Looking for the most recent Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections: Sports Edition and Strands puzzles.

Wow, today’s NYT Connections puzzle has a really intriguing purple category. Hint: Look for words that use the same exact letters. Read on for clues and today’s Connections answers.

The Times has a Connections Bot, like the one for Wordle. Go there after you play to receive a numeric score and to have the program analyze your answers. Players who are registered with the Times Games section can now nerd out by following their progress, including the number of puzzles completed, win rate, number of times they nabbed a perfect score and their win streak.

Read more: Hints, Tips and Strategies to Help You Win at NYT Connections Every Time

Hints for today’s Connections groups

Here are four hints for the groupings in today’s Connections puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: You won.

Green group hint: Let’s get back to the topic.

Blue group hint: Ghostbusters is a classic.

Purple group hint: Mix up the letters.

Answers for today’s Connections groups

Yellow group: Championship awards.

Green group: Matter at hand.

Blue group: ’80s comedies.

Purple group: Anagrams.

Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words

What are today’s Connections answers?

The yellow words in today’s Connections

The theme is championship awards. The four answers are cup, medal, pennant and ring.

The green words in today’s Connections

The theme is matter at hand. The four answers are concern, focus, point and subject.

The blue words in today’s Connections

The theme is ’80s comedies. The four answers are Airplane, Big, Clue and Twins.

The purple words in today’s Connections

The theme is anagrams. The four answers are enlist, listen, silent and tinsel.

Toughest Connections puzzles

We’ve made a note of some of the toughest Connections puzzles so far. Maybe they’ll help you see patterns in future puzzles.

#5: Included “things you can set,” such as mood, record, table and volleyball.

#4: Included “one in a dozen,” such as egg, juror, month and rose.

#3: Included “streets on screen,” such as Elm, Fear, Jump and Sesame.

#2: Included “power ___” such as nap, plant, Ranger and trip.

#1: Included “things that can run,” such as candidate, faucet, mascara and nose.

What will you miss most about Hacks? Ava (Hannah Einbinder) is furthering the queer agenda? Deborah’s (Jean Smart) sharp tongue? Or the fact that Meg Stalter won’t be as ever-present in our minds unless you’re chronically on Instagram?

Regardless, Hacks season 5 is going down in a blaze of glory. Last week, we saw Deborah on a ‘non-press tour press tour’ — and by that I mean that she appeared everywhere she could without explicitly promoting her Madison Square Gardens show.

Offbeat

Autonomous shuttle’s second passenger trip ends with rear-end collision and a tow truck

A new self-driving bus service in the Swedish city of Gothenburg got off to a rough start this week when one of its vehicles was hit by a tram on its second passenger-carrying trip.

The autonomous bus, running on route 169 between Gothenburg Central Station and Liseberg, opened to passengers on May 25. It was struck from behind shortly after setting off on its second run, resulting in damage to both vehicles and the bus enduring the ignominy of being towed away.

According to reports, the bus braked and was rear-ended by the tram. A spokesperson for Västtrafik, the bus operator, told The Register: “A small number of passengers were on board. No one was seriously injured, and that is the most important outcome. Both the bus and the tram sustained minor damage.”

The autonomous bus project began in 2024, and trials were scheduled to conclude by 2027 [PDF]. At present, a driver is still required, although the controls are not touched during normal operation.

However, someone else driving into it is a whole different challenge. On the rear of the Karsan bus was the warning “Keep your distance! The bus can brake sharply!” but that did not appear to deter the tram. As a rule of thumb, trams tend to have the right of way since they cannot swerve around a suddenly slowing vehicle.

Self-driving public transport remains a challenge. Elon Musk’s Cybercab is beginning to trundle onto the streets after a 2024 announcement, and Waymo’s taxis have been rolling around cities such as San Francisco for a few years now, although it yanked thousands of vehicles off the road over fears they might drive headlong into floods on high-speed roads. 

The UK’s first registered autonomous bus route was unveiled in 2023. However, operators reportedly decided to end the service in 2025 due to a lack of passengers. The service ran over a 14-mile journey in Scotland and also required drivers on board.

As for Gothenburg, the Västtrafik spokesperson told El Reg: “We are now conducting a thorough analysis of the incident together with relevant parties to better understand what happened as soon as possible.”

One of the goals of the project was to “gather and share knowledge about how autonomous mobility works in practice.” To which the answer, at least initially, appears to be: “Great! Until a tram enters the chat.” ®

Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.

Today’s NYT Strands puzzle threw me a bit — the theme seemed clear, but there were so many different words that could serve as answers. Some of the answers are difficult to unscramble, so if you need hints and answers, read on.

I go into depth about the rules for Strands in this story. 

If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.

Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far

Hint for today’s Strands puzzle

Today’s Strands theme is: On the nature trail.

If that doesn’t help you, here’s a clue: Touch some grass.

Clue words to unlock in-game hints

Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints but any words of four or more letters that you find will work:

• DUMP, DARE, SIDE, HEAT, SANG, CORN, THEY, SIDE, DUDE, SLED, CREATE, CAVE, PEAT, RAVE

Answers for today’s Strands puzzle

These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you have all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:

• MOSS, ACORN, DAISY, PUDDLE, FEATHER, PAWPRINT

Today’s Strands spangram

Today’s Strands spangram is SCAVENGERHUNT. To find it, start with the S that is the first letter on the top row, and wind down and over.

Toughest Strands puzzles

Here are some of the Strands topics I’ve found to be the toughest.

#1: Dated slang. Maybe you didn’t even use this lingo when it was cool. Toughest word: PHAT.

#2: Thar she blows! I guess marine biologists might ace this one. Toughest word: BALEEN or RIGHT. 

#3: Off the hook. Again, it helps to know a lot about sea creatures. Sorry, Charlie. Toughest word: BIGEYE or SKIPJACK.

CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited.

Drupal is typically used by large organizations managing massive data structures and multi-site installations, including government entities, educational organizations, major research universities, and high-profile enterprise and media organizations.

Google/Mandiant researcher Michael Maturi discovered this vulnerability (now tracked as CVE-2026-9082) in Drupal’s database abstraction API.

The security flaw can be exploited without authentication, allowing attackers to trigger arbitrary SQL injection on PostgreSQL-powered sites via specially crafted requests. Successful exploitation can potentially lead to information disclosure, privilege escalation, and even remote code execution.

The Drupal security team tagged the flaw as “highly critical” before releasing patches and confirming that exploitation attempts had been detected in the wild.

“Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries,” cybersecurity firm Imperva warned on May 21. “Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks.”

Internet security watchdog group Shadowserver now tracks nearly 670 unpatched Drupal installations exposed online, most of them from North America (272) and Europe (273).

​On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems by midnight on Wednesday, May 27, as mandated by Binding Operational Directive (BOD) 22-01.

Although BOD 22-01 applies only to U.S. federal agencies, CISA advised all defenders, including those in the private sector, to apply CVE-2026-9082 patches as soon as possible to secure their organizations’ devices.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise [..] Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Over the last several years, CISA has flagged 5 Drupal vulnerabilities that have been exploited in the wild, two of which have also been abused in ransomware attacks.

Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.

This guide covers the 6 surfaces you actually need to validate.

Advertisement

Download Now

AI + ML

RUSI warns fake IDs, shell companies, and crypto laundering could soon operate at industrial scale

The future of sanctions evasion appears to involve fewer shady middlemen and considerably more rented GPUs, according to a new RUSI report on how rogue states are using AI to fake identities, automate shell companies, and launder crypto at scale.

The report, “Algorithms of Evasion: The Rise of AI-Enabled Proliferation Financing,” says countries including North Korea and Iran are deploying AI tools to support sanctions evasion and proliferation financing (PF) schemes, ranging from fake passports and corporate paperwork to cryptocurrency laundering and fabricated online personas. 

“AI has the potential to radically increase the scale of PF activities, like sanctions evasion, to levels that overwhelm current PF and sanctions evasion detection and enforcement capabilities,” wrote Dr Aaron Arnold, a Senior Associate Fellow with the Centre for Finance and Security at RUSI, specializing in sanctions and proliferation financing.

Arnold argues that AI is not reinventing sanctions evasion so much as supercharging it. “AI is not necessarily changing PF and sanctions evasion typologies but instead increasing their efficiency and effectiveness,” he wrote.

That includes generative AI systems capable of producing fake passports, bank statements, vessel registrations, invoices, and corporate records, according to the report. RUSI writes that AI “can mass-produce high-quality fraudulent documents” with enough contextual accuracy to fool traditional compliance checks that still rely heavily on manual document verification.

The report also warns that many existing banking identity checks are rapidly becoming unreliable against modern AI tools. “Static biometric checks such as a selfie or voice print are no longer sufficient proof of identity against AI-enabled adversaries,” Arnold wrote, noting that many current systems were designed for human fraudsters rather than synthetic identities and deepfake operators.

The paper highlights North Korea’s growing use of AI-enhanced deception in its overseas IT worker operations. After years of allegedly relying on VPNs and fraudulent documents to secure remote tech jobs abroad, Pyongyang-linked operators have reportedly started using AI-generated CVs and deepfakes during job interviews to obscure their identities.

Crypto, naturally, remains a huge part of the picture. The report points to North Korea’s Lazarus Group and the $1.5 billion Bybit theft in 2025 as evidence that sanctioned states are already deeply embedded in digital asset crime. Arnold warned that AI could make the laundering side even harder to track by constantly shifting transaction patterns to stay ahead of investigators.

Arnold also points to a newer class of threat involving autonomous AI agents capable of handling discrete parts of a sanctions-evasion operation without constant human direction. In theory, he wrote, those systems could manage shell companies, move cryptocurrency through mixers and decentralized finance platforms, or generate deepfake content as needed, potentially making it harder for investigators who traditionally focus on dismantling human networks. 

RUSI’s proposed fixes boil down to fighting automation with more automation. The report calls for clearer rules allowing banks to use AI-powered counter-proliferation tools, updated KYC systems capable of spotting deepfakes and synthetic identities, and new “compute-KYC” obligations forcing cloud providers to pay closer attention to who is renting the GPU power behind large-scale AI operations.

The question now is whether regulators can modernize faster than sanctions evaders can automate. ®

In the last few years, India’s online food delivery market has grown significantly, with both Zomato and Swiggy going public and the number of cloud kitchens increasing. Meanwhile, startups working on home services, such as on-demand household staffing platforms like Urban Company, Snabbit, and Pronto, have gained popularity.

Silicon Valley-based start-up Human Archive is tapping into this trend, partnering with these companies to have workers wear special caps with cameras to collect egocentric (first-person point of view) video data of everyday tasks that could be used to train robots.

Without naming specific partners, the startup said it is working with companies in the home services, hostel, and restaurant sectors to collect egocentric data, and it says it has more than 1,000 active headsets deployed across multiple locations.

On the back of that traction, Human Archive said Tuesday it has raised $8.2 million in funding from Wing Venture Capital, NVP Capital, Y Combinator, and angels from OpenAI, Nvidia, Google, Mercor, AfterQuery, BAIR, SAIL, Brad Boa, and Meta.

The startup was founded by two Berkeley and two Stanford students — Samay Mani, Rushil Agarwal, Shloke Patel, and Raj Patel, the latter two being cousins. (Raj Patel is CEO.) All four have research backgrounds spanning robotics, hardware, and tactile data.

The company’s founding is a direct bet on where the AI industry is heading. As robotics labs and frontier AI companies race to build machines that can perform physical tasks in the real world, they face a critical bottleneck — a shortage of high-quality, real-world training data showing humans doing everyday work. Human Archive’s bet is that the workers staffing India’s booming gig economy represent an untapped and scalable source of exactly that data.

While Human Archive is working with multiple partners, the startup said it was rejected by many Indian home services companies, including Pronto and Urban Company, for a collaboration.

The company’s rejection by major players became public fodder last weekend, when Indian outlet Entrackr reported that Pronto is actively seeking partnerships to collect worker data for robotics training, and that Snabbit had held early discussions with Human Archive before the project fell apart.

Urban Company CEO Abhiraj Singh Bhal responded on X, stating the company would not engage in such arrangements — prompting Patel to fire back that Urban Company would soon be forced to reconsider or risk losing relevance to customer churn. Co-founder Rushil Agarwal was blunter still, posting that Pronto founder Anjali Sardana had laughed at him and called him “stupid” when he raised the idea of a data partnership. Pronto acknowledged the conversations but said it chose not to move forward.

Across the country, other startups are collecting egocentric data from different work environments, including factory floors. To differentiate itself, Human Archive is using and developing additional devices, such as tactile gloves, a full-body motion capture suit, and wrist cameras to capture data including motion, and tactile force, synchronously aligned with RGB-D (color imagery paired in real time with depth information), to sell to AI labs. The startup believes that video data alone is not sufficient, but that pairing it with other sensor data makes it much more valuable.

Initially, Human Archive used makeshift setups or off-the-shelf rigs to capture the data. Now, it is working on custom hardware that works together and captures different kinds of data. It already has more than 50 different devices deployed to collect different data points.

“To capture data, we started with iPhones, then we built our own custom rigs and caps. Now we have more than seven different hardware products that we use interchangeably across different modalities. After data collection from different devices, we worked on synchronizing data from all these different sources,” Patel said in a call.

The company said it is developing ways to fine-tune AI models with its own data and test them on robots to evaluate task effectiveness. By doing this, the startup can demonstrate the quality of its data to potential customers and post-train internal models.

Zach DeWitt, a partner at Wing VC, said the startup has a unique advantage in collecting data from multiple sensors.

“No one else in the world has been able to synchronize and collect headset RGB-D, force feedback, full-body motion capture, and synchronized chest and wrist camera data at scale. They’ve been doing internal model training on this data, and every major lab and university is interested in running experiments on it due to the novelty of the sensors and the scale of the new dataset they are releasing soon,” he told TechCrunch.

Collecting data in India and expansion plans

Despite rejection from notable players in the home services industry, Human Archive teamed up with smaller startups to offer discounted services to customers. When a worker arrives at a home, consumers are offered a choice through the app: pay a discounted price in exchange for consenting to data collection, or pay the full price for an unrecorded visit.

Patel mentioned that customers have been happy to opt for the former, as disputes about service quality are common, and video recordings can help resolve them.

The company pays workers a base rate of $1 per hour for participating in egocentric data collection. A report from the Economic Times suggests that other companies pay ₹250–₹400 per hour (roughly $2.63–$4.20). Patel said competitors pay more than Human Archive, but its on-the-ground presence in India allows it to keep compensation lower.

“Human Archive’s network provides immediate, flexible earning opportunities globally, lowering the barrier to participating in the AI economy. We see this as a critical bridge that funds immediate livelihoods while building the infrastructure for a safer, more productive future,” DeWitt said.

Beyond wage payment, there are privacy concerns around data collection via video recording. It is not clear what information Human Archive gives workers about how their footage is used. The company said that its commercial contracts are compliant with India’s Digital Personal Data Protection (DPDP) Act, as it displays a privacy policy notice, along with consent information detailing the purpose of data collection and how it is processed. The company said all data is anonymized, and faces are blurred from recordings. Last week, Moneycontrol reported that India’s Ministry of Electronics and Information Technology is looking into the consent mechanisms and data collection practices of startups collecting egocentric data through home service workers.

While Human Archive largely collects data in India, it has started expanding into Southeast Asia and the U.S. The company is also building a platform for anyone to participate in data collection and earn money. It also wants to offer customers in the U.S. services like cleaning or cooking in exchange for data collection by participating workers — though these programs are just in an early pilot stage.

Multiple well-funded startups are racing to build physical AI. Doing so requires massive amounts of training data showing humans at work — and Human Archive is one of the players competing to serve that demand. Whether its approach can scale will hinge on the partnerships it strikes and the uniqueness and volume of the data it can collect to satisfy the appetite of physical AI labs.

The Spanish government has issued an order to block the gambling platforms Polymarket and Kalshi, according to a report by The Wall Street Journal. The ban is being instituted as the country investigates the legality of prediction market platforms, as they operate in Spain (and everywhere else) without a gambling license.

The country’s ministry in charge of consumer affairs said it blocked the websites as a precautionary measure pending an official investigation. This investigation will determine if the platforms violate Spain’s gambling laws. It’s set to complete within the next four months and could mandate that these companies require specific administrative licenses to operate.

Kalshi and Polymarket have also been making waves on this side of the pond. Several US states have tried to regulate or outright ban prediction market platforms, with a Minnesota ban set to take place on August 1. Rhode Island, Illinois, Arizona, Connecticut, Nevada and New Jersey have all challenged the legality of such prediction markets.

Minnesota has just become the first state to ban prediction markets.

Gov. Tim Walz has signed a bill that makes operating or advertising prediction markets a felony.

Advertisement

This sets a major precedent for those seeking to regulate or ban Polymarket, Kalshi, and other sites.

— More Perfect Union (@MorePerfectUS) May 20, 2026

However, the federal government isn’t having any of it. The US Commodity Futures Trading Commission (CFTC) has started suing states for attempting to ban or regulate prediction markets. The CFTC believes it has sole jurisdiction to regulate these platforms, and not the states. Also, remember when states rights was a thing?

Who knows why the federal government has become so enamoured with prediction markets. It is worth noting that the platforms have made headlines in recent months after suspicious activity has raised concerns of insider trading in Washington.

To that end, it’s fairly easy for anyone “in the know” to rig a Polymarket or Kalshi bet. Case in point? A US soldier has been charged with using classified information regarding the capture of Venezuela’s Nicolas Maduro to win more than $400,000 via gambling platforms. This is what happens when people gamble on real world events. Sporting events have official organizations and referees, but most real world situations do not.

🇫🇷 Some guy pointed a hairdryer at a weather sensor, bet on the temperature spike on Polymarket, and walked away with $34,000. Twice.

Météo France filed a complaint, Polymarket switched sensors, and the man is probably on a beach somewhere.

Source: PA News pic.twitter.com/Jfy15Nn2j8

Advertisement

— Mario Nawfal (@MarioNawfal) April 24, 2026

People are people and will also influence real world events given half the chance, which is something these platforms most definitely invite. Someone allegedly used a hairdryer to rig Polymarket weather bets in France, with the hairdryer being used to warm up a temperature sensor. 

In any event, Kalshi and Polymarket are making money hand over fist. Kalshi was recently valued at $22 billion and Polymarket was recently valued at $15 billion. 

from the this-is-why-we-can’t-have-nice-things dept

NPR is imposing a new round of buyouts and layoffs as it tries to survive the brutal Trump GOP attacks on public broadcasting. According to NPR, it’s being forced to trim $8 million of its $300-million annual budget because of the illegal (for whatever that word is worth any more) Trump administration attacks on NPR, PBS and their member station funding earlier this year.

The original executive order resulted in Congress obliterating the entire Corporation for Public Broadcasting (CPB) budget of $1.1 billion for fiscal years 2026 and 2027. With no money left to function, the CPB voted to dissolve itself last January. A judge subsequently ruled that the defunding was illegal and violated the First Amendment, but the ruling came too late to save the CPB.

According to NPR, it received $113 million in private donations ($80 million of it coming from Connie and Steve Ballmer) to offset the losses, but that money won’t be used to save the jobs of human beings doing actual reporting. Instead, it can only be spent on “technological innovation” (read: likely given to Microsoft for enterprise services):

“Paradoxically, just prior to the announcement of these cost-cutting measures, NPR received a pair of private gifts totaling $113 million — representing the network’s second- and third-largest in its 56-year history. Most of that money, however, is dedicated to technological innovation.”

While NPR doesn’t really take all that much money from the public anymore (roughly 1% of NPR’s annual budget comes from the government), the CPB distributed over 70 percent of its funding to about 1,500 public radio and TV stations. Much of them providing popular and useful educational programming.

As we’ve noted previously, right wingers, corporations, and authoritarians loathe public broadcasting because, in its ideal form, it can untether public interest journalism from the often perverse financial incentives inherent in our consolidated, billionaire-owned, ad-engagement-based corporate media.

A media, if you hadn’t noticed, that is easily bullied, cowed, and manipulated by bad actors looking to normalize, downplay, or validate no limit of terrible and illegal bullshit (see: CBS, Washington Post, the New York Times, and countless others). In functional countries, taxpayer-funded journalism functions as a public interest firewall from corporatism and authoritarianism.

In the United States, decades of attacks and defunding have left us with outlets like NPR that barely even qualify as a “public broadcaster.” And as NPR became a more traditional, corporate ad-driven outlet you could watch in real time how it became friendlier and friendlier to right wing narratives for fear of being accused of a “liberal bias” (for all the good it wound up doing them).

But after decades of under-funding and attacks, what passes for U.S. public media is a distant shadow of the idea’s full potential. And now even that’s been left reeling. Should we survive authoritarianism, maybe there will be a few useful lessons buried in the rubble.

Filed Under: funding, journalism, media, public broadcasting

Companies: cpb, npr