Tuesday 28 April 2026

OpenAI Breaks Up With Microsoft — Exclusively

OpenAI severs its exclusive Microsoft cloud tie, the 15-year-old OpenSSH root flaw finally surfaces, and a forgotten malware framework just rewrote the history of cyber sabotage.

Lead story

OpenAI Breaks Up With Microsoft — Exclusively

For five years, Microsoft and OpenAI operated under a deal that was less a partnership and more a marriage of convenience with a very unusual prenup: if OpenAI ever achieved artificial general intelligence, the whole agreement could be torn up. That clause is now dead. On Monday, the two companies announced a sweeping renegotiation that changes almost everything about their relationship — including the bit where OpenAI was basically Microsoft's captive.

The headline change: OpenAI's models can now run on Amazon Web Services. This isn't incidental. OpenAI signed a $50 billion compute deal with AWS earlier this year, and Microsoft had legitimate grounds to challenge it under their original exclusivity terms. The new agreement dissolves that legal exposure. In exchange, Microsoft gets a larger revenue-sharing cut and retains its status as OpenAI's "primary" cloud partner — Azure gets first right of refusal, not a monopoly.

The AGI clause deserves its own moment. Under the old deal, Microsoft's preferred access to OpenAI's technology would have lapsed the moment OpenAI declared it had built AGI. It was a strange incentive structure — one that arguably gave Microsoft reasons to hope AGI never arrived. Dropping it signals that both parties have accepted the partnership needs to be durable regardless of what OpenAI builds next.

Why this matters beyond the two companies: The deal reshapes the AI infrastructure market. AWS and Google Cloud have been watching Anthropic and Gemini eat into Azure's AI-workload dominance. OpenAI landing on Bedrock is a significant win for Amazon and a signal that no single cloud will monopolise frontier AI hosting. For enterprise customers — including the large Australian organisations running OpenAI workloads through Azure today — it means more deployment flexibility and, likely, more competitive pricing over time.

There's also the Musk angle. Elon Musk's lawsuit challenging OpenAI's conversion from a non-profit structure is heading to trial this week, with Musk and Sam Altman set to face off in court. The Microsoft renegotiation hands Altman a cleaner commercial story: OpenAI is a normal tech company now, with a normal (if enormous) commercial partnership, not a captive of one investor. That narrative matters when you're trying to convince a court — and the public — that the organisation hasn't betrayed its founding mission.

What to watch: Whether this triggers similar renegotiations with other hyperscalers. Google has its own deep Anthropic investment; Amazon has Anthropic on Bedrock. The unspoken question is whether any cloud provider can maintain a truly privileged position in the AI stack, or whether the models are becoming infrastructure — commoditised, multi-homed, and increasingly indifferent to whose data centres they run on.

For Australian enterprises navigating multi-cloud strategies and data sovereignty obligations under the Privacy Act, the emerging answer — that major AI models will soon be available across all major clouds — simplifies architecture decisions considerably. It also means vendor lock-in arguments for staying on any single cloud get weaker by the month.

Also today

15-Year-Old OpenSSH Flaw Gave Attackers Full Root Access

A vulnerability lurking in OpenSSH for 15 years has been disclosed, allowing attackers to gain full root shell access on affected systems. The flaw stems from a code reuse issue where comma characters in certificate principals were incorrectly interpreted as list separators — a subtle parsing mistake with catastrophic consequences. OpenSSH is one of the most widely deployed remote access tools on the planet, used across Linux servers, cloud infrastructure, and network devices globally. Australian organisations running self-managed Linux infrastructure should treat patching as urgent. The fix is available in the latest OpenSSH release. Given how broadly OpenSSH is deployed across Australian government and enterprise environments, the ACSC's patch priority guidance is worth watching.

SecurityWeek ↗

Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation

A researcher has uncovered five separate exploitation paths stemming from a single architectural weakness in how Windows handles Remote Procedure Call connections to unavailable services. Dubbed PhantomRPC, the vulnerability lets an unprivileged local user escalate to system-level privileges. The flaw is currently unpatched, meaning it falls into the category of things defenders need to mitigate at the network and endpoint layer rather than patch away. It's a reminder that Windows' legacy RPC architecture — designed decades ago — continues to produce exploitable edge cases. Organisations running Windows in sensitive environments, including Australian government agencies subject to the Essential Eight framework, should monitor for Microsoft's response.

Dark Reading ↗

A Malware Framework That Predates Stuxnet by Five Years

Researchers have uncovered a malware framework called "fast16" that was apparently operational around 2005 — five years before Stuxnet was discovered in 2010 and widely credited as the first major act of digital sabotage against physical infrastructure. The details are scant so far, but the finding rewrites the accepted timeline of state-sponsored cyber sabotage and raises uncomfortable questions about what else may have been running quietly in industrial environments for years. The discovery matters because it suggests the window between "first developed" and "first discovered" in nation-state tooling can be measured in decades, not months.

Dark Reading ↗

PyPI Package With 1.1M Monthly Downloads Hijacked to Steal Credentials

The popular Python package elementary-data — downloaded more than 1.1 million times a month — was compromised to push an infostealer targeting developer credentials and cryptocurrency wallets. The attacker inserted malicious code into a new release, giving it instant access to anyone who updated or freshly installed the package. Supply chain attacks targeting PyPI are increasingly common, but the scale of this one stands out — 1.1 million monthly downloads means widespread exposure across developer toolchains before the malicious version was pulled. Australian software teams using Python-based data tooling should audit their dependency trees and verify package integrity, particularly if automated dependency updates are enabled.

Bleeping Computer ↗

Itron — Which Monitors Utilities for Hundreds of Millions of Homes — Was Hacked

Itron, an American technology company that provides smart meters and energy and water monitoring infrastructure to utilities worldwide, has confirmed it was breached. The company discovered unauthorised access to its systems on 13 April. Itron serves utilities across North America, Europe, and the Asia-Pacific region, making this a critical infrastructure incident worth watching closely. The company has not disclosed the full scope of data accessed or whether operational systems — as distinct from corporate IT — were affected. Australian utilities that use Itron's metering or grid management products should be seeking clarification on whether their data or operational connectivity was within scope.

TechCrunch ↗

China Blocks Meta's $2B Manus Acquisition

Beijing has ordered Meta to unwind its acquisition of Manus, the Chinese-developed AI agent startup, after a months-long regulatory probe. The move is the latest front in the US-China AI rivalry, and it's a notable signal: Chinese authorities are now willing to use their regulatory power to block Chinese-founded AI companies from being absorbed into American tech giants, even when the founders want the deal. For Meta, it's a significant setback to its AI agents ambitions. For the broader industry, it confirms that AI talent and technology have become geopolitical assets — and that cross-border M&A in this space carries regulatory risk from both Washington and Beijing simultaneously.

TechCrunch AI ↗

David Silver's New Lab Raises $1.1B to Build AI That Learns Without Human Data

Ineffable Intelligence, founded just months ago by David Silver — the DeepMind researcher behind AlphaGo and AlphaZero — has raised $1.1 billion at a $5.1 billion valuation. The pitch is a return to Silver's roots: building AI systems that learn through self-play and environment interaction rather than from human-labelled data. It's a direct counterpoint to the dominant paradigm of scaling transformer models on internet text. Whether this approach can produce general-purpose systems, or remains constrained to well-defined game-like environments, is the key question. The fundraise is remarkable for a lab with no product and a team still being assembled.

TechCrunch AI ↗

Google Faces EU Order to Open Android AI to Competitors

European regulators are pushing Google to allow third-party AI assistants to compete on equal terms with Gemini on Android devices. Google, predictably, has called the intervention "unwarranted." The dispute centres on whether pre-loading Gemini as the default AI assistant constitutes anti-competitive behaviour — essentially the same argument that the EU ran successfully against Google Search. The outcome matters well beyond Europe: whatever concessions Google makes under EU pressure tend to become the de facto global standard for how Android handles AI integration. Australia's ACCC has been watching digital platform conduct closely and has its own Mobile Ecosystems inquiry framework to draw from.

Ars Technica ↗

Alleged Silk Typhoon Member Extradited from Italy to Face US Charges

A Chinese national accused of conducting cyberespionage for Beijing's intelligence services has been extradited from Italy to the United States. Xu Zewei is alleged to have been part of Silk Typhoon, the group responsible for breaching thousands of US organisations and stealing COVID-19 vaccine research. Successful extradition of a Chinese state-linked hacker is rare — China does not extradite its own nationals, so cases like this depend on the suspect travelling to a third country. The prosecution is partly symbolic but carries real deterrence value, signalling that exposure outside China creates genuine legal risk. It also adds to the growing public record of Chinese state hacking operations and their targets.

Bleeping Computer ↗

ATO's Moonee Ponds Facility Hit by Physical Security Breach

The Australian Taxation Office is facing scrutiny over physical security and staff safety after a serious incident at its Moonee Ponds office. Details of what occurred remain limited, but the breach has prompted questions about whether the ATO's facility security standards are adequate for an agency that holds sensitive financial data on virtually every Australian. Physical security is often the underdiscussed cousin of cyber security — but for government agencies, an inadequately secured facility can be as consequential as a network intrusion. The incident is likely to attract parliamentary attention and could prompt a review of physical security standards across Commonwealth agencies.

The Mandarin ↗

Australian Public Service Given June 1 Deadline on AI Recruitment Rules

Federal government agencies have been given until 1 June to implement new principles governing the transparent and responsible use of AI in recruitment processes. The directive, issued ahead of what officials are framing as an incoming AI wave in the public sector, requires agencies to document and disclose how AI tools are used when assessing job applicants. It's a modest but concrete step toward governing algorithmic decision-making in high-stakes contexts. The Digital Transformation Agency has separately been dealing with its own embarrassment this week — sending AI regulation information requests to the wrong email address. The June deadline applies regardless.

The Mandarin ↗

Sources consulted