AI watch: Washington, Beijing, and Brussels shape AI's future
Spain arrests man suspected of CyberArmy of Russia membership, Predator spyware victims seek €1m each in Greek lawsuit, CISA incident reporting rule expected in Sept., Ransomware exposed student and employee data at Mount Royal University, Accenture confirms breach, much more

Metacurity is the cybersecurity industry's daily reality check—independent, agenda-free coverage that cuts through vendor hype, social media noise, and recycled talking points to explain what matters and why.
Trusted by thousands of cybersecurity professionals, including many of the industry's most influential security leaders, Metacurity delivers the context, analysis, and perspective that busy readers don't have time to assemble themselves.
If you find value in that work, please consider becoming a paid subscriber. Metacurity remains independent because its readers choose to support it.
If there is one common theme in yesterday's AI news relevant to the infosec community, it's that governments are moving from debating AI governance in the abstract to actively intervening in how advanced models are released, accessed, tested, and deployed. At the same time, the AI industry itself is evolving from a research race into a large-scale economic and geopolitical contest involving infrastructure, employment, and national security.
The clearest example came from OpenAI, which announced that GPT-5.6—its flagship "Sol" model, along with lower-tier Terra and Luna models—will become broadly available on Thursday after receiving approval from the Trump administration. The move follows a month-long period in which access was limited to government-approved entities while Commerce Department officials evaluated the model. According to Axios, OpenAI conducted additional testing with the Department of Commerce's Center for AI Standards and Innovation and maintained technical personnel in Washington to address government concerns.
The episode underscores a significant shift in AI governance. Rather than relying on established regulatory frameworks, federal officials are effectively negotiating access to frontier AI systems on a case-by-case basis. OpenAI itself has noted that these decisions are occurring before the release standards envisioned in President Trump's AI executive order have been finalized. The GPT-5.6 approval follows a similar pattern seen with Anthropic, whose Mythos and Fable models recently faced government-imposed restrictions.
A national-security dimension also appeared overseas, where China escalated its conflict with Anthropic. Chinese authorities announced that they had identified what they described as "security backdoor vulnerabilities" in several versions of Claude Code, alleging that the software transmitted user information to remote servers without consent. Anthropic has not yet responded publicly, but the allegations stem from an earlier controversy involving code designed to detect unauthorized access from China.
The dispute reflects a broader technological decoupling that has been building for months. Anthropic has accused Chinese AI labs of model distillation, while simultaneously restricting access to Claude in China on national-security grounds. Chinese firms, meanwhile, continue seeking ways to use leading US models despite those restrictions. What might once have been viewed as a software security controversy is now unfolding in the context of a larger geopolitical struggle over access to advanced AI capabilities. This incident highlights how AI platforms are becoming part of the same trust, supply-chain, and sovereignty debates that have long surrounded telecommunications and cloud infrastructure.
Europe is pursuing a different path. The European Commission unveiled an Action Plan on Cybersecurity and Artificial Intelligence that seeks to integrate AI more deeply into cybersecurity operations while simultaneously strengthening oversight of advanced models. The plan calls for enhanced model evaluations, secure testing environments for critical infrastructure operators, and greater use of AI to identify vulnerabilities and improve defensive capabilities. It also proposes an EU Grand Challenge focused on AI-powered cybersecurity innovation.
The contrast with Washington is notable. While the United States is currently managing frontier-model releases through ad hoc negotiations with individual companies, Brussels is moving toward a more structured framework that combines AI regulation, cybersecurity requirements, and industrial policy. Both approaches reflect growing recognition that AI is no longer merely a technology issue but a core component of national resilience.
The commercial side of the industry is evolving just as rapidly. Anthropic announced plans to lease an entire 16-story office building in Manhattan and double its New York workforce to 1,000 employees this year. The expansion comes amid a broader hiring surge by major AI firms and signals how quickly AI has moved from a Silicon Valley phenomenon into a mainstream economic force. New York is increasingly positioning itself as a center for AI adoption across finance, healthcare, legal services, consulting, and media.
The timing is particularly interesting given ongoing concerns about AI-driven job displacement. While policymakers debate automation risks, the industry's largest firms continue adding employees, opening offices, and investing heavily in infrastructure. Anthropic's expansion follows OpenAI's own New York growth and reinforces the idea that the next phase of AI competition may revolve less around model development and more around enterprise adoption.
Inside OpenAI, however, the organizational evolution remains turbulent. WIRED reported that Chief Futurist Joshua Achiam is leaving after nearly nine years with the company. Achiam was one of OpenAI's most prominent safety-focused leaders and previously led efforts to uphold the company's nonprofit mission. His departure adds to a growing list of exits by researchers and policy specialists associated with AI safety and governance.
The move is notable because OpenAI has increasingly merged its policy, safety, and research functions as it prepares for a future public offering and deeper engagement with governments. While Achiam characterized his departure as a personal decision rather than a protest, the continued turnover among safety-focused leaders highlights ongoing tensions between rapid commercialization and long-term governance concerns.
Finally, one of the more important industry analyses of the day came from Decagon CEO Jesse Zhang, who challenged the common assumption that open-source AI models are undermining frontier AI companies. He argues that frontier models and open-source models are increasingly serving different roles. Expensive state-of-the-art models are used to discover and validate new applications, while cheaper open-source alternatives take over once those use cases mature.
Usage data appears to support that view. Open-source models from DeepSeek and others are processing enormous volumes of tokens, yet companies such as Anthropic continue capturing a disproportionate share of overall spending because premium models command much higher prices. Rather than replacing frontier AI, open-source systems may be creating a two-tier market in which organizations experiment with the most capable models and then transition mature workloads to lower-cost alternatives. (Ashley Gold, Ina Fried / Axios, Raffaele Huang / Wall Street Journal, European Commission, Emma G. Fitzsimmons and Steve Lohr / New York Times, Maxwell Zeff / Wired, Russell Brandom / TechCrunch)
Related: CNBC, Reuters, CNBC, Engadget, Bloomberg, Digital Trends, The Decoder, The Information, Business Standard, Digital Shield, Daily Sabah, Neowin, Implicator.ai, Digit, Reuters, RuntimeWire, Cyber Security News, Blockchain.News, Tech in Asia, Hacker News, r/wallstreetbets, r/OpenAI, r/singularity
Spain's National Police arrested a man who is suspected of being an active member of the CyberArmy of Russia Reborn (CARR) and Z-Pentest, both pro-Russian hacktivist groups.
Although hacktivism typically refers to cyberattacks intended to promote a political or ideological message rather than cause widespread damage, the two groups have been linked to multiple attacks targeting critical infrastructure in the US and Europe.
A recent indictment of another alleged CARR member, Victoria Eduardovna Dubranova, revealed that the hacking group carried out cyberattacks against water and food-processing facilities, creating real safety risks for people in the US.
The US government previously sanctioned two more alleged members of the group, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, who were linked to attacks against the SCADA systems of an American energy firm.
CARR has also been loosely linked to the Russian state-backed threat group APT44, aka “Sandworm,” which is known for masking its activities behind hacktivist collectives. (Bill Toulas / Bleeping Computer)
Related: Spanish National Police, CyberScoop, SC Media, BankInfoSecurity, The Register, Security Affairs, HackRead
Eight victims of a Greek wiretapping scandal have sued the Athens-based surveillance firm Intellexa SA, and individuals believed to be linked to it, seeking €1 million ($1.1 million) each for moral harm, their lawyer said.
The affair, dubbed "Predatorgate," emerged in 2022 after a financial journalist and a center-left political party leader said that they had been subject to state surveillance with the phone malware Predator, Intellexa's flagship spyware product.
The case led to the sacking of the head of the EYP state intelligence service and the prime minister's chief of staff. Traces of Predator were later found in dozens of phones. (Yannis Souliotis / Reuters)
Related: ekathimerini.com, Heise Online, Phile News, The Register
The Cybersecurity and Infrastructure Security Agency expects to finalize a bedrock cybersecurity incident reporting rule in September, requiring critical infrastructure providers to report major hacks directly to the cyberdefense agency, according to the US government's Unified Regulation Agenda.
The Cyber Incident Reporting for Critical Infrastructure Act requires critical infrastructure entities to report substantial incidents to CISA within 72 hours and ransomware payments within 24 hours.
CIRCIA’s underlying measure in Congress first passed in 2022, though the final rule has been delayed for some time. CISA published the first procedural notice for the rule in April 2024 and missed the statutory October 2025 final-rule deadline. Last month, the agency held additional stakeholder town halls to further discuss the directive after a now-resolved shutdown of the Department of Homeland Security in the spring delayed scheduling of those meetings. (David DiMolfetta / NextGov/FCW)
Related: RegInfo.gov, VitalLaw, Meritalk, SC Media, Federal News Network
A recent cyberattack that disrupted Calgary's Mount Royal University’s systems compromised employee and student information in a ransomware attack, the school confirmed.
In an update on its investigation, MRU said an unauthorized actor accessed and took folders on its “H drive,” then deleted the drive’s data. The school’s H drive is a file storage system used by employees and students.
"Our analysis indicates that this incident affected specific folders rather than the entire H drive,” MRU said in a statement.
“We will begin directly notifying employees and students whose H drive folders were compromised within the coming week."
MRU provides its H drive to support its staff's work and students' academics, which could contain personal information.
The actor also deleted MRU’s “J drive,” which contains corporate data about MRU staff, the school said. But they added it has not found evidence indicating the J drive’s data was accessed or copied before it was deleted. (Andrew Jeffrey / CBC News)
Related: The Cyber Express, Live Wire Calgary, Calgary City News, The Canadian Press, Global News, Calgary Herald, CTV News
IT services giant Accenture has confirmed it suffered a security breach after a threat actor claimed to have stolen 35 GB of source code and other data from the company.
"We are aware of this isolated matter, and we have remediated its source. There is no impact to Accenture operations and service delivery," Accenture said.
The statement comes after a threat actor known as "888" claimed to have stolen 35 GB of data from the company in July and began offering the data for sale on a cybercrime forum.
"Today I am selling the Accenture Data Breach, thanks for reading and enjoy!," reads the forum post. (Lawrence Abrams / Bleeping Computer)
Related: Cyber Press, Digital Shield, Cyber Security News, GBHackers

US Bankruptcy Judge Brian Walsh in St. Louis approved a $46.75 million settlement for victims of a 2023 data breach at the genetic testing company 23andMe, which exposed genetic and other personal information of an estimated 6.9 million customers.
Walsh said the settlement was fair and equitable, and in the best interest of a trust overseen by the company's bankruptcy administrator. (Jonathan Stempel / Reuters)
Related: CBS News Chicago, BBC News, The Star, Gizmodo
Researchers at artificial intelligence security company Noma Security disclosed a critical prompt injection vulnerability in GitHub Inc.’s new Agentic Workflows feature that allowed an unauthenticated attacker to siphon data from private code repositories by posting a single crafted issue in a public one.
Named GitLost, it targeted GitHub Agentic Workflows, a feature the Microsoft Corp.-owned company built to automate repository tasks with artificial intelligence. The workflows live in plain Markdown and compile down to GitHub Actions, its system for running jobs when something happens in a repository.
Behind them sits an AI agent that runs on either Anthropic PBC’s Claude or GitHub Copilot. It reads incoming issues and acts on them, and no human signs off first.
GitLost works through indirect prompt injection. An attacker buries hostile instructions in content the agent reads, and the model follows them as though they came from its operator. Pulling it off took no coding skill and no account on the target. The attacker opened an issue in a public repository owned by an organization that runs a vulnerable workflow, then waited. (Duncan Riley / Silicon Angle)
Related: Noma Security, The Register, HackRead

A critical vulnerability in Gitea – a self-hosted, open-source Git service that your developers may quietly be using – is being targeted in the wild.
The Gitea vulnerability, allocated CVE-2026-20896 (CVSS 9.8), was patched on June 17. Attacks came 13 days after the initial issue was released.
Initial probing has come via a ProtonVPN IP, 159.26.98[.]241
That’s according to Michael Clark, from cloud security firm Sysdig’s threat intelligence team. Clark suggests that there may be around 6,200 instances of Gitea indexed on Shodan that could be vulnerable to this issue.
Joshua Martinelle disclosed the bug with Tenable and security researcher Ali Mustafa. The vulnerability stems from the fact that the Gitea Docker images shipped a REVERSE_PROXY_TRUSTED_PROXIES = * default. (The Stack)
Related: Michael Clark on LinkedIn, Cyber Daily, Cybersecurity Agency of Singapore, Security Affairs
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to patch an actively exploited maximum-severity flaw in the Adobe ColdFusion commercial web app development platform by Friday.
The vulnerability (CVE-2026-48282) affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by remote threat actors without privileges in low-complexity attacks to gain code execution on unpatched systems.
Adobe released security updates one week ago to address the security flaw and urged admins to deploy patches immediately, saying that it posed a high risk of exploitation. (Sergiu Gatlan / Bleeping Computer)
Related: CISA, CyberPress, Security Affairs
Discord has acknowledged that a bug in its AI moderation system mistakenly banned more than 8,000 users over the past two months, after harmless images—including spreadsheets, chessboards, game textures, as well as white and gray transparent backgrounds—were incorrectly flagged as harmful content.
The company confirmed that the issue had been affecting accounts since May, with an additional 200 users banned over the weekend before its team identified and fixed the problem. All affected accounts are currently in the process of being restored. (Lauren Forristal / TechCrunch)
Related: r/bannedfromdiscord, Windows Central, Cyber Press, Engadget, Gizmodo, Crypto Briefing
Blank Rome is the latest US law firm to face a proposed class action for allegedly failing to protect clients’ sensitive personal information — including Social Security numbers — after hackers targeted the firm in a May data breach.
The lawsuit, filed Monday in Pennsylvania federal court, was brought by Laura Delapaz, a California resident who said in her complaint, opens new tab, that she was among 57,554 current, former and prospective Blank Rome clients whose personal information was compromised in a May 21 data breach.
Delapaz alleged the firm waited more than a month to disclose the breach to affected clients and that names, birth dates, addresses and taxpayer information numbers were among the compromised data.
Blank Rome said that it experienced a "limited incident" in which a "group that targets law firms" called one of its attorneys posing as the firm’s IT department and misled the lawyer into uploading files to an external file hosting website. (Karen Sloan and Mike Scarcella / Reuters)
Related: Above the Law, Bloomberg Law, Law Fuel, Philadelphia Inquirer, JD Journal, ABA Journal
A new attack that academic researchers have named HalluSquatting has the potential to assemble massive botnets, perform large-scale DDoSes, and infect devices at scale, a first for prompt-injection attacks.
The attack works against AI coding assistants and agents, including Cursor, Cursor CLI, Gemini CLI, Windsurf, GitHub Copilot, Cline, OpenClaw, ZeroClaw, and NanoClaw, which are all susceptible. In the normal course of performing day-to-day activities, these assistants and agents routinely pull code and other resources from repositories and registries.
Short for adversarial hallucination squatting, HalluSquatting is built on an LLM’s inherent tendency to hallucinate the resource identifiers hosted in repositories and registries. It works against coding agents and assistants, which commonly access high-privilege command lines to run code from third-party resources. By predicting the identifiers LLMs are most likely to hallucinate and then registering and seeding them with instructions to install reverse shells or other malicious wares, the attack can indiscriminately infect massive numbers of devices without having to target each one.
“The scalable property of the attack enables the attacker to compromise a large number of users with minimal effort by targeting popular resources, thereby maximizing the likelihood that the squatted resource will be retrieved,” the researchers wrote in a paper. “By exploiting integrated shells and terminals of agentic applications to run scripts and code, attackers can effectively ‘infect’ many independent agentic applications by embedding instructions to install reverse shells in the resources the attackers register.” (Dan Goodin / Ars Technica)
Related: Agentic Botnets

According to a security bulletin from the CERT Coordination Center, a hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel.
The issue remains unfixed because the Chinese maker of the networking equipment couldn't be reached.
CERT/CC says the issue, tracked as CVE-2026-11405, is caused by an undocumented authentication mechanism in the 'login()' function of the '/bin/httpd' web server binary. (Bill Toulas / Bleeping Computer)
Related: kb.cert.org, Tech Times, Security Affairs, Cyber Security News
Japan received reports of 19,417 personal data breach cases in fiscal 2025, the second-highest annual total on record, eclipsed only by the previous year’s 21,007 cases, according to a report by the Personal Information Protection Commission, adopted by the cabinet Tuesday.
Data breaches reported by private-sector entities decreased to 17,139 from 19,056, while breaches at government agencies increased to a record 2,278 from 1,951. (The Japan Times)
Related: Nippon.com
AI is not a cybersecurity strategy.
Organizations with strong security programs will use AI to move faster. Organizations with weak security programs will use AI to create bigger, faster failures.
That's why I wrote The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. The book moves beyond compliance checklists and theory to show how real organizations succeed—or fail—when security fundamentals break down.

If you're trying to build a resilient security program in the age of AI, this book provides a practical roadmap grounded in actual incidents and operational experience.
Greg Barbaccia is stepping down as federal CIO and leaving government at the end of August, he said in an email to the CIO Council.
“I’m writing to share that I’ve made the difficult decision to leave government, and my time as Federal CIO is coming to an end,” Barbaccia wrote to CIOs on the council in his email.
Barbaccia, who joined the Trump administration as its top IT official in January 2025, said his last day in the role will be Aug. 31. (Billy Mitchell / FedScoop)
Related: NextGov
US companies are not blocked from using technology from Hesai Technology, a Shanghai-based lidar manufacturer blacklisted as a national security threat in 2024 by the US Department of Defense, which designated Hesai as a Chinese military entity.
Government officials and security experts say the use of Chinese lidar could open this new, critical infrastructure to cyberthreats with potentially serious consequences and become a backdoor for Beijing to access sensitive data collected by the lidar technology.
David Li, Hesai’s co-founder and CEO, says the narrative that his company poses a threat is fiction.
Despite the federal blacklist designation, Hesai’s reach is growing. Under an expanded partnership between Hesai and Nvidia, Hesai sensors will be one of the options automakers can choose to integrate into Nvidia’s autonomous vehicle platforms, which the chipmaker hopes will power the self-driving vehicle revolution. (Melissa Lee, Paige Tortorelli, Scott Zamost / CNBC)
Related: r/MVIS
Best Thing of the Day: Meta Doing Something That Isn't Abhorrent
Meta is working on a tool called Content Shield to ID images and video created with its new image generation model, Muse Image, that creates a watermark that stays in place even when cropped, compressed, resized, or screenshotted.
Worst Thing of the Day: Meta Doing Something Abhorrent
Meta is testing a prototype of “super sensing” AI glasses that would use cameras and audio recordings to capture a wearer’s every moment, as it pushes into the contentious market for all-seeing, all-hearing devices.
Closing Thought
