AI News Digest — 2026-05-16
Highlights
- Anthropic’s $900B valuation eclipses OpenAI: Anthropic is raising another $30B just three months after a same-size round, with annualized revenue approaching $45B and surpassing OpenAI’s valuation for the first time.
- Microsoft MDASH pits 100+ AI agents against each other to hunt Windows zero-days: Microsoft’s adversarial agent system uncovered 16 vulnerabilities (four critical) on a single Patch Tuesday, signaling defensive AI now matters at OS scale.
- ArXiv moves to ban authors who upload AI-slop preprints: Papers with hallucinated references or leftover LLM “meta-comments” will trigger author bans, marking the strongest action yet by a major preprint server against unchecked LLM output.
- TanStack supply-chain attack reaches OpenAI employee devices: A Mini Shai-Hulud npm-style compromise hit two corporate devices at OpenAI; the company says no production systems or user data were touched but is rotating signing certificates.
- OpenAI plugs ChatGPT into your bank account via Plaid: Pro users in the US can now connect 12,000+ financial institutions to GPT-5.5 Thinking for personalized financial guidance — pushing agentic AI into a heavily regulated, high-trust domain.
News
AI Security
- The Boring Stuff is Dangerous Now (Dark Reading): AI agents that discover and exploit obscure vulnerabilities are emerging alongside floods of AI-generated code, forcing defenders to rethink the attack surface.
- Microsoft pits 100+ AI agents against each other to find Windows vulnerabilities (The Decoder): MDASH uncovered 16 flaws (four critical) on one Patch Tuesday; Microsoft won’t say which models power it.
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices (The Hacker News): Mini Shai-Hulud-style attack reached corporate macOS endpoints; OpenAI says no user data or production systems were affected.
- Bypassing On-Camera Age-Verification Checks (Schneier on Security): Researchers fooled AI-based video age verification with a fake mustache — a cheap demonstration that production biometric AI is still brittle.
- Popular node-ipc npm package compromised to steal credentials (BleepingComputer): Credential-stealing malware injected into newly published versions of the widely used IPC package.
- Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own (BleepingComputer): Researchers earned $385,750 demonstrating 15 zero-days across Windows 11, Exchange, and RHEL at Pwn2Own Berlin 2026.
- Microsoft warns of Exchange zero-day flaw exploited in attacks (BleepingComputer): High-severity XSS-based RCE in Outlook on the web under active exploitation; mitigations published.
- Turla Turns Kazuar Backdoor Into Modular P2P Botnet (The Hacker News): Russian FSB-linked group reworks Kazuar into a peer-to-peer botnet engineered for stealth and persistence.
- Inside the REMUS Infostealer: Session Theft and MaaS (BleepingComputer): Authentication-token theft is overtaking password theft; REMUS scales the MaaS model around browser session hijacking.
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence (The Hacker News): Cyera disclosed “Claw Chain,” four chainable flaws letting attackers establish footholds and plant backdoors in agent runtime OpenClaw.
- Funnel Builder WordPress plugin bug exploited to steal credit cards (BleepingComputer): JavaScript skimmers injected into WooCommerce checkout pages via a critical Funnel Builder flaw.
- Avada Builder WordPress plugin flaws allow site credential theft (BleepingComputer): ~1M install base affected by arbitrary-file-read and DB extraction bugs.
- CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV (The Hacker News): Critical authentication-bypass in Cisco Catalyst SD-WAN Controller added to the Known Exploited Vulnerabilities catalog.
- Microsoft backpedals: Edge to stop loading passwords into memory (BleepingComputer): After previously calling it “by design,” Microsoft is removing clear-text password loading on Edge startup.
- Taiwan Bullet Train Hack Highlights Cybersecurity Gaps in Rail Systems (Dark Reading): A student with software-defined radio gear shut three bullet trains down for almost an hour.
- Congress Puts Heat on Instructure After Canvas Outage (Dark Reading): House Homeland Security letter lands the same day Instructure says it reached an “agreement” with the ShinyHunters group.
USA
- Anthropic’s $900B valuation would make it more valuable than OpenAI (The Decoder): $30B round, $45B ARR, fivefold revenue jump since end-2024.
- OpenAI keeps shuffling its executives in bid to win AI agent battle (The Verge): Greg Brockman becomes formal lead of all products as OpenAI re-orgs around its agent-first 2026 strategy.
- OpenAI launches ChatGPT for personal finance with bank account connection (TechCrunch): Plaid-mediated dashboard shows portfolio, spending, subscriptions, and upcoming payments — initially US Pro users on GPT-5.5 Thinking.
- OpenAI now wants ChatGPT to access your bank accounts (The Verge): Trust test for agentic finance — 12,000 institutions including Schwab and Fidelity are reachable through Plaid.
- Anthropic frames AI competition with China as a now-or-never moment for Washington (The Decoder): Policy paper lays out a binary 2028 scenario: US locks in compute lead or authoritarian regimes define the rules.
- The Musk v. Altman trial wraps up (TechCrunch): Closing arguments circled “can we trust the people running AI?” against the backdrop of an impending SpaceX IPO.
- Microsoft pulls Claude Code licenses, pushes developers to GitHub Copilot CLI (The Decoder): Thousands of internal developers lose Claude Code access as Microsoft consolidates around its own coding agent.
- xAI plays catch-up with Grok Build, its first terminal-based coding agent (The Decoder): xAI enters the CLI coding-agent fight against Claude Code, Codex, and Copilot CLI.
- OpenAI brings Codex to iOS and Android (The Decoder): Codex now drivable from the ChatGPT mobile app, no PC required.
- ArXiv will ban researchers who upload AI-slop papers (The Verge): Authors with hallucinated references or leftover LLM meta-comments face publication bans.
- AI research papers are getting better — and that’s a big problem (The Verge): AI-assisted citations and quasi-plausible methods sections are corroding peer review even when output looks competent.
- Google updates spam rules to include attempts to “manipulate” AI (The Verge): Manipulation of AI Overview / AI Mode now formally treated as search spam.
- Google busts the myth that AI search needs its own SEO playbook (The Decoder): “Generative engine optimization” is just SEO; tactics like LLMS.txt files don’t influence AI rankings.
- Runway started by helping filmmakers — now it wants to beat Google at AI (TechCrunch): Runway bets video generation is the path to world models, framing outsider status as an advantage.
- AI radio hosts show why AI can’t be trusted alone (The Verge): Andon Labs runs four unattended AI-DJ stations (Claude, ChatGPT, Gemini, Grok) — the failure modes are illustrative.
- Microsoft Research clarifies “LLMs Corrupt Your Documents When You Delegate” (Microsoft Research Blog): Follow-up post addressing debate around the paper’s claims on long-horizon delegated workflows.
- Silicon Valley’s vacationland needs a new energy provider as AI drives prices up (TechCrunch): Lake Tahoe faces higher utility prices as AI demand reshapes Western grids.
- Americans would rather live next to a nuclear plant than an AI data center (The Decoder): Gallup: 71% oppose nearby AI data centers vs. 53% for nuclear — water, energy, and utility costs dominate concerns.
- Osaurus brings local and cloud AI models to your Mac (TechCrunch): Mac app combines local and cloud inference while keeping memory and files on-device.
- How Chinese short dramas became AI content machines (MIT Technology Review): Bite-sized, smutty smartphone dramas are increasingly produced fully by AI pipelines.
Japan (AI & Tech)
- Runway opens a Tokyo office with a ¥6B Japan investment (ITmedia AI+): Runway’s CEO calls Japan the world’s most sophisticated creative industry as the company sets up a Japan business lead and commits ~$40M.
- “Claude for Small Business” launches in Japan, integrating with various SaaS (ITmedia AI+): Anthropic’s Claude Cowork now offers a small-business plan that drives connected SaaS workflows.
- Kioxia prepares U.S. shares after riding AI boom to big profit (Japan Times): Booming hyperscaler demand for memory is fueling Kioxia’s meteoric rise and US listing plans.
- Apple M5 MIE bypassed in first public memory-corruption demonstration (Gigazine): Security firm Calif used AI-assisted exploitation to defeat Apple’s Memory Integrity Enforcement on an M5 Mac, the first public bypass of MIE.
- Fanuc partners with Google to control industrial robots with an AI agent (ITmedia MONOist): Japan’s industrial-robot leader builds a physical-AI control stack with Google.
- Toyota files to build $2B assembly plant in Texas (Japan Times): Adds 2,000 jobs, deepens Toyota’s US footprint amid shifting manufacturing economics.
- Alphabet sells biggest yen bond on record by a foreign issuer (Japan Times): ¥576.5B raise underlines competition to finance data-center and AI infrastructure.
- DwarfStar 4 — compact native inference engine purpose-built for DeepSeek V4 Flash (Gigazine): Redis creator Salvatore Sanfilippo open-sources a local engine targeting DeepSeek’s V4 Flash on consumer PCs.
- Image-gen model “Anima” reaches official release (Gigazine): CircleStone Labs ships an SDXL/Illustrious-class model with combined tag and natural-language prompting that runs locally.
- Google expected to announce new Gemini at I/O 2026 (Gigazine): Gemini Spark BETA leak suggests a new tier just below the GPT-5.5 “Mythos” frontier.
- Chinese 1T-parameter open model Ring-2.6-1T beats GPT-5.4 and Gemini 3.1 Pro on select benchmarks (Gigazine): Ant Group / inclusionAI release a trillion-parameter open weights model that posts surprising benchmark numbers.
- Zyphra releases ZAYA1-8B-Diffusion-Preview, first diffusion LM trained on AMD AI chips (Gigazine): An autoregressive-to-diffusion conversion training pipeline on AMD silicon, signaling vendor diversity in the LM stack.
- Codex can now be driven from the ChatGPT mobile app (Gigazine): Mobile ChatGPT can orchestrate Codex coding and PC-control tasks without opening a laptop.
- xAI releases beta of Grok Build coding-agent CLI (Gigazine): Japan-time launch of xAI’s terminal coding assistant.
- Asahi and Nikkei sue Perplexity in Tokyo over unauthorized article use (ITmedia News): First oral arguments in a ¥4.4B copyright case that frames AI search as systematic infringement.
- OpenAI consulting law firms over Apple partnership friction (Gigazine): OpenAI reportedly weighing legal options against Apple, dissatisfied with reach and recognition from the Apple Intelligence deal.
- OpenAI supply-chain breach: 170+ packages affected, macOS users urged to update by June 12 (ITmedia News): Japanese-language coverage of the TanStack/Shai-Hulud incident with details on certificate rotation.
- Meta Ray-Ban Display adds neural handwriting input (Gigazine): Finger-trace text entry and on-display recording arrive on Meta’s display-equipped smart glasses.
- NGINX remote code execution vulnerability discovered (Gigazine): CVE-2026-42945 — a heap-buffer-overflow memory-corruption RCE that had sat in NGINX’s code for nearly 18 years.
Research Papers
Benchmarks & Evaluation
- ExploitBench: A Capability Ladder Benchmark for LLM Cybersecurity Agents: Reframes exploitation as a capability ladder (trigger → reusable primitives → control), arguing current benchmarks that treat “crash = success” collapse the hard part of offensive AI evaluation.
- Workspace-Bench 1.0: Benchmarking AI Agents on Workspace Tasks with Large-Scale File Dependencies: Evaluates agents on realistic multi-file workspaces with implicit dependencies, exposing the gap between toy file tasks and real-world worker environments.
Security & Adversarial
- MetaBackdoor: Exploiting Positional Encoding as a Backdoor Attack Surface in LLMs: Demonstrates a content-trigger-free backdoor that fires from positional encoding alone — no malicious string ever appears in user input.
- The Great Pretender: A Stochasticity Problem in LLM Jailbreak: Argues that popular adversarial-attack methods from major labs post inflated ASR numbers driven by stochasticity, calling into question current jailbreak leaderboards.
- WARD: Adversarially Robust Defense of Web Agents Against Prompt Injections: New guard model for web-browsing agents addressing high false-positive rates, latency, and weak generalization in current prompt-injection defenses.
- RLCracker: Evaluating the Worst-Case Vulnerability of LLM Watermarks with Adaptive RL Attacks: Introduces an adaptive RL adversary and a formal “adaptive robustness radius” metric, showing existing watermark evaluations overstate security.
- Talk is (Not) Cheap: A Taxonomy and Benchmark Coverage Audit for LLM Attacks: Builds a STRIDE-grounded 4×6 attack taxonomy from 932 security papers to audit whether benchmark suites cover the threat surface.
Compliance & Regulation
- The Compliance Trap: How Structural Constraints Degrade Frontier AI Metacognition Under Adversarial Pressure: Introduces SCHEMA, an evaluation showing that rigid compliance scaffolding can collapse a model’s metacognition (knowing what it doesn’t know) precisely when adversarial pressure is highest.
- Position: Behavioural Assurance Cannot Verify the Safety Claims Governance Now Demands: Position paper arguing that red-teaming and behavioral evals are being asked to substantiate claims (hidden objectives, loss-of-control resistance) they can’t actually verify, given 2019–2026 governance frameworks.
Alignment & Safety
- GradShield: Alignment Preserving Finetuning: Gradient-based filter that detects and removes both explicitly and subtly harmful samples during finetuning before they degrade alignment.
- Auditing Agent Harness Safety: Output-level evaluations miss harness-level violations (unauthorized resource access, context leaks across components); proposes trajectory-level safety auditing for agent runtimes.
- From Sycophantic Consensus to Pluralistic Repair: Why AI Alignment Must Surface Disagreement: Argues that pluralistic alignment-as-aggregation is incomplete — RLHF assistants collapse to sycophantic consensus and must instead surface and repair disagreement.
Applications
- RxEval: A Prescription-Level Benchmark for Evaluating LLM Medication Recommendation: Moves clinical-LLM evaluation from coarse admission-level prediction to per-prescription decisions — capturing dose, route, and timing as a patient’s condition evolves.
- CounselBench: A Large-Scale Expert Evaluation and Adversarial Benchmarking of LLMs in Mental Health Question Answering: 100-expert evaluation plus adversarial test suite for mental-health Q&A, where multiple-choice benchmarks have left open-ended responses unmeasured.
Guardrails & Robustness
- EVA: Editing for Versatile Alignment against Jailbreaks: Targeted weight editing as a lightweight defense against textual and visual jailbreaks, avoiding the utility cost of broad safety fine-tuning or external filters.
Key Themes
- Agentic AI security is now a first-order operational concern. Microsoft’s MDASH agents, the OpenClaw “Claw Chain” disclosures, the TanStack supply-chain hit on OpenAI, ExploitBench, and the WARD / Auditing Agent Harness Safety papers all converge on the same question: when agents have shells, tools, and credentials, behavioral evaluation isn’t enough.
- Trust is the new product surface. OpenAI plugging ChatGPT into bank accounts, the Musk v. Altman closing arguments, ArXiv banning AI-slop authors, and Asahi/Nikkei suing Perplexity all turn on the same question of who is accountable for what an AI produces or accesses.
- The benchmark-vs-reality gap is widening. RLCracker exposes overstated watermark robustness; “The Great Pretender” calls out inflated jailbreak ASR; the Compliance Trap paper and the Behavioural Assurance position paper argue that current safety evals can’t carry the weight governance is putting on them.
- Compute and energy politics are catching up with model politics. Anthropic’s “now or never” China memo, Alphabet’s record yen bond, Gallup’s 71% NIMBY result for AI data centers, and Lake Tahoe’s electricity squeeze make clear that frontier-AI competition has fully crossed into infrastructure policy.
- Japan is buying into the frontier stack on its own terms. Runway opening Tokyo, Claude for Small Business localizing in Japan, Kioxia’s US listing, Fanuc-Google robotics, and homegrown projects like DwarfStar 4 and Anima show a coordinated push to participate in (not just consume) frontier AI.
For detailed summaries of selected research papers, see papers.md.