Apple Sues OpenAI Over Stolen Hardware Secrets
The day's biggest story put two of tech's most powerful companies on opposite sides of a federal complaint, while the firmware layer took on new urgency and AI's growing ambitions ran into both legal and public resistance.
Security
Six newly disclosed vulnerabilities in U-Boot — the open-source bootloader embedded in hundreds of millions of Linux-powered devices, from routers to industrial controllers — could let attackers execute arbitrary code during the boot sequence before the OS loads, according to BleepingComputer. The exploit path is particularly nasty: code injected at this stage runs before secure boot validations or OS-level defenses have initialized, making detection and remediation extremely difficult. Firmware-level persistence is the prize every sophisticated attacker wants, and U-Boot's ubiquity makes these bugs high-priority for any organization running embedded Linux.
On the ransomware front, two stories arrived that read like dark comedy. A 34-year-old Armenian national pleaded guilty to operating Ryuk ransomware attacks against U.S. companies, facing up to 15 years — one of the more concrete law enforcement wins against the ecosystem. But the richer story is the ransomware negotiator sentenced to six years for secretly working for the attackers while ostensibly representing victims. He exfiltrated clients' negotiating positions to the threat actors, letting them hold firm and extract maximum ransoms. The betrayal compounds the original crime in a way that sets a useful precedent: the criminal umbrella now extends to supposed intermediaries who flip sides.
CISA admitted to Congress that when it was itself hit by a security incident, it had no incident response playbook and had to write one in real time during the breach. For the agency tasked with defending federal civilian infrastructure, this is a remarkable admission — and a reminder that security organizations routinely prioritize external guidance over internal hygiene.
Finally, a 29-year-old bug in Squid proxy — now being called "Squidbleed" — can leak HTTP requests handled by the proxy. Squid is widely deployed in enterprise and government environments. The age of the bug is a reminder that popular infrastructure software carries long-tail risk that never gets audited at the same cadence as user-facing applications.
AI
Apple has sued OpenAI, alleging that former Apple employees who moved to the AI company brought hardware trade secrets with them — and that the theft was actively directed by OpenAI's senior leadership. Multiple outlets confirmed the filing, with Apple's complaint describing "a pattern of theft" of proprietary technology. The Verge notes that Apple specifically names long-time former employees now at OpenAI as the conduit. The lawsuit is striking for several reasons: Apple and OpenAI have had a publicly complicated relationship — Apple integrated ChatGPT into iOS 18 and then distanced itself — and this allegation targets OpenAI's leadership directly rather than just rogue employees. The outcome will shape how aggressively AI companies can recruit from incumbent hardware firms.
Also in the personnel-conflict category: Elon Musk has directed Tesla staff to shift from internal AI tools to Grok, the xAI model. Tesla has substantial in-house AI infrastructure, and the mandate raises questions about where xAI's commercial interests end and Tesla's operational needs begin — a conflict that shareholders have flagged repeatedly.
Meta killed "Muse", a freshly launched Instagram feature that let users generate AI images based on any public account just by tagging it. Creators and public figures discovered within days that they could be turned into deepfake imagery without consent. Meta announced the feature, absorbed the backlash, and pulled it — all within the same week. The speed of reversal signals genuine reputational exposure rather than routine iteration.
In more speculative territory, OpenAI published a claimed proof of the Cycle Double Cover Conjecture, attributed to GPT-5.6 Sol Ultra. The conjecture is an unsolved problem in graph theory dating to the 1970s. Formal verification is ongoing, and the mathematical community will need time to validate the work — but if it holds, it would represent the most significant automated mathematical discovery to date.
Tech
SK Hynix executed the largest foreign IPO in U.S. history, raising $26.5 billion at $170 per share — surpassing Alibaba's 2014 record. SK Hynix supplies the HBM memory inside Nvidia's AI accelerators, making this offering essentially a public bet that AI infrastructure spending has years of runway left. The Verge noted that legislators are already pushing the South Korean firm to build U.S. fabs as a condition of sustained market access.
China's state-owned space company successfully recovered its first orbital rocket booster after launch. Ars Technica reported that the recovery method differs from SpaceX's approach. The milestone closes a capability gap that was widely assumed to be years away and raises the stakes on the emerging strategic competition in reusable orbital launch.
The FCC moved against a cluster of companies suspected of being DJI fronts established to skirt the U.S. ban on DJI equipment. Brands like Xtra and Skyrover were apparently selling repackaged DJI drones under different names. The gray-market demand is clearly strong enough to have supported an entire industry of workarounds.
A Philips firmware update bricked an unknown number of Hue Bridge Pro devices, prompting free replacements. Philips is handling the logistics, but affected users still lose all saved lighting configurations. It is a straightforward reminder that smart-home devices with auto-update infrastructure can fail in ways dumb devices cannot.
The Apple-OpenAI lawsuit and the ransomware negotiator conviction are the two stories with the most durable tail — one reshaping how AI companies recruit from hardware incumbents, the other extending criminal liability into the supposed defender class.
Also yesterday
- Injective Labs npm SDK Hijacked to Steal Crypto Wallet Keys
- WP-SHELLSTORM Is Actively Backdooring WordPress Sites at Scale
- Hackers Actively Exploiting Critical Auth Bypass in Gitea Docker Image
- New U-Boot flaws could enable stealthy firmware attacks
- Ryuk ransomware member pleads guilty in the US, faces 15 years in prison
- Ransomware negotiator hired to represent victims was working for the attackers
- US cyber agency CISA had to build its incident playbook during the incident, agency reveals
- Friday Squid Blogging: “Squidbleed” Vulnerability
- Apple sues OpenAI over alleged trade secret theft
- Apple sues OpenAI for allegedly stealing hardware secrets
- Exclusive: Elon Musk Tells Tesla Staff to Move to Using Grok
- Meta turns off the Instagram feature that let users make AI deepfakes of public accounts
- GPT-5.6 Sol Ultra produces proof of the Cycle Double Cover Conjecture [pdf]
- SK Hynix raises $26.5B in the biggest foreign IPO in US history, is urged to build new US fabs
- Nvidia’s biggest RAM supplier just had a trillion-dollar debut on Wall Street
- China is catching up to Elon Musk’s reusable rockets
- China recovered its first reusable rocket and showed a new way to do it
- The FCC is cracking down on DJI tech that dodged the foreign drone ban
- Firmware update bricks Hue Bridge Pro devices; Philips gives free replacements
Synthesized by Claude · sanity-checked before publish.