news aggregator

BrianFagioli shares a report from NERDS.xyz: Plex is raising the price of a new Lifetime Plex Pass from $249.99 to $749.99 on July 1. That's a $500 increase for media server software. Plex says it needs the money for "long-term development" and future features, but a lot of self-hosting folks are already wondering if this is basically a soft way of killing the Lifetime option without officially removing it. At nearly $750, are people just going to move to Jellyfin instead? As for those future improvements, Plex said the roadmap includes better downloads support, restored music and photo library support in mobile apps, NFO metadata support, IPv6 support, playlist editing on mobile, audio enhancements, and transcoding improvements.

Read more of this story at Slashdot.

Google is giving its iconic search box its first major redesign since 2001. The new design incorporates, you guessed it, artificial intelligence, "getting bigger and more interactive so that people can ask even longer questions and upload photographs and videos into queries," reports the New York Times. "In addition, people can ask follow-up questions with a chatbot on Google's main search page." From the report: The company will also offer digital assistants, known as agents, to automate searches so that someone who may be apartment hunting can be notified of a new listing without opening a real estate site like Zillow. The search features will be powered by a new artificial intelligence model, Gemini 3.5 Flash. Google said the model had improved on creating software code and performing autonomous tasks, worked faster and was less expensive to run than comparable models. [...] Google is also bringing one of A.I.'s biggest breakthroughs -- software coding -- to search. When people research complex topics like astrophysics, Gemini can build interactive graphics and simulations behind the scenes to provide a deeper answer than its previous listing of websites. Google said it was introducing an alternative to the agents powered by Anthropic's Claude Code and OpenAI's Codex. Called Gemini Spark, the service is embedded in Gmail, Docs and other Google products, where it can turn meeting notes spread across emails and chats into a single document. It can also read and draft emails. "The open web is on its way out," says Richard Kramer, a financial analyst with Arete Research. "With A.I., Google is reducing everyone to raw data providers."

Read more of this story at Slashdot.

The back-of-house AI system that Pizza Hut has mandated its restaurants to adopt has been so poorly received by some franchisees, that one is using the company for $100 million in losses tied to the technology. Put that in your crust and stuff it! Chaac Pizza Northeast, a franchisee with around 111 Pizza Hut locations in New York, New Jersey, Maryland, Washington DC, and Pennsylvania, filed a complaint in the Business Court of Texas earlier this month accusing the Hut of breaching its franchise agreement by mandating Chaac adopt restaurant management AI from Dragontail, a provider of AI-powered food delivery software. What was supposed to be a platform that would unify multiple kitchen systems under one AI-managed umbrella allegedly turned out to be a disaster for Chaac, which claims it was a leader among Pizza Hut franchises on metrics like delivery speed and rack time (i.e., the time between a pizza leaving the oven and leaving the store for delivery) prior to forced Dragontail adoption. Pizza Hut parent company Yum Brands purchased Dragontail in 2021. “With the intention to improve efficiency and service to the customer, Dragontail did the exact opposite; it caused significant delays and pummeled consumer satisfaction,” the lawsuit filing states. Chaac further alleged that Pizza Hut didn’t provide promised Dragontail support, and refused to allow Chaac to step back its use of the product, “causing cascading operational breakdowns and customer dissatisfaction.” Chaac admits it might be a bit of a special case, however, because of its particular business model: The company’s Pizza Hut locations don’t have a dining room, instead exclusively offering carry out and delivery services. Chaac also doesn’t employ its own drivers, instead relying on DoorDash to handle its deliveries. Before Dragontail’s implementation, staff at Chaac Pizza Huts had to input pickup requests into a DoorDash tablet, according to the lawsuit, which would handle getting the delivery order to a driver. Centralizing all of the order-to-delivery pipeline under one product meant that DoorDash gained visibility into the entire pizza making process. On one side that makes things more efficient, as the complaint explains. “This access allowed DoorDash to know when the pizzas went into the oven and were ready for pick-up, and when other pizza orders would be ready for pick-up,” the suit states - not bad if that means drivers aren’t sitting around waiting. In practice, however, that’s not what happened. Drivers were able to see whether additional orders would be up soon, meaning many of them would grab one order and simply wait 15 minutes for another, meaning the first order was invariably late and cold by the time it got to a customer. DoorDash drivers were also able to see any pre-paid tips on the order and whether an order was paid in cash. In many cases, drivers would decline tipless and cash orders. “These issues, arising out of DoorDash’s visibility, caused a disruption in orderly delivery and significantly slower delivery times,” the suit claimed, adding that the changes ultimately benefited DoorDash at Chaac’s expense. “The damage was not abstract,” the suit continued. “Chaac suffered lost revenue, lost profits, loss in enterprise value, business interruption, and erosion of goodwill and customer relationships” as a result of Dragontail adoption. According to the lawsuit, loss of business and enterprise value due to the forced adoption of kitchen management AI caused is in excess of $100 million, which Chaac is demanding as recompense. It’s not difficult to find examples online of Pizza Hut employees complaining about Dragontail. Multiple Reddit threads from inside the 2020-2024 implementation period contain examples of employees describing dissatisfaction with the software. Several commenters note, as Chaac did in its lawsuit, that Dragontail took control out of the hands of its kitchens and put it in the hands of AI. “Dragontail’s integration with kitchen workflow and aggregator dispatch predictably stripped Chaac’s managers of operational control, introduced delays, and invited stacking and other algorithmic behaviors that slowed production and delivery,” the lawsuit argues. Pizza Hut has been struggling in recent years, with Yum closing hundreds of locations so far this year in the midst of a turnaround effort that included initiatives like adding Dragontail to the struggling brand’s locations; the company didn’t respond to questions for this story. Whether this’ll be another nail in Pizza Hut’s coffin or just a bump in the road will be up to a judge to decide. ®

An anonymous reader quotes a report from Inside Climate News: A proposed merger of the largest utility in the country by market value, NextEra Energy, with the sixth-largest, Dominion, would create a megacompany at a time when data centers and rapid increases in electricity demand are reshaping the industry. The proposal, announced Monday morning and contingent on state and federal regulatory approval, would result in a company that leads in nearly every aspect of the US power and utility industry, including overall electricity generation, natural gas generation, and renewables. The $67 billion deal combines NextEra's size and reach with Dominion's positioning as the local utility for the world's largest concentration of data centers in northern Virginia. But the results are likely bad for consumers and the environment, creating a company with enormous financial and political strength that will be difficult to effectively regulate, according to consumer advocates and analysts. For perspective, only Exxon Mobil and Chevron would be larger based on market value among US-based energy companies. "Mergers are not about consumers; they're about shareholders," said Ari Peskoe, director of the Electricity Law Initiative at Harvard Law School. "For the Dominion shareholders, they are selling their shares at a premium. The executives are getting massive payouts for facilitating this, assuming it all goes through, and obviously NextEra believes the transaction is going to add value to the company. Ratepayers are all an afterthought." The deal makes financial sense for both companies, said Andrew Bischof, an equity analyst for Morningstar. "We view the transaction as allowing NextEra to accelerate its data center ambitions, which had trailed those of its regulated peers, by using Dominion's expertise and relationships to expedite NextEra's data center hub plans," he said in a note to clients. NextEra, based in Juno Beach, Florida, includes Florida Power & Light, the largest regulated electricity utility in the state, and NextEra Energy Resources, a wholesale electricity supplier that owns power plants across the nation. Dominion, based in Richmond, Virginia, includes regulated utilities serving much of Virginia, parts of North Carolina and South Carolina, and other assets across the country. The company would be called NextEra Energy, and NextEra CEO John W. Ketchum would serve in the same role after the deal closes. Robert M. Blue, Dominion's CEO, would be the CEO for regulated utilities for the merged company. The parties said they expect regulatory approvals to take 12 to 18 months. NextEra shareholders would own 74.5 percent and Dominion shareholders would own 25.5 percent, respectively, of the combined company in the all-stock transaction. "We are bringing NextEra Energy and Dominion Energy together because scale matters more than ever -- not for the sake of size, but because scale translates into capital and operating efficiencies," Ketchum said in a statement. Although the companies claim the deal would produce savings, including $2.25 billion in Dominion customer bill credits, former regulator Marissa Paslick Gillett said she was "flabbergasted by the tone deafness," arguing that major utility mergers rarely deliver the promised "synergies" and often create "a behemoth" that is harder to regulate. Others warned that a larger NextEra could use its political power "to the disadvantage of ratepayers," while climate advocates said expanding methane gas plants to serve data centers would worsen pollution and leave vulnerable communities "at the short end of the stick."

Read more of this story at Slashdot.

Sundar Pichai, CEO of Google and doting parent company Alphabet, opened its Google I/O developer conference with a celebration of token and capital expenditures. Tokens are the basic data exchange unit of AI models and Google has vastly increased its token processing to accommodate internal and external demand for AI inference. Two years ago, Pichai said, Google handled 9.7 trillion tokens per month. Last year, it was 480 trillion per month. Currently, the Chocolate Factory handles 3.2 quadrillion tokens per month. "Now some out there might call this tokenmaxxing and there's probably some truth to it," said Pichai. "I still think it tells an important story about our products and how others are building as well, especially our developers." Pichai said over 8.5 million developers are building applications using Google's Gemini model family monthly, using about 19 billion tokens per minute in API calls. And over the past 12 months, more than 375 customers have consumed more than 1 trillion tokens each – an indication there's some demand for AI among businesses. That token processing is possible because of the vast capital expenditures Google has made in datacenters and compute capacity, and TPU hardware. "Supporting all of this at scale for our users while also serving enterprises and developers around the world requires massive investments in infrastructure," said Pichai. "And we've been investing for today and for the future. In 2022, we were spending $31 billion annually in capex. This year, we expect that number to be about six times that, approximately 180 to 190 billion dollars." Demis Hassabis, co-founder and CEO of Google DeepMind, took a turn on stage to provide an update on Google's progress toward AGI – artificial general intelligence – that ill-defined point when AI models perform some set of tasks as well as a human. Gemini Omni, Hassabis suggested, is a step in that direction. It can, he said, "create anything from any input," meaning digital stuff as opposed to atomic replication. "It combines Gemini's intelligence with the best of our generative media models for a new level of world understanding, multimodality and editing," he explained. Gemini Omni combines video, image, and interactive simulation capabilities of models like Veo, Nano Banana, and Genie with physics modeling, so projects accurately depict object interactions involving kinetic energy and gravity. The first model in that family, Gemini Omni Flash, is now available. Pichai returned to announce an expansion of SynthID, Google's AI watermarking technology. Google, he said, will support C2PA content credentials verification across its products, to help people distinguish between content created by AI and by a camera, and to tell whether it has been edited with Google Photos. "We are expanding both SynthID and content credentials verification to Search and Chrome," said Pichai. "You can simply circle to search or right-click in Chrome and ask, 'was this generated with AI?' and you'll get a clear response along with other helpful context." To help make this technology more broadly useful, Google said OpenAI, Kakao and ElevenLabs have decided to adopt SynthID. Pichai went on to announce the next generation of its Gemini model family, Gemini 3.5 Flash. "When compared to 3.1 Pro, Flash is better across the board, in almost all benchmarks," he said, adding that the model has made "huge progress in coding," one of the more remunerative use cases for AI models presently. One of the major selling points of Gemini 3.5 Flash is that it offers comparable performance to other frontier models, but much faster. The model manages about 289 tokens per second, about 4x more than other frontier models, Google claims. Those using Google's coding harness Antigravity can look forward to even greater speed gains. "We've optimized Flash to be not just four times, but 12 times faster in Antigravity," said DeepMind engineer Varun Mohan, adding that the 2.0 release of Antigravity is out now. The other major selling point is price. "Top companies in Google Cloud are processing about 1 trillion tokens a day," said Pichai. "If they shifted 80% of their workloads from other frontier models to 3.5 Flash, they'd save over $1 billion annually." Gemini 3.5 Flash is also making its presence known in the Google Gemini app and in Search through its integration with Gemini Spark, an agent service. "It's your personal AI agent that helps you navigate your digital life, taking action on your behalf and under your direction," Pichai explained. "It runs on dedicated virtual machines on Google Cloud. And it's 24/7." Based on Gemini 3.5 Flash, with an assist from the Antigravity harness, Spark can perform long-running tasks in the background, presumably without incurring a huge token bill. Spark will be able to connect to other tools – Google apps initially like Gmail and Chat, then third-party tools via MCP. Chrome integration, which will enable agentic browsing, is planned for later this summer. Josh Woodward, VP of Google Labs, Gemini and AI Studio, described how he used Spark to arrange a block party, emailing neighbors, recording their responses in a spreadsheet, and creating a slide deck. This is rolling out now to trusted testers and to Google AI Ultra subscribers in the US next week. Spark's arrival coincides with a new $100/month Ultra plan tier and the deflation of the top Ultra tier from $250/month to $200/month. Pichai offered up one of his timeworn phrases – "It's still the early days when it comes to making agents easy to use, super secure, and truly helpful" – to gloss over the security and privacy implications of AI agents acting on user data and applications without supervision. Then he handed off to Liz Reid, VP of Search, who proceeded to detail further AI incursions into Google's Search service. Gemini 3.5 Flash, she said, has become the default model for AI Mode. And the Search box itself has been redesigned to surface AI-based suggestions and to facilitate inputs from modalities other than text, such as images, files, videos, and Chrome tabs. The biggest change is Search Agents, which like Gemini Spark will be accessible from Search and will run while you're away from the keyboard. "You can set information agents to work for you 24/7 in the background," said Reid. "They can find you exactly what you need, exactly when you need it, and help you take action. You can spin up multiple agents in search simultaneously to get updated and make progress on all those things that matter to you." Google is also taking a page from Anthropic by offering code-based interactive widgets or mini-apps on demand. Search users will be able to create dynamic layouts, charts, graphs, and the like through the integration of Gemini 3.5 Flash and Antigravity in a containerized environment. This generative UI capability is rolling out this summer. Expect Google's token expenditures to continue to grow, along with pressure to purchase subscriptions to pay for the agentic labor. ®

OpenAI co-founder Andrej Karpathy has joined rival AI lab Anthropic. "The hire is a major coup for Anthropic in the high-stakes competition for elite AI talent -- and another sign the company is emerging as a magnet for some of the industry's most respected technical minds," reports Axios. From the report: Karpathy will start this week on Anthropic's pre-training team, which is responsible for the massive training runs that give Claude its core knowledge and capabilities, according to Anthropic. Karpathy will help launch a new team focused on using Claude itself to accelerate pretraining research -- an increasingly important frontier as AI companies race to automate parts of AI development. "I think the next few years at the frontier of LLMs will be especially formative. I am very excited to join the team here and get back to R&D," Karpathy said in a post on X. Karpathy is a rare AI figure with credibility across research, industry and education. He was a founding member of OpenAI before serving as Tesla's director of AI, where he led the computer vision team behind Autopilot. Karpathy coined the term "vibe coding" and recently described himself as being in a "state of AI psychosis" since December -- embracing "tokenmaxxing" and aggressively stress-testing frontier models.

Read more of this story at Slashdot.

The London-headquartered lender Standard Chartered announced plans to cut more than 7,000 jobs by 2030, with CEO Bill Winters saying the bank will replace some "lower-value human capital" through automation and AI while offering retraining to affected workers. "It's not cost-cutting. It's replacing in some cases lower-value human capital with the financial capital and the investment capital we're putting in," CEO Bill Winters told reporters. "So, the people that want to reskill, that want to carry on, we're giving every opportunity to reposition," Winters said. Reuters reports: The cuts, alongside higher shareholder return targets announced in a strategy update, come as StanChart is at the tail-end of a decade-long effort to transform itself from a potential takeover target to a steadily profitable lender. Its London-listed shares, which have risen 65% in the last 12 months, fell 0.5% in early trading, as analysts said the new targets were at the conservative end of their expectations. "In a world full of uncertainty, performance may prove more challenging further out," said Ed Firth, analyst at Keefe, Bruyette & Woods, citing how the bank has benefited in recent years from high interest rates and huge wealth flows. StanChart's move to streamline operations and rein in costs comes as more global firms slash jobs by deploying AI to improve efficiency. Japanese lender Mizuho in March unveiled up to 5,000 job cuts over a decade. And banks globally are scrambling to integrate frontier AI models and fend off rising cyber threats. The most affected roles will be in the bank's back-office centres, including those in Chennai, Bengaluru, Kuala Lumpur and Warsaw, according to Winters. "Of course we're using AI along the way and AI will be a huge facilitator and enabler of that," he added, referring to its ongoing revamp to automate more of its core banking system. StanChart said it would deliver over 15% return on tangible equity in 2028, more than three percentage points higher than in 2025, and building to about 18% in 2030. Meta also announced plans to reassign 7,000 employees into AI-related initiatives, just ahead of layoffs expected to affect roughly 8,000 workers.

Read more of this story at Slashdot.

Firefox version 151 is out of beta and trickling out to users, with handy additions, just in case you were thinking of jumping ship from Windows 11 to Linux. Mozilla has officially released Firefox 151, although automatic updates are not yet happening at the time we write this. Its profit-making subsidiary MZLA has also released Thunderbird 151, although its new-feature list has less cool new shiny. The Firefox product announcement trumpets a “fresh new look and feel” for the New Tab page. As we’ve already lightly customized ours, we didn’t see that, but you know how it is – this is the sort of thing marketing folks can understand and sound excited about. Apparently you can customize its wallpaper and add a “Recent Activity” feed, if that’s what you want. (We’ve just added a few more rows of shortcuts to recent pages.) A more useful function, especially if you don’t trust Firefox Sync and you’re thinking of changing to a new OS, is improved handling of Firefox Backup, the built-in tools for backing up and restoring your profile (or profiles, plural, for the truly hardcore). The page in the last link hasn’t changed in the last three weeks, and it still says, “Note: Firefox Backup is currently only available to users on Windows 10 and 11. This feature may be extended to other platforms in future versions of Firefox.” Well, now it has: the release notes say it works on Linux now. We’ve also seen reports that it is now on macOS too, but not on our iMac (This could be because we’ve been using Firefox Sync since the late lamented Xmarks shut down). A key addition is that a profile backed up on one OS can now be restored on a different OS, which sounds like a significant improvement to us. This includes extensions and themes. Last time around, we shared the news that the PDF editor could split multipage PDFs into chunks, including saving out individual pages. In this version, it can now merge multiple PDFs into one, which also sounds handy. It’s the sort of feature we rarely need, but when we do, we really need it. Suffice to say that with recent Firefox versions, we no longer need a standalone PDF viewer. As well as over 30 security fixes and the usual developer changes, this release fixes some more visible bugs: multi-monitor handling has been improved, as has macOS integration. For instance, it can now handle links pasted from iOS using Apple’s Universal Clipboard feature, and dropdown menus on web pages use the native Apple menu style. Firefox’s Enhanced Tracking Protection has been further – er – enhanced, and now conceals more info about you – and much more on macOS. Thunderbird 151 is nigh upon us The closest thing to a universal cross-platform messaging client that the 21st century has to offer us so far has been updated, too. Thunderbird 151 is rolling out, although we haven’t been offered the update yet. The release notes' What’s New section only has three bullet points, and one of those is for the not-yet-public Thundermail service, part of Thunderbird Pro. However, it’s easier to adjust authorization settings for automatically-created accounts, Microsoft Exchange handling has been slightly tweaked, and you can sort tasks by different criteria. Since our task list is about three pages long and never seems to get any shorter, that sounds quite handy. ®

An anonymous reader quotes a report from KrebsOnSecurity: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. On May 15, KrebsOnSecurity heard from Guillaume Valadon, a researcher with the security firm GitGuardian. Valadon's company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn't responding and the information exposed was highly sensitive. The GitHub repository that Valadon flagged was named "Private-CISA," and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets. Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories. "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature," Valadon wrote in an email. "I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I've witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices." "Currently, there is no indication that any sensitive data was compromised as a result of this incident," a CISA spokesperson wrote. "While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences." The GitHub account in question was taken offline shortly after CISA was notified about the exposure. However, according to Caturegli, the exposed AWS keys remained valid for another 48 hours. "What I suspect happened is [the CISA contractor] was using this GitHub to synchronize files between a work laptop and a home computer, because he has regularly committed to this repo since November 2025," Caturegli said. "This would be an embarrassing leak for any company, but it's even more so in this case because it's CISA."

Read more of this story at Slashdot.

The US Cybersecurity and Infrastructure Security Agency (CISA) left open a GitHub repository named “Private-CISA” containing plain-text passwords, private keys, tokens, and secrets – with obvious file names like “external-secret-repo-creds.yaml” and “AWS-Workspace-Firefox-Passwords.csv” – for six months. GitGuardian researcher Guillaume Valadon, fresh off a recent talk on Kubernetes secret leaks, found the public repository on May 14, and told The Register that he “quickly understood that the leak was bad and that time was running out. A national agency having 844 MB of production infrastructure material in a public GitHub repository for six months is as serious as a secrets leak gets.” Valadon, who previously spent nine years at France’s CISA equivalent, ANSSI, told us the leak included tokens for CISA's internal JFrog Artifactory, Azure registry keys, AWS credentials, Kubernetes manifests, ArgoCD application files, Terraform infrastructure code, GitHub personal access tokens, and Entra ID SAML certificates. GitGuardian reported the leaky repository to CISA on May 14, and the agency took it down a day later. A CISA spokesperson told The Register that it was aware of the report and is investigating. "Currently, there is no indication that any sensitive data was compromised as a result of this incident.” It’s not a good look for the nation’s infosec agency, which hasn’t had a permanent boss since Trump took office, is facing hundreds of millions of dollars in budgets cuts on top of deep cuts to staff and funding last year, and has suffered its share of embarrassing security snafus in the interim. In a Tuesday blog, Valadon said he initially thought the repo “was a hoax, given how suspicious the directory names (Backup-April-2026/, All Backups/, LZ-Artifactory/, Kubernetes-Important-Yaml-Files/, ENTRA ID - SAML Certificates/ ...), file names (external-secret-repo-creds.yaml, CAWS GitHub Token.txt, Important AWS Tokens.txt, AWS-Workspace-Firefox-Passwords.csv, Kube-Config.txt ...), and their contents (private keys, personal and professional GitHub tokens, AWS secrets, ...) seemed too good to be true,” Valadon wrote. It wasn’t a hoax – “The Cybersecurity and Infrastructure Security Agency is aware of the reported exposure and is continuing to investigate the situation,” but it was a “catalogue of unsafe practices,” he added, containing passwords stored in plain text, backups committed to Git, and an “explicit” how-to guide for disabling GitHub's secret scanning. After initially reporting the leak through the CERT/CC portal, and only receiving an auto-acknowledgement as of the morning of May 15 – a Friday – Valadon alerted security journalist Brian Krebs about the publicly exposed secrets, which seemed to speed up CISA’s processes. By 6 pm EST that night, the feds took down the repository. Valadon told The Reg he gives CISA credit for quickly deleting the repository. “Most of our responsible disclosures take much longer, and many are never fixed,” he said. “Managing to take the repository offline in a day is impressive work.” He doesn’t know if any other parties with less altruistic intentions found the secrets first, although the fact that the repository was never forked (based on public GitHub events) would seem to indicate that it wasn’t widely circulated on the dark web. “The only ones that can answer definitively is GitHub,” Valadon said. GitHub did not immediately respond to The Register’s inquiry. GitGuardian isn’t aware of any of the exposed credentials being abused by unauthorized individuals “Each category of secret in the repository unlocks a specific attack path,” Valadon said. “Stacked together, they cover the full range: from destructive attacks and ransomware extortion to quiet, long-term persistence inside CISA's build and deployment pipeline. That last scenario worried me the most, and it's why I escalated through every channel we had until the repository was taken offline.” Plus, the committer used both a CISA-issued contractor email and a personal Yahoo email across the same commits, and created the repository using a personal GitHub account. “That mixed-identity pattern is one of the hardest surfaces for security teams to cover, and it's where the worst leaks happen,” Valadon said.®

You know about shadow IT. Get ready for the shadow AI surge. Employees using unauthorized personal accounts to access GenAI tools are emerging as a growing insider-risk concern for organizations, new research shows. That means workers who have access to sensitive material could be plugging it into their AI platform of choice more frequently, leaving their organization none the wiser. Of the 45 percent of all professionals using AI in the workplace regularly, 67 percent of those were accessing the platforms using personal accounts that were not authorized by their IT teams, data from Verizon’s annual data breach investigations report (DBIR) [PDF] showed. Verizon said that the proportion of users accessing AI through personal accounts now represents a fourfold increase in non-malicious insider actions detected across this year’s dataset of more than 22,000 breaches globally. We’re not just talking about the Gemini, Claude, ChatGPT, and Grok, but also various vibe coding platforms, AI agents, and other external chatbots that could have access to an organization’s data in some form. Verizon reported that 28 percent of data loss prevention policy violations involved employees entering source code into an AI tool, potentially exposing an organization’s intellectual property. In descending order of prevalence, staff were tossing images, structured data, documents, and PDFs into GenAI platforms as well. In 3.2 percent of cases, workers were uploading proprietary research and technical documentation. This should concern even the most bullish AI adopters, given the volume of potentially sensitive corporate data employees are feeding into unauthorized third-party AI services each day. Verizon said admins should be doing everything they can to prevent users from blindly trusting technology that is putting an increasing number of systems between this potentially sensitive data and the model itself, including by securing all enterprise asset configurations, and ensuring accounts and their permissions are tightly managed. The prevalence of shadow AI has given rise to new thinking around the matter, including by evolving the idea of software bill of materials (SBOMs) to AI-BOMs. You may have come across these already. Cisco open-sourced its AI-BOM earlier this year, for example, and more recently introduced a tool to track AI model provenance. Ian Swanson, VP of AI security products at Palo Alto Networks, told us the other week that AI-BOMs can also play an impactful role in helping incident responders deduce how cyberattacks play out in cases where the attackers use an organization’s own AI against it. AI-BOMs give defenders an idea of what any given AI system’s configurations were at a given time, allowing them to more easily see what changed and when. "If you had understanding of state and understanding of state changes, then you would be able to go back to an AI bill of materials and say: 'What system prompt was used within the ingredients to create the AI application?' And then see it's changed from a prior state to a new state. So we should probably check this and see if there's anything bad that's happening here," Swanson said. "And in that case, you'd be able to catch it." Bugs, bugs, bugs Away from the growing issue of shadow AI, Verizon said the exploitation of software vulnerabilities is once again the leading cause of security breaches, overtaking credential abuse, which is down 13 percent on last year’s results. Organizations’ patching habits aren’t doing much to help the cause here. The percentage of critical vulnerabilities from CISA’s Known Exploited Vulnerabilities (KEV) catalog that were fully remediated was down from 38 to 26 percent in 2025, for example. Verizon also said that the median time to full vulnerability resolution rose by nearly two weeks, from 32 days in 2024 to 43 days last year. That said, defenders have had their work cut out for them, with the number of critical vulnerabilities needing remediation increasing by 50 percent on average. Elsewhere, ransomware featured in nearly half of all breaches covered in the report. Forty-eight percent of them, to be exact, up slightly from 44 percent in the previous year’s dataset. Some bright news to end on, however: Verizon continues to see a downward trend in ransom payments being made – 69 percent of victims refused to pay, while the median ransom payment fell from $150,000 to $139,875. ®

Microsoft is launching three new Intel-powered Surface devices for businesses: the Surface Pro 12, Surface Laptop 8, and a smaller 13-inch Surface Laptop model. These new machines come equipped with newer Intel chips, a few business-focused upgrades, and notably higher starting prices. "The high pricing of these three new Surface devices is a sign of things to come for whatever consumer models Microsoft is planning this year," notes The Verge. From the report: This time around Microsoft is refreshing its Surface Pro and Surface Laptop models with Intel's latest Core Ultra Series 3 processors first, ahead of similar models with Qualcomm's new Snapdragon X2 processors later this year. The new Surface Pro 12, or as Microsoft calls it the Surface Pro for Business 13-inch (12th Edition), will be available for businesses today, starting at an eye-watering $1,949.99. The base model will include an Intel Core Ultra 5 processor, 16GB of RAM, 256GB of storage, and the regular 13-inch PixelSense LCD display. Businesses will have to pay extra for models with Intel's Core Ultra 7 processor, up to 64GB of RAM, and up to 1TB of storage. The top spec Surface Pro 12 with a Core Ultra 7, 64GB of RAM, and 1TB of storage will be priced at $4,399.99, and there are also OLED screen options and models with 5G connectivity. The Surface Pro 12 5G starts at $2,249.99, with a Core Ultra 5, 16GB of RAM, and 256GB of storage. [...] Microsoft is also launching two new versions of the Surface Laptop for businesses today. The Surface Laptop 8, or Surface Laptop for Business 13.8 or 15-inch (8th Edition) as Microsoft calls it, will also be available with a range of Intel's Core Ultra Series 3 chips. It launches alongside a smaller 13-inch model, which is confusingly labeled the Surface Laptop for Business 13-inch (1st Edition). The 13.8-inch model starts at $1,949.99, and includes Intel's Core Ultra 5 processor, 16GB of RAM, and 256GB of storage. While Surface devices for businesses have typically had higher pricing than consumer models, the $1,949.99 starting price for a Surface Laptop 8 is almost double the original price of the Surface Laptop 7. RAMageddon really has come for Microsoft's Surface Pro and Surface Laptop devices, after recent price increases meant the existing consumer models are now $500 more expensive than their original starting price. The max configuration for the 13.8-inch Surface Pro 8 will include a Core Ultra 7, 64GB of RAM, and 1TB of storage for $4,299.99. A similar version of the 15-inch model (with an x7 processor) will be priced at $4,499.99.

Read more of this story at Slashdot.

Airbus has inaugurated new supercomputing infrastructure from Bull to help the firm develop future aircraft, but is being coy about revealing how powerful the overall system is. The European aerospace giant had already taken delivery of the hardware, spread across two sites – at Toulouse in December last year and Hamburg in April this year – but today (Tuesday) marks the official inauguration of the system, with 3x the performance of its previous supercomputer. That’s according to Bull, the high-performance compute biz the French state acquired from Atos a few months ago, as Airbus declined to put forward a spokesperson to answer our questions. The new system is based on a modular design, where kit was pre-assembled inside containers before being shipped to the Airbus sites. It is based on the firm’s BullSequana XH3000 rack infrastructure with a mix of compute blades configured with AMD’s Genoa and Turin versions of the Epyc processors, plus Nvidia GPU blades. Also part of the hardware manifest is IBM Spectrum Scale storage using Storage Scale System appliances from the firm, and the interconnect used is Nvidia’s InfiniBand NDR (Next Data Rate), supporting 400 Gbps per port. However, Bull wouldn’t tell us exactly how much of all this infrastructure it has delivered, as Airbus regards this as confidential information. What it did say is that the supercomputer is being supplied and supported on a “HPC-as-a-service” model, whereby Airbus is paying close to €100 million ($116 million) over five years for an all-inclusive deal. Bull is understood to have won this contract from HPE, which was the previous supplier to Airbus. “So Airbus was a long standing customer of HPE for around 24 years, and they were initiating a procurement to replace their existing system in order to get something like three times more performance of their existing systems, so they did a procurement, which is a classical HPC procurement, and we won on the price-performance agreement,” Bull’s head of HPC, AI and Quantum Computing Bruno Lecointe told The Register. While the hardware is located at two sites, Lecointe says they are connected to function as a single supercomputer, although workloads are not currently split across sites but run on one or the other, with a batch scheduler choosing which is the best based on the available resources. Airbus needed a more powerful supercomputer as it is expecting to use it for “digital twins,” whereby the helicopters and other aircraft it is developing will not only be designed using the system, but the entire airframe will also be simulated on the computer as well. One of the tools it is likely to be using is the CODA computational fluid dynamics (CFD) software, jointly developed by the German Aerospace Center (DLR), the French Aerospace Lab (ONERA), and Airbus itself. Lecointe hinted that Bull is also working with Airbus on some quantum and AI algorithms to meet its compute requirements, but this is “highly confidential.” The inauguration of this fully operational, multi-site supercomputing infrastructure comes just 14 months after contract signature, Lecointe boasted. The heat generated by the system will also be reused to supply neighboring buildings on the Airbus site. ®

Microsoft is turning Azure Linux into a general-purpose, Fedora-based cloud distribution available to all Azure customers, while also productizing Flatcar as Azure Container Linux for immutable container hosts. "When Microsoft joined the Linux Foundation, there was this big conspiracy theory that somehow the Linux Foundation was undermining open source in partnership with Microsoft, and now you announce that you're shipping a Linux distribution," Jim Zemlin, the Linux Foundation's CEO, said in response to Microsoft's surprise announcement. "That's amazing." ZDNet reports: Until now, [Lachlan Everson, Microsoft's Principal Program Manager on Azure's open-source team] noted, "we had Azure Linux only available to third-party customers through AKS specifically, and that was Azure Linux 3.0." Going forward, this will be ACL. Everson emphasized that Azure Linux 4.0 is the culmination of years of internal usage and the evolution of the earlier Mariner distribution. "So we've been running Azure Linux for many years internally, and we got through to 3.0, and we only allowed it on as a container host on AKS. What we've done is make it a general-purpose, so this is all the learnings that we've had in the heritage of Mariner." Under the hood, Azure Linux 4.0 is based on Fedora Linux and is delivered as an open distribution on GitHub. This code is available now. Yes, Red Hat knows that Microsoft has done this. Everson continued, "So, we made a decision to use Fedora as an upstream, so it's using RPMs in the Fedora ecosystem. Microsoft curates the packages and the supply chain to fit Azure's cloud platform." Microsoft also created "it to be purpose-built for Azure, which integrates vertically into all of our infrastructure to give you the best Azure Linux experience on Azure." While Azure Linux will ship as a VM image, Microsoft is already preparing a developer-friendly path onto Windows desktops: "And as of today, we have it as a VM image for your VM host on Azure. We're going to announce WSL images as well." While developers will be able to run Azure Linux locally through WSL, Microsoft is not positioning it as a traditional desktop Linux. Asked whether he could run it on his laptop, Everson said: "I will be able to run it on my laptop, or what have you. Yes, on Windows 11." However, when pressed about a desktop experience, Everson was clear that there are "no plans" for a graphical environment. "It's optimized for server-side in the cloud," he said, adding that even on a developer machine, users should expect a lean environment. "Minimal packages, yeah. The idea is that we offer you a consistent experience to do your development on your machine, and that you can take your workloads as you develop them on your machine and run them with VS Code. You can run your applications on that, and know that the platform is the same that you're running on the cloud, so that you have that kind of consistency between environments." Flatcar itself remains the upstream project, but Microsoft is packaging it for Azure customers. Everson described Flatcar as "purpose-built, immutable, secure by default, production-ready operating system, and Azure Container Linux is the productization of that, but we're still investing in the upstream Flatcar ecosystem and pulling that downstream into a productized exterior experience just for container workloads, so it's a container hosting in AKS." To underscore the immutable model, he added that "Everything's baked in, so there is no package manager. We bake the bits into the immutable, and they're in the immutable version. So Azure Container Linux is the immutable version. So you shouldn't be changing any system packages or any application packages. Anything that you need to change is customer workloads run in containers."

Read more of this story at Slashdot.

If you use Drupal, get ready to patch without delay. The org behind the popular open source content management system is warning of a highly critical vulnerability in Drupal core that is serious enough for it to tell users ahead of Wednesday’s patch release to set aside time to install the fix immediately. The Drupal Security Team’s Monday PSA announcing the imminent patch for Drupal core doesn’t include any specifics, with the PSA noting that Drupal isn’t willing to share additional information until the announcement is made alongside the patch release. That, says Drupal, will happen at some point between 1700 and 2100 UTC on Wednesday, May 20. To reiterate, this vulnerability is found in Drupal core, the bare-bones version of Drupal designed for developers, and not Drupal CMS, the preconfigured version for those who want Drupal but don’t have coding skills. Drupal noted that sites using Drupal Steward, its paid web application firewall service, are protected against known attack vectors, though it still recommends Steward customers update their core instances in case additional exploit methods emerge. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” the advisory warns. Drupal also recommends users update to the latest supported release prior to Wednesday’s patch “so that you can address any other upgrade issues before the security window." While it won’t get specific on the nature of the vulnerability, Drupal did share its severity score based on NIST’s standard scoring methodology, and it’s not good: The bug scored 20 out of a max of 25 on that scale, as defined by Drupal’s own documentation. More specifically, it’s trivially easy to leverage, doesn’t require any privilege level to exploit, could make all non-public data on an affected site accessible to the attacker, and could allow an attacker to modify or delete whatever they wanted. The only two things preventing it from scoring a perfect 25/25 are the fact that a known exploit doesn’t exist yet and that it doesn’t affect all configurations, only those using “uncommon module configurations.” Drupal noted that security releases will be published on Wednesday for all currently supported core branches (11.3.x, 11.2.x, 10.6.x, and 10.5.x), as well as unsupported Drupal 11.1.x and 10.4.x branches for sites that have not yet upgraded from older 10.x and 11.x releases. Drupal users on 8.9 and 9.5 are also getting patches “given the potential severity of this issue,” though the advisory warns 8.9 and 9.5 users will need to install those updates manually, which “might introduce other bugs or regressions,” leading Drupal to recommend a full upgrade to a supported core branch. “Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files,” the advisory said. Drupal 7 users are safe. Given the fact that not all Drupal core environments will be affected, the advisory recommends all Drupal core users set aside time on Wednesday to determine whether they’re part of the vulnerable class, and take action immediately if so. Drupal’s security team didn’t respond to questions for this story. ®

Gartner has warned that SAP users adopting its AI agents could face spiraling costs as the vendor moves to a new commercial model. Last week, the German ERP giant announced plans for its Autonomous Enterprise, including an AI platform for building and governing a suite of agents that do business work. With the new platform comes a new commercial model in which SAP no longer charges according to how many users are authorized to access the platform, but by the value agents offer by completing "actions." SAP has confirmed to The Register that AI Unit purchases are estimated based on the expected number of "agent actions for an autonomous domain." The company promised to introduce "Autonomous Domain Blueprints" that would help estimate costs in so-called "T‑shirt size guidance" indicative of the customer's scale of deployment. However, a recent paper from Gartner warns: "Depending on how SAP defines an 'action,' the number of events incurring fees risks quickly spiraling upwards. This would lead to unexpectedly increased costs, especially if SAP continues to charge higher unit prices for AI Units used in excess of the customer’s contractual commitment, or if AI agents consume a digital access license. Moreover, the value a customer derives from an executed action might not match how SAP has priced that action." Victoria Rowan, Gartner senior principal analyst, is lead author of the report, "First Take: SAP Moves to Higher-Value-Based AI Pricing, but Potential Cautions Remain." The research outfit has promised to update its analysis as SAP publishes more details about its pricing model. It is also waiting for a response to a fact review from the company. SAP provides ERP (enterprise resource planning) systems that help run some of the world's largest companies, including Walmart and VW Group. Over the past five years, it has been trying to get customers to move to the cloud and off legacy software. More recently, it has made a big push for AI adoption. In its research, Gartner said users need to take care in how they cost AI adoption with SAP, which provides AI Units as a commercial metric. "The AI Units customers purchase are converted to the license metric of the particular SAP Premium AI services they consume. SAP's contracts give SAP the ability to alter the conversion factors, meaning SAP could end up charging more during the term and at the point of contractual renewal," the paper says. An SAP spokesperson said conversion rates were intended to reflect the usage of the applicable AI features. "Any changes to conversion rates would only take effect upon renewal for existing customers, as further described in the applicable AI Units order form." Gartner also pointed out that there was a lack of "clear definitions of how the customer-built agents' work will be measured." While this remains the case, "it will be difficult to predict and control runtime costs." The SAP spokesperson said the runtime metrics for Joule Studio – SAP's agent builder platform – had not yet been disclosed. Announcing SAP's Business AI platform last week, CEO Christian Klein promised customers could unlock new sources of revenue and make "meaningful cost savings." Gartner advises users thinking about adopting SAP's AI platform to review their existing contracts to check whether they have price-protection clauses for their SAP Cloud applications, such as S/4HANA. They should also get a baseline for the conversion of AI Units by obtaining a copy of the current SAP AI Services List from the SAP Trust Center and reviewing the current conversion factors. ®

An anonymous reader quotes a report from the New York Times: Meta told employees on Monday that it was reassigning 7,000 workers to focus on new initiatives around artificial intelligence, the latest change in a company transformation spurred by the powerful technology. Employees will be moved to four new organizations focused on building new A.I. tools and apps, Janelle Gale, Meta's head of human resources, said in an internal memo. The organizations will use "A.I. native design structures" and have fewer managers per employee than other parts of the company, she said, adding that company leaders will send details about the new roles on Wednesday. The restructuring "will make us more productive and make the work more rewarding," Ms. Gale wrote. Meta declined to comment further on the changes. The move comes shortly before Meta begins laying off roughly 8,000 employees, or 10 percent of its work force. Ms. Gale also mentioned Wednesday's layoffs in her memo. "We know days like this are extremely hard, and we appreciate you showing up for each other," Ms. Gale said. According to the NYT, employees have been asked to work remotely that day and emails about the layoffs would be sent at 4 a.m. local time. Employees in the United States will receive 16 weeks of severance pay, along with two extra weeks for every year they worked at Meta.

Read more of this story at Slashdot.

Microsoft has rolled out another round of Surface for Business laptops starting at $1,499 and featuring Intel's latest mobile processors. The new Surface Pro for Business (12th Edition) and Surface Laptop for Business (8th Edition) refreshes, announced on Tuesday, are built around Intel’s latest Core Ultra Series 3 processors and Microsoft’s increasingly relentless Copilot+ PC push. Redmond HQ'd Microsoft is pitching the machines as enterprise-grade AI workhorses capable of running local AI models and Windows “AI experiences” without constantly leaning on the cloud. At the top end, the new 13-inch Surface Pro can be configured with up to 64 GB of RAM, 1 TB of removable SSD storage, optional OLED panels, and 5G connectivity. Microsoft says the onboard NPU can deliver up to 50 TOPS of AI processing performance for local Copilot features, image generation, transcription, and video enhancements. The new Surface Pro does not radically reinvent anything, sticking with the same kickstand-and-detachable-keyboard design Microsoft has been shipping for years. However, the company says the 13-inch PixelSense Flow display now supports HDR, adaptive color, a 120 Hz refresh rate, and up to 600 nits of brightness. The Surface Laptop line now comes in 13-inch, 13.8-inch, and 15-inch configurations, with Microsoft heavily emphasizing battery life, AI-assisted video calls, and hybrid work features. The devices include WiFi 7 support, multiple USB-C ports, haptic touchpads, and optional anti-glare privacy displays, designed to make shoulder-surfing slightly harder for the stranger sitting next to you on the train. Under the hood, the new Surface Laptops can be configured with Intel Core Ultra X7 processors, which Microsoft claims deliver up to 35 percent better graphics performance than Apple’s MacBook Air with M5 silicon and more than 90 percent faster performance than the older Surface Laptop 5. Those figures, naturally, come from Microsoft’s own testing. None of this comes particularly cheap. The new Surface Pro for Business starts at $1,949.99, while maxed-out configurations climb north of $3,000 – and that’s before you buy the keyboard add-on. Surface Laptop for Business systems are a bit less expensive, with the 13-inch model going for $1,499 and a model with 8 GB of RAM due out later this year for just $1,299. That lands barely a month after Microsoft quietly raised Surface pricing amid ongoing memory shortages and broader component cost pressures. Some Surface models jumped by several hundred pounds overnight as RAM pricing continued to spiral upward, driven by AI infrastructure demand outpacing memory supply across the industry. So far, the AI PC era appears to involve rather a lot of expensive laptops and considerably less evidence that customers were asking for them. ®

The Amalgamated Union of Influencers, Trendsetters, Microbloggers, and other professional brand ambassadors is up in arms, and threatening an industry-wide strike (please note: this is not in any strict or meaningful sense true). Elon Musk is tightening the ties that bind, in bad news for enthusiastic social media personalities on X who aren't monetizing successfully enough to pay for it yet. On the site's help page, punitive restrictions on non-paid users are laid out. The current technical limits for accounts now are: Direct Messages (daily): The limit is 500 messages sent per day. Posts: 50 original posts and 200 replies per day for unverified accounts. The daily update limit is further broken down into smaller limits for semi-hourly intervals. Changes to account email: 4 per hour. Following (daily): The technical follow limit is 400 per day. Please note that this is a technical account limit only, and there are additional rules prohibiting aggressive following behavior. Following (account-based): Once an account is following 5,000 other accounts, additional follow attempts are limited by account-specific ratios. We know, and we sympathize. How could anyone cope with being limited to just 50 tweets and 200 replies a day? All the same, some of the Twitterati are not happy. If you are interested in moving up to a premium account, hilariously, at the time of writing the Premium sign-up page compares the benefits of Basic, Premium, and Premium+ accounts with this vivid and enticing description: In case of problems, the help page suggests checking the Status page, which, as the icing on the cake, currently appears to be down: And yes, we checked. Perhaps the site is simply deluged by legions of Digital Storytellers and Tastemakers who are desperately trying to pay to extend their reach. Meanwhile, other social networks remain available. Bluesky has been open to all comers for a couple of years now. Former CEO Jay Graber, who now serves as Chief Innovation Officer, has some enticing rhetoric, such as this post from October: Be warned, though, she does have a strong position against strikes: If Bluesky sounds just a tad corporate, then we suggest the Fediverse, best known through its most famous implementation and site, Mastodon. The Electronic Frontier Foundation has a guide on how to join. ®

An npm account compromise infected 314 npm packages with malware, including size-sensor, echarts-for-react, timeago.js, and packages scoped to @antv, in a 22-minute burst of activity in the early hours of Tuesday morning. The most popular impacted package is size-sensor, downloaded 4.2 million times per month, followed by echarts-for-react (3.8 million), @antv/scale (2.2 million) and timeago.js (1.15 million). The compromised account, i@hust.cc, belongs to a developer based in Hangzhou, China. Security researcher Nicholas Carlini reported the malware on GitHub, and the the hust.cc account closed the issues and marked them as "fixed" within an hour. This means the malware report on this and other repositories is hidden unless a developer looks for closed issues. Some malicious package versions have been deprecated on npm with the message "this version was published in error, please use the latest version instead," while others have been removed. Security biz SafeDep reported on the malware and analyzed the payload, which uses the same structure as that used to compromise SAP packages three weeks ago. The malware reads environment variables and scans files to find credentials for GitHub, npm, cloud platforms including AWS, Microsoft Azure, and Google Cloud, Docker, Stripe, and more. The code also attempts to escape container boundaries. Stolen secrets are exfiltrated to a new GitHub repository. The malware injects settings files into other local projects on a developer machine, for execution by Claude Code or Codex, and further abuses GitHub as a C2 (command-and-control) backdoor via malicious repositories and Python code that downloads and executes content from them. According to SafeDep, "the attacker automated the entire wave using a stolen token." Developers who have installed compromised package versions are advised to rotate all credentials accessible from the build environment, check for unauthorized GitHub repositories, and remove malicious systemd services on Linux. Maintainers and package publishers are at greatest risk as they may find further malicious packages published via their own credentials. This attack comes shortly after another Shai-Hulud incident reported yesterday, and more can be expected. Although other package repositories such as PyPI and RubyGems have also seen malware published to them, npm remains the biggest target and, for now, appears to be the worst affected. npm, owned by Microsoft subsidiary GitHub, has said little about the current wave. In September last year, a post outlining a plan for a more secure npm supply chain was intended to "address a surge in package registry attacks," during what now looks like the early phase of Shai-Hulud, but the actions taken so far have not prevented further incidents. The Register asked GitHub to comment.®