Anthropic: AI is advancing too fast to leave unchecked

Whistleblower says IBM and AT&T hid repeated attacks from foreign hackers, Anthropic engineers are embedded in NSA, Hegseth is still determined to block Anthropic, Cloudflare CEO says agentic bots outnumber humans online, New threat group Pink uses voice phishing and fake help-desk calls, much more

Anthropic is calling for top artificial intelligence labs to weigh slowing the pace of development, suggesting that AI systems are advancing so rapidly that they may soon be able to improve themselves without human intervention in ways that could pose significant societal risks.

The ability to slow global AI development would “likely be a good thing,” the company said Thursday in a blog post that disclosed internal data documenting how quickly its most advanced models are improving.

The post, written by the head of its internal research institute and a company co-founder, Marina Favaro and Jack Clark, noted that model advances appear to be on a path toward “recursive self-improvement,” when AI systems can improve on their own without human intervention. Some AI insiders have seen that threshold as a potential marker of danger and enormous societal upheaval.

“We believe it would be good for the world to have the option to slow or temporarily pause frontier AI development to enable societal structures and alignment research to keep up with the advance of the technology,” the post says. It proposes a global agreement on how to potentially slow development and a mechanism for verifying that competitors are respecting it.

The post cautions that recursive self-improvement hasn’t yet happened and isn’t inevitable, “but could come sooner than most institutions are prepared for.”

The company, which has emphasized AI safety from its founding, has long faced criticism that its policy work is designed to slow the AI advances of competitors. David Sacks, a venture capital investor and informal adviser to President Trump, has accused Anthropic’s leaders of running a “regulatory capture agenda.”

On a recent podcast, Sacks said the “reg capture agenda” in Washington could lead to an effort to ban so-called open-source models, essentially versions of AI systems that are far cheaper for organizations to use and develop internally.

Others have suggested that Anthropic’s warnings about the dangerous potential of its own tools could also be considered a marketing ploy. Such skeptics point to Anthropic’s decision to limit its release of a powerful “Mythos” cybersecurity model capable of finding bugs and problems as a handy way to tout the capabilities of its products. (Bradley Olson and Sam Schechner / Wall Street Journal)

Related: Anthropic, BBC News, r/singularity, Slashdot, Engadget, Reuters, France24, Silicon Angle, Decrypt

Foreign hackers repeatedly breached the computer systems of IBM and AT&T, and the companies concealed those intrusions from the US government in violation of the law, according to a lawsuit from a former IBM cybersecurity official.

William Barlow, IBM’s former vice president of threat intelligence, alleged in the complaint that the companies failed to disclose multiple breaches over the years by attackers linked to foreign governments and made false assurances about the security of their systems in order to win and keep federal contracts.

The whistleblower complaint against IBM and AT&T was filed under seal in 2020 and is still pending before a federal court in New York. It was made public this week after the US government declined to intervene in the case and hasn’t been previously reported.

The suit offers a rare account of alleged security failures at two major government contractors. It raises questions about the protection of sensitive information on the networks and about companies’ responsibility to disclose such compromises.

The hackers allegedly breached a massive IBM cloud computing infrastructure that’s widely used by many parts of the US government, including the military. AT&T operates this “Core Network” on behalf of IBM, and the Dallas-based telecommunications company’s systems are part of it, according to the complaint.

The complaint alleges that foreign and unidentified hackers repeatedly infiltrated the network and that the companies sometimes couldn’t determine who got in or what was taken. It also says IBM downplayed or concealed incidents before entering government agreements requiring it to certify that it had no significant unresolved cybersecurity issues.

“This complaint was filed six years ago, and the US Department of Justice declined to intervene,” said IBM spokesperson Adam Pratt. “IBM is confident that our actions followed the letter of the law.” (Jake Bleiberg and Mark Anderson / Bloomberg)

Related: Fortune, Silicon UK, Heise Online

The San Francisco-based company had installed about half a dozen staff within the NSA as so-called forward-deployed engineers to guide the use of the technology and customize models for specific applications, two people familiar with the arrangement said.

It remains unclear whether Anthropic’s engineers are assisting the NSA in active operations. However, one person close to the situation said Mythos would be useful for infiltrating the networks of nations such as China or Iran.

“The best way to build a good defense is to build a good attack,” said a person close to Anthropic, who argued that adversaries are probably building their own AI-driven offensive technology. “If [Mythos] is not used to build attack agents, adversaries will find a way to do it.”

The arrangement comes despite the Silicon Valley startup’s legal battle with the defense department, which includes the NSA, over how its technology is used in warfighting. (Cristina Criddle and Demetri Sevastopulo / Financial Times)

Related: India Today, Chosun Biz, Heise Online, Digital Today, Benzinga, GovInfoSecurity.com

Defense Secretary Pete Hegseth has denied Anthropic’s request to reconsider the AI startup’s designation as a national security risk, the Pentagon told the DC Circuit Court of Appeals.

The move clears the way for a three-judge panel to decide the novel questions raised in Anthropic’s lawsuit challenging the Defense Department’s designation and the scope of its powers over domestic companies. Judges raised concerns last month that the courts may have to wait for the Pentagon to handle Anthropic’s reconsideration request before they can take up the case.

The dispute between the leading AI firm and the government began over disagreements over Anthropic’s restrictions on the use of its products in domestic surveillance and autonomous weapons.

The panel, including two appointees of President Donald Trump, indicated during oral arguments in March that it will likely issue a ruling that establishes sweeping authority for the executive branch to label domestic companies as supply-chain risks. The designation has historically been reserved for foreign companies with ties to US adversaries. The judges, though, suggested that subsequent directives barring the military or other agencies from using a company’s products and services may still be challenged in court.

Hegseth wrote in his June 3 decision that the “pre-deployment risks with the Covered Entity’s products and services, the loss of trust, and other risk factors … were and remain sufficient to support the prior Determination.” The Pentagon urged the court to decide the urgent questions raised in the case now that the Defense Department has closed out Anthropic’s request for internal review.

Hegseth also clarified that the initial supply-chain risk designation rested on that loss of trust and other “pre-deployment risks” associated with Anthropic’s Claude, rather than the company’s supposed ability to unilaterally manipulate the AI model in real time after deployment. Anthropic has argued that it does not actually possess that capability, saying Hegseth initially relied on a misunderstanding. (Hassan Ali Kanu / Politico)

Related: Court Listener, Benzinga

CEO and co-founder of Cloudflare, Matthew Prince, said that the rapid increase in agentic internet traffic means “bots have now passed human traffic online for the first time in the Internet's history.”

“Welp, that happened faster than I predicted,” Prince awkwardly admitted on X, making his previous expectations of the crossover happening sometime in 2027 seem way off the mark.

Cloudflare reckons these AI agents are online doing stuff like reading product pages, checking prices, performing multi-step tasks online like comparing flights, scraping and indexing web content (but for AI models, not search engines), and acting as personal assistants to order food, compare and shop, and handle customer service interactions.

At the time of writing, Cloudflare data suggests that the balance between bot vs. human web traffic (HTTP requests) is already firmly favoring the former, split 57.5 vs. 42.5 percent. A major shift from humans clicking around, being the primary customers of the web, to AI agents doing these tasks has already happened. The rate of change has even taken Prince by surprise. In replies to the embedded Tweet, Prince also noted that the date of the human/bot crossover wasn’t clear as the “data [is] a bit messy.” Nevertheless, we are “clearly on the other side now,” he added. (Mark Tyson / Tom's Hardware)

Related: Silicon Republic, NBC News, SiliconANGLE, CNET, The Decoder, Mashable, r/nottheonion

Researchers at Palo Alto Networks say that a new extortion brand called Pink – which may be a rebrand of BlackFile – uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the victims pay a ransom demand.

Palo Alto Networks' Unit 42 first spotted the gang, which it tracks as cluster CL-CRI-1147, and its data-leak site, which went live on May 31. “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” the threat-intelligence biz said in a LinkedIn post.

Google Threat Intelligence is not so sure it's a new gang, however.

"After retiring the BlackFile brand in May 2026, we assess that the group launched the 'Redact' brand and has now potentially surfaced as 'Pink,'" Austin Larsen, Principal Threat Analyst at Google Threat Intelligence Group, said. "This new operation exhibits hallmarks of UNC6671, including similar credential-harvesting infrastructure, data leak site (DLS), and recurring messaging that claims to 'improve the security' of victims who pay. Additionally, we attribute the Pink (CL-CRI-1147) domains recently published by Unit42 to UNC6671."

Regardless of whether it's brand new or just a new coat of paint, the tactics are very familiar. Pink is one of many goon squads to use these social-engineering tactics to steal employees’ credentials and bypass multi-factor authentication, using this access to burgle companies’ cloud storage and databases. (Jessica Lyons / The Register)

Related: Palo Alto Networks on LinkedIn, GitHub

Pink's leak site. Source: Palo Alto Networks.

Researchers at Check Point report that a recently uncovered, large-scale campaign of fake websites that impersonate well-known tools like Ghidra, dnSpy, and SpiderFoot is secretly routing users through complex traffic distribution networks to deliver dangerous malware.

The attack begins when a user visits a professionally designed site that perfectly mimics an official project repository. Everything appears legitimate, including links that seem to point directly to official GitHub releases.

However, once the user clicks the download button, hidden scripts intercept the action. Instead of directly downloading the expected safe software, the user’s connection is hijacked and passed to a sophisticated Traffic Distribution System (TDS).

This hidden layer allows the attackers to filter and redirect victims based on specific conditions, ultimately funneling them toward malicious payloads.

By early 2026, researchers observed this infrastructure distributing several severe malware families, marking a dangerous evolution in software supply chain attacks. (Varshini / Cyber Press)

Related: Check Point, Cyber Security News, GBHackers, Tech Radar

Impersonated websites of popular software tools. Source: CheckPoint.

The Senate voted against advancing a long-term reauthorization of a key surveillance power, Section 702 of the Foreign Intelligence Surveillance Act (FISA), raising the odds that Congress could need another short-term patch — or let the spy law lapse entirely.

Senators voted 52-47 against taking up a House-passed three-year deal, which leaders planned to use as a vehicle for a Senate-forged agreement that was circulated earlier this week.

Sen. Mark Warner (D-VA) had been involved in negotiations aimed at reaching an agreement that could pick up support from enough Democrats. But the prospects for a deal evaporated earlier this week after President Donald Trump named close political ally Bill Pulte to be acting director of national intelligence.

Democrats had warned Pulte could “weaponize” the intelligence community against Trump’s perceived political enemies. Sen. John Fetterman of Pennsylvania was the only Democrat who voted to advance the surveillance bill.

Republican Sens. Josh Hawley of Missouri, John Kennedy of Louisiana, Mike Lee of Utah, Rand Paul of Kentucky, Eric Schmitt of Missouri, Rick Scott of Florida and Tommy Tuberville of Alabama voted against taking up the extension of Section 702 of the Foreign Intelligence Surveillance Act, which is meant to target foreigners overseas. (Jordain Carney / Politico)

Related: EFF, Demand Progress, Brennan Center for Justice


Meta has quietly embedded face-recognition technology for its smart glasses into an app downloaded to millions of phones, according to a WIRED analysis of the company's software.

Code discreetly added to Meta’s AI app over multiple updates this year shows that the feature, internally called “NameTag,” identifies people captured by the glasses’ camera and, when activated, alerts the wearer when it recognizes someone.

The discovery of NameTag in the live Meta AI app shows that Meta had begun shipping face-recognition code to users' phones while publicly describing it as something the company was still “thinking through.” In April, Meta said if it were to utilize face recognition, it wouldn't be rolled out without first taking "a very thoughtful approach." But WIRED found that as early as January, core components of the system had been integrated into software distributed to millions of people.

Though not yet enabled, NameTag sits inside a Meta AI companion app that's been downloaded over 50 million times and is necessary for use of key features of its smart glasses, including Ray-Ban and Oakley models. If activated, it will transform faces captured by Meta's glasses into unique biometric signatures, commonly known as faceprints, and check each one against faceprints stored on the user’s phone—a database that’s currently configured to receive updates from Meta. Recognized faces will trigger notifications, while the rest are cropped, indexed, and saved to a folder marked “pending.”

NameTag would revive a type of technology Meta said it had sunsetted in 2021, when the company announced it would delete more than a billion faceprints belonging to Facebook users following years of controversy over its photo-tagging system. Meta ultimately paid $650 million to settle a class-action lawsuit brought by Illinois users and, in 2024, agreed to a separate $1.4 billion settlement with Texas over allegations it had unlawfully collected biometric data from users.

WIRED shared its findings with two outside security researchers who separately examined the app and reproduced key aspects of the analysis: Cooper Quintin, a security researcher and senior public interest technologist with the nonprofit Electronic Frontier Foundation’s Threat Lab, and an independent security and privacy researcher who goes by the pseudonym Buchodi and has spent more than a decade reverse-engineering consumer software and surveillance technologies.

“The feature is not yet exposed to consumers but seems nearly ready to go,” says Quintin. “Despite the billions of reasons not to, Meta seems to have created the capacity to turn their customers into a distributed surveillance machine.”

“The main components of a face-recognition feature are already in Meta's companion app,” Buchodi says. “Not many pieces stand between this and a working feature.” (Dhruv Mehrotra and Dell Cameron / Wired)

Related: Buchodi's Threat Intel, Electronic Frontier Foundation, Mashable, PhoneArena, Android Authority, The Overspill, Digital Trends, Engadget, Pixel Envy, Hacker News, r/virtualreality, r/esist, r/BetterOffline

Interpol announced that French and Spanish authorities took down an online marketplace selling fake identity documents to migrant smuggling rings operating within the European Union.

On May 27, law enforcement officers arrested one suspect in Alicante, Spain, and seized document-production equipment and approximately 800 counterfeit European identity documents from an apartment rented under a false name.

This investigation began after French authorities identified a website advertising counterfeit identity documents and traced the suspect to Alicante, where he had lived since 2024.

"The suspect is believed to have administered an online marketplace offering forged identity and administrative documents, in both physical and digital formats, to customers across Europe," Europol said. (Sergiu Gatlan / Bleeping Computer)

Related: Europol

Manitoba's ombudsman is criticizing the province's families department for a lack of privacy and security safeguards after the personal information of vulnerable people was accessed in a 2024 cyberattack.

The 1,361 people were clients of Manitoba's Community Living DisAbility Services, the provincial adult disability services program, the ombudsman wrote in a May 28 report.

The compromised information included legal names, addresses, day program details, emergency contacts, social insurance numbers, sources of income, personal health identification numbers, and other medical information, the ombudsman says.

"The exposure of these categories of information creates a heightened risk of financial loss, identity theft, and damage to reputation or relationships," the report says.

The information was accessed through a community-based service provider that detected suspicious activity on its systems on Oct. 8, 2024, the report says. The service provider notified the families department of the suspicious activity the next day. (Ozten Shebahkeget / CBC News)

Related: Ombudsman

Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation.

The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root.

"An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user," the company explained.

"To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods," it added. "Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices."

"For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC," the company added, advising admins first to collect admin-tech files to help with the review. (Sergiu Gatlan / Bleeping Computer)

Related: Cisco, Help Net Security, Security Week, GBHackers

A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware called IronWorm.

The malware targets 86 environment variables (key-value pairs) and 20 credential files that may contain OpenAI, AWS, Anthropic, and npm credentials, vault configuration files, SSH keys, and Exodus cryptocurrency wallet files.

According to researchers at supply-chain and DevOps company JFrog, IronWorm is written in Rust, hides behind an eBPF kernel rootkit, and communicates with the operator over the Tor network.

The Rust-based malware self-propagates by using stolen credentials for publishing on npm; this includes secrets associated with npm's Trusted Publishing workflow.

Once it compromises a developer or CI environment, it can publish trojanized versions of packages owned by the victim, which then infect additional developers and CI systems.

This behavior is conceptually similar to Shai Hulud, which had its code published on GitHub recently. Although JFrog researchers did not find a clear connection between IronWorm and Shai Hulud, they observed the same commit names in both supply-chain attacks.

This opens the possibility that the new malware is an evolution of TeamPCP’s payload, since IronWorm appears to be "a custom, carefully built implant from an operation with its own infrastructure." (Bill Toulas / Bleeping Computer)

Related: JFrog, Dark Reading

Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible.

The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.

In a campaign that started Sunday, the unknown threat actor abused the mechanism that allows Dashlane users to add new devices, such as computers or phones, to their accounts. By abusing Dashlane’s programming interfaces for device enrollment, the attackers sent requests to large numbers of existing users’ registered email addresses.

In an update, Dashlane wrote, "The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.

"In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults." (Dan Goodin / Ars Technica)

Related: Dashlane, IT Pro, PC Mag, r/Dashlane, Cyber Security News

The stolen data included users’ email addresses, usernames, scrambled passwords, IP addresses, and support tickets, according to Have I Been Pwned, which said almost 64,000 accounts were part of the breach.

Ironically, Atlas Menu claimed to offer “secure authentication and enhanced privacy through our advanced encryption techniques,” according to its official site, which is down at the time of writing.

The hacker who claimed responsibility for the breach posted the allegedly stolen data on GitHub. The hacker’s motivation appeared to be revenge against a scammer. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: HaveIBeenPwned, Cyber Daily, The Register, SC Media, Computing, GTA Boom

Researchers at Sansec report that a new Magecart campaign is using Stripe's API infrastructure to host the credit card-stealing payload and the data exfiltrated from checkout pages.

The entire malicious activity relies on Google Tag Manager and Stripe domains - googletagmanager.com and api.stripe.com - that are trusted implicitly by online stores.

The new malware family was discovered by researchers at ecommerce security company Sansec, who found that the malicious code is loaded from a Google Tag Manager (GTM) container and executes on every page that loads it.

"Both the payload and the stolen cards move through api.stripe.com. Stores allow that domain by default, so the skimmer slips past Content Security Policy rules and network filters that would otherwise flag traffic to an unknown skimmer domain," Sansec says.

GTM is a management system that allows website owners to add and manage scripts used for analytics, ads, and tracking, without modifying the site's source code. (Bill Toulas / Bleeping Computer)

Related: Sansec

The Trump administration is considering Palantir CTO Shyam Sankar to run the federal civilian cybersecurity agency, according to two sources familiar with the matter.

He has emerged as a lead contender for the long-vacant Cybersecurity and Infrastructure Security Agency (CISA) director role, according to the sources, who requested anonymity to discuss the administration’s search.

Following publication of this story, a White House official disputed the potential selection, saying "at this time this is not accurate."

Sankar, 44, has worked at Miami-based Palantir for more than 20 years and served as the firm’s chief operating officer for nearly 17 years before taking the CTO job in 2023, according to his LinkedIn profile.

CISA has not had a Senate-confirmed chief since Biden-appointee Jen Easterly stepped down in January 2025. Sean Plankey, who was previously nominated for the role, withdrew his name from consideration in April after key senators blocked a confirmation vote for several months. (Martin Matishak / The Record)

Best Thing of the Day: Block Every One of the Suckers

A developer has built the first device-level ad blocker called Filtr that works across all of Apple’s main products — iPhones, iPads, and Macs — and isn’t just limited to the browser.

Worst Thing of the Day: And You Thought China Might Be a Bad AI Adversary

Offers of weaponized and abused AI capabilities have erupted across underground ransomware forums.

Bonus Worst Thing of the Day: Guam Gets the Short End of the Stick, Of Course

Almost two million has been stolen from the lonely government coffers of US territory Guam this year alone, and it faces ongoing threats of a much darker nature.
