❗️ Pope Leo XIV says AI must be "disarmed" or it will deepen inequality and concentrate power. The warning runs 42,300 words in "Magnifica Humanitas," his first encyclical and the first papal encyclical in history dedicated to artificial intelligence.
Anthropic co-founder Chris Olah was among the presenters at the Vatican Synod Hall release on May 25, alongside Cardinals Víctor Manuel Fernández and Michael Czerny. Leo XIV is the first pontiff to personally present an encyclical.
For those who don’t know: an encyclical is a formal teaching letter from the Pope addressed to bishops, clergy, and the wider Catholic Church, often the entire world. It carries the highest weight of papal doctrine short of an infallible declaration and sets official Church teaching on faith, morals, or social issues.
Anthropic co-founder Chris Olah was among the presenters at the Vatican Synod Hall release on May 25, alongside Cardinals Víctor Manuel Fernández and Michael Czerny. Leo XIV is the first pontiff to personally present an encyclical.
For those who don’t know: an encyclical is a formal teaching letter from the Pope addressed to bishops, clergy, and the wider Catholic Church, often the entire world. It carries the highest weight of papal doctrine short of an infallible declaration and sets official Church teaching on faith, morals, or social issues.
🔥24🤣9❤6😁2💩1🥴1
‼️ Lock ‘em up! Dropshippers are now using Down syndrome and AI-generated content to manipulate buyers into purchasing cheap resin lamps as "handmade" products.
🤣30🤬9
‼️🚨 Over 700 Ghost CMS sites, including Harvard, Oxford, and Auburn, were compromised through an unauthenticated SQL injection (CVE-2026-26980).
Attackers pulled Admin API Keys and turned every site into a ClickFix delivery vector via fake Cloudflare "verify you are human" pages. Patch was out February 19. Most never applied it.
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
Attackers pulled Admin API Keys and turned every site into a ClickFix delivery vector via fake Cloudflare "verify you are human" pages. Patch was out February 19. Most never applied it.
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
🤣7😭2
🚨 A zero-click attack is hijacking WhatsApp accounts on iPhones running iOS 16.
Victims scan no QR code, share no verification code, and see no linked device in the app.
Attackers then message the victim's contacts asking for bank transfers, and the likely chain (CVE-2025-43300 + CVE-2025-55177) is patched in iOS 16.7.12.
https://www.forenser.it/account-whatsapp-compromessi-su-iphone-con-ios-16/
Victims scan no QR code, share no verification code, and see no linked device in the app.
Attackers then message the victim's contacts asking for bank transfers, and the likely chain (CVE-2025-43300 + CVE-2025-55177) is patched in iOS 16.7.12.
https://www.forenser.it/account-whatsapp-compromessi-su-iphone-con-ios-16/
😁5👍3😭1
‼️🚨 Security researcher "Nightmare-Eclipse" has now also been removed from GitLab..
This follows their GitHub being wiped last week after they publicly dropped zero-day PoCs targeting Microsoft products.
The message from major code hosts is clear: drop unpatched exploits in public, lose the platform.
This follows their GitHub being wiped last week after they publicly dropped zero-day PoCs targeting Microsoft products.
The message from major code hosts is clear: drop unpatched exploits in public, lose the platform.
🤬31😁1💩1
‼️🚨 REMARKABLE: A man calling himself "Noah Doe" walked into the NYPD with a USB drive of 39,069 dormant Bitcoin wallets, filed it as "lost property," and got a receipt.
He's now suing in New York to be declared the legal owner of all of it: ~3.8M BTC (~$286B). He says he built an algorithm to find them and is invoking a 1958 NY finders law to claim title.
Wallet #1 is the Mt. Gox hacker's address: ~80,000 BTC stolen in 2011, untouched for 15 years, worth ~$6B today. Every on-chain analyst on earth watches it.
He's now suing in New York to be declared the legal owner of all of it: ~3.8M BTC (~$286B). He says he built an algorithm to find them and is invoking a 1958 NY finders law to claim title.
Wallet #1 is the Mt. Gox hacker's address: ~80,000 BTC stolen in 2011, untouched for 15 years, worth ~$6B today. Every on-chain analyst on earth watches it.
😱20❤6💩4🥴2🤣2😁1
‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse.
In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release.
That claim is contested.
Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming.
Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions.
Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about.
The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates.
It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them.
The case for coordinated disclosure is straightforward.
The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software.
Patch before PoC means defenders get a head start.
PoC before patch hands it to attackers.
That does not make the tension one-sided.
Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts.
Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation.
Microsoft's post does not address that claim directly.
It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation.
Both things can be true at once.
A vendor can have a real duty to treat researchers fairly.
And a researcher can still be wrong to burn the disclosure process in a way that arms criminals.
The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.
SOURCE: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release.
That claim is contested.
Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming.
Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions.
Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about.
The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates.
It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them.
The case for coordinated disclosure is straightforward.
The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software.
Patch before PoC means defenders get a head start.
PoC before patch hands it to attackers.
That does not make the tension one-sided.
Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts.
Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation.
Microsoft's post does not address that claim directly.
It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation.
Both things can be true at once.
A vendor can have a real duty to treat researchers fairly.
And a researcher can still be wrong to burn the disclosure process in a way that arms criminals.
The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.
SOURCE: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
🤬9🤣5❤2
‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories.
The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft.
Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."
Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.
Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft.
Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."
Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.
Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
🔥13❤5
🚨 BREAKING: Anthropic released Claude Opus 4.8 today, just 41 days after 4.7.
The jump in six weeks:
agentic coding 64.3% → 69.2%
knowledge work 1753 → 1890.
It also overtook GPT-5.5 on financial analysis and knowledge work, the two benchmarks where 4.7 had trailed.
The jump in six weeks:
agentic coding 64.3% → 69.2%
knowledge work 1753 → 1890.
It also overtook GPT-5.5 on financial analysis and knowledge work, the two benchmarks where 4.7 had trailed.
🔥13👍4💯2💩1
‼️🚨 Hacked Fortinet FortiClient EMS servers are pushing infostealer malware disguised as a Fortinet patch to every managed endpoint.
Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!
Source: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!
Source: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
🤯2👍1😁1🤣1