AI Security Trend Roundup — Jun 05, 2026

Covering May 29 → Jun 05, 2026. 49 new items from 8 tracked sources.

This digest credits every source by name and links directly to each original post. Editorial curation by FixTheVuln — all rights and attribution belong to the original authors.

Academic & Research

• Domain-Conditioned Safety in Frontier Computer-Using Agents: A 793-Episode Browser Benchmark, a Coding-Domain Cross-Reference, and a Reproducibility Audit of Recent Red-Teaming

Source: arXiv cs.CR — Jun 05 arXiv:2606.05233v1 Announce Type: new Abstract: Recent computer-using-agent (CUA) red-teaming papers report prompt-injection attack success rates (ASR) of 42-98%, but these headline numbers cluster on retired models and on the most-vulnerable model in each paper's panel. We ask w

• Search-Time Contamination in Deep Research Agents: Measuring Performance Inflation in Public Benchmark Evaluation

Source: arXiv cs.CR — Jun 05 arXiv:2606.05241v1 Announce Type: new Abstract: Public benchmarks enable fair and reproducible evaluation of LLM reasoning, but they become fragile for deep research agents that actively search the web during inference. Such agents may retrieve public benchmark metadata, question

• Willing but Unable: Separating Refusal from Capability in Code LLMs via Abliteration

Source: arXiv cs.CR — Jun 05 arXiv:2606.05396v1 Announce Type: new Abstract: Producing a labeled vulnerable code at scale is a recurring obstacle for learning-based vulnerability detection: mined corpora carry substantial label noise, and existing LLM-based augmentation propagates these inaccuracies because

• SHIELDS: Automating OS Hardening with Iterative Multi-Agent Remediation

Source: arXiv cs.CR — Jun 05 arXiv:2606.05476v1 Announce Type: new Abstract: Security misconfigurations remain a leading cause of OS-level compromise, and manually keeping systems compliant with standards like Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) is a ted

• ZERO-APT: A Closed-Loop Adversarial Framework for LLM-Driven Automated Penetration Testing under Intelligent Defense

Source: arXiv cs.CR — Jun 05 arXiv:2606.05567v1 Announce Type: new Abstract: LLM-driven automated penetration testing agents are typically evaluated against static targets that neither detect nor respond to attacks, so their behavior under intelligent defense remains untested. The causal consistency of multi

• Dimensionality Reduction for Cyberattack Classification: A Comparative Evaluation of PCA and Linear Predictive Coding

Source: arXiv cs.CR — Jun 05 arXiv:2606.05584v1 Announce Type: new Abstract: High-dimensional feature representations are widely used in machine learning-based cyberattack detection systems. However, they increase computational complexity and may hinder deployment in resource-constrained environments. In thi

• SlotGCG: Exploiting the Positional Vulnerability in LLMs for Jailbreak Attacks

Source: arXiv cs.CR — Jun 05 arXiv:2606.05609v1 Announce Type: new Abstract: As large language models (LLMs) are widely deployed, identifying their vulnerability through jailbreak attacks becomes increasingly critical. Optimization-based attacks like Greedy Coordinate Gradient (GCG) have focused on inserting

• Hybrid CNN-LSTM Framework for Intelligent Cyber Attack Detection and Prevention in U.S. Critical Digital Infrastructure: A Comparative Machine Learning Evaluation on CSE-CIC-IDS2018

Source: arXiv cs.CR — Jun 05 arXiv:2606.05714v1 Announce Type: new Abstract: Digital infrastructure is growing at a rapid pace in the United States, and as a result, exposure to advanced cyber threats to critical sectors including healthcare, finance, transportation, energy and government systems is growing.

• Membrane: A Self-Evolving Contrastive Safety Memory for LLM Agent Defense

Source: arXiv cs.CR — Jun 05 arXiv:2606.05743v1 Announce Type: new Abstract: Despite advances in safety alignment, large language models remain vulnerable to continuously evolving jailbreaks. Existing fine-tuned safety classifiers cannot adapt to these evolving attacks, while adaptive memory-based guardrails

• SentinelRAG: Synthetic Sentinel Knowledge for RAG Database Copyright Protection

Source: arXiv cs.CR — Jun 05 arXiv:2606.05787v1 Announce Type: new Abstract: Protecting proprietary RAG databases from unauthorized redistribution is challenging: existing watermarking methods either inject fabricated relations between real entities, polluting the knowledge base with misinformation, or embed

Prompt Injection & LLM Security

• Quoting Andreas Kling

Source: Simon Willison — Jun 05 We will no longer accept public pull requests. [...] A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds. [...] Whether code was typed by hand is beside the point. What matters is who is resp

• AI enthusiasts are in a race against time, AI skeptics are in a race against entropy

Source: Simon Willison — Jun 04 AI enthusiasts are in a race against time, AI skeptics are in a race against entropy Charity Majors neatly captures the dynamic between AI enthusiasts and AI skeptics, both of whom are trying to build great software, often in the same teams: The enthusiasts are not wrong. We are

• Quoting Emanuel Maiberg, 404 Media

Source: Simon Willison — Jun 04 After this story was published Google's spokesperson reached out and asked us to publish a slightly different version of that statement. The new statement no longer stated that "it's critical that we maintain humans in the loop." — Emanuel Maiberg, 404 Media, Google Employe

• Uber Caps Usage of AI Tools Like Claude Code to Manage Costs

Source: Simon Willison — Jun 03 Uber Caps Usage of AI Tools Like Claude Code to Manage Costs I wrote the other day about Uber blowing its 2026 AI budget in four months, and how that wasn't particularly surprising given they would have set that budget in 2025, before anyone could have predicted how popular token

• Microsoft's new MAI models

Source: Simon Willison — Jun 02 Microsoft announced two new text LLMs this morning - MAI-Thinking-1 (reasoning, 1T parameters, 35B active, available to "select early partners") and MAI-Code-1-Flash (137B Parameters, 5B active, "purpose-built for GitHub Copilot and VS Code to deliver high performance and lower c

• datasette-agent-micropython 0.1a0

Source: Simon Willison — Jun 02 Release: datasette-agent-micropython 0.1a0 I want Datasette Agent to be able to generate and execute Python code safely. This alpha is looking promising so far. GPT-5.5 has so far failed to break out of the sandbox! Tags: python, sandboxing, datasette, webassembly, datasette-agen

• micropython-wasm 0.1a1

Source: Simon Willison — Jun 02 Release: micropython-wasm 0.1a1 Fixes for some limitations that emerged while I was trying to use this to build datasette-agent-micropython. Tags: python, sandboxing, webassembly

• California Brown Pelican

Source: Simon Willison — Jun 02 California Brown Pelican, in Fort Mason, CA, USI'm at the Microsoft Build conference today, held at Fort Mason in San Francisco. There are California Brown Pelicans diving into the water directly behind venue! Tags: microsoft, ai, generative-ai, llms, llm-release

• Pasted File Editor

Source: Simon Willison — Jun 02 Tool: Pasted File Editor I really like how you can paste a large volume of text into claude.ai (or the Claude desktop/mobile apps) and it will detect it as a large paste and turn it into a file attachment instead. I decided to have Codex desktop build me a version of that as a pr

• micropython-wasm 0.1a0

Source: Simon Willison — Jun 02 Release: micropython-wasm 0.1a0 My latest sandboxing experiment: This alpha package bundles a lightly customized WASM build of MicroPython with a wrapper to execute code in it via wasmtime. Tags: python, sandboxing, webassembly

• Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked

Source: Simon Willison — Jun 01 Hackers Simply Asked Meta AI to Give Them Access to High-Profile Instagram Accounts. It Worked I had trouble believing this story was true, but I've seen it verified from multiple sources now: One video shows a hacker starting a conversation with Meta’s AI support bot and asking

• May 2026 newsletter

Source: Simon Willison — Jun 01 I just sent out the May edition of my sponsors-only monthly newsletter. If you are a sponsor (or if you start a sponsorship now) you can access it here. This month: Al got expensive, and Anthropic had a really good month The model releases were a little disappointing Conferences

• datasette 1.0a32

Source: Simon Willison — May 31 Release: datasette 1.0a32 A minor bugfix release. Fixes a bug with INSERT ... RETURNING queries via the new /db/-/execute-write endpoint and a bunch of base_url issues which showed up when I was experimenting with Service Workers yesterday. Tags: datasette, annotated-release-note

• The solution might be cancelling my AI subscription

Source: Simon Willison — May 31 The solution might be cancelling my AI subscription I find this post by David Wilson very relatable. David lists 16+ projects he's spun up with AI tooling, and concludes: I didn't mean to build most of these things. Usually the Claude session started with something like "write a

• Quoting Karen Kwok for Reuters Breakingviews

Source: Simon Willison — May 31 Anthropic defines “run-rate revenue” in two parts. Use the last 28 days of sales ⁠from customers charged on a consumption basis and multiply it by 13. Then, multiply the monthly subscription take by 12, ​and add the two together. — Karen Kwok for Reuters Breakingviews, citi

• How we contain Claude across products

Source: Simon Willison — May 30 How we contain Claude across products A complaint I often have about sandboxing products is that they are rarely thoroughly documented, and in the absence of detailed documentation it's hard to know how much I can trust them. Anthropic just published a fantastic overview of how t

• I Am Retiring from Tech to Live Offline

Source: Simon Willison — May 30 I Am Retiring from Tech to Live Offline I've seen a lot of posts on forums from people threatening to quit their careers over AI. This is not one of those: Chad Whitacre is taking concrete steps, starting with this typewritten, scanned letter I'm retiring from tech. Well, "retiri

• Quoting Daniel Jalkut

Source: Simon Willison — May 30 My take on AI is, essentially, everybody who’s against it is too against it and everybody who’s for it is too for it. — Daniel Jalkut, via John Gruber Tags: ai, john-gruber

• Running Python ASGI apps in the browser via Pyodide + a service worker

Source: Simon Willison — May 30 Research: Running Python ASGI apps in the browser via Pyodide + a service worker Datasette Lite is my version of Datasette that runs entirely in the browser using Pyodide in WebAssembly. When I first built it four years ago I used Web Workers and code that intercepts navigation o

Community Signal

• Leak Reveals Microsoft Wants Its AI to Be 'Addictive'

Source: Hacker News (AI Security) — Jun 05 Article URL: https://kotaku.com/microsoft-ai-scout-addictive-satya-nadella-404-media-copilot-2000702924 Comments URL: https://news.ycombinator.com/item?id=48413924 Points: 43 # Comments: 16

• Ask HN: What is your (AI) dev tech stack / workflow? (June 2026)

Source: Hacker News (AI Security) — Jun 05 Hello, happy Friday!I am looking to do some in-person "developer boot-up" workshops, and seek your suggestions for "modern tooling".The background of the participants range from motivated newbie ("I heard you can make your own app with AI!") to existing software developers who wa

• Ask HN: Is the web for machines (/llm.txt) the one we wished we had as humans?

Source: Hacker News (AI Security) — Jun 05 I got really tired, as a human, of parsing the standard marketing heavy web we have today. I've always loved the simplicity of gopher and gemini web.Recently I found myself manually adding /llm.txt to most websites I visit because I find the content for LLMs strait to the point

• Show HN: Lowfat – pluggable CLI filter that saved 91.8% of my LLM tokens

Source: Hacker News (AI Security) — Jun 05 Hi HN,Not sure if anyone would be interested.But, just wanted to share that I've been maintaining my small tool called 'lowfat' that helps me filters some of my verbose CLI output.It's a single binary, works as an agent hook or a shell wrapper. It has a plugin system to customize

• Satya Nadella 'Not Sure' Who Said Microsoft Wanted to Make Addictive AI

Source: Hacker News (AI Security) — Jun 05 Article URL: https://www.404media.co/satya-nadella-not-sure-who-said-microsoft-wanted-to-make-addictive-ai-is-looking-for-guy-who-did-this/ Comments URL: https://news.ycombinator.com/item?id=48408581 Points: 22 # Comments: 6

• Fine-tuning an LLM to write docs like it's 1995

Source: Hacker News (AI Security) — Jun 05 Article URL: https://passo.uno/fine-tuning-docs-llm/ Comments URL: https://news.ycombinator.com/item?id=48408442 Points: 154 # Comments: 55

• The Pentagon is running an AI propaganda mill targeting Latin America

Source: Hacker News (AI Security) — Jun 05 Article URL: https://theintercept.com/2026/06/02/la-tilde-propaganda-latin-america-pentagon/ Comments URL: https://news.ycombinator.com/item?id=48408031 Points: 88 # Comments: 89

• CEO to staff: You're not getting a raise. We're spending on AI instead

Source: Hacker News (AI Security) — Jun 05 Article URL: https://www.businessinsider.com/teradata-pauses-raises-employee-compensation-ai-budget-2026-6 Comments URL: https://news.ycombinator.com/item?id=48407401 Points: 39 # Comments: 17

• Open Code Review – An AI-powered code review CLI tool

Source: Hacker News (AI Security) — Jun 05 Article URL: https://github.com/alibaba/open-code-review Comments URL: https://news.ycombinator.com/item?id=48406358 Points: 239 # Comments: 66

• South Korean Forums Will Need to Scan Every Images with AI Censorship Tools

Source: Hacker News (AI Security) — Jun 04 Article URL: https://discuss.privacyguides.net/t/south-korean-online-communities-will-need-to-scan-every-images-with-ai-censorship-tools/38341 Comments URL: https://news.ycombinator.com/item?id=48406198 Points: 167 # Comments: 122

• AI will consume as much water in 2030 as 1.3B people

Source: Hacker News (AI Security) — Jun 04 Article URL: https://english.elpais.com/technology/2026-06-03/ai-will-consume-as-much-water-in-2030-as-13-billion-people.html Comments URL: https://news.ycombinator.com/item?id=48404658 Points: 35 # Comments: 21

• Anthropic's open-source framework for AI-powered vulnerability discovery

Source: Hacker News (AI Security) — Jun 04 Article URL: https://github.com/anthropics/defending-code-reference-harness Comments URL: https://news.ycombinator.com/item?id=48403980 Points: 489 # Comments: 138

• Anthropic Urges Global Pause in AI Development, Flags 'Self-Improvement' Risk

Source: Hacker News (AI Security) — Jun 04 Article URL: https://www.wsj.com/tech/ai/anthropic-urges-global-pause-in-ai-development-flags-self-improvement-risk-99cefb73 Comments URL: https://news.ycombinator.com/item?id=48403827 Points: 21 # Comments: 7

• Airlines Uses AI to Fake Empathy Rather Than Fix Problems: Passenger Sent Prompt

Source: Hacker News (AI Security) — Jun 04 Article URL: https://viewfromthewing.com/airlines-are-using-ai-to-manufacture-empathy-instead-of-solving-problems-one-passenger-was-sent-the-prompt-by-mistake/ Comments URL: https://news.ycombinator.com/item?id=48401973 Points: 41 # Comments: 14

• When AI Builds Itself: Our progress toward recursive self-improvement

Source: Hacker News (AI Security) — Jun 04 Article URL: https://www.anthropic.com/institute/recursive-self-improvement Comments URL: https://news.ycombinator.com/item?id=48400842 Points: 490 # Comments: 655

• Google employees internally share memes about how its AI sucks

Source: Hacker News (AI Security) — Jun 04 Article URL: https://www.404media.co/google-employees-internally-share-memes-about-how-its-ai-sucks/ Comments URL: https://news.ycombinator.com/item?id=48400311 Points: 165 # Comments: 104

• The LLM warnings Google fired Timnit Gebru over have all come true

Source: Hacker News (AI Security) — Jun 04 Article URL: https://www.tumblr.com/dreaminginthedeepsouth/817865966907228160/darren-oconnor-timnit-gebru-was-fired-from Comments URL: https://news.ycombinator.com/item?id=48400213 Points: 117 # Comments: 109

• KVarN: Native vLLM backend for KV-cache quantization by Huawei

Source: Hacker News (AI Security) — Jun 04 Article URL: https://github.com/huawei-csl/KVarN Comments URL: https://news.ycombinator.com/item?id=48399974 Points: 142 # Comments: 15

• AI, Ashby Engineering, and the future

Source: Hacker News (AI Security) — Jun 04 Article URL: https://www.ashbyhq.com/blog/engineering/ai-ashby-engineering-and-the-future Comments URL: https://news.ycombinator.com/item?id=48399528 Points: 59 # Comments: 50

• I built a vulnerable app and spent $1,500 seeing if LLMs could hack it

Source: Hacker News (AI Security) — Jun 04 Article URL: https://kasra.blog/blog/i-spent-1500-seeing-if-llms-could-hack-my-app/ Comments URL: https://news.ycombinator.com/item?id=48392343 Points: 394 # Comments: 214

---

Source List

All sources tracked in this roundup, credited to their original authors/organizations:

• OWASP GenAI Security Project — feed: https://genai.owasp.org/feed/
• Simon Willison — feed: https://simonwillison.net/atom/everything/
• arXiv cs.CR — feed: http://export.arxiv.org/rss/cs.CR
• Protect AI — feed: https://protectai.com/blog/rss.xml
• Google Project Zero — feed: https://googleprojectzero.blogspot.com/feeds/posts/default
• CISA Cybersecurity Advisories — feed: https://www.cisa.gov/cybersecurity-advisories/all.xml
• NIST Cybersecurity News — feed: https://www.nist.gov/news-events/cybersecurity/rss.xml
• Hacker News (AI Security) — feed: https://hnrss.org/newest?q=%22AI+security%22+OR+%22prompt+injection%22+OR+%22LLM+vulnerability%22&points=20