As researchers and As doctors debate the impact new AI models will have on Internet security, Mozilla said Tuesday it used early access to Anthropic’s Mythos Preview to find and fix 271 vulnerabilities in its new Firefox 150 browser release. Meanwhile, researchers identified a group of North Korean hackers who have been moderately successful in using AI for everything from vibe malware to creating corporate websites. fake—who stole up to $12 million in three months.
Researchers have finally cracked the disturbing malware known as Fast16 that predates Stuxnet and may have been used to target Iran’s nuclear program. It was built in 2005 and may have been used by the US or coalition.
Meta is being sued by the Consumer Federation of America, a nonprofit organization, over scam ads on Facebook and Instagram and is accused of misleading consumers about the company’s efforts to combat them. A US surveillance program that allows the FBI to look at the communications of Americans without a warrant is set to be renewed, but lawmakers are deadlocked on the next steps. The new bill aims to address the growing concerns of lawmakers, but lacks substance.
And if you want a deeper dive, WIRED investigated the age-old controversy behind the prominent GrapheneOS mobile operating system for privacy and security. And we looked at the strange story of how China spied on US player Alysa Liu and her father.
And there is more. Each week, we cover security and privacy issues that we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe there.
The Anthropic Mythos preview AI model has been highlighted as a powerful and dangerous tool for detecting security vulnerabilities in software and networks, so powerful that its creator has carefully limited its release. But one group of novice sleuths on Discord has found their own, simple means—no AI hacking required—to gain unauthorized access to the coveted digital prize: Mythos itself.
Despite Anthropic’s efforts to control who can use Mythos Preview, a group of Discord users gained access to the tool through some specific investigative work: They examined data from a recent breach of Mercor, an AI training startup that works with developers, and “made educated guesses about a model’s online environment based on information about Anthropic’s format used by other web models”—a phrase that has been used by other web models URL—according to Bloomberg, which broke the story.
This individual also reportedly took advantage of the permissions he already had to access other Anthropic brands, due to his work for the Anthropic contracting company. As a result of their testing, however, it is said that they were able to access not only Mythos but other unreleased Anthropic AI models, as well. Thankfully, according to Bloomberg, the team that reached Mythos has only used it so far to build simple websites—a decision designed to prevent its discovery by Anthropic—rather than hacking the planet.
Security researchers have long warned that telecom protocols known as Signaling System 7, or SS7, which govern how telephone networks connect to each other and route calls and documents, are vulnerable to abuse that could allow surreptitious surveillance. This week researchers at the digital rights organization, Citizen Lab, revealed that at least two for-profit vendors used that vulnerability — or a similar one in the next generation of telecommunications protocols — to spy on real victims. Citizen Lab found that two surveillance firms acted as rogue phone carriers, using access to three small phone companies—Israeli telecommunications company 019Mobile, British mobile phone provider Tango Mobile, and Airtel Jersey, based on the English Channel island of Jersey—to track the location of targeted calls. Citizen Lab researchers said “high-profile” people were being followed by two surveillance companies, although they declined to name the firms or their targets. The researchers also warn that the two companies they found abusing the protocols are likely not the only ones, and that vulnerabilities in global phone protocols remain a real vector for phone surveillance around the world.
In a sign of growing—if delayed—intrusion by U.S. law enforcement into the growing criminal industry of corporate fraud fueled by human trafficking across Southeast Asia, the Justice Department this week announced indictments against two Chinese men for allegedly helping to run a scam in Myanmar and seeking to open a second base in Cambodia. Jiang Wen Jie and Huang Xingshan were both arrested in Thailand earlier this year on immigration charges, according to prosecutors, and now face charges for allegedly running a massive fraud scheme that lured human trafficking victims to their compound with false job offers and forced them to swindle victims, including Americans, out of millions of dollars in cryptocurrency. The DOJ says it also “frozen” $700 million in the scheme’s money — essentially freezing the money in preparation for the seizure — and also seized a channel on the messaging app Telegram that prosecutors say was used to lure and enslave trafficking victims. The Justice Department’s statement says Huang personally participated in the physical punishment of workers at one location, and that Jiang at one point oversaw the theft of $3 million from one US fraud victim.
Three scientific research institutes were found to be selling the health data of British citizens to Alibaba, the British government and the non-profit organization UK Biobank revealed this week. Over the past two decades, more than 500,000 people have shared their health information—including medical images, genetic information, and health care records—with UK Biobank, enabling scientists around the world to access information for medical research. However, charities say the data leak involves a “breach of a contract” signed by three organisations, with some of the data being sold believed to include the details of half a million research subjects. It did not specify the full types of data that were listed for sale but said it had suspended the Biobank accounts of those allegedly selling the data. Data ads have also been removed.
Earlier this month, 404 Media reported that the FBI was able to obtain copies of Signal messages from the defendant’s iPhone as the contents of the messages, encrypted within Signal, were stored in the iOS notifications database. In this example, copies of the messages were still accessible even though Signal was removed from the phone—although the problem affected all apps that send push notifications.
This week, in response to this issue, Apple released a security update for iOS and iPadOS to fix the bug. “Notifications marked for deletion may be unexpectedly retained on the device,” Apple’s security update for iOS 26.4.2 states. “The logging problem was addressed by data reconfiguration.”
Although the problem has been fixed, the notifications on your device should still change. With the signal you can open the application, go to Settings, Noticesand change notifications to display Name Only or No Name or Content. Another reminder that while apps like Signal are encrypted at the edge, this applies to content as it moves between devices: If someone can physically access and unlock your phone, there’s a chance they can access everything on your device.
