• A proposed New York bill would ban AI chatbots from providing legal or medical advice
• The legislation would allow users to sue companies if their chatbots impersonate licensed professionals
• Lawmakers say the measure is meant to protect the public as AI tools become more widely used

AI chatbots have spent the past few years answering nearly every kind of question imaginable, but New York lawmakers are preparing to draw a firm line around at least a couple of categories of conversation. A bill advancing through the state legislature would prohibit AI chatbots from providing legal or medical advice and would allow users to sue the companies behind those systems if they cross that boundary.

The proposal, Senate Bill S7263, would apply to AI chatbots that mimic or impersonate licensed professionals such as lawyers or physicians. The heart of the bill applies the same principle about how individuals cannot practice law or medicine without the appropriate licenses to AI. That rule is meant to ensure that people receive guidance from trained professionals who can be held accountable for their advice.

The acquisition of Promptfoo, which counts more than 125,000 developers and 30-plus Fortune 500 companies among its users, is OpenAI’s most direct move yet into AI application security. Its technology will go into Frontier, the company’s enterprise agent platform launched just a month ago.

When Ian Webster was leading the LLM engineering team at Discord, shipping AI products to 200 million users, he noticed something the security industry had not yet caught up with: the tools his team relied on to keep those products safe were built for a different era. Traditional vulnerability scanners could not reason about prompt injection. Static analysis had nothing to say about a model that promised a user something it had no authority to deliver. The testing infrastructure for AI applications, he concluded, simply did not exist.

So he built it himself, nights and weekends, as an open-source project. That project became Promptfoo. On Monday, OpenAI announced it is acquiring the company.

The deal, terms of which were not disclosed, will see Promptfoo’s technology integrated into OpenAI Frontier, the enterprise agent management platform that OpenAI launched in early February. In a post on X, OpenAI said the acquisition would “strengthen agentic security testing and evaluation capabilities” within Frontier, and pledged that Promptfoo would remain open source under its current licence, with continued support for existing customers.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

Promptfoo, which Webster co-founded with Michael D’Angelo – a former VP of engineering and head of AI at identity verification firm Smile Identity – launched commercially in 2024 with $5 million in seed funding from Andreessen Horowitz. The seed round attracted backing from a notable roster of angels, including Shopify CEO Tobi Lütke, Discord CTO Stanislav Vishnevskiy, and Okta co-founder Frederic Kerrest. By July 2025, the company had raised an $18.4 million Series A led by Insight Partners, with a16z again participating. Total funding ahead of the acquisition was approximately $23.4 million.

At the time of the Series A, Promptfoo said it had more than 125,000 developers using its open-source framework and over 30 Fortune 500 companies running its enterprise platform in production. Customers span retail, telecoms, financial services, and media, sectors with acute exposure to the regulatory and reputational risks of AI failures.

The product works by acting as an automated adversary. Rather than relying on manual penetration testing, Promptfoo’s platform talks directly to a customer’s AI application, through its chat interface or APIs, using specialised models and agents that behave like users, or specifically like attackers. When an attack succeeds, the platform records it, analyses why it worked, and iterates through an agentic reasoning loop to refine the test and expose deeper vulnerabilities. Risks the platform targets include prompt injection, data leakage, jailbreaks, and what Webster has called “application-level” failures: AI systems that promise users things they cannot deliver, or that reveal database contents to a customer service query, or that stray into political opinion in a homework tutor.

It is precisely those application-level risks that make Promptfoo’s acquisition a strategic fit for OpenAI’s current direction. Frontier, which OpenAI has described as an attempt to create “AI coworkers” for the enterprise, is designed to give AI agents access to production systems, CRM platforms, data warehouses, internal ticketing tools, and to execute workflows with real-world consequences. Agents operating at that level of access create a correspondingly enlarged attack surface. Early customers named by OpenAI for Frontier include Uber, State Farm, Intuit, and Thermo Fisher Scientific: organisations for whom a misbehaving agent is not an inconvenience but a liability.

OpenAI has been building out Frontier at speed. Since launching the platform on 5 February, the company has announced Frontier Alliances with Accenture, Boston Consulting Group, Capgemini, and McKinsey, enlisting the consulting firms to drive enterprise deployment. Separately, the company has been rolling out Codex Security, an AI-powered application security agent for software repositories, formerly known internally as Aardvark, which entered wider availability on the same day as the Promptfoo acquisition announcement.

Promptfoo is not the only AI security product entering broader availability this month. Anthropic launched Claude Code Security in February, targeting similar vulnerability scanning use cases. The convergence suggests that as AI agents move into production at scale, the question of who secures them, and how,  is fast becoming one of the defining commercial battlegrounds in enterprise AI.

For Promptfoo’s open-source community, OpenAI’s commitment to keeping the project open source under its current licence will be the line to watch. The project has over 248 contributors, and its adoption by developers at companies across the AI industry – including, according to Promptfoo’s own website, teams at Anthropic and Google – was built on the premise that the tool belonged to the developer community rather than to any one vendor. That promise now sits alongside a commercial integration into one of the most powerful enterprise AI platforms in the market.

Hackers contacted employees at financial and healthcare organizations over Microsoft Teams to trick them into granting remote access through Quick Assist and deploy a new piece of malware called A0Backdoor.

The attacker relies on social engineering to gain the employee’s trust by first flooding their inbox with spam and then contacting them over Teams, pretending to be the company’s IT staff, offering assistance with the unwanted messages.

To obtain access to the target machine, the threat actor instructs the user to start a Quick Assist remote session, which is used to deploy a malicious toolset that includes digitally signed MSI installers hosted in a personal Microsoft cloud storage account.

According to researchers at cybersecurity company BlueVoyant, the malicious MSI files masquerade as Microsoft Teams components and the CrossDeviceService, a legitimate Windows tool used by the Phone Link app.

Using the DLL sideloading technique with legitimate Microsoft binaries, the attacker deploys a malicious library (hostfxr.dll) that contains compressed or encrypted data. Once loaded in memory, the library decrypts the data into shellcode and transfers execution to it.

The researchers say that the malicious library also uses the CreateThread function to prevent analysis. BlueVoyant explains that the excessive thread creation could cause a debugger to crash, but it does not have a significant impact under normal execution.

The shellcode performs sandbox detection and then generates a SHA-256-derived key, which it uses to extract the A0Backdoor, which is encrypted using the AES algorithm.

The malware relocates itself into a new memory region, decrypts its core routines, and relies on Windows API calls (e.g., DeviceIoControl, GetUserNameExW, and GetComputerNameW) to collect information about the host and fingerprint it.

Communication with the command-and-control (C2) is hidden in DNS traffic, with the malware sending DNS MX queries with encoded metadata in high-entropy subdomains to public recursive resolvers. The DNS servers respond with MX records containing encoded command data.

“The malware extracts and decodes the leftmost label to recover command/configuration data, then proceeds accordingly,” explains BlueVoyant.

“Using DNS MX records helps the traffic blend in and can evade controls tuned to detect TXT-based DNS tunneling, which may be more commonly monitored.”

BlueVoyant states that two of the targets of this campaign are a financial institution in Canada and a global healthcare organization.

The researchers assess with moderate-to-high confidence that the campaign is an evolution of tactics, techniques and procedures associated with the BlackBasta ransomware gang, which has dissolved after the internal chat logs of the operation were leaked.

While there are plenty of overlaps, BlueVoyant notes that the use of signed MSIs and malicious DLLs, the A0Backdoor payload, and using DNS MX-based C2 communication are new elements.

Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.

Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.

Advertisement

Download The Report

For good reason, Dr. Robby (Noah Wyle) is on the verge of quitting again in The Pitt season 2. He’s already due to go on a three-month sabbatical when this hellish Fourth of July shift ends, but now that’s starting to feel like a permanent leave of absence.

In his defence, I don’t blame him. The ER is currently under digital lockdown to prevent a cyber attack, meaning no computer records can be accessed, the number of patients practically doubles every five seconds, and replacement Dr. Al-Hashimi (Sepideh Moafi) isn’t making life easier for anyone.

The organisation is aiming to tap into the growing demand for autonomous agents.

Tech giant Microsoft has announced plans to launch Copilot Cowork, which is a tool based on Anthropic’s popular Claude Cowork. Reportedly, it is part of a larger initiative to take advantage of the growing demand for autonomous agents.

The news comes two months after Anthropic launched its Cowork model, which it described as a “simpler version of Claude Code”. This prompted concerns among those heavily invested in ‘traditional’ software companies resulting in a strong sell-off in US and European software. According to Reuters, Microsoft’s own shares fell nearly 9pc in February.

Currently, ​Copilot Cowork is in the testing phase and will be ​available to early-access ⁠users in later March. The organisation has not disclosed the pricing structure, but has revealed that some usage would be included ​in its $30-per-user, per-month M365 Copilot offering for enterprises.

Jared Spataro, the chief marketing officer of AI at Work at Microsoft said: “Frontier transformation starts with a simple idea: AI must do more than optimise what already exists. It must unlock new levels of creativity, innovation, and growth. And it must show up inside real work, grounded in real context and solve real problems for people and organisations. 

“We’ve found that to do this, the two most important elements are intelligence and trust. Intelligence ensures AI is contextual, relevant and grounded. Trust ensures AI can scale safely, securely and responsibly. Our announcements today (9 March) show how intelligence and trust together turn AI from experimentation into durable, enterprise-wide value.”

Following the reveal of Microsoft’s Copilot Cowork, Forrester vice-president and principal analyst JP Gownder said: “Microsoft’s launch of Copilot Cowork signals a strategic shift in its AI approach, showing the company moving Copilot away from reliance on OpenAI alone and toward a multi-model architecture that includes partners such as Anthropic. 

“The move also highlights the current limitations of Microsoft’s existing Copilot agents: while the company has talked extensively about autonomous ‘agents’, they have so far struggled to take meaningful action compared with newer agentic systems such as Anthropic’s. 

“At the same time, Copilot Cowork clearly taps into the growing hype around Anthropic’s Claude Cowork concept, but significantly extends it by embedding the capability across Microsoft 365 applications rather than keeping it as a desktop-centric tool.”

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

People can block the xAI’s Grok chatbot from creating modifications of their uploaded images on social network X. Neither X or xAI, both Elon Musk-owned businesses, have made a public announcement about this feature, which users began noticing on the iOS app within the image/video upload menu over the past few days.

This option is likely a response to Grok’s latest scandal, which began at the start of 2026 when the addition of image generation tools to the chatbot saw about 3 million sexualized or nudified images created. An estimated 23,000 of the images made in that 11-day period contained sexualized images of children, according to the Center for Countering Digital Hate. Grok is now facing two separate investigations by regulators in the EU over the issue.

The positive side of the recent feature addition is that X and xAI have taken a step toward limiting inappropriate uses of Grok. This block is a simple toggle and it hasn’t been buried in the UI. So that’s nice.

The negative side, however, is that this token gesture that doesn’t amount to any serious improvement to how Grok works or can be used. It’s great that the chatbot won’t alter the file uploaded by one person, but as reported by The Verge, the block only limits tagging Grok in a reply to create an image edit. There are plenty of workarounds for those dedicated individuals who insist on being able to use generative AI to undress people without their consent or knowledge.

Hopefully xAI has more powerful protective tools in the works. The limitations Grok on putting real people in scanty clothing that X announced in January seem to have had only partial success at best. If this additional and narrow use case is all the company offers, then the claims of being a zero-tolerance space for nonconsensual nudity are going to ring hollow. Especially since, as we noted at the time, xAI could stop allowing image generation at all until the issue is properly and thoroughly fixed.

More than half a century after astronauts last left footprints on the lunar surface, humanity is preparing to return to the moon. The excitement surrounding NASA’s Apollo program once captivated the world, and now NASA hopes to rekindle that same sense of wonder with its modern lunar effort, the Artemis program.

NASA’s Artemis II launch is scheduled for the first week of April. It’ll be the first human mission to the moon since 1972, and it should be quite the achievement for the Artemis program. Now, NASA has released a new tool that lets the public track Artemis II in real time.

The Artemis program is NASA’s long-term effort to return humans to the moon and establish a sustained presence there for the first time since the Apollo program. The program aims to land astronauts near the lunar south pole, develop new technologies for long-term exploration and use the moon as a stepping stone for future missions to Mars.

The Artemis Real-time Orbit Website, dubbed AROW, is already available to the public, although there isn’t much to see since the launch is still a few weeks away. It’s also available directly from the NASA app if you’re using a mobile device. The site lets the public visualize data collected by sensors on Orion and sent to the Mission Control Center at NASA’s Johnson Space Center in Houston.

The website is simple to navigate. You’ll see a visual representation of Artemis II’s progress, including its speed, distance from Earth and distance to the moon. Mobile app users get all of the above, along with an extra augmented reality tracker that lets you point your phone at the sky and see where Artemis II is relative to your position on Earth. It works much like Google Star Map and other stargazing apps that use similar technology. 

According to NASA, tracking will be available once the Orion capsule separates from the rocket’s upper stage, which is expected about 3 hours after the upcoming April launch. The site will then update its information in real time for the entire 10-day mission.

NASA is also making flight data available for download so that people interested in creating their own content, such as visualizations or tracking apps, can do so. The data will include all sorts of things, including state vectors, which are data that “describe precisely where Orion is located and how it moves.” That same data will be used by NASA to study Orion and make improvements for future Artemis missions. 

An exact launch date for Artemis II hasn’t been set, but the agency plans on launching the mission no earlier than April 1. The launch was originally scheduled for February, but it was delayed multiple times due to a hydrogen leak and a helium flow issue. NASA says it has since fixed both issues.

from the such-a-waste-of-time dept

On Wednesday of last week, I wrote a post about how the Trump administration had quietly given up defending its unconstitutional executive orders targeting law firms. The DOJ was dropping its appeals, the firms that fought had won, and the firms that capitulated—led by Paul Weiss and their nearly $1 billion in groveling pro bono commitments—were left holding a very expensive bag.

What I did not realize, because this administration launches new absurdities faster than any human being can reasonably track them, was that the day before I published that piece (but about the time I was writing it), the DOJ had already filed a motion to take back its voluntary dismissal. And then, by Friday, the DOJ had filed a full appellate brief seeking to overturn all four district court rulings that struck down the executive orders.

So, to recap the timeline here: On Monday, the DOJ told the DC Circuit it was voluntarily dropping its appeals. All four law firms agreed. Done deal. On Tuesday, the DOJ filed a motion to withdraw its own voluntary dismissal. On Wednesday, I published an article mocking the administration for giving up. On Friday, the DOJ filed a 97-page opening brief arguing that the executive orders were “well within the Presidential prerogative.”

My only defense for coming in a day late is that covering this administration in anything close to real time is effectively impossible.

Let’s start with the procedural absurdity before we get to the substance—because the procedural absurdity is really something.

The motion to withdraw the voluntary dismissal is a remarkable document, mostly for how little it says. The entire operative section is barely over a hundred words. After all parties had agreed to the dismissal, the DOJ simply asked to take it back, offering no explanation whatsoever. The law firms’ collective response, included in the filing itself, was about as polite as you’d expect:

“Plaintiffs-Appellees oppose the government’s unexplained request to withdraw yesterday’s voluntary dismissal, to which all parties had agreed. Under no circumstances should the government’s unexplained about-face provide a basis for an extension of its brief.”

“Unexplained.” That word does a lot of heavy lifting. The DOJ’s motion doesn’t even try to explain why it changed course. There’s no “upon further reflection” or “new developments have arisen.” Just: forget what we agreed to yesterday, the court hasn’t formally granted the dismissal yet, so we’d like to un-dismiss please.

As of this writing, the court hasn’t ruled on that motion. But the DOJ apparently decided not to wait around and went ahead and filed its full appellate brief on Friday anyway.

The opening paragraph of the DOJ’s appellate brief is genuinely one of the more audacious things I’ve read in a legal filing, and I say that as someone who reads a lot of legal filings:

Courts cannot tell the President what to say. Courts cannot tell the President what not to say. They cannot tell the President how to handle national security clearances. And they cannot interfere with Presidential directives instructing agencies to investigate racial discrimination that violates federal civil rights laws.

Let’s focus on those first two sentences, because they reveal something important about how the administration is framing this case—and how badly they’re getting the First Amendment backwards.

“Courts cannot tell the President what to say. Courts cannot tell the President what not to say.”

Well, sure. In the most general sense, that’s true. The president can stand at a podium and say whatever he wants. He can say mean things about law firms. He can call them names on social media. He can go on television and express his displeasure with their client choices. That’s all government speech, and it’s all fine.

But that’s… not what happened here. What happened here is that the president issued executive orders imposing concrete sanctions on specific law firms—revoking security clearances, directing the termination of government contracts, restricting access to federal buildings, banning the hiring of their employees—because those firms represented clients the president didn’t like and employed lawyers who had been involved in investigations the president found personally disagreeable.

The brief tries to frame the courts’ injunctions as an attempt to “silence” the president. But nobody is trying to silence the president. The president can talk about these law firms every day from now until the world ends. What the courts said—four separate times—is that the president cannot use the machinery of government to punish law firms for their constitutionally protected legal advocacy. There’s a rather fundamental difference between speech and sanctions, and pretending not to understand that difference is doing a lot of work in this brief.

This gets at something we talk about regularly here at Techdirt: the First Amendment is a restraint on government power. It prevents the government from using its authority to suppress or punish private speech. When the DOJ frames this as courts trying to control the president’s speech, they’ve got the vector of the First Amendment claim pointing in exactly the wrong direction. The law firms aren’t saying the president can’t talk. They’re saying the president can’t retaliate against them for their own protected speech and advocacy. Those are two wildly different things.

The brief actually cites NRA v. Vullo, the 2024 Supreme Court case that we’ve written about a few times. For those unfamiliar, that case involved New York’s former superintendent of financial services, who was accused of using her regulatory power to coerce financial institutions into cutting ties with the NRA because she disagreed with the NRA’s advocacy. The Supreme Court held—unanimously—that government officials using their regulatory authority to punish or suppress disfavored private speech can violate the First Amendment, even if the official frames their actions in terms of legitimate regulatory interests.

The DOJ cites Vullo in the context of arguing that the district courts went too far in enjoining “future actions” based on Section 1 of the executive orders, quoting the district court’s ruling in favor of one of the law firms (Jenner & Block) favorably:

Significantly, even the district court in Jenner recognized this. That court declined to “enjoin future actions taken pursuant to Section 1,” because “Section 1 does not direct any action.” JA2205–06. But “shorn of its enforcement mechanisms, Section 1 is nothing more than the Executive Branch ‘saying what it wishes.’” Id. (quoting Nat’l Rifle Ass’n of Am. v. Vullo, 602 U.S. 175, 187 (2024)). “Jenner has no more right to silence the Executive Branch than the Executive Branch has to silence Jenner.” Id. That is because Section 1 is “government speech.” Id. Despite Jenner’s repeated request to enjoin Section 1 in the abstract, the district court correctly recognized that “[n]either standing doctrine nor equity generally permits such judicial prophylaxis.” JA2207. Thus, “[w]hether best viewed as a shortcoming of standing, ripeness, or” the lack of any basis in equity, “the guesswork entailed in enjoining all future uses of the sentiments expressed in Section 1 would exceed the Court’s proper role.”

The problem is that Vullo actually undercuts their entire argument. The point of the Vullo framework is that when government speech is coupled with government action designed to punish disfavored private expression, the combination can be unconstitutional coercion. The administration wants to unbundle its speech from its sanctions and defend each in isolation—”Section 1 is just government speech.” That’s precisely the move Vullo says you can’t get away with.

Meanwhile, I have to call out that the same people who argued in the Murthy v. Missouri case that any government speech criticizing private companies constituted a de facto First Amendment violation are now arguing “well, this paragraph was just speech, not retaliatory, so leave it alone.”

The brief also contains a line that should make Paul Weiss and others in the capitulation crowd feel especially great about their choices:

In recognition of those problems, many law firms agreed to address their practices and commit to providing pro bono work in the public interest.

The brief then helpfully lists them in a footnote in case anyone forgot which capitulating law firms to shun:

Allen Overy Shearman Sterling, Cadwalader, Kirkland & Ellis, Latham & Watkins, Milbank, Paul Weiss, Simpson Thacher, Skadden, and Wilkie Farr & Gallagher.

The DOJ is literally using the capitulation of those firms as evidence that the executive orders were reasonable and justified. “See? These firms agreed with us!” The firms that folded bought themselves a supporting role in the government’s brief arguing for the constitutionality of retaliating against law firms. Congratulations! Great job lawyering, guys.

Meanwhile, the four firms named in the brief who fought—Perkins Coie, Jenner & Block, WilmerHale, and Susman Godfrey—are named as parties who “instead filed suit.” See? Capitulating is the only proper move to this DOJ. Standing up for your own constitutional rights deserves punishment.

The heart of the filing is that opening framing. “Courts cannot tell the President what to say.” And the response to that is simple: nobody’s trying to. What courts can do—what they’re required to do under the First Amendment—is tell the president he cannot use executive power to punish private parties for their constitutionally protected advocacy. The fact that the DOJ appears unable or unwilling to understand this distinction tells you everything about the strength of their legal position.

As I noted last week, the administration’s decision to initially drop these appeals suggested that even a DOJ willing to argue almost anything looked at these cases and concluded it couldn’t win. The un-dropping and subsequent brief don’t change that calculus. While the DOJ offered no explanation for its reversal, the timing strongly suggests someone higher up didn’t like the press coverage of them folding and decided the political upside of continuing to threaten the legal profession outweighed the legal downside of losing again. Which, if you think about it, proves exactly what the law firms argued from the start: this was always about intimidation, never about law.

The firms that folded will keep being cited in government briefs as proof that the intimidation campaign was justified.

That’s the tax you pay for cowardice: your surrender becomes someone else’s evidence.

Filed Under: 1st amendment, doj, free speech, law firms, vullo

Companies: jenner and block, kirkland & ellis, latham and watkins, milbank, paul weiss, perkins coie, skadden, susman godfrey, wilkie farr, wilmerhale