
Tech

ADT confirms data breach after ShinyHunters leak threat


Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.

In a statement shared today, the company said it detected unauthorized access to customer and prospective customer data on April 20, after which it terminated the intrusion and launched an investigation.

This investigation determined that personal information was stolen during the breach.


“The investigation confirmed that the information involved was limited to names, phone numbers, and addresses,” ADT told BleepingComputer.

“In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.”


ADT says the intrusion was limited and that it has contacted all affected individuals.

ShinyHunters leak site listing

This statement follows ADT’s listing on the ShinyHunters data leak site, where attackers claimed to have stolen 10 million records containing customers’ personal information.

“Over 10M records containing PII and other internal corporate data have been compromised. Pay or Leak,” reads the data leak site.

“This is a final warning to reach out by 27 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way.”

ADT listing on the ShinyHunters data leak site

ADT did not confirm the volume of data theft claimed by the attackers.

ShinyHunters told BleepingComputer they allegedly breached ADT through a voice phishing (vishing) attack that compromised an employee’s Okta single sign-on (SSO) account. Using this account, the threat actors claimed they accessed and stole data from the company’s Salesforce instance.

Since last year, the extortion group has been conducting widespread vishing campaigns that target employees and BPO agents’ Microsoft Entra, Okta, and Google SSO accounts.

After gaining access to a corporate SSO account, the threat actors steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.

This stolen data is then used to extort the company into paying a ransom, or the data will be leaked.


ADT has previously disclosed data breaches in August and October 2024 that exposed customer and employee information.



Tech

Microsoft rolls out Copilot "vibe working" mode for Word, Excel, and PowerPoint



Microsoft introduced Copilot’s agent mode in 2025, promising customers new “intelligent” ways to streamline document creation while large language models handle much of the work. The feature is now generally available across at least three applications in the Microsoft 365 suite, reflecting Microsoft’s broader push to embed AI more deeply…

Tech

Firestarter malware survives Cisco firewall updates, security patches


Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.

The backdoor has been attributed to a threat actor that Cisco Talos tracks internally as UAT-4356, known for cyberespionage campaigns, including ArcaneDoor.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC) believe that the adversary obtained initial access by exploiting a missing authorization issue (CVE-2025-20333) and/or a buffer overflow bug (CVE-2025-20362).


In one incident at a federal civilian executive branch agency, CISA observed the threat actor first deploying the Line Viper malware, a user-mode shellcode loader, and then using Firestarter, which enables continued access even after patching.

“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency notes in an alert.


Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices.

Next, the ELF binary for the Firestarter backdoor is deployed for persistence, allowing the threat actor to regain access when needed.

Once Firestarter nests on the devices, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if terminated.

Persistence is achieved by hooking into LINA, the core Cisco ASA process, and using signal handlers that trigger reinstallation routines.


A joint malware analysis report from the two cybersecurity agencies explains that Firestarter modifies the CSP_MOUNT_LIST boot/mount file to ensure execution on startup, stores a copy of itself in /opt/cisco/platform/logs/var/log/svc_samcore.log, and restores it to /usr/bin/lina_cs, where it runs in the background.

Cisco Talos also published its analysis of the malware, saying that the persistence mechanism is triggered when a process termination signal is received, also known as a graceful reboot.

The researchers noted in the Firestarter report that the backdoor used the commands below to set persistence for itself:

Figure: Persistence mechanism (Source: Cisco)

The implant’s core function is to act as a backdoor for remote access, while it can also execute attacker-provided shellcode.

This is done through a mechanism in which Firestarter hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path.


This shellcode is triggered by a specially crafted WebVPN request, which, after validating a hardcoded identifier, loads and executes attacker-supplied payloads directly in memory.

However, CISA did not provide any details on the specific payloads observed in attacks.

Cisco published a security advisory about Firestarter that contains mitigations and workarounds for removing the persistence mechanism, as well as indicators of compromise for discovering the Firestarter implant.

The vendor “strongly recommends reimaging and upgrading the device using the fixed releases,” which covers both compromised and non-compromised cases.


To determine a compromise, administrators should run the ‘show kernel process | include lina_cs’ command. For any resulting output, the device should be considered compromised.

If device re-imaging is not currently possible, Cisco says that a cold restart (disconnecting the device power) removes the malware. However, this alternative is not recommended as it carries the risk of database or disk corruption, leading to boot problems.

CISA has also shared two YARA rules that can detect the Firestarter backdoor when applied to a disk image or a core dump from a device.
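For offline triage of a mounted disk image, the file artifacts named in the joint report can be checked directly. The following is an added example, not code from CISA, NCSC, or Cisco, and it does not replace the YARA rules or Cisco's published indicators; the marker strings searched for in CSP_MOUNT_LIST and the layout of the constructed test image are assumptions.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Artifact locations as reported in the article above (relative to image root).
IMPLANT_PATH = "usr/bin/lina_cs"
STASH_PATH = "opt/cisco/platform/logs/var/log/svc_samcore.log"
MOUNT_LIST_NAME = "CSP_MOUNT_LIST"
# Assumption: a tampered mount list mentions one of the two artifact names.
MARKERS = ("lina_cs", "svc_samcore")


def starts_with_elf(path):
    """True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def triage_image(root):
    """Return (indicator, detail) findings for a read-only mounted image."""
    findings = []
    if os.path.lexists(os.path.join(root, IMPLANT_PATH)):
        findings.append(("implant_present", "/" + IMPLANT_PATH))
    # A genuine log is text; an ELF header here matches the stored copy.
    if starts_with_elf(os.path.join(root, STASH_PATH)):
        findings.append(("elf_in_log", "/" + STASH_PATH))
    for dirpath, _dirs, files in os.walk(root):
        if MOUNT_LIST_NAME not in files:
            continue
        path = os.path.join(dirpath, MOUNT_LIST_NAME)
        try:
            with open(path, "r", errors="replace") as fh:
                lines = fh.readlines()
        except OSError:
            continue
        for lineno, line in enumerate(lines, 1):
            if any(marker in line for marker in MARKERS):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(("mount_list_reference", f"/{rel}:{lineno}"))
    return findings


def build_constructed_image(root, infected):
    """Create a tiny constructed file tree standing in for a mounted image."""
    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    if infected:
        write(IMPLANT_PATH, ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        write(STASH_PATH, ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        # Location and line format are constructed, not Cisco's real layout.
        write("boot/" + MOUNT_LIST_NAME,
              b"/constructed/benign/entry\n/" + STASH_PATH.encode() + b"\n")
    else:
        write(STASH_PATH, b"2026-01-01 00:00:00 constructed log line\n")
        write("boot/" + MOUNT_LIST_NAME, b"/constructed/benign/entry\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label in ("infected", "clean"):
            image = build_constructed_image(os.path.join(tmp, label),
                                            infected=(label == "infected"))
            print(label, triage_image(image))
```

An empty result only means these three file artifacts are absent from the image; it says nothing about in-memory hooks in LINA.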



Tech

X-Energy raises $1.02B in record nuclear IPO as Amazon-backed reactor developer surges 31% on Nasdaq debut


In short: X-Energy raised $1.02 billion in the largest nuclear IPO on record, pricing at $23 (21% above range) on the Nasdaq, with shares surging 31% on opening to imply a $12 billion market cap. The offering was 15x oversubscribed. The same company failed to close a $1 billion SPAC in 2023. The difference is AI-driven data centre power demand: Amazon committed to 5 GW by 2039, Dow Chemical and Centrica signed on, and the SMR offtake pipeline doubled to 45 GW in 18 months.

In October 2023, X-Energy and Ares Acquisition Corporation mutually terminated a SPAC merger that had valued the nuclear reactor developer at $1.05 billion. The deal collapsed because public market conditions were, in the company’s words, “persistently volatile.” Ares liquidated. X-Energy went back to raising private capital. On Thursday, eighteen months later, X-Energy began trading on the Nasdaq under the ticker XE after pricing an upsized initial public offering at $23 per share, 21% above the top of its marketed range. It raised $1.02 billion, the largest nuclear public offering on record. The IPO was 15 times oversubscribed. One-third of institutional orders received zero allocation. Shares opened at $30.11, a 31% pop, and traded as high as $31.33 during the session. The implied market capitalisation exceeded $12 billion. What changed between the failed SPAC and the oversubscribed IPO was not the reactor. The Xe-100 existed in 2023. What changed was that the world discovered it needed the power.

The reactor

The Xe-100 is a Generation IV high-temperature gas-cooled reactor using a pebble-bed design. Each unit produces 80 megawatts of electrical power, cooled by helium gas, fuelled by proprietary TRISO-X particles, tri-structural isotropic coated uranium enriched to below 20%. The fuel is encased in spheres of ceramic and carbon designed not to melt under any postulated condition, retaining more than 99.99% of fission products. The reactor requires no large water supply, no active safety systems, and no emergency diesel generators to prevent fuel damage. It can ramp from 40% to full power in 12 minutes, a load-following capability that makes it suited to pairing with the variable demand profiles of data centres. The design uses four operator-controlled variables. A conventional nuclear plant uses hundreds.

X-Energy’s TRISO-X fuel fabrication facility in Oak Ridge, Tennessee, received a 40-year special nuclear material licence from the Nuclear Regulatory Commission, the first new fuel fabrication licence in approximately 50 years and the first for a Category II facility. The construction permit application for X-Energy’s flagship project, a four-unit Xe-100 plant at Dow Chemical’s Seadrift operations site in Texas, was accepted by the NRC in May 2025, with an 18-month review timeline. The Department of Energy selected X-Energy alongside Bill Gates’s TerraPower for its Advanced Reactor Demonstration Programme in 2020, committing approximately $1.2 billion to the Xe-100 and TRISO fuel development. The technology has been in development for over a decade. The capital to commercialise it arrived only when the customers did.


The customers

Amazon led X-Energy’s $500 million Series C-1 funding round in October 2024 and signed a binding agreement to purchase up to five gigawatts of nuclear power from the company by 2039. The first project under that agreement is the Cascade Advanced Energy Facility, a four-unit 320-megawatt installation in Washington state developed with the public utility Energy Northwest, expandable to 12 units and 960 megawatts. Amazon’s nuclear strategy extends beyond X-Energy: it acquired Talen Energy’s data centre campus adjacent to the Susquehanna nuclear plant in Pennsylvania for $650 million and secured a 1,920-megawatt power purchase agreement through 2042. It is exploring a 300-megawatt SMR project with Dominion Energy in Virginia. Amazon needs reliable, carbon-free baseload power for AI data centres that renewables cannot provide around the clock, and rising energy costs are threatening cloud infrastructure globally as geopolitical instability reshapes the economics of electricity.


Dow Chemical’s Seadrift project will replace ageing fossil fuel infrastructure with four Xe-100 units supplying both electricity and industrial steam, with Fluor as engineering partner. Centrica signed a six-gigawatt joint development agreement for the United Kingdom’s first advanced reactor fleet. X-Energy’s total customer pipeline exceeds 11 gigawatts, equivalent to roughly 144 Xe-100 units. The IEA reported this week that AI data centre electricity consumption will triple by 2030 and that the pipeline of conditional offtake agreements between data centre operators and SMR projects has nearly doubled from 25 gigawatts at the end of 2024 to 45 gigawatts today. AI companies are racing to secure data centre capacity, with Mistral alone raising $830 million to build a single 44-megawatt facility near Paris. The power to run those facilities is the constraint. Nuclear is the only carbon-free source that runs at full output regardless of weather, time of day, or season.

The market

X-Energy is the third advanced nuclear company to reach the public markets, after NuScale Power and Oklo. NuScale holds the only NRC design certification for a small modular reactor in the United States but has struggled commercially after the cancellation of its flagship project with Utah Associated Municipal Power Systems. Its stock has been volatile. Oklo, backed by Sam Altman, trades at a market capitalisation of approximately $8.9 billion on revenues that remain minimal, with its stock up 248% over six months on the strength of the AI-nuclear narrative and its Aurora microreactor design. Kairos Power, backed by Google, secured the first NRC construction permit for a Generation IV reactor in December 2023 for its Hermes test facility but remains private. TerraPower, Gates’s venture, is building its Natrium sodium-cooled fast reactor with ARDP funding alongside X-Energy but has not announced IPO plans.

X-Energy’s $12 billion market capitalisation on its first day of trading reflects neither its current revenue, approximately $163 million, nor its reactor’s commercial readiness, which is still years from first power. It reflects the market’s assessment that nuclear is no longer a regulatory burden to be tolerated but a strategic asset to be owned. Massive private capital is flowing into nuclear energy across both fission and fusion, with Proxima Fusion seeking two billion euros for a fusion test facility in Germany and record funding pouring into nuclear energy startups across Europe. The World Economic Forum published an article this month titled “This energy crisis is ushering in a global nuclear renaissance,” citing the Strait of Hormuz disruption and AI power demand as twin catalysts. The 15-times oversubscription of X-Energy’s IPO is consistent with that thesis. Whether the thesis is correct is a different question.

The gap

The Xe-100 has not produced a watt of commercial electricity. The Seadrift construction permit is under NRC review. The Energy Northwest project is in early development. The Centrica agreement is a framework, not a signed power purchase contract. X-Energy’s TRISO-X fuel facility has a licence but is not yet producing fuel at commercial scale. The company’s $1.02 billion in IPO proceeds and approximately $1.8 billion raised privately will fund development through the next phase, but advanced nuclear projects routinely experience delays and cost overruns that dwarf initial estimates. NuScale’s history is instructive: it received NRC design certification in 2023, lost its anchor customer in the same year, and has spent the time since searching for a replacement. Regulatory approval does not guarantee commercial viability. It only guarantees that the regulatory question has been answered.


The gap between X-Energy’s market valuation and its commercial reality is not unique to nuclear. It is the same gap that exists across the AI infrastructure supply chain, from Nvidia’s forward-looking multiples to CoreWeave’s debt-funded expansion to alternative approaches to powering AI infrastructure that include data centres in orbit. The market is pricing the future demand for AI compute as a near certainty and the supply of energy to run that compute as the binding constraint. X-Energy sits on the supply side of that constraint with a reactor design that has government backing, a fuel licence that took 50 years to issue to anyone, an 11-gigawatt customer pipeline anchored by Amazon, and a share price that assumes all of it will work. The failed SPAC valued the company at $1 billion when nobody needed the power. The IPO valued it at $12 billion because everybody does. The reactor has not changed. The bet is that the need will not change either.


Tech

Oppo is building camera phones like the smartphone race never ended


The flagship smartphone race has become a little too polite, especially when it comes to mobile photography. There was a time when the conversation revolved around megapixel counts, sensor count, and wild zoom numbers. But over the last few years, that energy has cooled.

The biggest brands no longer behave like they are trying to shock the market. Companies like Apple and Samsung now focus more on refining image processing and fine-tuning the formula than on pushing camera hardware into genuinely outrageous territory.

Then a phone like the Oppo Find X9 Ultra shows up and reminds you what old-school flagship ambitions used to look like.

And yes, it is as ridiculous as it sounds. There are not one, but two 200MP cameras here. The phone packs a 200MP main camera, a 200MP 3x telephoto, a 50MP 10x optical telephoto, and a 50MP ultrawide, all wrapped in Hasselblad branding and a camera-first design that only adds to the whole overkill appeal.

Excitement is an expensive commodity now, and the Find X9 Ultra is loaded

The Oppo Find X9 Ultra lands as unapologetically excessive in a market that has become increasingly careful. This is the first phone to bring back a 10x optical zoom since the Samsung Galaxy S23 Ultra. And the best part is that you are not sacrificing shorter zoom performance either, because Oppo also throws in a massive 200MP 3x telephoto. This is one of the most aggressive hardware plays we have seen in smartphone photography in years.


Apple and Samsung still make reliable camera phones. Their flagships are built around consistency, broad appeal, and careful decision-making. Oppo’s phone feels like it was built by people who simply wanted more. More character, more hardware, and more of a reason to get excited. The Hasselblad tuning, the special filters, and the overall shooting experience all push it closer to the feel of using an actual camera instead of just another polished flagship phone.

Add in the accessories, and the phone just becomes absurdly cool. Oppo built an entire Hasselblad Earth Explorer Kit around the idea that this phone should behave like a real camera. With the Oppo Hasselblad 300mm Explorer Teleconverter attachment, the 3x telephoto turns into a 300mm equivalent focal length, which works out to roughly 13x optical zoom.

This is what we’re missing

Would I like every flagship phone to come with this kind of camera ambition? Absolutely. Is that realistic? Probably not. And honestly, it does not need to be.

Oppo clearly built this for enthusiasts. But after using the Find X9 Pro, one thing that really stood out to me about these camera-first phones is the experience they create. It starts with one quick shot, and before long, you are taking pictures of everything around you. You start noticing light differently. You start framing ordinary things like they matter more.

And the brand understands this.

Oppo acts like smartphone photography has room for obsession. Room for niche advantages. Room for a phone that goes harder on zoom, harder on sensor size, and harder on sheer camera bravado than the mainstream brands are willing to attempt.


It definitely won’t click with everyone, but the magic is there if you’re willing to try. The Find X9 Ultra feels ambitious, a little unreasonable, and fully committed to the idea that flagship photography should still feel like a race.


Tech

3 underrated TV series on HBO Max you should watch this weekend (April 24-26)


This weekend’s watchlist has two psychological thrillers that will mess with your head in completely different ways, and one animated series that has no business being this good.

Whether you are in the mood for small-town dread, generational trauma wrapped in Southern Gothic atmosphere, or a Big Pharma conspiracy told through some of the most distinctive animation on television right now, there is something here for you. All three are on HBO Max, criminally underrated, and at least one of them will stick with you long after the credits roll.

We also have guides to the best new movies to stream, the best movies on Netflix, the best movies on Hulu, the best free movies, and the best movies on Amazon Prime Video.

Sharp Objects (2018)

Based on Gillian Flynn’s debut novel, this is eight episodes of psychological tension that never lets up. Amy Adams plays a troubled journalist who returns to her suffocating hometown to cover the murders of two young girls, only to find herself unraveling alongside the investigation.

What makes Sharp Objects special is that it is less of a murder mystery and more a study of inherited trauma, toxic motherhood, and the damage small towns do to the people who grow up in them. Patricia Clarkson is quietly terrifying as Adora. The ending hit me like a freight train. Stick through the final credits of the last episode, seriously!


You can watch Sharp Objects on HBO Max.

The Outsider (2020)

It looks like a crime drama on the surface, but The Outsider has a much stranger agenda. A young boy is found murdered in a small Georgia town, and the evidence overwhelmingly points to one man. However, that same man has an airtight alibi and that central impossibility becomes the hook that drives the whole show.

Ben Mendelsohn is excellent as Ralph Anderson, the detective unwilling to accept what he is seeing. But it is Cynthia Erivo as investigator Holly Gibney who completely steals the show. She walks in around episode 3, and the whole series changes gear. Fair warning, the pace is deliberate and the finale is divisive. But if you enjoy atmospheric slow burns with great performances, this one is worth your time.

You can watch The Outsider on HBO Max.

Common Side Effects (2025)

It is an animated TV series, and a lot of people have slept on it, but I highly recommend it. Two former high school friends discover a mushroom that can cure every known disease, and immediately find themselves hunted by Big Pharma, the DEA, and international corporations determined to bury it.

I know it sounds absurd, and it kind of is, but the show handles its conspiracy thriller premise with real wit and surprising emotional depth. Co-created by the team behind Scavengers Reign and produced by Greg Daniels of The Office fame, it holds a perfect 100% on Rotten Tomatoes. The animation style is distinctive and takes an episode to get used to, but once it clicks, you will not want to stop.


You can watch Common Side Effects on HBO Max.


Tech

CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.


During Operation Lunar Peek in November 2024, attackers gained unauthenticated remote admin access — and eventual root — across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks scored CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0. NVD scored the same pair 9.8 and 7.2 under CVSS v3.1. Two scoring systems. Two different answers for the same vulnerabilities. The 6.9 fell below patch thresholds. Admin access appeared required. The 9.3 sat queued for maintenance. Segmentation would hold.

“Adversaries circumvent [severity ratings] by chaining vulnerabilities together,” Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, told VentureBeat in an exclusive interview on April 22, 2026. On the triage logic that missed the chain: “They just had amnesia from 30 seconds before.”

Both CVEs sit on the CISA Known Exploited Vulnerabilities catalog. Neither score flagged the kill chain. The triage logic that consumed those scores treated each CVE as an isolated event, and so did the SLA dashboards and the board reports those dashboards feed.

CVSS did exactly what it was designed to do. Score one vulnerability at a time. The problem is that adversaries do not attack one vulnerability at a time.


“CVSS base scores are theoretical measures of severity that ignore real-world context,” wrote Peter Chronis, former CISO of Paramount and a security leader with Fortune 100 experience. By moving beyond CVSS-first prioritization at Paramount, Chronis reported reducing actionable critical and high-risk vulnerabilities by 90%. Chris Gibson, executive director of FIRST, the organization that maintains CVSS, has been equally direct: using CVSS base scores alone for prioritization is “the least apt and accurate” method, Gibson told The Register. FIRST’s own EPSS and CISA’s SSVC decision model address part of this gap by adding exploitation probability and decision-tree logic.

Five triage failure classes CVSS was never designed to catch

In 2025, 48,185 CVEs were disclosed, a 20.6% year-over-year increase. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, projects 70,135 for 2026. The infrastructure behind the scores is buckling under that weight. NIST announced on April 15 that CVE submissions have grown 263% since 2020, and the NVD will now prioritize enrichment for KEV and federal critical software only.

1. Chained CVEs that look safe until they aren’t

The Palo Alto pair from Operation Lunar Peek is the textbook. CVE-2024-0012 bypassed authentication. CVE-2024-9474 escalated privileges. Scored separately under both CVSS v4.0 and v3.1, the escalation flaw filtered below most enterprise patch thresholds because admin access appeared required. The authentication bypass upstream eliminated that prerequisite entirely. Neither score communicated the compound effect.


Meyers described the operational psychology: teams assessed each CVE independently, deprioritized the lower score, and queued the higher one for maintenance.

2. Nation-state adversaries who weaponize patches within days

The CrowdStrike 2026 Global Threat Report documented a 42% year-over-year increase in vulnerabilities exploited as zero-days before public disclosure. Average breakout time across observed intrusions: 29 minutes. Fastest observed breakout: 27 seconds. China-nexus adversaries weaponized newly patched vulnerabilities within two to six days of disclosure.

“Before it was Patch Tuesday once a month. Now it’s patch every day, all the time. That’s what this new world looks like,” said Daniel Bernard, Chief Business Officer at CrowdStrike. A KEV addition treated as a routine queue item on Tuesday becomes an active exploitation window by Thursday.


3. Stockpiled CVEs that nation-state actors hold for years

Salt Typhoon accessed senior U.S. political figures’ communications during the presidential transition by chaining CVE-2023-20198 with CVE-2023-20273 on internet-facing Cisco devices, a privilege escalation pair patched in October 2023 and still unapplied more than a year later. Compromised credentials provided a parallel entry vector. The patches existed. Neither was applied.

Sixty-seven percent of vulnerabilities exploited by China-nexus adversaries in 2025 were remote code execution flaws providing immediate system access, according to the CrowdStrike 2026 Global Threat Report. CVSS does not degrade priority based on how long a CVE has gone unpatched. No board metric tracks aging KEV exposure.

That silence is the vulnerability.


4. Identity gaps that never enter the scoring system

A 2023 help desk social engineering call against a major enterprise produced more than $100 million in losses. No CVE was assigned. No CVSS score existed. No patch pipeline entry was created. The vulnerability was a human process gap in identity verification, sitting entirely outside the scoring system’s aperture.

“A pro needs a zero day if all you have to do is call the help desk and say I forgot my password,” Meyers said.

Agentic AI systems now carry their own identity credentials, API tokens, and permission scopes, operating outside traditional vulnerability management governance. Merritt Baer, CSO at Enkrypt AI, has argued on record that identity-surface controls are vulnerability equivalents belonging in the same reporting pipeline as software CVEs. In most organizations, help desk authentication gaps and agentic AI credential inventories live in a separate governance silo. In practice, nobody’s governance.


5. AI-accelerated discovery that breaks pipeline capacity

Anthropic’s Claude Mythos Preview demonstrated autonomous vulnerability discovery, finding a 27-year-old signed integer overflow in OpenBSD’s TCP SACK implementation across roughly 1,000 scaffold runs at a total compute cost under $20,000. Meyers offered a thought-experiment projection in the exclusive interview with VentureBeat: if frontier AI drives a 10x volume increase, the result is approximately 480,000 CVEs annually. Pipelines built for 48,000 break at 70,000 and collapse at 480,000. NVD enrichment is already gone for non-KEV submissions.

“If the adversary is now able to find vulnerabilities faster than the defenders or the business, that’s a huge problem, because those vulnerabilities become exploits,” said Daniel Bernard, Chief Business Officer at CrowdStrike.

CrowdStrike on Thursday launched Project QuiltWorks, a remediation coalition with Accenture, EY, IBM Cybersecurity Services, Kroll, and OpenAI formed to address the vulnerability volume that frontier AI models are now generating in production code. When five major firms build a coalition around a pipeline problem, no single organization’s patch workflow can keep pace.


Security director action plan

The five failure classes above map to five specific actions.

Run a chain-dependency audit on every KEV CVE in the environment this month. Flag any co-resident CVE scored 5.0 or above, the threshold where privilege escalation and lateral movement capabilities typically appear in CVSS vectors. Any pair chaining authentication bypass to privilege escalation gets triaged as critical regardless of individual scores.

Compress KEV-to-patch SLAs to 72 hours for internet-facing systems. The CrowdStrike 2026 Global Threat Report breakout data, 29-minute average and 27-second fastest, makes weekly patch windows indefensible in a board presentation.

Build a monthly KEV aging report for the board. Every unpatched KEV CVE, days since disclosure, days since patch availability, and owner. Salt Typhoon exploited a Cisco CVE patched 14 months earlier because no escalation path existed for aging exposure.


Add identity-surface controls to the vulnerability reporting pipeline. Help desk authentication gaps and agentic AI credential inventories belong in the same SLA framework as software CVEs. If they sit in a separate governance silo, they sit in nobody’s governance.

Stress-test pipeline capacity at 1.5x and 10x current CVE volume. Gamblin projects 70,135 for 2026. Meyers’s thought-experiment projection: frontier AI could push annual volume past 480,000. Present the capacity gap to the CFO before the next budget cycle, not after the breach that proves the gap existed.
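The chain-dependency audit and KEV aging report from the action plan, as an added Python example that is not from the article or any vendor it names. The inventory rows, placeholder CVE IDs, host and owner names, and the analyst-assigned capability tags are constructed assumptions, and the SLA clock is assumed to start at the KEV listing date.

```python
from collections import defaultdict, namedtuple
from datetime import date as d

Finding = namedtuple("Finding", "host cve cvss kev capability internet_facing "
                                "disclosed kev_added patch_available owner")

# Constructed inventory of unpatched findings; IDs, hosts, owners and tags are placeholders.
FINDINGS = [
    Finding("vpn-gw-01", "CVE-EXAMPLE-0001", 9.8, True, "auth_bypass", True, d(2026, 1, 10), d(2026, 1, 14), d(2026, 1, 12), "netops"),
    Finding("vpn-gw-01", "CVE-EXAMPLE-0002", 6.5, False, "priv_esc", True, d(2025, 11, 3), None, d(2025, 11, 20), "netops"),
    Finding("hr-app-02", "CVE-EXAMPLE-0003", 7.5, True, "rce", False, d(2026, 3, 1), d(2026, 3, 5), d(2026, 3, 2), "appsec"),
    Finding("hr-app-02", "CVE-EXAMPLE-0004", 4.3, False, "info_leak", False, d(2026, 2, 1), None, d(2026, 2, 10), "appsec"),
]
CHAIN_FLOOR = 5.0      # co-resident score threshold from the action plan
SLA_DAYS = 3           # 72-hour KEV-to-patch SLA, internet-facing systems only

def chain_audit(findings):
    """For each host holding a KEV CVE: co-resident CVEs >= 5.0, plus a critical
    flag when auth bypass and privilege escalation coexist, whatever their scores."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    out = {}
    for host, rows in by_host.items():
        kev_ids = sorted(f.cve for f in rows if f.kev)
        if not kev_ids:
            continue  # audit is scoped to hosts with at least one KEV CVE
        co = [f.cve for f in rows if not f.kev and f.cvss >= CHAIN_FLOOR]
        caps = {f.capability for f in rows}
        out[host] = {"kev": kev_ids, "co_resident": co,
                     "critical": {"auth_bypass", "priv_esc"} <= caps}
    return out

def kev_aging_report(findings, today):
    """One row per unpatched KEV CVE, oldest disclosure first."""
    rows = []
    for f in findings:
        if not f.kev:
            continue
        rows.append({
            "host": f.host, "cve": f.cve, "owner": f.owner,
            "days_since_disclosure": (today - f.disclosed).days,
            "days_since_patch": (today - f.patch_available).days if f.patch_available else None,
            "sla_breach": f.internet_facing and (today - f.kev_added).days > SLA_DAYS,
        })
    return sorted(rows, key=lambda r: r["days_since_disclosure"], reverse=True)
```

In a real pipeline the rows would come from the scanner export joined against the KEV catalog, and the capability tag would need an analyst or a CWE mapping, since CVSS scores alone do not name the capability.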

Who is John Ternus? Everything worth knowing about Apple’s new CEO

Apple has recently announced that Tim Cook, its current CEO who has overseen the launch of plenty of new hardware and software, is moving to a new role as Executive Chairman. 

John Ternus, Cook’s direct report, has been announced as Apple’s new CEO and will start his new role from September 1st 2026 – presumably in time for the annual iPhone hardware launch which usually takes place in September, and could reveal the iPhone Fold.

But who is John Ternus and what has his career looked like?

We explain everything we know about John Ternus, from his career with Apple to being mentored by Tim Cook himself.

Who is Tim Cook?

We’ll start with a refresher on Ternus’ mentor. Tim Cook has been Apple’s CEO since 2011, although he has worked at the company since 1998. During his 15 years as CEO, Cook has not only overseen the launch of the likes of Apple Watch, AirPods and Apple Vision Pro, but also new services including Apple Pay, Apple TV and Apple Music too. 

According to Apple, Cook has grown the brand from a market capitalisation of approximately $350 billion to an eye-watering $4 trillion, while yearly revenue has “nearly quadrupled” and reached over $416 billion in fiscal year 2025. In addition, Apple has grown by more than 100,000 team members and increased its active installed base to more than 2.5 billion devices in the past 15 years.

In a community letter, Cook explained that he won’t be leaving Apple altogether, and instead will be transitioning into a new role as Apple’s Executive Chairman.

Who is John Ternus?

After working at Apple since 2001, John Ternus has been named as the company’s next CEO and will officially start the new role from September 2026. 

Hailed by Tim Cook as being the “perfect person for the job”, Ternus joined Apple’s Product Design team back in 2001 and rose up the ranks to become VP of Hardware Engineering in 2013. In 2021, Ternus then became Senior VP of Hardware Engineering and directly reports to Tim Cook.

Prior to his tenure at Apple, Ternus worked as a Mechanical Engineer at Virtual Research Systems, after graduating with a degree in Mechanical Engineering.

Ternus’ background in hardware and product design is noteworthy, as it suggests that Apple isn’t putting all its eggs into software and, specifically, AI. That makes sense, given that it’s Apple’s hardware that’s made headlines, and not necessarily the likes of Apple Intelligence or Siri.

What is John Ternus known for?

According to Apple, Ternus was “instrumental” in introducing the iPad and AirPods, and oversaw many generations of iPhone, Apple Watch and Mac.

Apple especially praised Ternus’ work on Mac, and stated that he helped the category become more popular globally than “at any time in its 40-year history”.

In addition, Ternus introduced new techniques to keep devices reliable and durable, while focusing on materials and hardware designs that reduce products’ carbon footprint. This includes creating new, recycled aluminium, 3D printing titanium for the Apple Watch Ultra 3 and better repairability that has increased the lifespans of several Apple products.

Maine Governor Vetoes Data Center Moratorium Bill

Maine Gov. Janet Mills vetoed a bill that would have imposed the nation’s first statewide moratorium on new data centers, saying she supported the idea in principle but would not block a major redevelopment project tied to jobs and local investment. Instead, she said she will create a council to study data centers’ effects while also signing a separate measure to deny them certain state tax incentives. Politico reports: “After prior redevelopment efforts failed, the Town of Jay worked for two years on a $550 million data center redevelopment project to finally bring jobs and investment back to the mill site,” Mills wrote, adding that she would issue an executive order establishing a council to examine the impact of data centers in Maine.

The legislation would have made Maine the first state to block the construction of new data centers, as both political parties grapple with how voters view them ahead of the midterm elections. In a statement accompanying the letter, the governor said she had signed a separate bill that would prohibit data center projects from receiving Maine’s business development tax incentive programs

Designer Baby Companies Are in Turmoil

Two companies that launched last year with plans to create gene-edited babies have already shut down, citing money issues and internal conflict.

One of them, Manhattan Genomics of New York, closed abruptly shortly after announcing a team of scientific advisers in October that included a prominent fertility doctor, a data scientist who worked for de-extinction company Colossal Biosciences, and a scientist who pioneered a “three-parent” IVF technique. The other, California-based Bootstrap Bio, said it ceased operations in late 2025, as first reported by Mother Jones.

Manhattan Genomics and Bootstrap Bio had ambitions to edit DNA in human embryos with the goal of preventing serious disease in babies. Known as germline editing, the idea is highly controversial because any changes made at the embryo level would be passed on to future generations. It’s different from gene-editing treatments currently being tested on patients, which only affect the treated individual.

The safety and efficacy of germline editing is also unproven. One concern is that the technology can result in unintended, potentially harmful “off-target” edits. Many researchers worry that permitting embryo editing to address serious diseases will inevitably lead to it being used for enhancement purposes, such as appearance or intelligence, to make “designer babies.” It’s currently prohibited in the US and many other countries to initiate a pregnancy with an edited embryo.

There are three known children who were gene-edited as embryos as a part of a now infamous 2018 experiment conducted by Chinese scientist He Jiankui. The revelation shocked the international scientific community, and a Chinese court sentenced He to three years in prison for illegal medical practices. Once taboo, the prospect of gene-edited babies has been recently revived by biotech entrepreneurs, futurists, and Silicon Valley investors. But the path to a viable gene-edited baby business is apparently presenting some challenges.

“We ran out of money. We had some promising results in the lab but I couldn’t get enough investors interested for us to keep our operation going,” Bootstrap Bio CEO and cofounder Chase Denecke told WIRED via email. The company still exists but isn’t actively operating, he added.

Bootstrap has had other problems. In August 2025, federal officers arrested the company’s chief science officer at the time, Qichen Yuan, and charged him with attempted sex trafficking of a child, as Mother Jones reported. Yuan is now set to appear in federal court in Boston. When reached via email, Yuan’s lawyer declined to comment.

Denecke told WIRED that he didn’t know about the charges until after the company “ceased active operations.” Yuan worked as a contractor for Bootstrap Bio in 2024 and 2025 until the company shut down, according to Denecke. “We would have let him go earlier if we had known,” Denecke said over email.

Bootstrap Bio had early interest from investors. In a 2024 LinkedIn post announcing the formation of the startup, for example, Denecke mentioned that a venture capitalist flew him out to Honduras.

Manhattan Genomics, which also went by Manhattan Project, planned to pursue human embryo editing for disease prevention. In a since deleted X post from March, cofounder Cathy Tie said the startup shut down due to a “cofounder conflict.” At the same time, she publicly announced the formation of a new company, Origin Genomics, to advance germline gene correction.

Manhattan Genomics’ cofounder Eriona Hysolli told WIRED that she and Tie parted ways due to “fundamental disagreements stemming from the coexistence of a Cayman-based entity with the same name with separate governance by my cofounder, and which confounded the open and transparent mission of Manhattan Genomics.”

Lachy Groom to back India startup Pronto at a $200M valuation, sources say

Pronto, an Indian instant house-help startup, is finalizing a funding round led by tech investor Lachy Groom that would value the fast-growing company at about $200 million after investment, TechCrunch has learned.

The deal is expected to bring in about $20 million in fresh capital and would mark a sharp jump from the $100 million valuation at which the company raised $25 million in a Series B round led by Epiq Capital in early March, doubling its valuation in a matter of weeks, two people familiar with the matter said.

Bengaluru-based Pronto completed about 500,000 orders last month and is currently handling around 24,000–25,000 orders daily, up from about 18,000 daily bookings in March and roughly 1,000 last year.

Founded in 2025, Pronto connects households with on-demand domestic help for services such as cleaning and chores, promising quick turnaround times through a managed network of workers.

In March, Pronto founder Anjali Sardana told TechCrunch the startup had expanded from one city to 10 — including Delhi NCR, Bengaluru, and Mumbai — and from five to more than 150 micromarkets. However, much of its activity remains concentrated in a handful of markets, with the National Capital Region accounting for about half of total bookings.

The startup has over 4,500 active professionals on its platform, around 99% of whom are women, Sardana said last month, adding that demand continued to outpace onboarding of new workers as bookings grew about 20% week over week.

Before this funding, Pronto had raised about $40 million in total. Its investors include Epiq Capital, Glade Brook Capital, General Catalyst and Bain Capital Ventures.

Pronto and Groom did not respond to requests for comment.

Copyright © 2025