The Cipher

Daily brief · Cyber · AI · Tech

Daily brief at 7am Melbourne. Unsubscribe any time.

← The Cipher

Wednesday 3 June 2026

Trump's AI Executive Order Is Mostly a Handshake — and That Might Be the Point

Trump signs a watered-down AI executive order, Anthropic opens its most powerful model to 150 critical infrastructure operators, and a one-line Microsoft code flaw put billions of Android downloads at risk.

Lead story

Trump's AI Executive Order Is Mostly a Handshake — and That Might Be the Point

After weeks of drafts, rewrites, and last-minute cold feet, President Trump has signed an executive order on AI oversight — and if you were expecting a sweeping regulatory framework, you'll need to recalibrate. What emerged is a voluntary pre-release review programme: AI companies are invited, not required, to share frontier models with the federal government for up to a month before public launch. The whole thing is framed around "secure innovation," not restriction.

The original draft, which reportedly had teeth, was softened after sustained industry lobbying. What's left looks more like a trust-building exercise than a checkpoint. Companies that participate get to say they've been vetted; the government gets early eyes on what's coming. There's no enforcement mechanism that bites if you decline.

The order does contain one substantive thread worth watching. It instructs agencies to factor AI security risk into critical infrastructure protection — meaning the connection between powerful AI systems and, say, power grids or water treatment is now at least formally on the federal agenda. Any company doing AI work in those sectors will face questions about compliance, even if the order itself doesn't mandate much yet.

Why this matters beyond Washington: The EU AI Act is already live and binding. The UK is finalising its own framework. Australia's approach — built around voluntary principles, the DIGI code of practice, and a Department of Industry AI Safety consultation — looks increasingly similar to what Trump just signed. That's either reassuring (regulatory convergence with a major ally) or worrying (two large democracies both opting for the soft path while the technology keeps accelerating).

Anthropic's timing was notable. The same day the order dropped, the company announced it's expanding Project Glasswing — its security vulnerability programme using the Claude Mythos model — from roughly 50 organisations to 150, spanning critical infrastructure in 15 countries including power, water, healthcare, and communications. EU security agency ENISA is also joining. The model has reportedly already surfaced thousands of vulnerabilities across its early cohort.

That's a genuine signal. Anthropic is building a case that its most capable, most restricted model is a net positive for security rather than a net risk. The timing alongside the executive order — which explicitly mentions AI's role in strengthening critical infrastructure cybersecurity — was almost certainly not accidental.

What to watch: Whether the voluntary review programme develops real participation (and what happens to the first company that skips it), how ENISA's involvement shapes EU expectations of AI safety transparency, and whether Australia's own AI governance review takes cues from the Trump order or quietly continues its own path. The Cyber and Infrastructure Security Centre (CISC) will be watching closely — several of the critical infrastructure sectors named in Anthropic's expansion map directly onto Australia's SOCI Act obligations.

Also today

One Line of Code Put Billions of Microsoft Android Downloads at Risk

A single misconfigured development setting in Microsoft's Android apps left account authentication tokens exposed to unauthorised access — potentially affecting billions of installations across apps like Outlook, Teams, and OneDrive. The flaw bypassed Android's protections designed to prevent inter-app token theft. Microsoft has since patched it, and there's no confirmed evidence of exploitation in the wild. The finding is a sharp reminder that enterprise-grade apps can carry consumer-grade oversights, and that the attack surface for Microsoft's ecosystem extends well beyond Windows. Australian organisations heavily reliant on Microsoft 365 mobile deployments should confirm they're running patched versions.

SecurityWeek

Red Hat npm Supply Chain Attack Hits 32 Packages, 117,000 Weekly Downloads

Attackers compromised a GitHub account belonging to Red Hat's cloud services team and used it to inject credential-stealing malware — dubbed 'Miasma', a variant of the Shai-Hulud worm — into 32 packages under the @redhat-cloud-services namespace. The poisoned versions were downloaded roughly 117,000 times a week before Red Hat pulled them. The attack sidestepped npm's trusted publishing defence by using a legitimately stolen token rather than a fake publisher identity. Any developer or CI/CD pipeline pulling these packages should rotate credentials immediately. Supply chain attacks against trusted open-source namespaces are accelerating, and Red Hat's brand carried an implicit trust that made this particularly effective.

The Record

Dashlane Brute-Force Attack Cracked 2FA, Stole Encrypted Vaults

Password manager Dashlane has disclosed that an external attacker brute-forced the two-factor authentication on a small number of personal accounts — fewer than 20 — and downloaded their encrypted vaults. The company says the vaults remain encrypted and that master passwords were not exposed in the attack, but the disclosure is uncomfortable for an industry whose entire value proposition is that your credentials are safe there. Brute-forcing 2FA implies either weak rate-limiting controls or a novel bypass technique — Dashlane hasn't been specific. For affected users, the practical risk depends entirely on the strength of their master password. The incident echoes the LastPass breach playbook: encrypted vaults look safe until someone patient starts cracking them offline.

The Hacker News

Gamaredon Exploits WinRAR Flaw to Hit Ukraine With GammaWorm and GammaSteel

Russia-linked Gamaredon has been weaponising a path traversal vulnerability in WinRAR (CVE-2025-8088) to deliver a chain of malware against Ukrainian targets. The attack sequence starts with a booby-trapped archive that launches an HTML Application payload called GammaPhish, which then retrieves GammaWorm for lateral propagation and GammaSteel for data exfiltration. The campaign is ongoing. WinRAR remains one of the most widely installed utilities on Windows machines globally — including across Australian government and enterprise environments — making this particular vulnerability class consistently high-value for nation-state actors. Organisations that haven't patched WinRAR recently should treat this as urgent.

The Hacker News

CISA Adds Two-Year-Old Oracle WebLogic Flaw to Active Exploitation List

CISA has added CVE-2024-21182 — a high-severity Oracle WebLogic Server vulnerability patched two years ago — to its Known Exploited Vulnerabilities catalogue after confirmed active exploitation in the wild. The flaw lets unauthenticated attackers with network access take full control of affected servers, with a CVSS score of 7.5. Federal agencies have been ordered to patch within the standard KEV deadline. WebLogic is common middleware in large enterprise and government environments, and the fact that a two-year-old patch is now being actively weaponised suggests opportunistic scanning for unpatched legacy deployments. Australian government agencies running Oracle middleware should cross-check their patch status against the ASD's Essential Eight guidance.

Bleeping Computer

Google Patches 124 Android Flaws Including Actively Exploited Zero-Day

Google's June 2026 Android security update addresses 124 vulnerabilities, the most notable being CVE-2025-48595 — a privilege escalation flaw in the Android Framework with a CVSS score of 8.4 that has been used in limited, targeted attacks. No user interaction is required to exploit it, which puts it firmly in the high-urgency tier. Google says exploitation has been targeted rather than widespread, suggesting a sophisticated actor rather than mass opportunism. Android is the dominant mobile platform in Australia, and with no user interaction required for exploitation, prompt patching from device manufacturers and carriers matters more than it usually does.

Bleeping Computer

Microsoft Walks Back Legal Threat Against Zero-Day Researcher

After days of public backlash from the security community, Microsoft has quietly dialled back its legal rhetoric against anonymous researcher 'Nightmare Eclipse', who published a series of significant Windows vulnerabilities including a BitLocker bypass. Microsoft had initially threatened legal action; it now says vulnerability researchers are not in its legal crosshairs. The reversal came after widespread condemnation from the infosec community, with many warning it would deter responsible disclosure. The episode mirrors the dynamic that surfaced in our briefing last week around Microsoft's earlier researcher dispute — and suggests the company hasn't yet settled on a coherent policy for handling researchers who go public without coordinating first.

The Register

Microsoft Build 2026: Scout, MAI-Thinking-1, Majorana 2, and a Lot of Agent Talk

Microsoft's Build 2026 keynote was a dense one. The headline launches include Scout — an always-on personal assistant woven into Microsoft 365, designed to handle calendars, email, and expense reporting autonomously — and MAI-Thinking-1, Microsoft's first in-house advanced reasoning model, which the company claims matches leading models on software engineering benchmarks. There's also Majorana 2, the next generation of Microsoft's topological quantum chip, which the company says meaningfully shortens the timeline to useful quantum computing (physicists remain sceptical). The through-line is agentic AI: Microsoft is betting that the next productivity wave isn't better apps, it's AI that runs tasks without being asked.

The Verge

Uber Hit a Full Year's AI Budget in Four Months — Then Capped It

Uber has introduced spending limits on employee AI tool usage after burning through its entire annual AI budget in just four months. The company had previously encouraged staff to use AI as liberally as possible, apparently without pricing what that encouragement would actually cost at scale. The episode is a useful data point in the broader enterprise AI conversation: adoption curves are outpacing the financial modelling that was meant to govern them. It also raises a governance question that hasn't been answered cleanly — when employees are told AI is free and then suddenly it isn't, what happens to the workflows and habits that built up in the meantime?

TechCrunch

Telstra and Google Cloud Strike Mutual Network Capacity Deal

Telstra and Google Cloud have announced a reciprocal network capacity arrangement covering both terrestrial and subsea infrastructure. The deal gives each company capacity on the other's network, deepening the strategic relationship between Australia's largest telco and one of the world's largest cloud providers. The timing is notable: Alphabet is simultaneously planning an $80 billion capital raise to fund AI infrastructure buildout, and Telstra has been accelerating its own AI strategy — this week appointing Dayle Stevens to a company-wide AI leadership role. For Australian enterprises, the arrangement potentially improves the latency and resilience profile of Google Cloud workloads routed through Telstra's backbone.

iTnews

Google's Android Anti-Impersonation Feature Is a Direct Response to Deepfake Scams

Google is rolling out a new feature to its Phone app that detects when an incoming call appears to come from a number already in your contacts but may be spoofed or AI-deepfake-assisted. When the system flags a mismatch — a 'confirmation signal' fails to verify the caller's identity — users are warned before they answer. It's available on Android 12 and later via Google Dialer. The feature is a direct response to the growing tactic of scammers spoofing trusted numbers and using voice-cloning AI to impersonate family members, employers, or authority figures. Australians are among the heaviest targets of phone-based scams globally; the ACCC's Scamwatch data consistently ranks phone impersonation among the highest-loss categories.

WIRED

Sources consulted