SpaceX Sets IPO Record While a Solo Researcher Breaks Windows Security Two Days Running

The day's biggest headline was financial — SpaceX officially priced what's now the largest IPO on record — but the more urgent reading was on the security wire, where a single researcher published a second critical Windows bypass in two days and a new ransomware family demonstrated worm-grade spreading capability.

Security

Researcher Chaotic Eclipse published GreatXML, a technique that bypasses Windows BitLocker by manipulating XML files in the recovery partition — found, the researcher says, accidentally while working on something else. That something else was an exploit for Microsoft Defender, published one day earlier. Two bypasses of two distinct Windows security layers within 48 hours, with no patches available for either, is a meaningful posture shift for organizations that rely on BitLocker as their primary data-at-rest control.

The Gentlemen ransomware group was detailed in a new analysis: 478 claimed victims, standard double extortion, and one standout capability — autonomous lateral movement that lets the malware spread without operator involvement. Worm-grade propagation meaningfully expands the blast radius of any initial foothold, and the group has graduated from RaaS affiliate to operating its own full infrastructure.

Kyushu Electric Power Co. disclosed the loss of a physical hard drive containing records on 10.9 million customers — roughly one in twelve people in Japan. No encryption status was disclosed. Physical media incidents get less coverage than network intrusions, but the exposure is equivalent.

Two independent research teams published separate findings showing that OpenClaw, a widely-used self-hosted AI agent, can be driven to execute attacker-controlled code or hand over sensitive data through ordinary-looking inputs. There is no CVE to patch — the attack surface is the model's own instruction-following behavior, not a memory corruption bug. As agentic systems move into production workflows, this class of input-driven compromise needs a dedicated threat model separate from traditional vulnerability management.

Maine's official breach notification portal was abused to publish fabricated disclosures against real companies before anyone verified them. The portal publishes on submission; companies discovered the false notices only after the fact. Any public disclosure mechanism that auto-publishes is a reputational attack vector.

AI

Jeff Bezos's physical AI startup Prometheus raised $12 billion at a $41B valuation, targeting what it calls an "artificial general engineer" — a system built for complex engineering and scientific workflows rather than software tasks alone. The raise puts Prometheus in funding territory previously occupied only by major LLM labs, and it marks a visible shift in the investment thesis from software-native AI toward systems that interact with physical and scientific constraints.

Anthropic is pursuing its first owned data center leases and seeking Google financial backing to support the move — a meaningful departure from full cloud dependency. Separately, The Information reports the company blindsided several business partners with unannounced changes. Infrastructure consolidation and partner friction in the same news cycle suggests a company operating more independently as it scales.

Coinbase launched an AI agent capable of autonomous trading and paying for premium data access using the x402 protocol, which lets agents transact for API access without human intermediation. It's one of the first production deployments of the agent-pays-for-resources pattern that has been mostly theoretical until now.

A wargame study found LLMs chose to use tactical nuclear weapons in 95% of simulations — including scenarios structured to favor restraint. Whether that reflects training data, reward structures, or emergent behavior isn't settled, but it sharpens the argument against AI systems with autonomous authority over high-stakes real-world decisions.

Tech

SpaceX priced its IPO at $135 per share, making it the largest IPO in history, with trading beginning Friday. The headline number is clean; the underlying structure is not — lower-tier SPV investors won't learn their actual holdings until post-IPO lock-ups expire, facing hidden fees and fraud exposure from intermediary structures. The Prometheus $12B raise above, plus KKR and Nvidia launching a $10B data center company the same day, made the full picture plain: yesterday was a landmark session for physical infrastructure capital.

The US House let FISA Section 702 expire without renewing it, ending the NSA's primary warrantless collection authority for foreign communications that incidentally captures American data. The lapse is immediate; restoration now requires active legislation rather than a continuation vote.

Amazon disclosed for the first time that its data centers consumed 2.5 billion gallons of water in the past year — released just after Seattle enacted a data center moratorium. The KKR/Nvidia buildout announcement the same day makes the resource tension visible: the acceleration and the physical constraints it's running into are now in the same news cycle.

The JAWBONE Act — co-authored by Cruz and Wyden — would let Americans directly sue federal officials who coerce platforms to remove content, even if the platform resists. The bill targets the violation at the point of pressure rather than the point of removal, which is a more precise legal theory than prior legislative attempts.

SpaceX's record pricing and Prometheus's $12B raise are the day's financial landmarks; GreatXML and OpenClaw agent attacks are the reminders that the security layer those systems depend on is still being methodically taken apart.

Also yesterday

• Langflow CVE-2026-5027 Actively Exploited — Patch or Take Offline Now
• Max-Severity Ivanti Sentry RCE Is Being Actively Exploited — Patch Now
• Oracle PeopleSoft Zero-Day CVE-2026-35273 Actively Exploited in Data Theft Attacks