Meta’s AI support agent bound recovery emails to accounts for whoever asked, and SOCs never saw an alert. An authorized agent writes a log of legitimate transactions, so nothing in the detection stack fired. Attackers asked the bot to make the change, took the one-time code it sent, and ran the password reset, 404 Media reported.

No malware, no stolen credentials, and no prompt injection in the sense most security teams drill for. The agent did exactly what Meta built it to do. That is what should keep a security operations leader up at night: The takeover did not break a control; it rode one that was already trusted.

What a SOC needs is a way to walk each recovery path through an audit grid with its AI build team before the next renewal closes. The AI Authority Audit Grid at the end of this article maps every authentication write a support agent can make on the recovery path, what Meta’s incident proved about each one, why it stays dark to the SOC, and the control that closes it.

The agent is an authorized actor, so the SOC reads the takeover as routine traffic

From inside the detection stack, the attack produced no signal the stack could read. The agent binds a new email, then resets the password, and identity and access management logs both writes as an authorized actor, so each lands in the authentication state as a legitimate transaction. No anomalous login, no failed-auth spike, nothing for EDR or DLP, no SIEM rule to match, because nothing in the sequence looks like an attack. The takeover lived inside the trust boundary the stack assumes is safe. There is no foothold to find, because the agent was the foothold, and it was supposed to be there.

The chain was almost insulting in its simplicity. Brian Krebs documented the version pro-Iran hackers posted to Telegram on May 31. The attacker switched on a VPN to appear in the victim’s region, sidestepping Instagram’s location alarms, then asked the support assistant to add a new email and send a verification code, as the BBC confirmed from the same recordings. The bot complied, sending the one-time code straight to the attacker, Gizmodo reported. The reset finished and the owner was locked out, in minutes. The exploit failed against any account with MFA enabled, according to Krebs.

The hijacked accounts were not soft targets. They included Sephora, U.S. Space Force senior enlisted leader Chief Master Sergeant John Bentivegna, researcher Jane Manchun Wong, and a dormant Obama White House handle that briefly posted a defaced image, according to 404 Media. Meta disputes the Obama account, according to TechCrunch, and called claims that leaders’ accounts were breached “completely false,” according to the BBC. The rest stand.

MFA held. The recovery path beside it did not.

The detail that decided who survived was narrow. Krebs reported the attack failed against any account with multifactor authentication, even SMS. The recovery path beside it was the gap. When that path asked for a selfie video, attackers ran the target’s public photos through an AI video generator and submitted the clip, which Meta accepted as valid identity verification, gHacks reported. Either way the failure was the recovery door, not the login door MFA guards.

That makes this an architecture problem, not a Meta problem. MFA gates the login path for owner and attacker alike, but the recovery path runs beside it, built to relax the usual checks because it exists for the moment a user has lost the normal way in. Meta put an agent on that path with write access to authentication state and no deterministic check between a convincing request and a committed change. Authorization cannot live inside the model, because a conversational system can be talked into skipping a check. It has to live outside the model, in a gate the agent cannot reason its way past. Security researchers have a name for this pattern, the confused deputy, a trusted system tricked into spending its privileges on an attacker’s behalf.

This is not the last support agent that will hand over an account. Ian Goldin, a threat researcher at Lumen’s Black Lotus Labs, told Krebs on Security that AI bots are as easy to social engineer as the human agents they replace, and just as eager to help. “AI chatbots create interesting new attack surface, and we’re likely going to see a lot more of these kinds of attacks,” Goldin said. Every enterprise wiring an agent into a recovery, provisioning, or password flow is shipping the same write access Meta did.

Simon Willison, who coined the term prompt injection, put it plainly on his blog. “Meta really did wire their support system into an AI chatbot that had the ability to fast-forward through the entire account recovery process,” he wrote. “This one hardly even qualifies as a prompt infection. Don’t wire your support bot up to allow one-shot account takeovers.” The attacker never tricked the agent. The attacker asked, and the agent had untrusted input, write access, and a way to execute, all at once.

OWASP named this class before Meta shipped it, as Excessive Agency at LLM06 and Identity and Privilege Abuse at ASI03 in the Agentic AI Top 10. The warning label was on the box: Meta pushed the assistant to every Facebook and Instagram account in March, according to 404 Media, with the power to reset passwords and handle recovery, the product page promising “solutions, not just suggestions” under the line “account security and recovery.” Meta gave the agent the power and never built the gate to govern it.

The AI Authority Audit Grid

Security operations leaders need to run this against their own support agent before the next renewal closes. Each row is an authentication write the agent makes on the recovery path, with what Meta proved, why your stack misses it, and the control that closes it.

The fix is not bolting yet another MFA prompt onto the login screen. The people who survived Meta’s incident were the ones who already had that control in place.

The fix is pulling authorization out of the recovery path’s honor system and putting it behind a gate that does not move just because a prompt sounds convincing. Build the agent so the SOC sees every write it makes, and so any write that changes who owns an account cannot commit without a check that the model does not control.

Meta just showed what happens when the most trusting employee on the team is also the one holding the keys. The next agent like that is already reading your intellectual property and financials.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers.

Serv-U is the company’s Windows and Linux file transfer software that offers Managed File Transfer (MFT) and FTP server capabilities, which allow users to securely exchange files via HTTP/HTTPS, FTP, FTPS, and SFTP.

SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch this denial-of-service vulnerability (tracked as CVE-2026-28318) and said it stems from an uncontrolled resource consumption weakness.

“SolarWinds Serv-U is susceptible to specially crafted POST requests that crash the Serv-U service without authentication using Content-Encoding: deflate,” the company said.

Remote attackers can exploit the security flaw without privileges in low-complexity attacks that don’t require user interaction.

SolarWinds also advised admins who can’t immediately deploy the patch to limit access to known addresses and to block any POST request containing “content-encoding,” since the vulnerable Serv-U service does not require this functionality.

The Internet intelligence platform Shodan currently tracks over 12,000 Serv-U servers exposed online, and Internet security watchdog Shadowserver just over 3,100, but there is no information on how many have already been patched.

​Days after SolarWinds addressed the vulnerability, CISA flagged it as exploited in the wild and added it to the Known Exploited Vulnerabilities Catalog, ordering all Federal Civilian Executive Branch agencies to patch their servers against ongoing attacks by June 19, as mandated by Binding Operational Directive (BOD) 22-01.

While BOD 22-01 applies only to U.S. government agencies, the cybersecurity agency also urged all network defenders, including the private sector, to secure their networks against ongoing CVE-2026-28318 attacks as soon as possible.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

In recent years, multiple cybercrime and state-backed hacking groups have targeted vulnerabilities in Serv-U to steal sensitive corporate and customer data.

For instance, the Clop ransomware gang exploited a Serv-U remote code execution vulnerability (CVE-2021-35211) to breach corporate networks in a 2021 campaign. DEV-0322 Chinese hackers also deployed CVE-2021-35211 exploits in zero-day attacks starting in July 2021.

More recently, in June 2024, cybersecurity companies GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability (CVE-2024-28995) as actively exploited.

Over the past several years, CISA has tagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks, one of which has also been abused by ransomware gangs.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Deep Robotics just released a video showcasing the enhanced skills of their DR02 humanoid in public. The machine is seen darting across an uneven field of grass, leaping over minor obstructions, bounding up massive concrete steps with little loss of steam, and even standing upright while carrying a fire extinguisher behind it.

The DR02 was created from the ground up by the company’s engineers to be a durable piece of equipment, and it shows. It’s a behemoth, standing 175 centimeters (5′ 7″) tall and weighing 65 kilos (143 pounds). One of the most notable aspects of this design is its IP66 waterproofing, which means it can endure dust and water. So, if you need a robot that can operate in situations that would send a human running for cover, this one has you covered. It can readily withstand rain, humidity, and dusty conditions that would be inconvenient for even the toughest humans, and to give you an idea of how durable it is, the DR02 can function in temperatures ranging from -20 to +55 degrees Celsius.

Unitree R1 Humanoid Robot (Red, R1 Air)

• Three models, one lightweight platform R1 Air (20 DOF, monocular camera), R1 (26 DOF, binocular camera, head+waist joints), and R1 Edu (26 DOF…
• Easy setup – no coding required for basic use Unbox, power on, and start. Manual teaching feature: physically pose the robot, and it replays the…
• More DOF = more expressive movement 26‑DOF models (R1 / R1 Edu) add head and waist articulation for smoother dance and running. For safety reasons…

The DR02 walks at a constant 1.5 meters per second (3.4 miles per hour), but it can quickly accelerate to 4 meters per second (8.9 miles per hour) for a short sprint. The robot can also navigate steep slopes of up to 20 degrees and operate well on uneven terrain. When it comes to lifting, each arm can manage 10 kilograms (22 pounds), which is very respectable, especially when you see it smoothly carrying a decent-sized mounted fire extinguisher.

The DR02 is powered by a small 275 TOPS computer on board that can read data from a LiDAR sensor, depth sensors, and a variety of wide-angle cameras. This enables it to develop real-time maps of its surroundings and change leg placement on the fly, whether it’s switching from grass to concrete or avoiding an unexpected impediment. The machine also features Deep Robotics’ J60, J80, and J100 joints, all of which are totally custom-built to provide a ton of torque and precision while keeping balanced even while carrying a load or scrambling over rough terrain.

One of the DR02’s most appealing features is its modularity, as the arms, legs, and forearms are all simply removable, allowing you to rapidly replace them if a problem arises. There is no need to transport the entire system back to the workshop for repairs; field personnel can do the job on the spot, and as a result, Deep Robotics is eyeing DR02 for real-world applications, including checking high-voltage lines, responding to emergencies, hauling gear in difficult terrain, and mapping out security patrol routes.

Even while it is still a prototype, and a very costly one at $200,000, it’s clear where this thing is going; with each tweak, it progresses from a lab toy to a legitimate tool you can use to get serious work done in places where you wouldn’t want to send a human. We still need to hear back from Deep Robotics on a few critical issues, such as how long the battery will survive and how customizable the design is.
[Source]

Having entered the consumer PC silicon market at Computex 2026 with the RTX Spark superchip, Nvidia CEO Jensen Huang has confirmed the platform extends well beyond its first chip, with successor architectures already in planning under the internal codenames N2X and N3X.

Huang confirmed this during a Q&A session with Tom’s Guide at Computex 2026, where he also clarified that the current chip carries the N1X designation because a smaller companion variant, referred to internally as N1, is also in Nvidia’s product pipeline.

The RTX Spark platform itself launched with considerable hardware ambition, combining up to 20 Arm CPU cores with a Blackwell GPU carrying 6,144 CUDA cores and up to 128GB of unified LPDDR5X memory, a specification that Nvidia has positioned against Apple Silicon and Qualcomm’s Snapdragon X platforms in the premium Windows on Arm segment.

Its new gameplay trailer gives us a glimpse of Anakin Skywalker.

Are you on the hunt for the perfect tech-related gift for your dad ahead of Father’s Day? Annoyingly, this year’s big day (June 21st) falls just before one of Amazon‘s biggest sales of the year.

I’m of course talking about Amazon Prime Day, which has just been officially announced for June 23-26. The annual sale is sure to feature everything from discounts on own-brand devices to cheap laptops, TVs, iPads – you name it.

legal

The bill awaits Gov. Hochul’s signature after passing the state legislature

New York lawmakers have approved a bill imposing new labor, energy, environmental, and community-benefit requirements on datacenters, including a one-year moratorium on certain permits for facilities drawing 20 MW or more.

The bill now heads to New York Gov. Kathy Hochul for a signature. A spokesperson for the governor told the New York Post she would review the legislation, but gave no signal as to whether she would sign it. Hochul has previously said she hoped to leave regulating datacenter construction to the local communities. 

“Today we face an unprecedented wave of proposed large-scale data center development across New York,” the bill’s sponsor Assemblymember Anna Kelles wrote in a statement posted to Instagram. “My legislation seeks to provide New York with the time necessary to fully evaluate the environmental, energy, water, and ratepayer impacts of these facilities and to develop appropriate regulatory safeguards before additional projects move forward.” 

The Assembly approved the bill on Thursday, the same day Anthropic, the AI giant behind Claude, called for a pause on LLM development sprints as developers believe the models could soon be capable of building themselves. In light of that possibility, researchers at Anthropic said the world would benefit from a slowdown in the race to make models more powerful. 

In New York, lawmakers hope to protect consumers from higher energy bills by creating a special classification for datacenter electrical customers and mandating that all necessary infrastructure upgrades, administrative expenses, and operational costs be assigned entirely to the datacenter. 

The bill also outlines electricity-sourcing requirements for datacenters with a peak load of at least 5 MW, requiring a phased shift toward renewable energy, with one-third of electricity coming from renewable sources between 2030 and 2034, two-thirds between 2035 and 2039, and 90 percent from 2040 onward.

For trade workers who are employed to build the facilities and maintain the buildings later, the bill requires the datacenters to meet prevailing wage requirements, unless the workers are operating under a collective bargaining agreement. Additionally, it demands datacenter companies help host communities with renewable energy initiatives, and mitigate the strain on local wastewater treatment facilities. 

Business leaders are urging Hochul to reject the bill, saying it was rushed through at the end of a legislative session and presented without appropriate debate. 

In a statement provided to The Register, Julie Samuels, president and CEO of Tech:NYC, which promotes the state’s technology industry, said a blanket moratorium on datacenters would slow investment in the next generation of infrastructure projects.

“Energy usage, grid capacity, and the community impact of data centers must be addressed, and the Governor’s Public Service Commission is already pursuing the right approach by ensuring data centers pay their fair share for grid upgrades and energy usage,” Samuels wrote in a statement.  

Republican Assemblymember Phil Palmesano argued that datacenters were being unfairly targeted when other technology companies were given tax incentives to build, pointing to the recent groundbreaking of the Micron chip fab in Clay, New York, which is expected to create 50,000 New York jobs throughout construction, and up to 90,000 nationally. 

The bill, approved by the Senate on Friday, includes carve-outs for certain industrial computing applications, including manufacturing.

“If we told Micron they had to power their energy demands strictly using renewable resources, they wouldn’t be here,” Palmesano said, according to the NY Post. 

One of the first drafts of the bill had called for a three-year pause on datacenter construction. ®