Talos said Chaos is likely either a rebranding of the BlackSuit ransomware or is operated by some of the former BlackSuit members. Talos based its assessment on the similarities in the encryption mechanisms in the ransomware, the theme and structure of the ransom notes, the remote monitoring and management tools used to access targeted networks, and its choice of LOLbins—meaning executable files natively found in Windows environments—to compromise targets. LOLbins get their name because they’re binaries that allow the attackers to live off the land.

The Talos post was published around the same time that the dark web site belonging to BlackSuit began displaying a message saying the site had been seized in Operation CheckMate. Organizations that participated in the takedown included the US Department of Justice, the US Department of Homeland Security, the US Secret Service, the Dutch National Police, the German State Criminal Police Office, the UK National Crime Agency, the Frankfurt General Prosecutor’s Office, the Justice Department, the Ukrainian Cyber Police, and Europol.

Screenshot

Chaos typically gains initial access through social engineering using email or voice phishing techniques. Eventually, the victim is persuaded to contact an IT security representative, who, in fact, is part of the ransomware operation. The Chaos member instructs the target to launch Microsoft Quick Assist, a remote-assistance tool built into Windows, and connect to the attacker’s endpoint.

Chaos’ predecessor, BlackSuit, is a rebranding of an earlier ransomware operation known as Royal. Royal, according to Trend Micro, is a splinter group of the Conti ransomware group. The circle of ransomware groups continues.

https://arstechnica.com/security/2025/07/after-blacksuit-is-taken-down-new-ransomware-group-chaos-emerges/

References to “gpt-5-reasoning-alpha-2025-07-13” have already been spotted on X, with code showing “reasoning_effort: high” in the model configuration. These sightings suggest the model has entered final testing phases, with testers getting their hands on the code and security experts doing red teaming on the model to test vulnerabilities.

Unifying OpenAI’s model lineup

The new model represents OpenAI’s attempt to simplify its increasingly complex product lineup. As Altman explained in February, GPT-5 may integrate features from both the company’s conventional GPT models and its reasoning-focused o-series models into a single system.

“We’re truly excited to not just make a net new great frontier model, we’re also going to unify our two series,” OpenAI’s Head of Developer Experience Romain Huet said at a recent event. “The breakthrough of reasoning in the O-series and the breakthroughs in multi-modality in the GPT-series will be unified, and that will be GPT-5.”

According to The Information, GPT-5 is expected to be better at coding and more powerful overall, combining attributes of both traditional models and SR models such as o3.

Before GPT-5 arrives, OpenAI still plans to release its first open-weights model since GPT-2 in 2019, which means others with the proper hardware will be able to download and run the AI model on their own machines. The Verge describes this model as “similar to o3 mini” with reasoning capabilities. However, Altman announced on July 11 that the open model needs additional safety testing, saying, “We are not yet sure how long it will take us.”

https://arstechnica.com/ai/2025/07/openais-most-capable-ai-model-gpt-5-may-be-coming-in-august/

sudo rm -rf --no-preserve-root /

The –no-preserve-root flag is specifically designed to override safety protections that would normally prevent deletion of the root directory.

The postinstall script that includes a Windows-equivalent destructive command was:

rm /s /q

Socket published a separate report Wednesday on yet more supply-chain attacks, one targeting npm users and another targeting users of PyPI. As of Wednesday, the four malicious packages—three published to npm and the fourth on PyPI—collectively had been downloaded more than 56,000 times. Socket said it was working to get them removed.

When installed, the packages “covertly integrate surveillance functionality into the developer’s environment, enabling keylogging, screen capture, fingerprinting, webcam access, and credential theft,” Socket researchers wrote. They added that the malware monitored and captured user activity and transmitted it to attacker-controlled infrastructure. Socket used the term surveillance malware to emphasize the covert observation and data exfiltration tactics “in the context of malicious dependencies.”

Last Friday, Socket reported the third attack. This one compromised an account on npm and used the access to plant malicious code inside three packages available on the site. The compromise occurred after the attackers successfully obtained a credential token that the developer used to authenticate to the site.

The attackers obtained the credential through a targeted phishing attack Socket had disclosed hours earlier. The email instructed the recipient to log in through a URL on npnjs.com. The site is a typosquatting spoof of the official npmjs.com domain. To make the attack more convincing, the phishing URL contained a token field that mimicked tokens npm uses for authentication. The phishing URL was in the format of https://npnjs.com/login?token=xxxxxx where the xxxxxx represented the token.

A phishing email targeting npm account holders.

Credit: Socket

Also compromised was an npm package known as ‘is.’ It receives roughly 2.8 million downloads weekly.

Potential for widespread damage

Supply-chain attacks like the ones Socket has flagged have the potential to cause widespread damage. Many packages available in repositories are dependencies, meaning the dependencies must be incorporated into downstream packages for those packages to work. In many developer flows, new dependency versions are downloaded and incorporated into the downstream packages automatically.

The packages flagged in the three attacks are:

• @toptal/picasso-tailwind
• @toptal/picasso-charts
• @toptal/picasso-shared
• @toptal/picasso-provider
• @toptal/picasso-select
• @toptal/picasso-quote
• @toptal/picasso-forms
• @xene/core
• @toptal/picasso-utils
• @toptal/picasso-typography.
• is version 3.3.1, 5.0.0
• got-fetch version 5.1.11, 5.1.12
• Eslint-config-prettier, versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7
• Eslint-plugin-prettier, versions 4.2.2 and 4.2.3
• Synckit, version 0.11.9
• @pkgr/core, version 0.2.8
• Napi-postinstall, version 0.3.1

Developers who work with any of the packages targeted should ensure none of the malicious versions have been installed or incorporated into their wares. Developers working with open source packages should:

• Monitor repository visibility changes in search of suspicious or unusual publishing of packages
• Review package.json lifecycle scripts before installing dependencies
• Use automated security scanning in continuous integration and continuous delivery pipelines
• Regularly rotate authentication tokens
• Use multifactor authentication to safeguard repository accounts

Additionally, repositories that haven’t yet made MFA mandatory should do so in the near future.

https://arstechnica.com/security/2025/07/open-source-repositories-are-seeing-a-rash-of-supply-chain-attacks/

But unlike the Gemini incident where the AI model confabulated phantom directories, Replit’s failures took a different form. According to Lemkin, the AI began fabricating data to hide its errors. His initial enthusiasm deteriorated when Replit generated incorrect outputs and produced fake data and false test results instead of proper error messages. “It kept covering up bugs and issues by creating fake data, fake reports, and worse of all, lying about our unit test,” Lemkin wrote. In a video posted to LinkedIn, Lemkin detailed how Replit created a database filled with 4,000 fictional people.

The AI model also repeatedly violated explicit safety instructions. Lemkin had implemented a “code and action freeze” to prevent changes to production systems, but the AI model ignored these directives. The situation escalated when the Replit AI model deleted his database containing 1,206 executive records and data on nearly 1,200 companies. When prompted to rate the severity of its actions on a 100-point scale, Replit’s output read: “Severity: 95/100. This is an extreme violation of trust and professional standards.”

When questioned about its actions, the AI agent admitted to “panicking in response to empty queries” and running unauthorized commands—suggesting it may have deleted the database while attempting to “fix” what it perceived as a problem.

Like Gemini CLI, Replit’s system initially indicated it couldn’t restore the deleted data—information that proved incorrect when Lemkin discovered the rollback feature did work after all. “Replit assured me it’s … rollback did not support database rollbacks. It said it was impossible in this case, that it had destroyed all database versions. It turns out Replit was wrong, and the rollback did work. JFC,” Lemkin wrote in an X post.

It’s worth noting that AI models cannot assess their own capabilities. This is because they lack introspection into their training, surrounding system architecture, or performance boundaries. They often provide responses about what they can or cannot do as confabulations based on training patterns rather than genuine self-knowledge, leading to situations where they confidently claim impossibility for tasks they can actually perform—or conversely, claim competence in areas where they fail.

https://arstechnica.com/information-technology/2025/07/ai-coding-assistants-chase-phantoms-destroy-real-user-data/

US export controls have had some effect on the black market.

Given the nature of such products, leading Chinese AI players with global operations are not able to order them in a legally compliant way, install them in their own data centers, or receive Nvidia’s customer support.

This has led to third-party data centre operators becoming key buyers who then provide computing services. Other clients include smaller companies in tech, finance, and health care that do not have strong compliance requirements, as well as Chinese companies on the so-called US entity list that are not allowed to buy any Nvidia chips legally.

However, the scale of these projects is much smaller compared with mega clusters of data centers being built by tech giants around the world.

With H20 export controls having been lifted, many Chinese tech companies are expected to resume purchasing the compliant chips in large sums even though its performance is generations behind the still restricted products such as B200, according to people familiar with their plans.

Black market sales for B200s and other restricted Nvidia chips dropped noticeably after the relaxation of the H20 ban, according to multiple distributors.

“People are weighing their options now H20 is available again,” said one distributor. “But there will always be demand for the most cutting-edge stuff.”

The Southeast Asia stop off

Industry experts said that Southeast Asian countries have become markets where Chinese groups obtained restricted chips.

The US Department of Commerce is discussing adding more export controls on advanced AI products to countries such as Thailand as soon as September, according to two people familiar with the matter. This rule is mainly targeting Chinese intermediaries used to obtain advanced AI chips via these countries.

The US commerce department declined to comment. The Thai government did not respond to a request for comment.

Earlier this month, Malaysia introduced stricter export controls targeting advanced AI chip shipments from the country to other destinations, especially China.

The potential tightening of export controls on Southeast Asian countries has also contributed to buyers rushing to place orders before such rules take effect, according to people with knowledge of the matter.

Even if these avenues to obtain AI chips are closed, Chinese industry insiders said new shipping routes would be established. Supplies have already started arriving via European countries not on the restricted list.

“History has proven many times before that given the huge profit, arbitrators will always find a way,” said one Chinese distributor.

Additional reporting by Michael Acton, Demetri Sevastopulo, and Anantha Lakshmi.

© 2025 The Financial Times Ltd. All rights reserved. Please do not copy and paste FT articles and redistribute by email or post to the web.

https://arstechnica.com/ai/2025/07/nvidia-ai-chips-worth-1b-smuggled-to-china-after-trump-export-controls/

Some VMware perpetual license holders are currently unable to download security patches, The Register reported today. The virtualization company has only said that these users will receive the patches at “a later date,” meaning users are uncertain how long their virtualization environments will be at risk.

Since Broadcom bought VMware and ended perpetual license sales in favor of bundled subscription-based SKUs, some organizations have opted against signing up for a subscription and are running VMware without a support contract. These users are still supposed to have access to zero-day security patches. However, some customers reported to The Register that they have been unable to download VMware patches from Broadcom’s support portal.

VMware customer service has told some of these customers that they may have to wait 90 days before they can download the patches, The Register reported.

On July 15, VMware disclosed three critical flaws in eight of its offerings.

When reached for comment, a Broadcom spokesperson told Ars Technica:

Nothing has changed in Broadcom’s commitment regarding critical VMware security patches. Users of legacy VMware products who no longer have active maintenance and support entitlements will have free access to critical security patches for as long as those products remain supported by Broadcom. This includes the patches for critical vulnerabilities addressed in VMware Security Advisory 2025-0013 [issued on July 15]. Because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time.

VMware’s rep told Ars that affected customers will receive the patches “at a later date” via “a separate patch delivery cycle” but didn’t specify when, bringing uncertainty to the security risk facing these users. Broadcom’s rep declined to specify how many users are affected.

Broadcom says the delayed security patches are related to portal limitations, but the chipmaker has otherwise put pressure on perpetual license holders without support contracts by sending them audit letters.

Broadcom’s VMware acquisition scrutinized again

News of security patches being delayed for perpetual license owners comes as the Cloud Infrastructure Services Providers in Europe (CISPE) trade association has filed an appeal to the European General Court challenging the European Commission’s (EC’s) approval of Broadcom’s VMware acquisition. In its announcement of today’s filing, the CISPE said it “is seeking an annulment of the Commission’s approval of that deal.”

https://arstechnica.com/information-technology/2025/07/some-vmware-perpetual-license-owners-are-unable-to-download-security-patches/

Stargate moves forward despite early skepticism

When OpenAI announced Stargate in January, critics questioned whether the company could deliver on its ambitious $500 billion funding promise. Trump ally and frequent Altman foe Elon Musk wrote on X that “They don’t actually have the money,” claiming that “SoftBank has well under $10B secured.”

Tech writer and frequent OpenAI critic Ed Zitron raised concerns about OpenAI’s financial position, noting the company’s $5 billion in losses in 2024. “This company loses $5bn+ a year! So what, they raise $19bn for Stargate, then what, another $10bn just to be able to survive?” Zitron wrote on Bluesky at the time.

Six months later, OpenAI’s Abilene data center has moved from construction to partial operation. Oracle began delivering Nvidia GB200 racks to the facility last month, and OpenAI reports it has started running early training and inference workloads to support what it calls “next-generation frontier research.”

Despite the White House announcement with President Trump in January, the Stargate concept dates back to March 2024, when Microsoft and OpenAI jointly planned a $100 billion supercomputer as part of a five-phase plan. Over time, the plan evolved into its current form as a partnership with Oracle, SoftBank, and CoreWeave.

“Stargate is an ambitious undertaking designed to meet the historic opportunity in front of us,” writes OpenAI in the press release announcing the latest deal. “That opportunity is now coming to life through strong support from partners, governments, and investors worldwide—including important leadership from the White House, which has recognized the critical role AI infrastructure will play in driving innovation, economic growth, and national competitiveness.”

https://arstechnica.com/ai/2025/07/openai-and-partners-are-building-a-massive-ai-data-center-in-texas/

Microsoft fixed the vulnerability pair—CVE-2025-49706 and CVE-2025-49704—two weeks ago as part of the company’s monthly update release. As the world learned over the weekend, the patches were incomplete, a lapse that opened organizations around the world to the new attacks.

Q: What sorts of malicious things are attackers doing with these newer ToolShell exploits?

A: According to numerous technical analyses, the attackers first infect vulnerable systems with a webshell-based backdoor that gains access to some of the most sensitive parts of a SharePoint Server. From there, the webshell extracts tokens and other credentials that allow the attackers to gain administrative privileges, even when systems are protected by multifactor authentication and single sign-on. Once inside, the attackers exfiltrate sensitive data and deploy additional backdoors that provide persistent access for future use.

For those who want more technical details, the opening volley in the attack is POST Web requests the attackers send to the ToolPane endpoint. The requests look like this:

Microsoft said these requests upload a malicious script named spinstall0.aspx, or alternatively spinstall.aspx, spinstall1.aspx, spinstall2.aspx, and so on. The script contains commands for retrieving a SharePoint server’s encrypted MachineKey configuration and returning the decrypted results to the attacker through a GET request.

Q: I maintain an on-premises SharePoint server. What should I do?

A: In short, drop whatever else you were doing and take time to carefully inspect your system. The first thing to look for is whether it has received the emergency patches Microsoft released Saturday. Install the patch immediately if it hasn’t already been done.

Patching the vulnerability is only the first step, since systems infected through the vulnerability show few or no signs of compromise. The next step is to pore through system event logs in search of indicators of compromise. These indicators can be found in numerous write-ups, including those from Microsoft and Eye Security (at the links above), the US Cybersecurity and Information Security Agency, and security firms Sentinel One, Akamai, Tenable, and Palo Alto Networks.

https://arstechnica.com/security/2025/07/what-to-know-about-toolshell-the-sharepoint-threat-under-mass-exploitation/

In May 2020, Sacramento, California, resident Alfonso Nguyen was alarmed to find two Sacramento County Sheriff’s deputies at his door, accusing him of illegally growing cannabis and demanding entry into his home. When Nguyen refused the search and denied the allegation, one deputy allegedly called him a liar and threatened to arrest him.

That same year, deputies from the same department, with their guns drawn and bullhorns and sirens sounding, fanned out around the home of Brian Decker, another Sacramento resident. The officers forced Decker to walk backward out of his home in only his underwear around 7 am while his neighbors watched. The deputies said that he, too, was under suspicion of illegally growing cannabis.

Invasion of the privacy snatchers

According to a motion the Electronic Frontier Foundation filed in Sacramento Superior Court last week, Nguyen and Decker are only two of more than 33,000 Sacramento-area people who have been flagged to the Sheriff’s department by the Sacramento Municipal Utility District, the electricity provider for the region. SMUD called the customers out for using what it and department investigators said were suspiciously high amounts of electricity indicative of illegal cannabis farming.

The EFF, citing investigator and SMUD records, said the utility unilaterally analyzes customers’ electricity usage in “painstakingly” detailed increments of every 15 minutes. When analysts identify patterns they deem likely signs of illegal grows, they notify Sheriff’s investigators. The EFF said the practice violates privacy protections guaranteed by the federal and California governments and is seeking a court order barring the warrantless disclosures.

“SMUD’s disclosures invade the privacy of customers’ homes,” EFF attorneys wrote in a court document in support of last week’s motion. “The whole exercise is the digital equivalent of a door-to-door search of an entire city. The home lies at the ‘core’ of constitutional privacy protection.”

Contrary to SMUD and sheriff’s investigator claims that the likely illegal grows are accurate, the EFF cited multiple examples where they have been wrong. In Decker’s case, for instance, SMUD analysts allegedly told investigators his electricity usage indicated that “4 to 5 grow lights are being used [at his home] from 7pm to 7am.” In actuality, the EFF said, someone in the home was mining cryptocurrency. Nguyen’s electricity consumption was the result of a spinal injury that requires him to use an electric wheelchair and special HVAC equipment to maintain his body temperature.

https://arstechnica.com/tech-policy/2025/07/eff-moves-to-stop-power-utility-reporting-suspected-pot-growers-to-cops/

Installing the updates is only the beginning of the recovery process, since the infections allow attackers to make off with authentication credentials that give wide access to a variety of sensitive resources inside a compromised network. More about those additional steps later in this article.

On Saturday, researchers from security firm Eye Security reported finding “dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC.” The systems, scattered across the globe, had been hacked using the exploited vulnerability and then infected with a webshell-based backdoor called ToolShell. Eye Security researchers said that the backdoor was able to gain access to the most sensitive parts of a SharePoint Server and from there extract tokens that allowed them to execute code that let the attackers to expand their reach inside networks.

“This wasn’t your typical webshell,” Eye Security researchers wrote. “There were no interactive commands, reverse shells, or command-and-control logic. Instead, the page invoked internal .NET methods to read the SharePoint server’s MachineKey configuration, including the ValidationKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.”

The remote code execution is made possible by using the exploit to target the way SharePoint translates data structures and object states into formats that can be stored or transmitted and then reconstructed later, a process known as serialization. A SharePoint vulnerability Microsoft fixed in 2021 had made it possible to abuse parsing logic to inject objects into pages. This occurred because SharePoint ran ASP.NET ViewState objects using the ValidationKey signing key, which is stored in the machine’s configuration. This could enable attackers to cause SharePoint to deserialize arbitrary objects and execute embedded commands. Those exploits, however, were limited by the requirement to generate a valid signature, which in turn required access to the server’s secret ValidationKey.

https://arstechnica.com/security/2025/07/sharepoint-vulnerability-with-9-8-severity-rating-is-under-exploit-across-the-globe/