Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.

Today’s NYT Strands puzzle was tough at first, but eventually I figured it out. Some of the answers are difficult to unscramble, so if you need hints and answers, read on.

I go into depth about the rules for Strands in this story. 

If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.

Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far

Hint for today’s Strands puzzle

Today’s Strands theme is: March in June.

If that doesn’t help you, here’s a clue: Month-long event.

Clue words to unlock in-game hints

Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints but any words of four or more letters that you find will work:

• LATE, HALF, PANT, RANT, THEE, DIME, DINE, DINED, GRAD, RIDE, BEAR, BEAT

Answers for today’s Strands puzzle

These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you have all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:

• DRAG, FLAGS, RALLY, PARADE, RAINBOW, CELEBRATION

Today’s Strands spangram

Today’s Strands spangram is PRIDEMONTH. To find it, start with the P that is the first letter on the top row, and wind down and across.

Now that Amazon Prime Day is over, it’s time to start gearing up for Fourth of July sales. Most large retailers pivoted their summer-sale timing to compete head-on with Amazon’s accelerated schedule, but you can still snag great deals this July 4th, particularly in active and outdoorsy categories.

REI has the hottest sale of the weekend as far as the WIRED Reviews team is concerned, but there are notable midsummer sales on other sites we shop, like Backcountry, Home Depot, and Lululemon. Also, make sure you don’t sleep on Duer.

The outdoorsy Canadian clothing brand makes highly functional classics that subtly incorporate performance elements like Tencel fabric and strategic triple-stitching. The No Sweat Relaxed Taper pants have been a weekly wear for me for years; they’re as comfy as sweatpants but look dapper enough to wear to a business meeting, while being durable enough for a weekend camping trip.

Duer rarely has sales, and prices typically hover around $100 for pants and $50 for a shirt. Those aren’t outrageous prices, but most guys I know won’t build a wardrobe primarily from $50 tees. In the run-up to July 4th, you can save around 20 percent on a few of the brand’s most popular pants and up to 35 percent on some styles of shorts and long-sleeve shirts.

For the last few months, I’ve had a handful of Duer garments in rotation: Performance Denim+ Straight, Live Lite Traveller Pant, Air Flow Pique Polo, PurePima Only Tee, and the aforementioned No Sweat Relaxed Taper.

In addition to my beloved No Sweat pants, the pima cotton tee (some styles of which are on sale) is a big winner. It’s soft and still fits great after two trips through the washer and dryer. It’s getting serious consideration for being my new favorite black T-shirt. (I would suggest the brand start claiming it’s the best T-shirt in the world so as to be eligible for our tailor-judged shootout of men’s shirts.)

The pique polo is also great (the Hazy Mauve color is currently discounted), as it’s super breathable, holds an appropriately stiff collar without feeling too rigid, and also keeps its shape perfectly through two washing cycles.

If you’ve got summer travel or a camping trip coming up, this clothing could be nice to bring with you.

Power up with unlimited access to WIRED. Get best-in-class reporting and exclusive subscriber content that’s too important to ignore. Subscribe Today.

It’s going to be a “messy” summer for security folks, especially when it comes to fixing the open source code that underpins their organizations.

That’s according to Dan Lorenc, CEO and co-founder of Chainguard, a software supply-chain security company leading Athena, a newly formed coalition of about two dozen companies that wants to make the process of finding and fixing open source bugs “as easy to consume as possible.” 

The members have committed to using AI to prevent attacks on open source software. In addition to Chainguard, other founding member companies include BNY, Cisco, Cloudflare, Corridor, DepthFirst, Docker, JPMorganChase, Kyndryl,  LTM, and PwC.  

Many of these member companies are also partners with Anthropic’s Project Glasswing and OpenAI Daybreak, which allow them to try out the pair’s most advanced bug-hunting models. The coalition accepts vulnerability findings generated by all frontier models, according to Lorenc.

Athena has already processed more than 20,000 findings and developed over 2,000 patches across 500 open source projects. 

In about three weeks, the coalition’s first wave of bug disclosures will begin.

“This is going to be a messy summer for everyone,” Lorenc told The Register in a phone interview.

“I know there’s still a percentage of people who think it’s all fake and marketing,” he said, talking about the newest, most advanced frontier models like Anthropic’s Mythos and OpenAI’s GPT‑5.5‑Cyber.

“The stats and data we’re seeing are so scary – if you just keep running scans on the same libraries and same code, it just keeps finding more [vulnerabilities],” Lorenc said. “We haven’t seen that curve start to bottom out yet.”

Chainguard isn’t part of Glasswing or Daybreak, but many of its customers and partners are. 

“Put yourself in the shoes of someone with Glasswing access,” he said. “You get this crazy, new model that can find vulnerabilities everywhere, that no one had seen and you had missed for years with all of your other tooling. You run it on your code, and it finds tons of stuff in your first-party code, the stuff that you’ve written, and you fix all of that.”

After running Mythos Preview on all of your organization’s proprietary code, imagine pointing the model at an application. Most modern apps contain a mixture of code from different sources, mostly third-party. According to Lorenc, 95 percent of the code in any of these codebases is open source.

“When you run [advanced models] at the application level, you find a ton of vulnerabilities in open source code that you can’t fix for yourself the same way you can that first-party code,” Lorenc said. “So then you’re left with: what to do?”

By now, most people are familiar with vulnerability disclosure processes and know they need to report these flaws to open source project maintainers. 

“But when the numbers start getting this large, and you’re finding thousands of these [bugs] at a time, and they’re across tons of projects you didn’t even know you were using before you ran this tool, and you don’t even know how to contact the people, you kind of get stuck,” he said. 

The only guarantee in the entire disclosure process is that attackers are moving quickly and the time to exploit – that’s the time between a CVE’s public disclosure and first confirmed in-the-wild exploitation – has essentially collapsed.

A clearinghouse for bug reports

This may mean that your application is vulnerable to attack even before someone develops a patch. “Then you’re putting yourself at risk – and you were already at risk before you ran these scans, but no one else knew about it,” Lorenc said. “In an unintended way, [AI] has created this pickle for everyone.”

In May, Anthropic said it used Mythos Preview to scan more than 1,000 open-source projects, which also underpin much of its own infrastructure, and found an estimated 6,202 high or critical-severity vulnerabilities in these projects.

“It’s a super awkward, strange world and timeline we are all living in,” Lorenc said. “There’s a ton of pressure because all of the frontier models are getting better, and the open models are getting better, and they’re going to be able to start discovering these at the same time, too. So, that’s what we’re trying to help with: to be that clearinghouse for critical industry.”

Athena coalition members submit vulnerabilities they find in open source code using any frontier model. Sometimes they find these bugs while scanning their own apps. In other cases they discover them after pointing Mythos or GPT‑5.5‑Cyber at a commonly used library, Lorenc said.

The companies submit a full report to Chainguard, which acts as a clearinghouse, deduplicating, correlating, and addressing findings from members in batches across entire libraries, hardening them against classes of vulnerabilities instead of just one bug. 

Affected projects are rebuilt as private, hardened versions available to Athena members through Chainguard Libraries before vulnerabilities are publicly disclosed – and hopefully addressed upstream – a month later. For maintainers that can’t make a permanent fix, Athena acts as a “maintainer of last resort,” according to Lorenc.

On Thursday, the Linux Foundation joined the effort and announced Akrites, an industry coalition to defend open source software against AI-enabled threats, by finding and fixing vulnerabilities. Akrites establishes a shared Security Incident Response Team (SIRT) and a standardized Coordinated Vulnerability Disclosure (CVD) process.

Founding companies include Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, Nvidia, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone, and Zscaler.

“As AI finds more vulnerabilities, the industry will rush to patch them. Without coordination, those fixes will fragment across different patches and forks, and maintainers who are already overwhelmed, unreachable, or haven’t touched a project in years,” Lorenc said, adding that Akrites provides a coordinated way to fix flaws upstream before criminals exploit them.

Plus having a dedicated SIRT gives maintainers a single partner – and disclosure -to work with on remediation instead of a hundred uncoordinated reports.

“Now the work is making sure there’s always someone on the other end to catch them,” Lorenc said. ®

The FBI and CISA have warned that Russian intelligence hackers are now targeting Signal users’ backup recovery keys, an escalation of a phishing campaign that has already compromised thousands of accounts worldwide. The updated advisory, published Thursday, says that handing over the key once gives attackers the ability to restore an account’s backup, read its entire private and group message history, and take over the account.

The key keeps working even after the victim changes phones. If a target creates a new account on the same phone number, the old recovery key can still be used to access future backups, the advisory warns. The only fix is to generate a new key in Signal’s settings, which invalidates the old one for future downloads but cannot recover anything the attacker has already pulled.

The advisory, designated PSA I-062626-PSA, adds two public tracking names the FBI’s March notice did not include: UNC5792 and UNC4221. The bureau ties the activity to multiple Russian Intelligence Services groups, including FSB officers embedded with the FSB Border Guards and others working for the Russian military. The campaign targets both Signal and WhatsApp, though the recovery key tactic is specific to Signal.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The targets are individuals the FBI describes as being of “high intelligence value,” including current and former US and international government officials, military personnel, political figures, journalists, and officials in Ukraine. The March advisory said the broader campaign had already compromised thousands of accounts worldwide.

The phishing messages pose as Signal support. Earlier waves asked for SMS verification codes and account PINs, or used doctored “group invite” links that silently linked an attacker’s device to the victim’s account. The updated version walks targets through turning on Signal backups, opening the recovery key screen, and pasting the key into the chat.

The FBI published two sample messages used in the campaign. One is disguised as a mandatory two-factor authentication rollout, and the other poses as an urgent “data recovery” fix for messages supposedly at risk of being lost. Both are social engineering attacks that exploit trust in a platform’s own interface rather than technical vulnerabilities.

The agencies are clear that none of these techniques break Signal’s encryption or the app itself. The attackers compromise individual accounts through social engineering, then walk in through a legitimate feature. It is a pattern that has become increasingly common across security products, where the weakest link is the person holding the device, not the cryptography protecting the data.

Alongside the advisory, the State Department’s Rewards for Justice programme is offering up to $10 million for information on UNC5792. The activity overlaps with earlier warnings from Dutch intelligence agencies AIVD and MIVD, Germany’s BfV and BSI, and France’s ANSSI. Google’s Threat Intelligence Group first documented UNC5792 abusing Signal’s linked-device feature in early 2025 and later observed the same tradecraft targeting WhatsApp and Telegram.

The campaign is a reminder that end-to-end encryption protects messages in transit but cannot protect users who are persuaded to hand over the keys themselves. Anyone who receives a message inside Signal asking for a recovery key, verification code, or PIN should treat it as hostile, regardless of how convincing the sender appears. Signal does not message users inside the app to request credentials.

AI AND ML

Please state the nature of the medical emergency

NASA researchers are testing an AI clinical decision support system to help astronauts diagnose and treat medical symptoms during deep-space missions.

The Crew Medical Officer Digital Assistant (CMO-DA) is powered by a Red Hat-backed open source tool called RamaLama, designed to simplify how developers run, pull, and serve AI models. While it’s no Star Trek-esque Emergency Medical Hologram (EMH) quite yet, it could be a boon to ailing astros far from home.

Earlier this year, NASA decided to bring Crew-11 back from the International Space Station (ISS) early because of a medical concern. As missions venture further afield – to the Moon, Mars, and beyond – an early return may no longer be practical, while communication delays can rule out real-time consultation with doctors on Earth.

Red Hat says that CMO-DA started life as a proof of concept before moving from a cloud-dependent model to a fully disconnected edge deployment. It currently runs on a terrestrial twin of the HPE Spaceborne Computer aboard the ISS.

Inference is multimodal. “RamaLama provides the engine to run both large language models (LLMs) for complex medical reasoning and Vision Language Models (VLMs) for image-based symptom analysis,” Red Hat stated. “This allows the CMO-DA to process both text and visual data without needing a massive infrastructure footprint.”

CMO-DA runs locally on the device, which means responses do not depend on a connection to Earth.

That said, the system has yet to leave Earth. Testing on the Spaceborne twin allows the system to be refined before any potential deployment to the ISS. “Once validated on Earth, the CMO-DA will be demonstrated to NASA leadership so that they can evaluate its further use,” Red Hat said.

HPE’s Spaceborne project is on its third iteration aboard the ISS. Built from off-the-shelf components, the system is based on HPE Edgeline and Proliant servers and is more than capable of machine learning and AI workloads.

In the future, the team plans to integrate Red Hat Enterprise Linux AI for the next iteration of the CMO-DA.

Sadly, there appears to be no chance of a virtual Robert Picardo turning up to dispense medical advice to stricken astronauts. ®

People in Europe will soon lose access to Studio Canal movies they paid for on the PlayStation Store.