Security | The Verge

Severe Linux Copy Fail security flaw uncovered using AI scanning help

2026-05-01T12:55:16-04:00

Nearly every Linux distribution released since 2017 is currently vulnerable to a security bug called "Copy Fail" that allows any user to give themselves administrator privileges. The exploit, publicly disclosed as CVE-2026-31431 on Wednesday, uses a Python script that works across all of the vulnerable Linux distributions, requiring "no per-distro offsets, no version checks, no recompilation," according to Theori, the security firm that uncovered it.

Ars Technica points out this blog post where DevOps engineer Jorijn Schrijvershof explains that what makes Copy Fail "unusually nasty" is the likelihood for it to go unnoticed by monitoring t …

Read the full story at The Verge.

GitHub rushed to fix a critical vulnerability in less than six hours

2026-04-29T06:15:23-04:00

GitHub employees fixed a critical remote code execution vulnerability in less than six hours last month. Wiz Research used AI models to uncover a vulnerability in GitHub's internal git infrastructure that could have allowed attackers to access millions of public and private code repositories.

"Our security team immediately began validating the bug bounty report. Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity," explains Alexis Wales, GitHub chief information security officer. "This was a critical issue that required immediate action."

GitHub's engineering team developed a fix and deployed it jus …

Read the full story at The Verge.

Attack of the killer script kiddies

2026-04-28T08:29:07-04:00

Last August, some of the best cybersecurity teams in the business gathered in Las Vegas to demonstrate the strength of their AI bug-finding systems at DARPA's Artificial Intelligence Cyber Challenge (AIxCC). The tools had scanned 54 million lines of actual software code that DARPA had injected with artificial flaws. The teams were capable enough to identify most of the artificial bugs, but their automated tools went beyond that - they found more than a dozen bugs that DARPA hadn't inserted at all.

Even before the security earthquake that Anthropic delivered this month with Claude Mythos - the new AI model that seems to find vulnerabilities …

Read the full story at The Verge.

Anthropic’s Mythos breach was humiliating

2026-04-23T14:24:56-04:00

Anthropic's tightly controlled rollout of Claude Mythos has taken an awkward turn. After spending weeks insisting the AI model is so capable at cybersecurity that it is too dangerous to release publicly, it appears the model fell into the wrong hands anyway.

According to Bloomberg, a "small group of unauthorized users" has had access to Mythos - whose existence was first revealed in a leak - since the day Anthropic announced plans to offer it to a select group of companies for testing. Anthropic says it is investigating. That's a rough look for a company that has built its brand on taking AI safety seriously while touting the cybersecurity …

Read the full story at The Verge.

Anthropic’s Mythos rollout has missed America’s cybersecurity agency

2026-04-22T13:12:21-04:00

Several US federal agencies are taking up Anthropic's new cybersecurity model to find vulnerabilities, but one is reportedly not getting in on the action: the nation's central cybersecurity coordinator.

On Tuesday, Axios reported that the Cybersecurity and Infrastructure Security Agency (CISA) didn't have access to Mythos Preview, which Anthropic has touted as a powerful tool for finding and patching security vulnerabilities. Meanwhile, other agencies like Commerce Department and National Security Agency (NSA) are reportedly using the model, and President Donald Trump's administration has been negotiating broader access, Axios wrote last w …

Read the full story at The Verge.

Anthropic’s most dangerous AI model just fell into the wrong hands

2026-04-22T05:30:13-04:00

Anthropic's Mythos AI model, a powerful cybersecurity tool that the company said could be dangerous in the wrong hands, has been accessed by a "small group of unauthorized users," Bloomberg reports. An unnamed member of the group, identified only as "a third-party contractor for Anthropic," told the publication that members of a private online forum got into Mythos via a mix of tactics, utilizing the contractor's access and "commonly used internet sleuthing tools."

The Claude Mythos Preview is a new general-purpose model that's capable of identifying and exploiting vulnerabilities "in every major operating system and every major web browser …

Read the full story at The Verge.

Cloud development platform Vercel was hacked

2026-04-20T05:41:50-04:00

Vercel, a major development platform that hosts and deploys web apps, was compromised, and the hackers are attempting to sell stolen data. A person claiming to be a member of ShinyHunters, which was behind the recent hack of Rockstar Games, posted some data online, including employee names, email addresses, and activity time stamps. Vercel confirmed in a post on X that a "security incident" had occurred, and that it impacted a "limited subset" of its customers. Vercel said that a compromised third-party AI tool was the avenue for attack, though it did not specify which third party was involved.

We've identified a security incident that inv …

Read the full story at The Verge.

Rockstar Games says hack will have ‘no impact’

2026-04-12T13:02:24-04:00

Rockstar confirmed on Saturday that some of its data was compromised in a breach of a third-party provider. The group ShinyHunters claimed responsibility, saying it had gained access to the company's Snowflake instances (a cloud-hosting provider popular with enterprise customers) via Anodot, a cost-monitoring and analytics service. The group is demanding a ransom by April 14th, or it will leak the data it has stolen.

In a statement provided to Kotaku, the company said that the compromised data was limited in scope and "this incident has no impact on our organization or our players."

It's unclear exactly which data was compromised, but it …

Read the full story at The Verge.

PSA: Anyone with a link can view your Granola notes by default

2026-04-03T10:48:59-04:00

If you use the AI-powered note-taking app Granola, you might want to double-check your privacy settings. Though Granola says your notes are "private by default," it makes them viewable to anyone with a link, and also uses them for internal AI training unless you opt out.

Granola describes itself as an "AI notepad for people in back-to-back meetings." It integrates with your calendar to capture audio from your meetings, and then uses AI to generate a bulleted list of what you've heard, which it calls a "note." You can edit the AI-generated notes, invite other collaborators to view them, and use Granola's AI assistant to ask questions about y …

Read the full story at The Verge.

Claude Code leak exposes a Tamagotchi-style ‘pet’ and an always-on agent

2026-03-31T18:24:19-04:00

After Anthropic released Claude Code's 2.1.88 update, users quickly discovered that it contained a package with a source map file containing its TypeScript codebase, with one person on X calling attention to the leak and posting a file containing the code. The leaked data reportedly contains more than 512,000 lines of code and provides a look into the inner workings of the AI-powered coding tool, as reported earlier by Ars Technica and VentureBeat.

Users who have dug into the code claim to have uncovered upcoming features, Anthropic's instructions for the AI bot, and insight into its "memory" architecture. Some things spotted by users inclu …

Read the full story at The Verge.