Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after it or the device running it has rebooted.

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visit malicious sites, provide anonymous proxy browsing by others, enable proxied DDoS attacks, and monitor user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices.

“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out,” said Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022 in an interview. He said using the exploit code Google prematurely published would be “pretty easy,” although scaling it to wrangle large numbers of devices into a single network would require more work. In the thread of Rebane’s disclosure to Google, two developers said in separate responses that it was a “serious vulnerability.” Its severity was rated S1, the second-highest classification.

Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, he learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code. Google representatives didn’t immediately respond to an email asking how and why it published the vulnerability and if or when a fix would become available.

Red Hat Enterprise Linux has introduced the goose command for power users. Goose is an optional CLI AI assistance with model context protocol (MCP) integration. There is also improved visual output via color output enhancements. As for their rationale with the new AI integration: “The business value: Faster problem resolution, and a quicker path for new administrators to become proficient. This translates into higher developer productivity and accelerated project timelines.”

GitHub has announced on X that their internal repositories have been breached through a compromised VS Code Extension on an employee’s workstation. Bleeping Computer reported that the attack is linked to TeamPCP who have been in the news for a recent campaign affecting Checkmarx, Trivy, SAP, TanStack, and Bitwarden. The group appears to be attempting to sell the stolen code on cybercrime forums.

A coalition of thirteen major publishers has won a massive $19.5 million default judgment against shadow library Anna’s Archive. A New York federal judge fully approved the publishers’ requests, issuing a broad permanent injunction that orders more than twenty specific global registries, hosts, and service providers to immediately disable the site’s remaining domains. […] At first glance, the damages award is the headline figure. Judge Rakoff granted the maximum statutory damages of $150,000 for each of the 130 “Works in Suit.” This brings the final damages bill amount to a staggering $19,500,000. However, as with the $322 million judgment won by the music industry against Anna’s Archive in the related Spotify case, it’s highly unlikely that this money will be recouped.

For now, the operators of Anna’s Archive remain strictly anonymous, which doesn’t help either. The default judgment (PDF) addresses this and requires the operators to unmask their identities and provide a sworn statement with valid contact information to the court within 10 days. However, since the operators have previously stated they hide their identities to avoid “decades of prison time,” it is safe to assume that the operators will simply ignore this request. The true power of this default judgment lies in the permanent injunction. Anna’s Archive is known to evade enforcement and change domain names when needed, so the injunction targets the technical intermediaries that keep the site online.

Specifically, the injunction orders “all domain name registries and registrars of record” to permanently disable access to Anna’s Archive’s domains and prevent their transfer to anyone other than the publishers or the music industry plaintiffs in the related case. In addition to domain name services, the order also extends to international hosting providers, who are also ordered to stop working with the site. Leaving no room for interpretation, the order specifically names more than twenty companies and organizations. This includes familiar names like Cloudflare, Njalla, and DDOS-Guard, as well as the domain name registries of the site’s current active domains […]. The names include some intermediaries that were already listed in the Spotify default judgment, as well as new ones.

Memory chip stocks have soared in recent months as a flood of AI investing has sent demand soaring, with the chips a key part of the AI buildout in data centers. Chip production cycles stretch over many quarters for a single unit, and investors are increasingly wary of how long the leading memory makers can capture demand. CME Group is launching a new futures market for semiconductors, enabling more traders to lock in prices and hedge against the rising prices of computing power.

At Monday’s conference, Mosely also addressed the “very long lead times” and maintaining predictability with its clients. “We know what’s coming out a year from now,” he said. “And we’ve basically gone to the customers and said, ‘Look, if you want to plan this really well, which it should be for your data centers, we know what’s coming out. You can buy this stuff up to a certain period.’ And so we want to keep that four or five quarters of visibility very, very solid for what’s being built. But the demand is significantly higher than that.”

The outcome could reverberate across the industry. Because many of today’s popular smart TV operating systems are Linux-based, the case may help determine how much control many owners have over their sets. Access to the full code would allow users to make meaningful changes to how their TVs work, including limiting ads or deactivating automatic content recognition.

[…] The Software Freedom Conservancy argues it has the right to Vizio OS’s source code because it owns several Vizio TVs and because the operating system is based on Ubuntu, a Linux distribution. (SFC employees bought seven Vizio TVs from 2018 to 2021 after getting complaints about Vizio not sharing its TVs’ source code, according to the complaint.) In general, the Linux kernel is provided under the terms of GPLv2, as noted by kernel.org, which is run by the Linux Kernel Organization.

SFC’s lawsuit alleges that Vizio breached GPLv2 and LGPLv2.1 by failing to make available the complete source code for Vizio OS. The case is currently in the Orange County Superior Court of the State of California. The lawsuit targets Vizio specifically, but the impact could extend to other Linux-based smart TV OSes such as LG’s webOS, Samsung’s Tizen, and Roku’s Roku OS. “We expect all companies who distribute Linux and other software using right-to-repair agreements like the GPL in their products would comply with these agreements,” Denver Gingerich, the director of compliance at SFC, told Ars. […] SFC expects a ruling within three to six months of the conclusion of the trial, which is currently scheduled for August 10.

Each year, the Commonwealth Foundation, a nongovernmental organization in London, awards its short story prize to one writer in each of five regions: Africa, Asia, Canada and Europe, the Caribbean, and the Pacific. One overall winner is then selected from that short list. Regional winners take home [about $3,350], while the top winner, to be announced next month, claims [about $6,700]. On May 12, the respected UK literary magazine Granta published the top five 2026 entries — all previously unpublished, per the rules of the contest — on its website. (It has hosted the winning submissions for the prize since 2012.) Within days, however, one entry aroused suspicion. “The Serpent in the Grove,” a story by Jamir Nazir of Trinidad and Tobago, which had taken honors for the Caribbean region, struck a few people as bearing the stylistic tells of AI-generated text.

“Well, this is a first: a ChatGPT-generated story won a prestigious literary prize,” wrote researcher and entrepreneur Nabeel S. Qureshi, a former visiting scholar of AI at the Mercatus Center at George Mason University, in a post on X on Monday. "‘Not X, not Y, but Z’ sentences everywhere, the ‘hums’ trope, and plenty of other obvious markers of AI writing. A major milestone for AI, at any rate…” “They say the grove still hums at noon,” Nazir’s mysterious and atmospheric tale begins. In his screenshot of the opening paragraphs, Quereshi highlighted the second line as what he considered to be a signature example of AI syntax: “Not the bees’ neat industry or the clean rasp of cutlass on vine, but a belly sound — as if the earth swallows a shout and holds it there.”

As the literary community undertook a closer read of Nazir’s story, many criticized its language and metaphors as nonsensical, wondering how the Commonwealth judges could have seen any merit to them. Others shared screenshots showing that the AI-detection tool Pangram flagged “The Serpent in the Grove” as 100 percent AI-generated, a result that WIRED independently confirmed. (While no AI-detection software is perfect, third-party analysis has consistently determined Pangram to be the most accurate, with a near-zero rate of false positives.)

[…] Besides Nazir, two more winning authors have drawn allegations of using AI in their work. Pangram finds that “The Bastion’s Shadow,” by Maltese writer John Edward DeMicoli, winner for the Canada and Europe region, is fully AI-generated; it scans “Mehendi Nights,” by Indian writer Sharon Aruparayil, winner for the Asia region, as partly AI-generated. Neither DeMicoli nor Aruparayil immediately returned requests for comment when reached through their respective social media accounts. The other two short-listed stories, by Holly Ann Miller of New Zealand and Lisa-Anne Julien of South Africa, deliver “fully human-written” results from Pangram.

The AI coding boom is now coming directly for Android app development. On Tuesday at Google IO 2026, the company announced new native Android app creation capabilities in its web-based Google AI Studio, shrinking a process that takes weeks of setup and coding down to minutes. The company also said that consumers will be able to use Gemini AI to find the apps they need, both on the Play Store and the web, expanding opportunities for developers to have their apps discovered.

Google says the new capabilities could make sense for anyone from a seasoned developer looking to prototype a new app quickly to a first-time creator. […] The apps are built with the Kotlin programming language using Google’s Jetpack Compose toolkit and with support integration with hardware sensors like GPS, Bluetooth, and NFC, the company says. However, the resulting creations, for now, are only meant to be used personally, as publishing for family and friends is still on the roadmap. The company suggests the technology could be used for the creation of personal utilities and simple social apps, hardware-enabled experiences, or AI-powered experiences.

A reader alerted The Register to what appears to be a new crackdown on long-standing G Suite Legacy accounts, with similar complaints now piling up on Reddit from users accused of violating Google’s non-commercial use policy, despite insisting they use the accounts only for family email and personal domains. Reports have been stacking up on Reddit’s r/gsuitelegacymigration subreddit from users who say their long-running personal G Suite Legacy accounts are suddenly being classified as “commercial use” accounts and pushed toward paid Google Workspace plans by May 2026. A lot of users have been through this before. Google spent part of 2022 trying to wind down free G Suite Legacy accounts, then changed course after users running family domains made enough noise. Now some of those same users are being told they have fallen outside Google’s rules after all.

Emails seen by The Register warn users their accounts have been “identified as being used for commercial purposes” and say Google may start suspending Gmail, Calendar, Drive, Meet, and other Workspace services if they do not either win an appeal or begin paying for Workspace subscriptions. “Please upgrade to a paid Google Workspace subscription to continue using your services. Look out for a notification regarding the appeal process in Google Admin console or email,” the email reads. “If you don’t take action during your 45-day appeal period, Google will begin suspending your Google Workspace core services, including Gmail, Calendar, Drive, and Meet. As a result, you will lose access to these core services and data.”

In a paper published in the journal Nature, a team of scientists led by Kimihiko Nakajima, an astronomer at Kanazawa University, Japan, describes how they used the telescope to study a part of the deep universe and discovered a faint galaxy called LAP1-B. “LAP1-B establishes a ‘fossil in the making,’ a direct high-redshift progenitor of the ancient ultra-faint dwarf galaxies observed in the local universe,” they wrote. Because the galaxy is so small and distant, it would normally be impossible to see. However, it was spotted due to a phenomenon known as gravitational lensing, in which a massive cluster of closer galaxies acts like a giant magnifying glass, boosting the light from LAP1-B by 100 times.

The scientists realized that most of the light from the galaxy wasn’t coming from the stars, but from glowing clouds of gas. They analyzed this light by splitting it into a spectrum and studying the emission lines, which revealed the chemical composition of the gas. They found that the galaxy contains almost no heavy elements, and its oxygen abundance is about 240 times lower than the sun’s, making it one of the most primitive star-forming galaxies ever observed. The emission lines also revealed intense ionizing radiation, which is what scientists expect to see from the first generation of stars.

The team also measured an elevated carbon-to-oxygen ratio. This matches the predicted chemical signature for the first star explosions in history from Population III stars, the first stars to exist in the universe. The stars we see today are Population I stars, which formed later and contain more heavy elements. Another fascinating finding is that, after measuring the gas’s motion and speed, the researchers concluded that the galaxy is held together by a massive cloud of invisible dark matter.

Minnesota Gov. Tim Walz has signed the nation’s first law banning prediction market sites from operating in the state, and in response, the Trump administration has sued, teeing up a legal battle over the most far-reaching crackdown on popular services like Kalshi and Polymarket. It comes as states confront a growing standoff with the Trump administration over how to regulate the industry, which allows people to bet on virtually anything.

The new state law makes it a crime to host or advertise a prediction market, which it defines as a system that lets consumers place a wager on a future outcome, like sports, elections, live entertainment, someone’s word choice and world affairs. The prohibition extends to services supporting prediction markets, like virtual private networks, that could allow consumers to disguise their location and get around the ban. It would force prediction market sites like Kalshi and Polymarket to leave the state, or face possible felony charges. The law takes effect in August.

The law has a carve-out for event contracts that serve as an insurance policy in the event of “harm, or loss sustained” and for the purchase of securities and other commodities. The Commodity Futures Trading Commission’s lawsuit seeks to block the law before it starts, arguing the prediction market industry should be exclusively regulated by federal officials. “This Minnesota law turns lawful operators and participants in prediction markets into felons overnight,” said CFTC Chairman Michael Selig.

“Minnesota farmers have relied on critical hedging products on weather and crop-related events for decades to mitigate their risks. Governor Walz chose to put special interests first and American farmers and innovators last.” An updated version of the prediction market bill allows trading on weather, an exception that followed pushback from the agricultural industry, which has historically used futures trading on weather as a hedge against storms and other inclement weather that can affect a harvest. Walz is expected to sign it soon.

Plex is raising the price of a new Lifetime Plex Pass from $249.99 to $749.99 on July 1. That’s a $500 increase for media server software. Plex says it needs the money for “long-term development” and future features, but a lot of self-hosting folks are already wondering if this is basically a soft way of killing the Lifetime option without officially removing it. At nearly $750, are people just going to move to Jellyfin instead?

The company will also offer digital assistants, known as agents, to automate searches so that someone who may be apartment hunting can be notified of a new listing without opening a real estate site like Zillow. The search features will be powered by a new artificial intelligence model, Gemini 3.5 Flash. Google said the model had improved on creating software code and performing autonomous tasks, worked faster and was less expensive to run than comparable models.

[…] Google is also bringing one of A.I.‘s biggest breakthroughs — software coding — to search. When people research complex topics like astrophysics, Gemini can build interactive graphics and simulations behind the scenes to provide a deeper answer than its previous listing of websites. Google said it was introducing an alternative to the agents powered by Anthropic’s Claude Code and OpenAI’s Codex. Called Gemini Spark, the service is embedded in Gmail, Docs and other Google products, where it can turn meeting notes spread across emails and chats into a single document. It can also read and draft emails.

A proposed merger of the largest utility in the country by market value, NextEra Energy, with the sixth-largest, Dominion, would create a megacompany at a time when data centers and rapid increases in electricity demand are reshaping the industry. The proposal, announced Monday morning and contingent on state and federal regulatory approval, would result in a company that leads in nearly every aspect of the US power and utility industry, including overall electricity generation, natural gas generation, and renewables. The $67 billion deal combines NextEra’s size and reach with Dominion’s positioning as the local utility for the world’s largest concentration of data centers in northern Virginia. But the results are likely bad for consumers and the environment, creating a company with enormous financial and political strength that will be difficult to effectively regulate, according to consumer advocates and analysts.

For perspective, only Exxon Mobil and Chevron would be larger based on market value among US-based energy companies. “Mergers are not about consumers; they’re about shareholders,” said Ari Peskoe, director of the Electricity Law Initiative at Harvard Law School. “For the Dominion shareholders, they are selling their shares at a premium. The executives are getting massive payouts for facilitating this, assuming it all goes through, and obviously NextEra believes the transaction is going to add value to the company. Ratepayers are all an afterthought.” The deal makes financial sense for both companies, said Andrew Bischof, an equity analyst for Morningstar. “We view the transaction as allowing NextEra to accelerate its data center ambitions, which had trailed those of its regulated peers, by using Dominion’s expertise and relationships to expedite NextEra’s data center hub plans,” he said in a note to clients.

NextEra, based in Juno Beach, Florida, includes Florida Power & Light, the largest regulated electricity utility in the state, and NextEra Energy Resources, a wholesale electricity supplier that owns power plants across the nation. Dominion, based in Richmond, Virginia, includes regulated utilities serving much of Virginia, parts of North Carolina and South Carolina, and other assets across the country. The company would be called NextEra Energy, and NextEra CEO John W. Ketchum would serve in the same role after the deal closes. Robert M. Blue, Dominion’s CEO, would be the CEO for regulated utilities for the merged company. The parties said they expect regulatory approvals to take 12 to 18 months. NextEra shareholders would own 74.5 percent and Dominion shareholders would own 25.5 percent, respectively, of the combined company in the all-stock transaction.

Karpathy will start this week on Anthropic’s pre-training team, which is responsible for the massive training runs that give Claude its core knowledge and capabilities, according to Anthropic. Karpathy will help launch a new team focused on using Claude itself to accelerate pretraining research — an increasingly important frontier as AI companies race to automate parts of AI development. “I think the next few years at the frontier of LLMs will be especially formative. I am very excited to join the team here and get back to R&D,” Karpathy said in a post on X.

Karpathy is a rare AI figure with credibility across research, industry and education. He was a founding member of OpenAI before serving as Tesla’s director of AI, where he led the computer vision team behind Autopilot. Karpathy coined the term “vibe coding" and recently described himself as being in a “state of AI psychosis” since December — embracing “tokenmaxxing” and aggressively stress-testing frontier models.