作者: Editor Lucky

A critical vulnerability called “BadHost” (CVE-2026-48710) has been discovered in Starlette, an open-source Python framework that receives 325 million downloads per week. This affects FastAPI, vLLM, LiteLLM, and thousands of other projects that depend on Starlette.

The bug allows attackers to bypass path-based authorization by injecting a single character into the HTTP Host header. Since Starlette is the routing core of FastAPI and powers many MCP servers that store credentials for AI agent external connections, the exposure includes sensitive user databases, email accounts, and other resources.

Security researchers from X41 D-Sec rated it as “critical severity” (higher than the official 7/10 CVE rating) because it can lead to authentication bypass, SSRF exploits, and in some cases remote code execution. The vulnerability affects all Starlette versions prior to 1.0.1.

X41 D-Sec partnered with Nemesis to create an online scanner to check if servers are vulnerable. Researchers strongly recommend anyone running FastAPI, vLLM, or LiteLLM run the scanner immediately and upgrade to Starlette 1.0.1 or later.

Source: https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/

Federal intelligence agencies and domestic law enforcement are circulating reports identifying “anti-technology extremists” as an emerging domestic threat category, according to over 1,000 pages of unpublished reports from DHS, FBI, and fusion centers obtained by WIRED.

This new focus follows President Trump’s National Security Presidential Memo 7, which instructs targeting of “anti-American,” “anti-Christian,” and “anti-capitalism” beliefs. A New York Intelligence Bureau report warns that AI adoption could fuel “large-scale protests that devolve into civil unrest and anti-tech violent extremist activity,” especially in major urban areas.

The reports also describe threats linked to extreme rationalists like Ziz Laota, whose ideology focused on existential AI risk. Meanwhile, 80 fusion centers across the country are gathering “intelligence” about alleged threats to data centers, flagging activities like photography and surveillance observation as suspicious.

Civil rights experts warn that overly broad categories like “anti-tech extremism” could ensnare peaceful protesters and AI skeptics, similar to the surveillance of Black Lives Matter and environmental movements in recent decades.

Source: https://arstechnica.com/ai/2026/05/us-law-enforcement-warns-of-anti-tech-extremism-as-ai-hatred-grows/

YouTube is moving beyond voluntary AI disclosure to automatic detection and labeling of AI-generated content. Starting this month, the platform will use “new internal signals” to flag videos showing “significant photorealistic AI use.”

The system detects C2PA metadata indicating AI sources and Google watermarked tools like Veo. Creators can appeal incorrect labels, but those two triggers are permanent and non-appealable.

Previously, AI labels were hidden deep in video descriptions. Now they appear prominently: landscape videos show the tag below the player, while Shorts display an overlay at the bottom of the video.

However, animated AI content and videos with only minor AI elements will still only show labels in the expanded description. As AI video generation becomes more realistic, distinguishing real from synthetic content is becoming increasingly critical.

Source: https://arstechnica.com/google/2026/05/youtube-to-begin-automatically-labeling-ai-videos/

Illinois has become the first US state to pass a comprehensive AI safety law, requiring frontier AI companies to submit safety plans, undergo independent testing, and report critical incidents within 72 hours (24 hours for imminent threats).

The landmark bill SB 315 was signed by Governor J.B. Pritzker despite opposition from the Trump administration. Both OpenAI and Anthropic support the law, saying it establishes a needed baseline for AI safety testing.

The law will be enforced starting January 2027, with the Big Four accounting firms (Deloitte, EY, KPMG, PwC) expected to serve as independent auditors. Civil penalties will apply for violations.

Critics warn the law could create a patchwork of state regulations, while supporters say federal inaction has left states with no choice but to act.

Source: https://arstechnica.com/tech-policy/2026/05/trump-loses-more-control-over-ai-regulation-as-illinois-passes-landmark-law/

Apple is trying to distill Google’s massive Gemini model onto the iPhone to power the next Siri – but cloud offloading means your data leaves the device.

According to The Information, Apple’s Gemini-powered Siri will run both on-device AND in the cloud, relying on Google and Nvidia infrastructure. Apple has long touted on-device AI as a privacy advantage, but the reality is phone hardware simply cannot handle multi-trillion parameter models.

The approach: distillation – making smaller models mimic larger ones. This works for basic tasks, but complex queries still go to the cloud via Nvidia’s Confidential Computing platform.

Bottom line: your Siri conversations will leave your phone. Once data leaves your device, it is no longer “on-device” AI.

Source: https://arstechnica.com/ai/2026/05/apple-reportedly-trying-to-distill-googles-multi-trillion-parameter-gemini-ai-to-run-on-iphone/