Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports its followers in interesting projects.

Categories

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Bleeping Computer - 30 min 27 sec ago
Anthropic appears to be preparing for the public rollout of the Mythos model, which was announced in April as a restricted model that poses major security risks to private and public software. [...]
Category: Hacking & Security

Plane had to make an emergency landing because of a power bank in the luggage. What to do so it doesn't happen to you

Zive.cz - security - 1 hour 53 min ago
** External batteries may only be carried in carry-on luggage ** A power bank's capacity must not exceed 100 Wh, and two units are allowed ** Active charging and use of power banks are prohibited on board
Category: Hacking & Security

⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

The Hacker News - 3 hours 24 min ago
Monday recap. Same mess, new week. A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times. Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually
Category: Hacking & Security

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Bleeping Computer - 4 hours 52 min ago
The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). [...]
Category: Hacking & Security

DeepSeek’s steep V4-Pro price cut escalates AI pricing war

Computerworld.com [Hacking News] - 5 hours 35 min ago

Chinese AI startup DeepSeek has announced a steep price cut for its recently launched flagship AI model, V4-Pro. The company has reduced pricing for the model by 75%, just a month after unveiling the V4 generation, which includes V4 Pro and V4 Flash.

Earlier, usage costs ranged from $0.0145 for one million tokens (cache hit) to $3.48 for one million output tokens. Following the revision, the V4 Pro will now cost starting at $0.003625 per million tokens and going up to $0.87 per million tokens, respectively. The DeepSeek V4 Pro model API pricing will be officially adjusted to 1/4 of the original price after the 75% discount promotion ends on 2026/05/31 15:59 UTC, said the company.

“V4-Pro was engineered to cut the cost of long-context inference, reportedly running at roughly a quarter of the single-token compute and a tenth of the memory footprint of its predecessor at very long context. This is why the price cut is permanent rather than promotional. It is not a discount. It is an efficiency gain being passed through,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.

DeepSeek narrows gap with Western AI rivals

Almost a year after introducing its R1 reasoning model offering performance and cost efficiency, DeepSeek released the preview of V4 LLM. Similar to the earlier models, even V4 is open source, which allows developers to download the code to run it locally and even modify it. The new models were optimized for use with popular agent tools such as Anthropic’s Claude Code and OpenClaw.

“From a pure capabilities perspective, DeepSeek V4-Pro has effectively closed the performance gap on critical tasks like complex math and reasoning, while aggressively leading the market on openness and inference costs. Its specialized reasoning modes and architectural enhancements make it a formidable alternative to Western frontier models,” said Neil Shah, vice president at Counterpoint Research. However, its primary limitations aren’t found in its raw intelligence; rather, it lags behind Western rivals on broader ecosystem adoption, global support structures, clear IP provenance, and the deep and secure hyperscaler integrations natively offered by AWS, Microsoft, and Google, he added.

Lower costs, better ROI

As inference costs remain one of the biggest barriers to scaling pilots into organization-wide deployments, DeepSeek’s aggressive discounts could translate into substantial savings for enterprises, say experts.

The first wave of enterprise AI was full of impressive demonstrations and uncomfortable invoices. CIOs learnt quickly that the cost of AI was never just the model call but included retrieval, orchestration, and more, added Gogia.

However, the 75% cut is meaningful only if CIOs can actually access it at scale.

“For most enterprises, the relevant comparison is not DeepSeek’s direct API but the cost of running a local deployment versus using any external inference provider. If a CIO can host DeepSeek V4-Pro on their own infrastructure, inference costs drop dramatically, and many projects that were previously uneconomical at scale become viable. That includes always-on copilots, bulk document review, code generation, L1 support, and multi-agent workflows,” explained Amit Jaju, senior managing director at Ankura Consulting. He added that if the model is consumed through third-party providers, the effective rate may be higher and the ROI benefit smaller.

AI pricing pressure to intensify

DeepSeek’s discounted pricing strategy is likely to intensify pressure on major AI vendors whose models often command premium enterprise pricing. This could lead vendors such as OpenAI, Anthropic, and Google to respond with better packages.

Shah noted high-margin, high-consumption token pricing models from Anthropic and OpenAI are becoming harder to justify for many enterprise workloads and workflows. The presence of a viable open-weights alternative gives enterprise buyers decent leverage. This will likely prompt these premium flagship Western AI labs to gradually shift from basic consumption-based pricing toward more defensible, outcome-oriented or value-based monetization models.

Consequently, CIOs will also adopt a multi-model AI strategy, similar to migration to multi-cloud architectures. “This will result in an AI portfolio architecture where premium models will be for high-stakes work, domain models for specialist tasks, smaller models for repeatable execution, and an orchestration layer to route, log, govern, and monitor the whole estate,” added Gogia.

CIOs must proceed cautiously

Despite the cost advantages DeepSeek offers, CIOs should remain cautious when evaluating Chinese-origin AI models and carefully assess risks around sensitive data exposure, regulatory compliance, and geopolitical dependency.

Jaju added that the primary risk is data sovereignty and cross-border exposure. If CIOs rely on external APIs hosted in China, prompts, documents, embeddings, logs, and telemetry can leave the enterprise perimeter and traverse jurisdictions with different legal regimes.

Another big risk is IP leakage as developers may paste source code, product designs, legal drafts, M&A material, or incident data into model workflows. If the model is external, that data can be stored, used for training, or exposed through logs or plugins, he added.

Jaju highlighted that the third risk is regulatory defensibility. CIOs need clarity on where data is processed, what is retained, who can access it, what contractual protections exist, whether the model can be self-hosted, and how outputs can be audited.

Experts warn that the safest way will be to host DeepSeek locally or in a sovereign cloud under enterprise control, with encryption, access controls, and audit trails.

The article originally appeared on InfoWorld.

Category: Hacking & Security

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

The Hacker News - 5 hours 35 min ago
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the
Category: Hacking & Security

US's big bet on quantum computing may not be entirely legal

Ars Technica - 5 hours 37 min ago

Last week, the US government announced $2 billion in investments in quantum computing companies, allocating $100 million each to a range of startups in exchange for equity in the companies. Those could be make-or-break investments for many companies that are likely years away from a product that could see widespread use. But a member of the US Congress is now arguing that those deals are illegal, as Congress did not allocate the money for this purpose—instead, it was meant to support public research in semiconductors.

But the biggest chunk of money would go to a company that likely wouldn't exist if it weren't for the government's backing. Anderon will be set up with a billion dollars each from IBM and the government and will inherit personnel and IP from IBM. It will serve as a foundry for fabricating quantum processing units and will contract its services out to IBM and any other company that wants access to cutting-edge hardware.

Is any of this legal?

Zoe Lofgren (D–Calif.), the ranking member of the House Science, Space, and Technology Committee, made it clear that she is not happy with how the government is using its money to support this technology.

Q&A: How video helps build robot brains for physical AI

Computerworld.com [Hacking News] - 6 hours 2 min ago

Robots could well be the next trillion-dollar tech opportunity, in no small part thanks to AI. Not surprisingly, that’s led to a race by a variety of robotics companies to build industrial and humanoid robots to help (or replace) humans.

And to help orient those devices visually in the real world, robot brains are being fed YouTube videos. The idea is to help them understand the environment in which they would work and to spur physical AI.

Kate Shen, co-founder of startup Anaxi Labs, is following a different approach to training robot brains. She is crowdsourcing and supplying videos of people performing tasks, which she then shares with robotics makers.

Human-scale video, she argues, is critical to train robots because it more accurately captures how robots should perform their tasks, depending on the circumstances around them. More broadly, the technique can also provide a clearer roadmap for physical AI.

With that in mind, Computerworld spoke recently with Shen about Anaxi Labs’ physical AI initiatives and how they differ from what other companies are doing.

Tell me about your company and why you started it. “This is very much a … [Carnegie Mellon University] startup. We started this company [when] we realized that when it comes to AI-building [large language models] (LLMs), everybody knows that there are two things on the infra level, chips and data. The same things were happening to robotics as we moved from digital to physical AI. 

“Except this time…, everybody is aware of [the] difficulty, everybody’s using infrastructure. But when it comes to data, we have to build the data infrastructure from scratch, because unlike LLM, the training data for robots can’t be from the internet. 

“We realized that it would become a [barrier] sooner or later, and it will turn into a major, major industry. And that’s how we started the company.”

Isn’t physical AI data mostly collected from YouTube? What are you doing differently as a company? “You mentioned two approaches, one, using YouTube video, and two, using a simulation. And unfortunately, the two paths were [taken] back then because [of a] lack of better paths. The sheer volume of data needed to train physical AI far exceeds what’s available on the internet, and it needs physical interaction many, many times for each scenario [more] than can be found on YouTube.

“We realized, by talking to pretty much all the industry [players] since last year, [there is a] shift to egocentric, meaning like human-based training videos, data. We started investing heavily in building a world-scale data pipeline. We started working with industrial-dense regions…who usually have business covering multiple scenarios — for example, construction, logistics, and especially factory floors.

“And the second pipeline is, we can use [a] community model for this and tap into this worldwide [pool of] individuals, consumers who are wanting to upload videos for training purpose[s]. We’re launching, starting this summer, our data collection and annotation app.”

What exactly are you trying to collect from the videos? “The data we collect is simply exactly the task our clients want their robots to do — [an] egocentric view, basically like the two hands in the video doing exactly the same thing, sorting the packages and [having] their barcode scanned. In general, there are about 20 general steps, most commonly seen in industrial factory floor settings, and we’re doing all of them. Increasingly, we’re seeing household scenarios, like cleaning the kitchen, cleaning up the bedroom.

“In order for the models to be able to understand [the videos], the second most important thing is annotation. At the early beginning, they only wanted segmentation, captioning and contact point[s]. 

“But now, in order to have the robot really understand the how and the why behind the scene, they’re increasingly demanding captioning in the format of almost like the chain of [thought]. 

“For example, a robot sees a slipper. And then we’re going to identify this is what happened, and then you’ve got to grip harder. And that’s the result.”

What is your assessment of physical AI, and how does it impact jobs? “One is surrounding the safety, and the second one is [the] impact on [the] job market. As compared to LLM, in the early LLM days everybody just [got] as much data as possible from the internet. But [for] physical AI, when they place the order, there is a specific category called [failure] and recovery cases, meaning what if something goes wrong, what should the robot do in each scenario. This is a huge difference from the LLM days. Definitely, all the physical AI companies realized that, and they’re building this into their model since the beginning.

“[On jobs,] right now, at least at this stage, we’re seeing mostly the upside. There are a lot of small robotic companies making a lot of money by working with the companies affected by [labor shortages]. We’re seeing those demands coming from factories who are struggling with shortage of labor, factories who have a problem hiring because their tasks are too dangerous.”

Category: Hacking & Security

The Alert Firehose Finally Meets Its Match

The Hacker News - 6 hours 8 min ago
Ask a cybersecurity pro about Network Detection and Response (NDR) and you might still hear "Noisy," "Too much data." But ask the teams running NDR that includes agentic AI capabilities and you'll hear they're actually using it to catch threats earlier, triage faster, and chase fewer false positives. The old complaint lingers in part because reputations are sticky, and because NDR has evolved
Category: Hacking & Security

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

The Hacker News - 8 hours 5 min ago
Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations. RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader. "DPAPILoader decrypts and
Category: Hacking & Security

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

The Hacker News - 11 hours 38 min ago
A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential-stealing malware. The campaign, codenamed TrapDoor, spans more than 34 malicious packages across over 384 versions. The earliest activity was recorded on May 22, 2026, at 8:20 p.m. UTC, with new packages published to the ecosystems in waves from a cluster of
Category: Hacking & Security

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Bleeping Computer - 24 May, 2026 - 16:12
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. [...]
Category: Hacking & Security

Laravel Lang packages hijacked to deploy credential-stealing malware

Bleeping Computer - 23 May, 2026 - 22:48
A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. [...]
Category: Hacking & Security

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

The Hacker News - 23 May, 2026 - 18:35
GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation. Called staged publishing, the feature is now generally available on npm. It mandates that a human maintainer pass a two-factor authentication (2FA) challenge to approve
Category: Hacking & Security

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

The Hacker News - 23 May, 2026 - 18:07
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. "Although the affected packages were all Composer packages, the malicious code was not added to composer.json," Socket said. "Instead, it was inserted into package.json, targeting projects that ship JavaScript
Category: Hacking & Security

Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes

Bleeping Computer - 23 May, 2026 - 16:23
Italian authorities have dismantled a piracy ecosystem centered around the CINEMAGOAL app that provided access to various streaming platforms, including Netflix, Disney+, and Spotify. [...]
Category: Hacking & Security

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

The Hacker News - 23 May, 2026 - 13:55
Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software across the world since the cybersecurity initiative went live last month. Project Glasswing is a defensive effort launched by the artificial intelligence (AI) company to secure critical global software
Category: Hacking & Security