcomm is interested in IPR defense as they strengthen their datacenter-class products.

Given Qualcomm’s ongoing legal battle with Arm Limited, this may also signal the company’s pivot away from an unencumbered CPU architecture.

System76 Ships the COSMIC Desktop

System76 has signaled that the COSMIC Desktop has now reached its first stable version, dubbed the COSMIC Desktop Environment Epoch 1, with its inclusion in Pop!_OS 24.04 LTS.

System76 notes that development of the COSMIC Desktop was funded entirely through sales of System76 hardware.

COSMIC is also written in #Rust, giving certain reactionary segments of the tech community another reason to shake their fists at the sky.

GrapheneOS Exiled From France

The GrapheneOS project has announced that they have moved all their server infrastructure (e.g. Mastodon, Matrix) out of France for fear of government prosecution, and that developers for the project should no longer travel to France to avoid arrest. This comes as a reaction to the French interpretation of the European Union Chat Control

#grapheneos #france

Massive NPM Worm Attack

GitLab has discovered an NPM worm that is impacting a massive number of Git repositories and npm projects, exfiltrating sensitive data such as cloud API keys and other security credentials.

According to Wiz, the scope of the attack is massive:

  • 27% of code and cloud environments
  • 700 npm packages
  • 25,000 git repositories
  • 500 GitHub users
  • 775 compromised GitHub access tokens
  • 373 AWS credentials
  • 300 GCP credentials
  • 115 Azure credentials

#npm #javascript #git

BentoPDF

The release notes for BentoPDF v1.7.4 contain trojan horse API keys to the OpenAI, Anthropic, and Gemini platforms that link to a RickRoll.
