Tesla Robotaxis have crashed at least twice since July 2025 while a teleoperator was remotely driving the vehicles, according to newly unredacted information submitted to the National Highway Traffic Safety Administration (NHTSA).

Both crashes happened in Austin, Texas and occurred at low speeds. In each case, there was a safety monitor behind the wheel and no passengers were onboard.

The new information comes just a few months after Tesla told lawmakers that it allows remote operators to pilot one of the company’s vehicles as long as they stay under 10 miles per hour. “This capability enables Tesla to promptly move a vehicle that may be in a compromising position, thereby mitigating the need to wait for a first responder or Tesla field representative to manually recover the vehicle,” the company said at the time.

Tesla, like other companies working on autonomous vehicle technology, is required to submit detailed information about any crashes to NHTSA. Unlike most of those other companies, though, Tesla had always redacted the descriptions of its crashes, claiming they were confidential business information.

It’s not clear why, but Tesla changed course this week, and the latest version of the data released by NHTSA now provides a narrative description for all 17 crashes Tesla has recorded since last year with its nascent Robotaxi network.

In July 2025, shortly after Tesla first started operating the network in Austin, the company’s automated driving system (ADS) apparently had trouble moving forward while stopped on a street. The safety monitor requested help from Tesla’s remote assistance team, and a teleoperator “took over vehicle control and gradually increased vehicle speed and turned the Tesla ADS left toward the left side of the street.”

The teleoperator then drove “up the curb and made contact with a metal fence.”

A similar sequence played out in January 2026. The Tesla ADS was driving the vehicle straight on a street, when the safety monitor “requested support to assist with vehicle navigation.”

“The teleoperator took over vehicle control when the ADS was stopped and proceeded straight on the street. The Tesla vehicle made contact with a temporary barricade fora. construction site at approximately 9MPH, scraping the front-left fender and tire,” according to the data submitted to NHTSA.

Similar to other autonomous vehicle companies like Waymo, most of the other newly unredacted crashes involve Tesla Robotaxi vehicles being crashed into instead of causing crashes.

But at least two of them involve a Tesla Robotaxi clipping its mirrors on other vehicles. In one crash, from September 2025, the Tesla ADS was unable to avoid hitting a dog that ran into the street. (Tesla reported the dog was able to run away.)

In another September 2025 crash, a Tesla Robotaxi made an unprotected left turn into a parking lot and ran into a metal chain. (NHTSA recently closed an investigation into the occasional tendency of Tesla’s Full Self-Driving software to crash into parking lot bollards, chains, and gates. Waymo also issued a recall last year related to a similar problem.)

While other robotaxi companies like Waymo and Zoox have reported more crashes than Tesla, Elon Musk’s company is operating at a fraction of the scale. The details that were revealed this week in the newly un-redacted data may help explain why Tesla is scaling up its nascent autonomous ride-hailing network so slowly. Musk himself admitted last month that “making sure things are completely safe” is the biggest limiting factor to Tesla expanding the network, saying the company is being “very cautious.”

​During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations.

The Pwn2Own Berlin 2026 hacking competition takes place at the OffensiveCon conference from May 14 to May 16 and focuses on enterprise technologies and artificial intelligence.

Security researchers can earn over $1,000,000 in cash and prizes by hacking fully patched products in the web browser, enterprise applications, cloud-native/container environments, virtualization, local privilege escalation, servers, local inference, and LLM categories.

According to Pwn2Own’s rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution. Vendors have 90 days to patch their software and hardware after the zero-days are disclosed at Pwn2Own.

The highlight of the second day was Cheng-Da Tsai (also known as Orange Tsai) of DEVCORE Research Team earning $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange.

Siyeon Wi also collected $7,500 after exploiting an integer overflow bug to hack Windows 11, and Ben Koo of Team DDOS escalated privileges to root on Red Hat Enterprise Linux for Workstations to earn a $10,000 cash prize, while 0xDACA and Noam Trobishi used a use-after-free bug to exploit the NVIDIA Container Toolkit.

In the AI category, Le Duc Anh Vu of Viettel Cyber Security hacked the Cursor AI coding agent for $30,000, Sina Kheirkhah of Summoning Team demoed an OpenAI Codex zero-day ($20,000), and Compass Security exploited Cursor ($15,000).

On the first day, Orange Tsai earned another $175,000 after chaining 4 logic bugs for a Microsoft Edge sandbox escape, while Valentina Palmiotti (chompie) of IBM X-Force Offensive Research collected $20,000 for rooting Red Hat Linux for Workstations and $50,000 for an NVIDIA Container Toolkit zero-day.

Windows 11 was also hacked three times on day one by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Kentaro Kawane of GMO Cybersecurity, and Marcin Wiązowski, each earning $30,000 in cash rewards for demonstrating new privilege-escalation zero-days.

On the third day of Pwn2Own, the hackers will target Microsoft Windows 11, VMware ESXi, Red Hat Enterprise Linux, Microsoft SharePoint, and several AI coding agents.

The full schedule for the second day and the results for each challenge are available here, while the complete schedule for Pwn2Own Berlin 2026 is available here.

During last year’s Pwn2Own Berlin contest, TrendMicro’s Zero Day Initiative awarded 1,078,750 for 29 zero-day flaws and some bug collisions.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Advertisement

Download Now

Bolt Technology, the Estonian ride-hailing company that has spent roughly $180 million building a dominant position in South Africa, has struck a deal with China’s Dongfeng Motor Group to roll out an electric-vehicle fleet in the country. The partnership will start in Cape Town, with Dongfeng’s Box hatchback and its more premium 007 sedan available to riders through Bolt’s platform. A fleet management company called Yugo Rides will operate the vehicles.

The deal is a bet on two converging forces: rising global demand for Chinese electric vehicles and the economic pressure that elevated fuel prices, driven in part by the Iran conflict, are placing on ride-hailing drivers across emerging markets. Simo Kalajdzic, who manages Bolt’s South African operations, said the company is taking a phased approach to the rollout because of infrastructure constraints, particularly the need for sufficient charging stations.

Why South Africa matters to Bolt

Bolt claims more than 50% of the ride-hailing market in Africa’s largest economy, a figure that, if accurate, would make South Africa one of the few markets globally where Uber is not the leading platform. The company has invested about $180 million in building out the local business and says South Africa consistently ranks among its top 10 markets worldwide. Kalajdzic described the country as a “strong strategic priority.”

That investment is part of a broader expansion that now spans more than 50 countries and 850 cities. Bolt, which offers ride-hailing, food delivery, and scooter rentals, earned a €7.4 billion valuation in a 2022 funding round after raising €628 million from Sequoia Capital, Fidelity Management, and other investors. It has since moved into East Asia by launching in Taiwan and entered Canada under a sub-brand called Hopp. It also launched scooters in Washington, DC.

The EV calculus for ride-hailing

The logic behind electrifying a ride-hailing fleet in South Africa is straightforward but not simple. Fuel costs are among the largest expenses for drivers on any ride-hailing platform, and the oil price increases linked to the Iran conflict have made that burden heavier. Electric vehicles offer substantially lower per-kilometre running costs, which in theory should improve driver earnings and make the platform more attractive to new drivers.

The constraint is infrastructure. South Africa’s charging network remains sparse compared with those in Europe or China, and the country’s electricity grid has historically been unreliable, though load-shedding has eased in recent months. Bolt’s phased approach, starting in Cape Town, which has better charging infrastructure than most South African cities, suggests the company is aware that scaling an EV fleet will take time.

Dongfeng, for its part, gains a distribution channel in a market where Chinese manufacturers are increasingly competitive but have not yet established the consumer brand recognition that BYD and others have built in Europe and Southeast Asia. Partnering with a ride-hailing platform lets Dongfeng put its vehicles in front of millions of riders without needing to build a retail network from scratch.

The IPO question

The South Africa deal arrives as Bolt weighs an initial public offering. Kalajdzic said the company will “consider options, when market conditions are right,” a formulation that venture-backed companies typically use when an IPO is being planned but not yet committed to. Bolt’s €7.4 billion private valuation dates from 2022, and market conditions for ride-hailing IPOs have shifted considerably since then, not least because Uber’s own stock has demonstrated the difficulty of sustaining high multiples in the sector.

The Dongfeng partnership could serve a dual purpose in that context. Demonstrating the ability to electrify its fleet in a key market would strengthen Bolt’s narrative for public investors, particularly those focused on environmental, social, and governance criteria. It would also help differentiate Bolt from the company whose shadow it has always operated in: Uber has invested heavily in autonomous vehicles but has been slower to electrify its conventional fleet in emerging markets.

Whether the economics work at scale remains to be seen. The deal is small, a phased rollout of two Dongfeng models in a single city, and Bolt has not disclosed the financial terms of the partnership or the number of vehicles involved. But it signals a strategic direction that, if it succeeds, could be replicated across Bolt’s African and emerging-market footprint. For a company that built its position by being cheaper and faster than Uber in markets the American company treated as secondary, electrification is a logical next step.

Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm.

The node-ipc package is a Node.js module that enables various processes to communicate through all forms of sockets, including Unix, Windows, UDP, TLS, and TCP.

Despite the maintainer publishing in March 2022 weaponized versions that targeted Russia and Belarus-based systems with a data-overwriting module, in protest to the Russian invasion of Ukraine, the package still has more than 690,000 weekly downloads on npm.

The recent supply-chain attack was detected by multiple application security companies, including Socket, Ox Security, and Upwind, who confirmed the following three versions as malicious:

• node-ipc@9.1.6
• node-ipc@9.2.3
• node-ipc@12.0.1

The malicious code hides inside the CommonJS entrypoint (node-ipc.cjs) and executes automatically whenever applications are loaded.

The malware is heavily obfuscated and fingerprints infected systems, collects environment variables and sensitive local files, compresses the stolen data into archives, and exfiltrates it through DNS TXT queries.

The latest compromise appears to be the work of an external actor who compromised the account of an inactive maintainer named ‘atiertant.’

According to the researchers, the infostealer injected in the new node-ipc versions collects the following types of information from compromised systems:

• Cloud credentials from AWS, Azure, GCP, OCI, DigitalOcean, and others
• SSH keys and SSH configs
• Kubernetes, Docker, Helm, and Terraform credentials
• npm, GitHub, GitLab, and Git CLI tokens
• .env files and database credentials
• Shell histories and CI/CD secrets
• macOS Keychain files and Linux keyrings
• Firefox profile and key database files (on macOS)
• Microsoft Teams local storage and IndexedDB paths

The malware skips files larger than 4 MiB and avoids scanning .git and node_modules directories to increase efficiency and reduce operational noise on the host.

A notable operational characteristic is the use of DNS TXT queries instead of conventional HTTP-based command-and-control (C2) traffic for data exfiltration. The attackers use a fake Azure-themed domain (sh[.]azurestaticprovider[.]net:443) as a bootstrap resolver, transmitting the data to ‘bt[.]node[.]js’ with query prefixes like xh, xd, and xf.

According to Socket, exfiltrating a 500 KB compressed archive could generate roughly 29,400 DNS TXT requests, helping the traffic blend into normal DNS activity.

Prior to submission, the malware stores collected data in temporary compressed tar.gz archives, which are deleted after exfiltration to reduce forensic traces.

The malware does not establish persistence or download any secondary payloads, so the operation appears focused on rapid credential theft and exfiltration.

Potentially impacted developers should immediately remove the affected versions, rotate exposed secrets and credentials, and inspect lockfiles and npm caches.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Advertisement

Download Now

Lenovo has introduced a new budget gaming monitor in China under its Lecoo branding, and on paper, it looks like serious value for money.

The new Lecoo N2757Q combines a high refresh rate and 1440p resolution with a relatively low price tag, targeting gamers who want smooth performance without spending much.

At the centre of the package is a 27-inch Fast IPS panel with a 2560 × 1440 resolution and a native 200Hz refresh rate. The refresh rate can even be pushed slightly higher to 210Hz via overclocking, putting it firmly in competitive gaming territory. This is especially true for fast-paced FPS and RTS titles where frame smoothness matters more than anything else.

Lenovo also claims a 1ms (GTG) response time, aiming to reduce motion blur during high-speed gameplay. Colour performance sits in the mid-to-upper range for a budget display with 121% sRGB coverage and 96% DCI-P3; decent for everyday gaming and content consumption, but it’s not aimed at professional colour work.

Brightness peaks at 400 nits, which allows the monitor to meet the HDR400 standard. That won’t deliver true HDR impact compared to higher-end panels, but it should still offer a noticeable boost in contrast and highlights over standard SDR displays. Lenovo is also highlighting built-in game modes, designed to optimise visuals for different genres like shooters and strategy games.

On the connectivity side, there’s nothing flashy, but the monitor is practical. It includes two DisplayPort 1.4 ports and two HDMI 2.1 ports. This allows multiple devices to stay connected at the same time without constant swapping.

Elsewhere, the Lecoo N2757Q comes with an adjustable stand, VESA mount support, and a fairly minimal design. It keeps things simple rather than aggressive or overly “gamer-focused”.

The most striking part of the package, though, is the price. Lenovo has launched the Lecoo N2757Q in China at CNY 799 (around $118). This undercuts many 1440p high-refresh monitors currently on the market.

There’s no word yet on international availability, and given the Lecoo branding’s limited global presence, it’s unclear if this ultra-budget 200Hz monitor will ever leave China. Still, on specs alone, it’s one of the more aggressive value plays in the gaming display space right now.

OpenAI is rolling out a preview of a new personal finance feature inside of ChatGPT. Starting today, Pro users in the US can connect their financial accounts to ChatGPT in order to get more personalized advice from the chatbot.

To hear OpenAI tell it, every month more than 200 million users already turn to ChatGPT for guidance on managing their money. By building a framework that allows those people to connect their accounts to its servers, ChatGPT can go from offering generic advice to helping those same users take actions that more directly improve their lives. The integration is made possible through a partnership OpenAI has signed with Plaid, which offers connections to more than 12,000 financial institutions, including banks like Citi and Chase, in addition to services like Affirm and Robinhood.

To begin using the new integration, find the “Finances” section inside of ChatGPT’s sidebar or write a prompt along the lines of “@Finances, connect my accounts.” ChatGPT will guide you through the process of importing your financial information through Plaid. The chatbot will then start building a visual dashboard, like the one you see in the screenshot OpenAI provided. The process of generating a visual representation of your finances may take a few minutes. From there, you can select one of the starter prompts or ask your own questions.

Understandably, some people may be hesitant to share their financial information with ChatGPT. OpenAI is looking to address those concerns by limiting the scope of what its chatbot can see. According to the company, ChatGPT can only read your balances, transactions, investments and liabilities through Plaid. It cannot see full account numbers or make changes to your accounts through the system.

Additionally, the company says users can disconnect their financial accounts from ChatGPT at any time, and any memories the chatbot saves about your financial situation can be seen or deleted directly from the Finances section of the app. ChatGPT cannot access these memories when using the temporary chats feature. Lastly, OpenAI’s data controls settings apply to the new experience, so if you’ve already dug into those, your prompts and other information won’t be used by the company to train future models.

According to an OpenAI spokesperson, work on the feature began before the company’s recent acquisition of fintech startup Hiro, which offered an AI-powered financial planning tool for consumers. The company hopes to bring this new experience to more users, including Plus subscribers, in the future. “We’re starting with a preview to a smaller group so we can learn from real-world use, improve the experience, and expand thoughtfully,” OpenAI said.