
Microsoft links Mastra AI supply chain attack to North Korean hackers

Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff.

This attribution comes after Microsoft first disclosed earlier this week that attackers hijacked an npm maintainer account and used it to publish malicious package updates.

“Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector,” the company said in a June 19 update.

According to Microsoft, the attack began when threat actors compromised the npm maintainer account “ehindero,” which had publishing privileges across the Mastra package environment.

Using the account, the attackers published malicious updates for more than 140 packages in the @mastra scope that injected a malicious dependency named “easy-day-js”. This dependency is a typosquat of the legitimate and widely used dayjs JavaScript library.

When the compromised packages were installed, the malicious dependency executed a post-install hook that deployed a malware dropper on developers’ devices, ultimately aimed at stealing sensitive credentials, API keys, authentication tokens, and cryptocurrency wallets.

“Once installed, easy-day-js triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process,” explains Microsoft.
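A defender-side check for the pattern described above, as an added example that is not from Microsoft or the original article: it audits a parsed package-lock.json (lockfileVersion 2 or 3) for the reported easy-day-js dependency, for packages that pull it in, for names that embed dayjs without being it, and for any package that declares install scripts. The sample lockfile, the @mastra/example-pkg name, the version strings and the PROTECTED list are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).

// Dependency name reported in the article.
const KNOWN_BAD = new Set(["easy-day-js"]);
// Legitimate names to guard against lookalikes (assumed list; extend locally).
const PROTECTED = ["dayjs"];

// Drop scope, separators and case: "easy-day-js" -> "easydayjs".
function squash(name) {
  return name.replace(/^@[^/]+\//, "").replace(/[-_.]/g, "").toLowerCase();
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b".
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? "" : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (!name) continue; // root project ("") and workspace folders
    const version = entry.version || "unknown";

    if (KNOWN_BAD.has(name)) {
      findings.push({ type: "known-bad", package: name, version });
    } else {
      // Heuristic only: flags names that contain a protected name without
      // being that package. Expect false positives (plugins, forks).
      const s = squash(name);
      const hit = PROTECTED.find((p) => s !== squash(p) && s.includes(squash(p)));
      if (hit) findings.push({ type: "lookalike", package: name, version, resembles: hit });
    }

    // npm records hasInstallScript for packages with pre/post/install scripts.
    if (entry.hasInstallScript === true) {
      findings.push({ type: "install-script", package: name, version });
    }

    // Which installed packages declare the bad name as a dependency?
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (KNOWN_BAD.has(dep)) {
        findings.push({ type: "pulls-known-bad", package: name, version, dependency: dep });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile; names other than easy-day-js and dayjs,
// and all versions, are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@mastra/example-pkg": "*" } },
    "node_modules/@mastra/example-pkg": {
      version: "0.0.0-example",
      dependencies: { "easy-day-js": "*" },
    },
    "node_modules/easy-day-js": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/dayjs": { version: "0.0.0-example" },
    "node_modules/some-native-addon": { version: "0.0.0-example", hasInstallScript: true },
  },
};

for (const finding of auditLockfile(SAMPLE_LOCK)) {
  console.log(JSON.stringify(finding));
}
```

On a real project, pass the result of `JSON.parse` on the contents of package-lock.json; installing with `npm ci --ignore-scripts` keeps install hooks from running while the findings are reviewed.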

Cross-platform malware targets crypto wallets

The downloaded second-stage payload was a cross-platform information stealer designed to target Windows, Linux, and macOS systems.

The implant collected information about the host, browser histories, installed applications, and running processes, and checked whether 166 cryptocurrency wallet browser extensions were installed, including MetaMask, Phantom, Coinbase Wallet, Binance Wallet, and TronLink.

The malware also used different persistence methods depending on the operating system, such as Windows Registry Run keys, macOS LaunchAgents, and Linux systemd services.

Mastra npm supply chain compromise
Source: Microsoft

Microsoft says systems that communicated with the attackers’ command-and-control servers had follow-on activity that utilized tactics previously associated with Sapphire Sleet.

This includes the deployment of a PowerShell backdoor previously used by the group, additional persistence mechanisms, Microsoft Defender exclusions, and a malicious Windows service that granted SYSTEM privileges.

“The PowerShell backdoor, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other, prior campaigns,” Microsoft explained.

Sapphire Sleet is a North Korean state-sponsored threat actor known for cryptocurrency theft campaigns, malicious browser extensions, fake job offers, and software supply chain compromises designed to steal credentials and cryptocurrency assets.

Microsoft says the group was also responsible for a separate npm supply chain attack on the Axios HTTP client in April 2026.


If you have a Mac, you should try this free and beautifully-designed disk space tool

Running out of storage on a Mac is common, but Apple’s built-in storage tools are not always great at showing what is actually taking up space. You usually get broad categories, but finding the exact folders, downloads, app files, or old projects causing the problem can still take some work.

Radix is a free, open-source Mac app that tries to make that process clearer. It is a disk space analyzer that scans a folder, drive, or volume and displays the results in an interactive sunburst chart. Rather than digging through folders manually, you get a visual overview of how storage is being used across your drive.

What does Radix actually show?

Radix uses a circular chart where each ring represents another layer of folders. Larger sections take up more space, so it is easier to spot the files or directories that are using the most storage. You can click into sections to drill down, hover for more details, and sort or filter files by size, name, date, or type.

The app is built with Swift and SwiftUI, and its developer, Colin Kim, says it uses native macOS APIs to keep scanning fast. In a Reddit post, Kim said Radix uses under 100MB of RAM on launch and is designed to handle large scans efficiently.

How does it compare with other Mac tools?

Radix is entering a category with several existing options. DaisyDisk is probably the best-known polished version, but it costs $9.99. GrandPerspective and Disk Inventory X are older free alternatives, while SquirrelDisk is open-source but has not been maintained since early 2023, according to Kim.

Radix’s main draw is that it is free, open-source, and more modern-looking than many older disk analyzers. It also supports Quick Look, file metadata inspection, and search across either the current folder or the full scan tree. Everything runs locally, with no account, telemetry, or data collection. Radix supports macOS 14.0 or later.

CISA warns Fortinet users to secure devices after FortiBleed leak

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”

This warning comes after threat actors used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.

“CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” it said.

“This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”

The agency called on affected FortiGate appliance owners to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.

CISA also advised Fortinet customers to store admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, and to restrict firewall management interfaces from public internet access and remove any unauthorized accounts to reduce the attack surface as much as possible.

Credentials for over 73K firewalls exposed

The FortiBleed data leak was uncovered by security researcher Volodymyr “Bob” Diachenko, who discovered a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords for 73,932 firewall URLs worldwide.

The exposed data also includes each organization’s industry, revenue, and employee count, which Diachenko said appeared to be compiled to assist in planning future attacks.

Threat intelligence company Hudson Rock, which also analyzed the dataset, described it as one of the largest known collections of compromised Fortinet credentials, spanning 21,632 unique domains and 194 countries.

Among the organizations represented in the dataset are Samsung, Mercedes-Benz, Foxconn, Chevron, Comcast, AT&T, and Toyota, along with many government agencies and critical infrastructure operators across telecommunications, healthcare, financial services, and manufacturing industry sectors.

The highest number of affected devices were from India, the United States, Taiwan, Mexico, Turkey, Thailand, Colombia, Malaysia, Chile, and the United Arab Emirates.

Fortinet credentials found on an exposed server (Volodymyr Diachenko)

Data leak linked to Russian-speaking threat group

Diachenko also said the operation was conducted by a Russian-speaking threat group that allegedly carried out approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets to intercept SSL VPN authentication hashes. The source of the configuration data remains unknown.

Cybersecurity expert Kevin Beaumont has also independently confirmed the authenticity of some credentials and noted that most affected devices remain online.

“The data is legit. It is around 75k devices. Almost all are still online, and Fortinet devices. It appears to be recent data,” Beaumont said, adding that the leaked data appears to have originated from Fortinet configuration files.

However, the source of the data remains unknown, and it is unclear whether it was stolen through exploitation of previously disclosed Fortinet vulnerabilities, a newly discovered security flaw, or another method.

Hudson Rock has also created a free FortiBleed lookup tool to help organizations check whether they are affected.

On Monday, threat intelligence company Defused also reported that several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform are now exploited in attacks. In total, CISA tracks 26 Fortinet security flaws that have been exploited in the wild in recent years, 13 of which were abused in ransomware attacks.


Every fusion startup that has raised over $100M

Over the last several years, fusion power has gone from the butt of jokes — always a decade away! — to an increasingly tangible and tantalizing technology that has drawn investors off the sidelines.

The technology may be challenging to master and expensive to build today, but fusion promises to harness the nuclear reaction that powers the sun to generate nearly limitless energy here on Earth. If startups are able to complete commercially viable fusion power plants, then they have the potential to upend trillion-dollar markets.

The bullish wave buoying the fusion industry has been driven by three advances: more powerful computer chips, more sophisticated AI, and powerful high-temperature superconducting magnets. Together, they have helped deliver more sophisticated reactor designs, better simulations, and more complex control schemes.

It doesn’t hurt that, at the end of 2022, a U.S. Department of Energy lab announced that it had produced a controlled fusion reaction that produced more power than the lasers had imparted to the fuel pellet. The experiment had crossed what’s known as scientific breakeven, and while it’s still a long ways from commercial breakeven, where the reaction produces more than the entire facility consumes, it was a long-awaited step that proved the underlying science was sound.

Founders have built on that momentum in recent years, pushing the private fusion industry forward at a rapid pace.

Commonwealth Fusion Systems

Commonwealth Fusion Systems (CFS) has raised about a third of all private capital invested in fusion companies to date. Its latest round, which closed in August, added $863 million to its coffers, bringing its total raised near $3 billion.

CFS’s Series B2 came four years after its $1.8 billion Series B, which helped catapult the company into the pole position. Since then, the startup has been hard at work in Massachusetts building Sparc, its first-of-a-kind power plant intended to produce power at what it calls “commercially relevant” levels. 

Sparc’s reactor is a tokamak design, which resembles a doughnut. The D-shaped cross section is wound with high-temperature superconducting tape, which, when energized, generates a powerful magnetic field that will contain and compress the superheated plasma. Heat generated from the reaction is converted to steam to power a turbine. CFS designed its magnets in collaboration with MIT, where co-founder and CEO Bob Mumgaard worked as a researcher on fusion reactor designs and high-temperature superconductors.

The Massachusetts-based CFS expects to have Sparc operational in late 2026 or early 2027. Later this decade, the company says it will begin construction on Arc, its commercial power plant that will produce 400 megawatts of electricity. The facility will be built near Richmond, Virginia, and Google has agreed to buy half its output.

CFS is backed by a long list of investors, including Breakthrough Energy Ventures, The Engine, Bill Gates, and others.

TAE Technologies

Founded in 1998, TAE Technologies (formerly known as Tri Alpha Energy) was spun out of the University of California, Irvine by Norman Rostoker. It uses a field-reversed configuration, but with a twist: after the two plasma shots collide in the middle of the reactor, the company bombards the plasma with particle beams to keep it spinning in a cigar shape. That improves the stability of the plasma, allowing more time for fusion to occur and for more heat to be extracted to spin a turbine. 

In December 2025, TAE announced that it would merge with President Donald Trump’s social media company, Trump Media & Technology Group. The all-stock transaction would value the combined company at $6 billion. TAE would receive $200 million plus another $100 million upon filing paperwork with the Securities and Exchange Commission. TAE CEO Michl Binderbauer will serve as co-CEO of the combined company alongside Devin Nunes, who had been sole CEO of Trump Media.

The fusion startup had previously raised $150 million in June from existing investors, including Google, Chevron, and New Enterprise. Before the merger, TAE had raised a total of $1.79 billion, according to PitchBook.

Helion

Of all fusion startups, Helion has the most aggressive timeline. The company plans to produce electricity from its reactor in 2028. Its first customer? Microsoft.

Helion, based in Everett, Washington, uses a type of reactor called a field-reversed configuration, where magnets surround a reaction chamber that looks like an hourglass with a bulge at the point where the two sides come together. At each end of the hourglass, the reactor spins the plasma into doughnut shapes that are shot toward each other at more than 1 million mph. When they collide in the middle, additional magnets help induce fusion. When fusion occurs, it boosts the plasma’s own magnetic field, which induces an electrical current inside the reactor’s magnetic coils. That electricity is then harvested directly from the machine.

The company most recently raised $465 million in June in a Series G that valued the company at $15.5 billion. Its previous round, announced in January 2025, totaled $425 million. Altogether, Helion says it has raised $1.5 billion. Investors include Sam Altman, SoftBank Vision Fund 2, Reid Hoffman, KKR, BlackRock, Peter Thiel’s Mithril Capital Management, and Capricorn Investment Group.

Pacific Fusion

Pacific Fusion burst out of the gate with a Series A that topped $1 billion, the startup has told TechCrunch. That’s a whopping sum even among well-funded fusion startups. The company will use inertial confinement to achieve fusion, but instead of lasers compressing the fuel, it will use coordinated electromagnetic pulses. The trick is in the timing: All 156 impedance-matched Marx generators need to produce 2 terawatts for 100 nanoseconds, and those pulses need to simultaneously converge on the target.

The company is led by CEO Eric Lander, the scientist who led the Human Genome Project, and president Will Regan. Pacific Fusion’s funding might be massive, but the startup hasn’t gotten it all at once. Rather, its investors will pay out in tranches when the company achieves specified milestones, an approach that’s common in biotech.

Shine Technologies

Shine Technologies is taking a cautious — and possibly pragmatic — approach to generating fusion power. Selling electrons from a fusion power plant is years off, so instead, it’s starting by selling neutron testing and medical isotopes. More recently, it has been developing a way to recycle radioactive waste. Shine hasn’t picked an approach for a future fusion reactor, instead saying that it’s developing necessary skills for when that time comes.

The company has raised a total of $1 billion, according to PitchBook. Investors include Energy Ventures Group, Koch Disruptive Technologies, Nucleation Capital, and the Wisconsin Alumni Research Foundation. The company most recently raised a $240 million round in February led by NantWorks with participation from investors including Deerfield Management, Fidelity Management & Research Company, Oaktree Capital Management, Pelican Energy Partners, and the Sumitomo Corporation of Americas.

General Fusion

Now in its third decade, General Fusion has raised over $600 million. The Richmond, British Columbia-based company was founded in 2002 by physicist Michel Laberge, who wanted to prove a different approach to fusion known as magnetized target fusion (MTF). Investors include Jeff Bezos, Temasek, BDC Capital, and Chrysalix Venture Capital.

In General Fusion’s reactor, a liquid metal wall surrounds a chamber in which plasma is injected. Pistons surrounding the wall push it inward, compressing the plasma inside and sparking a fusion reaction. The resulting neutrons heat the liquid metal, which can be circulated through a heat exchanger to generate steam to spin a turbine.

General Fusion hit a rough patch in spring 2025. The company ran short of cash as it was building LM26, its latest device that it hoped would hit breakeven in 2026. Just days after hitting a key milestone, it laid off 25% of its staff. CEO Greg Twinney penned an open letter pleading for funding from investors. 

In August, they delivered somewhat, injecting $22 million in a pay-to-play round that one investor called “the least amount of capital possible” to keep General Fusion afloat. Then in November, securities filings in Canada revealed that the company had raised $51.1 million in SAFE notes from nearly 70 investors, the Globe and Mail reported. Altogether, it has raised $612 million, according to PitchBook.

In January, General Fusion said it would go public via a reverse merger with a special purpose acquisition company. Assuming the deal closes as planned, General Fusion could bring in an additional $335 million.

Inertia Enterprises

Only one fusion experiment, the National Ignition Facility (NIF), has surpassed scientific breakeven, and the chief scientist of that endeavor, Annie Kircher, is part of Inertia Enterprises’ founding team. She’s joined by Mike Dunne, a Stanford professor, and Jeff Lawson, who co-founded Twilio and currently owns The Onion. In April, the startup signed three agreements to commercialize the technology developed at the NIF.

Inertia plans to use lasers to bombard fusion fuel pellets, an inertial confinement design that echoes the one Kircher successfully used at the NIF. Inertia Enterprises emerged from stealth in February with $450 million in Series A funding in a round led by Bessemer Venture Partners with participation from GV, Modern Capital, Threshold Ventures, and others.

Focused Energy

Germany-based Focused Energy is another fusion startup that traces its lineage to the National Ignition Facility (NIF). In addition to using laser pulses to compress a fuel target, the company has hired Debbie Callahan as its chief strategy officer. Callahan helped design the fuel target at NIF. Her job at Focused Energy will be to figure out how to turn the NIF’s painstakingly crafted fuel target into something that can be mass manufactured at a rate of nearly 1 million per day.

Focused Energy raised an oversubscribed $240 million Series A in June, bringing its total private capital raised to $400 million. The company has also received $200 million in grants. Investors include the German Federal Agency for Breakthrough Innovation (SPRIND), Prime Movers Lab, and the utility RWE, which has granted Focused Energy access to a decommissioned nuclear fission power plant it operates.

Tokamak Energy

Tokamak Energy takes the usual tokamak design — the doughnut shape — and squishes it, reducing its aspect ratio to the point where the outer bounds start resembling a sphere. Like many other tokamak-based startups, the company uses high-temperature superconducting magnets (the rare earth barium copper oxide, or REBCO, variety). Since its design is more compact than a traditional tokamak, it requires less in the way of magnets, which should reduce costs. 

The Oxfordshire, U.K.-based startup’s ST40 prototype, which looks like a large, steampunk Fabergé egg, generated an ultra-hot, 100-million degree Celsius plasma in 2022. Its next generation, Demo 4, is currently under construction and is intended to test the company’s magnets in “fusion power plant-relevant scenarios.” Tokamak Energy raised $125 million in November 2024 to continue its reactor design and expand its magnet business. In April, the startup said it would be supplying magnets for the U.K.’s STEP Fusion program, a government program that is working toward a spherical tokamak-based power plant.

In total, the company has raised $336 million from investors, including Future Planet Capital, In-Q-Tel, Midven, and Capri-Sun founder Hans-Peter Wild, according to PitchBook.

Zap Energy

Zap Energy isn’t using high-temperature superconducting magnets or super-powerful lasers to keep its plasma confined. Rather, it zaps the plasma (get it?) with an electric current, which then generates its own magnetic field. The magnetic field compresses the plasma to about 1 millimeter, at which point ignition occurs. The neutrons released by the fusion reaction bombard a liquid metal blanket that surrounds the reactor, heating it up. The liquid metal is then cycled through a heat exchanger, where it produces steam to drive a turbine.

The startup announced a partial pivot in April, saying it will pursue a hybrid power plant that employs both nuclear fusion and fission. It also hired a new CEO, Zabrina Johal, who has expertise in the fission industry. Zap claims the move will help it bring in revenue earlier than fusion alone.

The Everett, Washington-based company has raised $327 million, according to PitchBook. Backers include Bill Gates’ Breakthrough Energy Ventures, DCVC, Lowercarbon, Energy Impact Partners, Chevron Technology Ventures, and Bill Gates as an angel.

Type One Energy

Stellarator startup Type One Energy is planning to build a fusion reactor on the site of a retired Tennessee Valley Authority (TVA) coal power plant. The magnetic confinement device is expected to generate 350 megawatts of electricity, and the company hopes to bring it online by the mid-2030s.

Unlike other fusion startups, Type One plans to sell key technology to organizations like the TVA, allowing them to build, own, and operate the equipment, similar to how many fossil fuel power plants are developed today. Type One has raised $269 million to date, including an $87 million equity round in advance of a $250 million Series B that the company is currently raising.

Proxima Fusion

Most investors have favored large startups that are pursuing tokamak designs or some flavor of inertial confinement. But stellarators have shown great promise in scientific experiments, including the Wendelstein 7-X reactor in Germany.

Proxima Fusion is bucking the trend, though, having attracted a €130 million Series A that brings its total raised to more than €185 million. Investors include Balderton Capital and Cherry Ventures.

Stellarators are similar to tokamaks in that they confine plasma in a ring-like shape using powerful magnets. But they do it with a twist — literally. Rather than force plasma into a human-designed ring, stellarators twist and bulge to accommodate the plasma’s quirks. The result should be a plasma that remains stable for longer, increasing the chances of fusion reactions.

Kyoto Fusioneering

With all the startups pursuing fusion power, it was perhaps inevitable that another would pop up to develop components that round out a power plant. The so-called balance of plant, or the parts that sit outside the reactor, range from gyrotrons that heat plasma to heat extraction systems to harvest power from fusion reactions to turn it into electricity. 

Kyoto Fusioneering has made an early bet that if even one fusion startup succeeds in generating enough power to sell to the grid, the industry will need a supplier for the balance of plant and the expertise to integrate it into whichever fusion technologies win out.

Venture capitalists appear to agree, having invested $191 million in Kyoto Fusioneering. Investors include 31Ventures, In-Q-Tel, JIC Venture Growth Investments, Mitsubishi, and Sumitomo Mitsui Trust Investment.

Marvel Fusion

Marvel Fusion follows the inertial confinement approach, the same basic technique that the National Ignition Facility used to prove that controlled nuclear fusion reactions could produce more power than was needed to kick them off. Marvel fires powerful lasers at a target embedded with silicon nanostructures that cascade under the bombardment, compressing the fuel to the point of ignition. Because the target is made using silicon, it should be relatively simple to manufacture, leaning on the semiconductor manufacturing industry’s decades of experience.

The inertial confinement fusion startup is building a demonstration facility in collaboration with Colorado State University, which it expects to have operational by 2027. Munich-based Marvel has raised a total of $162 million from investors including b2venture, Deutsche Telekom, Earlybird, and HV Capital with Taavet Hinrikus and Albert Wenger as angels.

Thea Energy

Thea Energy is betting its pixel-inspired magnets will help it build a stellarator for less money. Stellarators can keep plasmas burning for long periods of time — a boon when it comes to running a commercial power plant — but to do so, they require twisty magnetic fields. Most stellarators build magnets that mimic that complex shape, but Thea Energy thinks that by wreathing its doughnut-shaped reactor in dozens of smaller magnets, it can use control software to create the necessary kinks.

In May, Thea raised $100 million in a Series B led by the U.S. Innovative Technology Fund, just over two years after a $20 million Series A. Across all rounds, the startup has raised $130 million in private capital. Other investors include Prelude Ventures, Lowercarbon Capital, Hitachi Ventures, and Emerald Technology Ventures.

First Light Fusion

Unlike many other fusion startups, First Light Fusion doesn’t use magnets to generate the conditions necessary for fusion. Instead, it follows an approach known as inertial confinement, in which fusion fuel pellets are compressed until they ignite. 

But even then, First Light doesn’t hew to orthodoxy. Most attempts at inertial confinement use lasers to do the dirty work, following the lead of the National Ignition Facility, which produced a groundbreaking experiment in 2022. Rather, First Light fires a projectile at a target using a two-stage gun; the first stage uses gunpowder to fire a plastic piston that compresses hydrogen to 145,000 psi, which then launches the projectile. The target is designed to amplify the force of the impact so it compresses the fuel to the point of ignition.

In March 2025, First Light announced that it would not pursue building its own power plant, instead offering its core technologies to other companies to build one. A spokesperson for First Light said that it is planning to build “pulsed power capability that would act as our demonstrator plant but would have other science and defense applications.” In other words, the company was dropping its plans for a power plant in a quest for revenue.

Based in Oxfordshire, U.K., First Light has raised $108 million from investors including Invesco, IP Group, and Tencent, according to PitchBook.

Xcimer

Though nothing about fusion can be described as simple, Xcimer takes a relatively straightforward approach: follow the basic science that’s behind the National Ignition Facility’s breakthrough net-positive experiment and redesign the technology that underpins it from the ground up. The Colorado-based startup is planning to build a 10-megajoule laser system, 5x more powerful than the NIF setup that made history. Molten salt walls surround the reaction chamber, absorbing heat and protecting the first solid wall from damage. In June, Xcimer turned on Phoenix, a prototype system that it says is the most powerful privately owned laser in the world.

Founded in July 2022, Xcimer has raised $100 million from investors, including Hedosophia, Breakthrough Energy Ventures, Emerson Collective, Gigascale Capital, and Lowercarbon Capital.

This story was originally published in September 2024 and will be continually updated.

Harvard Business Review warns AI ‘workslop’ is rotting companies from the inside

TL;DR

HBR says companies that went all-in on AI face “knowledge decay” as low-quality outputs pile up, erode trust, and cost $9M a year in rework.

Companies that pushed hardest to adopt generative AI are now contending with a problem the technology was supposed to prevent: their work is getting worse. Two articles published by Harvard Business Review this month describe a feedback loop in which AI-generated low-quality output degrades the information companies rely on to make decisions, a phenomenon the authors call “knowledge decay.”

The June 2026 HBR article, written by Oxford operations management professor Matthias Holweg and Babson College professor Thomas Davenport, argues that the damage goes beyond individual errors. When employees use AI to produce work that looks polished but contains mistakes or lacks substance, colleagues downstream waste time verifying, correcting, or redoing it. As those errors compound across teams and departments, the organisation’s collective knowledge base deteriorates.

This low-quality AI output already has a name. BetterUp Labs and Stanford’s Social Media Lab coined “workslop” in a September 2025 HBR article to describe AI-generated content that masquerades as good work but lacks the substance to advance a task. Their survey of 1,150 US full-time workers found that 41 percent had received workslop in the preceding month, with each incident requiring an average of one hour and 56 minutes to sort out.

The financial cost is significant. Using respondents’ self-reported salaries and time estimates, the researchers calculated that workslop costs roughly $186 per worker per month. For a company of 10,000 employees, that translates to more than $9 million annually in lost productivity, a figure that does not account for the downstream effects on morale and trust.

Those social costs may matter more than the financial ones. In the BetterUp-Stanford survey, 53 percent of workers who received workslop said they were annoyed, 42 percent viewed the sender as less trustworthy, and roughly half considered the colleague less creative, capable, or reliable than before. A third said they were less likely to want to work with that person again.

The broader productivity picture is no more encouraging. A July 2025 MIT Media Lab report found that 95 percent of organisations saw no measurable return on their generative AI investments, despite billions in spending. Goldman Sachs reached a similar conclusion in March 2026, finding no meaningful relationship between AI adoption and productivity gains at the economy-wide level, even as 70 percent of S&P 500 management teams discussed AI on earnings calls.

The knowledge decay problem is distinct from the familiar complaint that AI hallucinates. Hallucinations are factual errors in AI output. Knowledge decay describes what happens to an organisation when those errors, and the broader pattern of low-effort AI-generated work, accumulate over months.

Workers stop trusting internal documents. Processes built on unreliable information produce unreliable results. Institutional memory thins as employees lean on AI rather than developing expertise themselves.

Holweg and Davenport warn that the hiring process has been particularly damaged. AI-generated resumes flood recruiters, AI-generated job listings mislead candidates, and AI-powered screening tools filter out qualified applicants. The result, as HBR puts it, is that trust in the hiring process has sunk to “all-time lows for both job seekers and recruiters.”

The worker backlash is already measurable. A 2026 survey of 2,400 workers across the US, UK, and Europe found that 29 percent admit to actively sabotaging their employer’s AI strategy by ignoring guidelines, refusing training, or deliberately skewing performance data. Among Gen Z workers, that figure rises to 44 percent, driven largely by fear of job displacement.

This resistance sits alongside a broader pattern of AI-justified layoffs that often lack clear evidence that AI systems actually replaced the eliminated roles. The tech sector recorded more than 95,000 job cuts across 247 events in 2026, with nearly half attributed to AI, even though analysts have questioned whether many of those companies had mature AI implementations capable of absorbing the work.

The irony is that fixing the workslop problem requires exactly the kind of labour AI was supposed to reduce. Business leaders must now invest in verification processes, quality standards, and human oversight to ensure AI-generated content meets the bar, work that consumes the time of actual employees. HBR’s prescription amounts to building a new layer of human checking around AI output, which undermines the efficiency argument that justified adoption in the first place.

Both HBR articles draw a distinction between indiscriminate AI mandates and targeted use. The June article notes that proprietary models trained on company-specific data can add genuine value, while public LLMs applied to tasks they are poorly suited for produce “generic prose that often contains mistakes.” Companies that froze hiring citing AI productivity gains are now discovering that the gains may be illusory if the quality of the work degrades faster than the headcount shrinks.

The knowledge decay concept reframes the AI productivity debate. The question is no longer just whether AI makes individual tasks faster, but whether the cumulative effect of widespread AI use makes an organisation’s decision-making better or worse. HBR’s answer, for companies that adopted AI without quality controls, is that it makes it worse.

Holweg and Davenport’s credentials lend the argument weight, but it is worth noting that the knowledge decay framework has not yet been tested through controlled empirical studies. The concept synthesises existing evidence rather than presenting new data, and the BetterUp-Stanford workslop survey relies on self-reported estimates of time lost. How accurately workers gauge time spent on rework is an open question.

Still, the pattern is consistent across multiple sources. Goldman Sachs, MIT, BCG, and now two separate HBR articles from different research teams arrive at variations of the same conclusion: most companies are not getting what they expected from generative AI, and the ones that pushed hardest may be paying the highest hidden cost.

Hackers are mass-exploiting a Gravity SMTP flaw to steal API keys from 100,000 WordPress sites

TL;DR

Wordfence blocked 17M+ attempts to exploit a Gravity SMTP bug that leaks API keys and system data from WordPress sites without authentication.

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.

The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026, but exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or discovered the flaw independently after the patch drew attention to it.

The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback function that unconditionally returns true. That means no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin’s register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site’s full system report.

The exposed data includes API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and credentials for any of these services appear in the response if they have been configured. An attacker who obtains those credentials can send email on behalf of the compromised site, a capability that is useful for phishing campaigns and business email compromise.

The system report also contains the WordPress version, PHP version and loaded extensions, the web server version, the document root path, the database server type and version, all active plugins with their version numbers, the active theme, and database table names. That information gives attackers a detailed map of the site’s software stack, significantly reducing the reconnaissance effort required to plan follow-on attacks against known vulnerabilities in specific plugin or server versions.

“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site,” Wordfence researchers wrote in their advisory.

Exploitation volume spiked sharply around 6 June 2026, with Wordfence blocking more than 4 million requests in a single day on 7 June. The attack traffic has originated primarily from a cluster of IP addresses that Wordfence published for administrators to add to blocklists. The key indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, particularly those containing the ?page=gravitysmtp-settings query parameter.

CrowdSec, the open-source threat intelligence platform, independently corroborated the timeline. It deployed detection for CVE-2026-4020 on 22 May and observed the first real-world exploitation on 27 May. By 1 June, the activity had been classified as background noise, indicating it had been integrated into automated scanning routines that sweep WordPress sites at scale.

The speed at which exploitation was industrialised reflects a broader pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress’s plugin ecosystem has faced repeated supply chain compromises in 2026, including an attack in which 30 plugins purchased on Flippa were backdoored and lay dormant for eight months before activation.

The Gravity SMTP vulnerability is distinct from those supply chain attacks in that it does not involve malicious code injected by a compromised developer. It is a straightforward coding error, a permission callback that should have verified the requesting user’s credentials but instead returned true for every request. The simplicity of the flaw makes its survival through development, review, and release notable.

The exposure of API credentials is particularly dangerous because those credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or rotate the API keys that may have already been harvested. Credential theft through software flaws is an accelerating problem across the industry, with recent research showing that exposed API credentials are exploited within minutes of discovery.

Wordfence’s advisory urges site owners running a vulnerable version of Gravity SMTP who have configured third-party email integrations to assume compromise. The recommended remediation is to update the plugin to version 2.1.5 or later, then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the published attacker IP addresses.
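
One way to run the log review described above, as an added example that is not from Wordfence or the article: a Python scanner for combined-format access logs that flags requests to the endpoint and separates refused probes from requests the server answered. The sample lines, verdict names and helper functions are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators named in the article; everything else here is illustrative.
IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
IOC_PARAM, IOC_VALUE = "page", "gravitysmtp-settings"
SEVERITY = {"probe": 0, "reached-endpoint": 1, "likely-leak": 2}

# Combined/common log format: ip - user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return a finding dict if the line hits the IoC endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Normalise encoding, case and duplicate slashes before comparing.
    path = re.sub(r"/{2,}", "/", unquote(url.path).lower()).rstrip("/")
    if not path.endswith(IOC_PATH):  # endswith also covers subdirectory installs
        return None
    has_param = IOC_VALUE in parse_qs(url.query).get(IOC_PARAM, [])
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if status == 200 and has_param:
        verdict = "likely-leak"       # answered with the parameter set: assume exposure
    elif status == 200:
        verdict = "reached-endpoint"  # endpoint answered; inspect manually
    else:
        verdict = "probe"             # non-200: blocked or otherwise refused
    return {"ip": m["ip"], "ts": m["ts"], "status": status,
            "size": size, "verdict": verdict}

def scan(lines):
    """Classify every line and keep the worst verdict seen per client IP."""
    hits = [h for h in map(classify, lines) if h]
    by_ip = defaultdict(lambda: {"count": 0, "worst": "probe"})
    for h in hits:
        entry = by_ip[h["ip"]]
        entry["count"] += 1
        if SEVERITY[h["verdict"]] > SEVERITY[entry["worst"]]:
            entry["worst"] = h["verdict"]
    return hits, dict(by_ip)

# Constructed sample lines (documentation IP ranges), not real traffic.
REQ = "/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings"
SAMPLE_LOG = [
    f'203.0.113.7 - - [07/Jun/2026:10:01:02 +0000] "GET {REQ} HTTP/1.1" 200 373912 "-" "-"',
    f'203.0.113.7 - - [07/Jun/2026:10:01:05 +0000] "GET {REQ} HTTP/1.1" 403 512 "-" "-"',
    '198.51.100.23 - - [07/Jun/2026:10:02:11 +0000] "GET /blog/wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.10 - - [07/Jun/2026:10:03:40 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 18233 "-" "-"',
    '198.51.100.23 - - [07/Jun/2026:10:04:09 +0000] "GET /WP-JSON/gravitysmtp/v1/tests/mock-data?page=gravitysmtp%2Dsettings HTTP/1.1" 401 98 "-" "-"',
]

if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for ip, info in sorted(by_ip.items()):
        print(f"{ip}: {info['count']} request(s), worst verdict {info['worst']}")
```

A `likely-leak` finding is the case where the credentials in the plugin's connectors should be rotated; a logged response size near the report size the article cites (about 365 KB, smaller if the server compresses responses) strengthens it.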

The CVE was published on 31 March 2026, two weeks after the patch shipped. Despite the three-month window between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches become available and when organisations deploy them is one of the most persistent problems in software security, and WordPress plugins are especially prone to it because many site operators do not monitor plugin changelogs or enable automatic updates.

Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin, which is installed on approximately one million WordPress sites. That flaw allows attackers to delete files on the server through a path traversal bug, and deleting wp-config.php can revert a site to its initial setup state, potentially enabling a full takeover.

A patch for the Avada Builder flaw is available in version 3.15.4, and no active exploitation of CVE-2026-8713 has been observed yet.

Wordfence did not attribute the Gravity SMTP exploitation to a specific threat actor or group. The pattern of mass scanning from a small cluster of IP addresses is consistent with opportunistic credential harvesting rather than targeted intrusion, though the stolen credentials could be sold or shared with more sophisticated operators for follow-on attacks.

Podcast: Digital vs Analog with Lenny CoCo of MoFi at AXPONA 2026

Recorded from the show floor at AXPONA 2026, Lenny Coco of Mobile Fidelity Distribution discusses why vinyl still holds relevance in a digital-first world, and how it fits alongside modern streaming habits. The conversation avoids framing the formats as competitors and instead looks at how each serves a different role for listeners, with Coco offering his perspective as both an industry insider and music fan. In the end, the focus stays on what matters most: the connection to the music, regardless of how it is delivered.

Sponsors: Thank you SVS for sponsoring this episode, along with Audeze for supplying all guests LCD-S20 Headphones, and Loewe and T10 Bespoke for sharing lounge space at AXPONA 2026.

This episode was recorded on April 12, 2026 (the third day of AXPONA 2026).

GPD built a tiny Panther Lake powerhouse with RTX-level graphics, then removed the feature enthusiasts wanted most


  • GPD launches Panther Lake Mini PC with powerful integrated graphics
  • Core Ultra X7 358H delivers near RTX 3050M graphics performance
  • MCIO 8i connection brings high-bandwidth external GPU expansion support

GPD has introduced its new Panther Lake Mini PC with Intel’s Core Ultra processors, combining compact dimensions with desktop-focused connectivity options.

The base configuration uses the Core Ultra 7 356H processor, while the step-up variant deploys the Core Ultra X7 358H CPU with superior Arc B390 integrated graphics.

How to watch Tunisia vs Japan: World Cup 2026 Free Streams & TV Channels

Japan and Tunisia lock horns in a Group F-defining World Cup 2026 match at Estadio BBVA in Monterrey, Mexico. Tunisia find themselves staring down the barrel after a bitter opening round defeat that led to an emergency replacement in the dugout, while Japan seek to get on the front foot early.

A new coach in the middle of a high-stakes tournament is never good news, but the Tunisian FA had seen enough with a 5-1 loss to Sweden to replace Sabri Lamouchi with former Saudi Arabia boss Herve Renard. The Eagles of Carthage went undefeated in the CAF qualifiers, scoring 22 goals without conceding a single one, but now face an uphill task if they’re to make it out of the group for the first time.

Windows 11 26H2 continues Microsoft’s shift to smaller and faster updates

First look: Microsoft is sticking with smaller, incremental Windows 11 updates, and its next release will follow the same pattern. There’s no major feature rollout tied to Windows 11 26H2. Like version 25H2, it will arrive as an enablement package that toggles changes already present in the OS. On PCs already running Windows 11 24H2 or 25H2, the upgrade should be a quick enablement download, a single reboot, and a few minutes of install time, with no obvious changes on the desktop.

This approach dates back to Windows 11 24H2, released in October 2024, which marked the last traditional feature update. Since then, Microsoft has kept new versions on the same underlying platform. In practice, 25H2 and now 26H2 mostly exist to extend support timelines rather than add new capabilities.

New features are no longer tied to these annual releases. Instead, Microsoft is delivering them through monthly cumulative updates, allowing changes to roll out continuously. Recent updates have added a Low Latency Profile, with support for a movable taskbar expected in an upcoming Patch Tuesday release.

As a result, the annual “feature update” now acts more like a maintenance marker than the main way new features arrive.

Microsoft has positioned this update model as a way to reduce disruption, particularly for enterprise environments where stability is critical. “The next annual update for Windows 11 is coming soon… continues our focus on delivering a predictable, low-disruption update experience for organizations and IT professionals,” the company said in recent documentation.

Enablement packages are small, often under 500KB, and work by activating dormant code already present in the OS. Because the platform itself doesn’t change, installation is faster and tends to be less disruptive than a full upgrade.

That shift also changes what a version number represents. Moving from 24H2 to 26H2 doesn’t bring a new feature set; it keeps the same codebase while advancing the support timeline for that installation.

For 26H2, support runs through October 2028 for Home, Pro, Pro EDU, and Pro for Workstations. Enterprise, Education, and IoT Enterprise versions will receive updates until October 2029, in line with Microsoft’s standard lifecycle model.

Hardware requirements remain unchanged. Any system capable of running Windows 11 24H2 or 25H2, which requires at least 4GB of RAM, 64GB of storage, and a 64-bit dual-core processor, will support the new version.

A separate release, Windows 11 26H1, is tied to newer silicon platforms such as Nvidia N1 and Snapdragon X2. It’s based on a different platform baseline and doesn’t introduce exclusive user-facing features, so for most users, it isn’t a meaningful upgrade.

The broader shift is that Windows is now evolving through steady, incremental updates rather than periodic overhauls. The most meaningful changes arrive through monthly patches, while annual releases serve primarily to maintain and extend the platform.

Microsoft hasn’t said whether this model will continue beyond 2026, and didn’t confirm if the same approach will apply to a future 27H2 release. For now, though, the company appears committed to a cadence built around smaller updates and more predictable deployment.

This free Mac app puts stunning glassy widgets on your lock screen

The Mac lock screen has always felt a little underused. You see the time, your wallpaper, and not much else. macOS already supports desktop widgets, but once your Mac is locked, that extra information disappears.

WidgetScreen is trying to fix that in a pretty simple way. The free Mac app, made by UK computer science student Sam Cook, adds glassy widgets to the lock screen so you can quickly check things like the weather, clock, calendar, battery, music playback, countdowns, and system information.

The app is intentionally limited to the lock screen. The widgets appear when the Mac is locked and disappear when the user signs in, so they do not compete with macOS desktop widgets.

What does WidgetScreen actually do?

WidgetScreen is built for quick glances. You can arrange widgets on a grid, resize them, choose frosted or clear glass styles, change units and time format, and decide which display they appear on.

The app also avoids one obvious concern. It does not ask for Screen Recording permission, and its website says it does not capture your screen or read your wallpaper. Instead, the widgets sit above the lock screen as native windows. Weather data comes from Open-Meteo, with a coarse IP-based location by default. You can also set a custom city manually.

How much does it cost?

WidgetScreen is completely free, does not require an account, and works on macOS 15 or later. It also lives in the menu bar, so it is easy to tweak without digging around.

Cook is already taking feedback from Reddit users. Automatic updates and improved frosted glass visuals have been added, while user-added widgets, desktop support, more opacity controls, extra calendar options, and more widget styles are among the ideas being worked on for future updates.
