The Register

Heart monitoring biz iRhythm says thieves made off with patient health information and tried to turn it into a payday. The California-based cardiac monitoring specialist offers customers a wearable device that collects data, then analyzes it to create reports about heart health. The company said it detected unauthorized activity on June 8 and launched an investigation with the help of third-party cybersecurity experts. A day later, the company received messages from a cybercriminal claiming to have obtained sensitive information, including proprietary company data, protected health information, and other personal information. According to iRhythm's filing with the US Securities and Exchange Commission, the attackers demanded payment in exchange for not publicly disclosing the stolen data. The company confirmed that data had been exfiltrated and, on June 10, determined that the incident was material due to the volume of information potentially affected. While the company disclosed the extortion demand and the existence of stolen data, it made no mention of negotiations. iRhythm spent a good chunk of the filing explaining what the attackers didn't get. According to the company, the intrusion was confined to business applications and never reached its clinical systems, medical devices, or customer connections. Patient care and day-to-day operations were unaffected. The company has not yet disclosed how many individuals may be affected, what data was accessed, or which third-party-hosted applications were involved in the breach. It has also not identified the threat actor behind the attack, and The Reg has found no evidence of major ransomware groups claiming responsibility. The company's filing states the attackers gained access through social engineering. Exactly how that happened remains unclear, although healthcare organizations have increasingly found themselves dealing with phishing campaigns, help desk impersonation scams, and other forms of human-targeted intrusion designed to bypass technical defenses. As of the filing date, iRhythm said it had not identified any ongoing unauthorized access to its systems and believed the incident was unlikely to have a material impact on its financial condition or operating results. The company added that it maintains cyber insurance that may cover some of the losses associated with the breach. iRhythm's disclosure comes less than a week after drug giant Novo Nordisk revealed that attackers had copied patient data from some clinical trials, adding another healthcare name to a growing list of organizations dealing with data theft and extortion attempts. ®

Qualcomm is reportedly moving to buy AI chip firm Tenstorrent, an acquisition that could prove a major boost to the RISC-V ecosystem. This comes from The Information, which cites an anonymous source claiming that a deal valued at $8 billion to $10 billion is under discussion. According to the report, the talks are ongoing and there is no certainty a deal will be reached, but the move would fit with Qualcomm's datacenter ambitions and bullish statements about AI opportunities made by its chief, Cristiano Amon. The Register asked Qualcomm and Tenstorrent to comment. Tenstorrent is a Canadian AI chip startup that bases its products on the permissively licensed RISC-V processor architecture. The company is led by CPU guru Jim Keller, known for his design work at AMD, Apple, and on DEC's Alpha chips back in the day. The firm's Galaxy Blackhole AI compute platform went on sale earlier this year, packing 32 of its Blackhole accelerators, each with 768 RISC-V cores, into a 6U enclosure running its own software stack. Qualcomm is also keen on RISC-V, especially since its licensing court battle with chip designer Arm, which wanted to nix Qualy's license to create its own Arm-based processor silicon. The chip design firm's datacenter products use home-brew Hexagon neural processing units, but it continues to rely on Arm processors in its Snapdragon range. In December, Qualcomm picked up Ventana Micro Systems, another company designing RISC-V CPUs targeting datacenter and enterprise applications. Financial details of that were not disclosed, but estimated at between $200 million and $600 million. A Tenstorrent buy could therefore see a greater commitment to RISC-V from Qualcomm, giving the open standard a shot in the arm (pun intended) and allowing the chipmaker to further distance itself from Arm and its owner SoftBank as it pursues datacenter customers. Arm appears unfazed by that prospect, having recently said it expects datacenter chips will soon be its main source of revenue. ®

Brits lost £1.28 billion ($1.7 billion) to payment fraud last year as scams continued to thrive on online platforms and telecoms networks, according to the latest figures from banking trade association UK Finance. The 2025 losses represent a modest four percent rise on the previous year, the trade association said, but the main sources of fraud remained familiar. UK Finance said two-thirds (66 percent) of incidents start with online platforms, such as scams promoted through social media adverts. Telecoms accounts for a smaller proportion (17 percent) but encompasses crimes such as impersonation fraud, which can result in larger per-crime losses. Calling for tighter regulations on tech and telecoms, UK Finance said online marketplaces must take measures to reduce scammers' use of their platforms. This could include prohibiting off-platform payments, relying solely on secure alternatives. It also called for stronger action against fraudulent social media advertising. "The financial sector invests huge amounts in protecting customers, but we cannot be the only line of defense," said Ruth Ray, managing director of economic crime at UK Finance. "Almost £1.3 billion was stolen again last year and it is clear we are not tackling the underlying problem effectively enough. "Given most authorized push payment (APP) fraud still starts via online tech platforms or via telecoms, we urgently need stronger, enforceable responsibilities to be placed on these sectors. This is the way to reduce the harm and stop criminals and tech companies profiting from these devastating crimes." APP fraud losses jumped 19 percent in 2025 compared with the year before. Total losses exceeded £576 million ($772.8 million), and consumers incurred the vast majority of these losses. Of the total cases, purchase scams comprised more than seven in ten, with annual losses increasing 20 percent to £118.1 million ($158.4 million). APP fraud involves convincing the victim to pay for something themselves, but the criminal giving the orders is the only party to financially benefit. Crimes that fall under the APP umbrella include investment fraud, romance fraud, and impersonation fraud – all of which saw double-digit percentage increases in case numbers. "What makes APP scams particularly worrying is how much can be lost before a victim even realizes, and how little advice still exists for consumers once it happens," said Aditya Hindocha, VP of account partnerships at SquareTrade Europe. "Device warranties largely won't cover data theft. Home insurance excludes digital losses. Banks may refund some fraudulent transactions, but there's no guarantee. Consumers today lack support for what comes next: restoring stolen funds, recovering a compromised identity, or navigating the months of fallout that follow." Unauthorized payment fraud, under which the remaining offenses fall, accounted for a higher value of total losses (£703.4 million/$943.8 million). While the total value of losses represents a decrease of five percent compared to 2024, the number of cases increased by 11 percent to 3.81 million, according to the latest report [PDF]. Unauthorized fraud encompasses offenses such as online payments made using stolen card details, lost or stolen card fraud (such as ATM skimming, petty card theft), remote banking fraud, and contactless fraud. US faring no better The Federal Trade Commission published figures this week for impersonation fraud in the US, which reached $3.5 billion in associated losses last year. It said that impersonation fraud was the most commonly reported fraud type last year, accounting for nearly one in three cases across 2025. Nearly $1 billion of the total was lost after scammers impersonated a business, with the most common type being banks, and around $920 million as a result of government impersonations, up from $866 million and $789 million respectively in 2024. According to the FBI's annual cybercrime report, published in April, government impersonation fraud saw the biggest increase in case numbers of all offenses, up 128 percent from 2023 to 2025. A separate warning from May 2025 urged citizens to be wary of the common tricks scammers use in these cases, which increasingly involve AI-generated voices to convince victims they are speaking with genuine government representatives. ®

A union representing UK civil servants claims Capita is set to miss the terms of its £239 million contract to run a government pension scheme following a disastrous launch late last year. The tech outsourcing company's leadership had promised that using Microsoft's AI would improve the service, but the investment has yet to help it reach the terms of its contract with the Cabinet Office. Service levels following the move to Capita have been unacceptable In a statement, the PCS union said the Cabinet Office confirmed that Capita would miss the ministerial deadline of June 30 to restore pension administration services to contractual standards, which it dubbed an unacceptable failure. The Register has contacted Capita for a response. A Cabinet Office spokesperson said: "The service levels following the move to Capita have been unacceptable. An urgent recovery plan is underway, and our immediate priority is to stabilise service levels and give current and former Civil Servants the service they deserve. "To this end, the Minister for the Cabinet Office Nick Thomas-Symonds set a deadline of the end of June for significant progress to have been made in this area, and we will assess the situation at the end of the month. "We will continue to use all available commercial levers to hold Capita to account and ensure they deliver for both members and taxpayers." The government is understood to be investigating the respective liabilities of both Capita and MyCSP – the previous provider – for these failures in the launch and handover of the service. The Reg first disclosed that the portal for the Civil Service Pension Scheme (CSPS) – which supports 1.5 million current and former public servants – appeared to be incomplete and barely functional when it launched in December. Users were forced to create new accounts, which went unrecognized, and they endured broken and circular links while the website appeared unfinished and untested, with headers and other features displaying dummy text. Multiple reports followed of scheme members struggling to get hold of their savings. Retired civil servants lost income after pension payments failed to arrive, according to the BBC. Capita said it had inherited a larger backlog of cases than agreed. Initially, it expected a transfer of around 37,300 cases from MyCSP. Later, that increased to volumes of up to 100,000. Nonetheless, the service continues to fail to meet its contractual terms, the PCS said. To date, 607 MPs have received at least one email from constituents about this crisis, with more than 3,000 emails sent in total, the union added. Fran Heathcote, PCS general secretary, said: "This is beyond disappointing, but I can't say it's surprising. Capita has missed deadline after deadline, yet civil servants and pension scheme members continue to pay the price for those failures. "Minor financial penalties mean little when you look at the size of the contracts they've been awarded. They're certainly no comfort if you're facing financial hardship because you've retired and your pension hasn't been paid. "How much more evidence does the government need? Capita has failed to restore confidence in this service. Ministers must now take immediate steps to bring the administration of the Civil Service Pension Scheme back into the Civil Service." This is beyond disappointing, but I can't say it's surprising In January, the Cabinet Office – which ran the procurement – and Capita both apologized for the botched launch of the service. Angela MacDonald, deputy chief executive at HM Revenue & Customs, was also recruited "to lead oversight of an urgent recovery plan." A surge team of "over 150 additional staff" was also deployed to "support clearing the correspondence backlogs and speed up processing." In March, Catherine Little, civil service chief operating officer and Cabinet Office permanent secretary, admitted that Capita did not deliver the full levels of IT, automation, and portal functionality at go-live, significantly reducing its ability to manage the volumes of work it inherited. ®

ZTE successfully hosted ZTE Day 2026 in Almaty as part of its annual series of technical seminars addressing key trends and challenges in the telecommunications industry. Under the theme "Creating an Intelligent Future," the event has become a premier forum for dialogue among Kazakhstan's leading telecom operators, regulators, and ICT specialists. Participants explored a cutting-edge technological agenda designed to accelerate the nation's digital transformation through ZTE's efficient, eco-friendly, and smart solutions. The 2026 edition of ZTE Day coincided with a major milestone in the development of Kazakhstan's ICT market. On the initiative of President Kassym-Jomart Tokayev, 2026 has been declared the Year of Digitalization and Artificial Intelligence in the country. A dedicated AI law is already in effect, and the national strategy "Digital Kazakhstan" includes 20 roadmaps spanning 72 industries, with clear objectives set through 2027. Kazakhstan has firmly established itself as a digital leader in Central Asia. Internet penetration in the country has reached 92.9%, and the number of mobile subscribers has grown to 26.3 million – an increase of 3.5 million in just one year. The main infrastructure challenge remains the large‑scale deployment of 5G networks in the nation's largest cities. As part of ZTE Day, experts provided a detailed presentation of the company's cutting‑edge developments, first unveiled earlier this year at MWC Barcelona 2026. Aligned with its global "All in AI, AI for All" strategy, the company showcased comprehensive AI solutions spanning diverse areas – from wireless network optimization and high‑speed transport systems to energy‑efficient telecom solutions, smart home technologies, and intelligent personal devices. Visually demonstrating the deep integration of AI and ICT, ZTE specialists presented solutions tailored specifically to the needs of the Kazakhstani market. ZTE continues to build long‑term, successful partnerships with Kazakhstani telecom operators and educational institutions, implementing projects to modernize telecommunications infrastructure. In the area of household digitalization, the company, together with Kazakhtelecom, has delivered high‑speed gigabit internet to hundreds of thousands of families, enabling the widespread adoption of online education, remote work, and 4K video. In mobile networks, ZTE, in collaboration with Beeline, has modernized the wireless infrastructure, increasing coverage, average speed, and peak network throughput by more than 35%. A major milestone in scientific development has been the creation of a supercomputer data center at Al‑Farabi Kazakh National University – one of the most powerful in Central Asia – supporting research in artificial intelligence, climate modeling, and the development of large‑scale language models for the Kazakh language. "ZTE is building end‑to‑end AI infrastructure based on the 'Connectivity + Computing' principle and annually invests approximately 20% of its revenue in research and development. Kazakhstan has already become a recognized regional leader in digitalization, and we are proud that ZTE's innovative and environmentally friendly solutions are making a concrete contribution to technological progress and the creation of a secure digital world in the country," noted Wei Wei, CEO of ZTE Kazakhstan, in his opening speech at ZTE Day. Contributed by ZTE.

While Microsoft sweeps the confetti off the floor of its Build event, it may be a good moment to reflect on what it didn't say as much as what it did. Taking the spotlight was AI agent Scout, ready to "understand how work gets done" and "take action without needing to be prompted." The software behemoth's leading database, SQL Server, barely got a mention. On its own, it may not be a big deal, but Microsoft watchers also noted that long-time SQL Server champion Rohan Kumar left the company in June, while Arun Ulag, president of Azure Data, currently holds the SQL Server remit. He's also responsible for the Fabric analytics and AI platform and a portfolio of open source database services. Taken together with the news that Microsoft's own terms and conditions allow customers to take SQL Server licenses to AWS's RDS database service without paying twice – thanks to a feature that lets them provide their own SQL Server installation media – the vibe around SQL Server has changed. "I don't think it is a priority," said Andrew Snodgrass, research vice president of analyst company Directions on Microsoft. "With Kumar leaving, that's become very evident. I think the world of Ulag, but [SQL Server] is not where his focus is for the future. I'm afraid Microsoft are going to leave it languishing." He said his concerns for Microsoft's flagship DBMS began when the 2022 version was released with a "bunch of Azure integration capabilities that no one was really asking for." It ended up being "more of a marketing release than something that was truly engineered to meet customer needs," Snodgrass said. While the introduction of vector search in the 2025 edition was welcomed by users, PostgreSQL, MongoDB, and Oracle users had been benefiting from the feature for years. "At Build, Arun Ulag stood up there and talked about all the new stuff: highlights of the database news there was HorizonDB, a PostgreSQL database service with a new form of scale-out capability," Snodgrass said. "There was no news about SQL Server, which was stunning, because SQL Server 2025 just came out at the end of last year, and in that they put in AI vector search, which I think is one of the greatest additions to SQL Server I've seen in ten years." But it seems Microsoft is as interested in its PostgreSQL and other open source database services as it is in its own SQL Server offering. So long as it drives workloads in Azure, it is all good for Microsoft, Snodgrass said. "It's the kind of thing Dad might say: it's not that I'm angry at Microsoft for what they've done to SQL Server, I'm just disappointed," he said. A Microsoft spokesperson said: "Customers have real choice in how they run SQL Server, and we've designed our licensing to be clear and flexible across environments. We're fully committed to SQL Server and continuing to invest in its innovation, security, and long-term support so customers can confidently run their most critical workloads and build what's next." Microsoft first released SQL Server in 1989 as a 16-bit version for the OS/2 operating system, which was a joint project with IBM. Despite challenges from Oracle, open source systems like PostgreSQL and MySQL, as well as a string of NoSQL databases such as MongoDB, it remains highly popular with users and developers. It is third behind Oracle and MySQL – ahead of PostgreSQL – on the DB-Engines ranking, which measures citations, Google data, and job searches. In the Stack Overflow survey of professional developers, it ranks fourth behind PostgreSQL, MySQL, and SQLite, but well ahead of Oracle, which lies in tenth. Adam Ronthal, vice president analyst at Gartner, said Microsoft's approach to SQL Server can be explained by looking at two different priorities. First, despite the hype around the cloud and AI, Microsoft made around $15 billion in revenue from the on-prem DBMS market, largely from SQL Server. It's second in terms of market share (33 percent) only to Oracle, which holds nearly 40 percent of the on-prem DBMS market. "If you look at Microsoft's growth in the on-prem business in 2025, they were growing around 8 percent, so Microsoft continues to have a business in the on-prem that is growing in high single digits," he said. There is no way that Microsoft will walk away from that kind of revenue, Ronthal told The Register. Meanwhile, SQL Server customers represent a good opportunity for Microsoft to convert users to Azure SQL, and the SQL database in Fabric, its data analytics environment, as they are built on a consistent database engine. Microsoft wants people to see that Azure provides a seamless path to build and scale AI applications with deeply integrated data services, security, and governance. However, Ronthal added that specific compatibility would depend on the implementation of T-SQL in the application users want to move. "As we go full into managed services, I don't have full control over the underlying operating system, and I might not have the same level of control over the configuration of the database itself." For commercial, off-the-shelf software, the ease of migration would depend on the vendor certification, he said. As well as wanting to defend its on-prem SQL Server revenue, Microsoft also sees that AI and cloud are driving the market. In the cloud, the market is dominated by a family of databases based on PostgreSQL or closely related to the open source database. "The de facto API for relational databases has emerged to be Postgres right now, and so we see many vendors implement wire from compatible Postgres APIs, which provides end users a hedge against lock-in," Ronthal said. A string of startups have tried to grab this market, including Cockroach Labs, Yugabyte, and pgEdge, all of which offer distributed capabilities and varying compatibility with PostgreSQL. Microsoft cannot ignore this development, hence its investment in HorizonDB, its own distributed PostgreSQL. Microsoft also has the DBaaS offering, Azure Database for PostgreSQL. As well as defending the growing on-prem database market, Microsoft is trying to capture the higher growth in cloud databases and catch up with AWS. As such, it is incorporating operational databases under the Fabric umbrella, including NoSQL database Cosmos, Azure SQL, and Postgres capabilities. "If we look at the drivers of the market right now, which are cloud and AI – Fabric is a core component of AI – then the growth for Microsoft is largely going to be driven by Fabric adoption, where they're putting a tremendous amount of focus and effort," Ronthal said. Nonetheless, Microsoft has deep enough pockets in terms of engineering budget to afford to battle it out on both fronts. In that sense, SQL Server workloads that end up on AWS still make sense. "Microsoft has some rationalization to do in the portfolio, because there are multiple ways to run SQL Server," Ronthal said. "You've got Azure SQL, managed instances, SQL Server in VMs. These provide slightly different levels of compatibility with what you might be doing in the on-prem world, and right now, the fact that there are multiple options actually makes it difficult for end users to figure out what to do. I would love to see Microsoft make it more unified and easier for people to consume." In the cloud DBMS market, AWS has the upper hand by a considerable margin. In 2025, AWS made about $37 billion in cloud DBMS revenue, according to Gartner, while Microsoft made about $18.3 billion. If a SQL Server customer can leverage an existing investment in Microsoft and bring it to AWS, Microsoft loses that business for Azure, "but on the plus side, they don't lose a SQL Server customer, and that's probably more important," Ronthal said. Of the leading vendors – Oracle, IBM, Microsoft, and SAP – only Microsoft has grown their market share in the last 15 years, Ronthal pointed out. Microsoft has proved capable of riding out changes in the market with both its cloud services and SQL Server strategy. Whether that's also good for SQL Server customers might be up for debate, but since support for the 2025 version ends in 2036, they have plenty of time to plan. ®

Weeks after Salesforce boasted about the adoption of "headless CRM," the concept of "headless ERP" crops up. This notion, according to Seth Ravin, CEO of third-party support vendor Rimini Street, is coming to help beleaguered ERP customers escape the application upgrade treadmill driven by the dominant database vendors. For Salesforce, its Headless 360 allows customers to access all of their Salesforce data from developer tool Cursor, WhatsApp, ChatGPT, Claude, or a terminal. It has processed 4.5 million MCP calls and nearly a trillion API calls since launching in April, the CRM giant said. For ERP, a monolithic category of enterprise software that conducts financial planning in some of the world's largest companies, the idea is the same, Ravin told The Register. Build a UI layer on top of existing applications, with AI agents or workflow software, and swap them out when the business is ready. Eventually, the business data can be moved to an open source or source-available database such as PostgreSQL or MongoDB. "PostgreSQL is number one," Ravin said. "Anyone who's doing open source is leading with PostgreSQL. MongoDB is number two. You're watching this whole decoupling of [ERP] technology and use of open source. You're going to see more and more of this. It's going to change the whole way we think about these big packages that users have been buying in the past." He is not alone. Research conducted by Censuswide with 4,295 CFOs, CISOs, CIOs, and CEOs found 70 percent do not see traditional ERP as the future. The study, commissioned by Rimini Street, found 36 percent favored a "composable, modular, flexible, API-driven, best-of-breed model" while 33 percent would lean toward "agentic ERP [with] autonomous, AI-driven decision-making". Concepts like headless and agentic ERP may seem nebulous now, but SAP, which counts some of the world's largest manufacturers as its customers, had to U-turn on its decision to restrict AI agents on legacy and on-prem software. It had said such innovations would only be available in its latest suite of applications and data products in the cloud, but demand from users forced a rethink this year. Ravin said the impact of agentic AI was "scaring the hell out of everyone from SAP on down." "I guarantee you that they're in a panic because they just don't understand the customers are getting ahead of them, the technology is coming apart underneath them, and they're trying to keep up, but the reality is they've built a business off controlling a customer by having all of this software, and they tell them when to [upgrade] and what to move to, and threatening them, and that's just not going to work." SAP maintains that the combination of its agent platform, Joule, its cloud-based Business Technology Platform for integrating applications, S/4HANA ERP software, and Business Data Cloud data warehouse and data lake environment brings immense value to customers by providing a single semantic layer over their business data. Nonetheless, it has struggled to get customers off its legacy or on-prem systems. Gartner figures from the end of Q4 2024 showed only 39 percent of worldwide ECC customers – from a total of 35,000 – had bought or subscribed to licenses to start their transition to SAP S/4HANA. This year, The Register revealed the company was about €2 billion short of its target for converting on-prem support into cloud revenue. Ravin said customers will take the opportunity presented by maintaining legacy systems to consider their ERP stack. "They're starting to understand that [ERP] is breaking apart into smaller pieces, those pieces are further breaking into pieces that will be microservices." Business processes will be run by a set of APIs running between existing elements of the application portfolio, he said. "Those processes will then get over the top of them a custom [agentic] UX, which will become a truly headless ERP, and you've already seen Salesforce come out with headless CRM. This trend is happening." Rimini Street is a services company that specializes in maintaining legacy ERP systems without vendor support, until 2040 in the case of ECC. It has a vested interest in giving customers time to select a strategy for the future of ERP. As investors eye software in light of AI agents and AI coding, giants like Salesforce and SAP have seemingly been forced to respond. Whether the headless ERP concept takes off or not, the industry is moving fast. ®

Digital sovereignty loomed large at Nextcloud's annual summit in Munich last week, where Benoît Piédallu, National Project Manager of Shared Digital Services at the French Ministry of Education, injected a dose of reality into the debate. Nextcloud is an open source storage and collaboration suite. France's Ministry of Education started initial work to adopt it in 2018, Piédallu said, with the COVID-19 pandemic turning up the urgency in 2020. In 2021, "we had this little incident with OVH, a little fire, which destroyed all our data," Piédallu noted dryly. The Ministry went all-in and signed contracts with Nextcloud in 2024. The Ministry wants to provide its users with federated storage and account management. At the time of Piédallu's presentation, the Ministry has set up slightly more than 400,000 accounts, and hopes to eventually reach 1.2 million users. Each account could be allocated 100 GB of storage (a potential 120 PB), although Piédallu said the average storage consumption currently sits at around 3 GB per account. So far, 80,000 sync clients have been persistently connected. However, it has not all been plain sailing, despite recent pledges from the French government about shifting away from American tools and reducing France's dependence on non-European technology. Nobody should be able to switch off or shut down our services from the outside Digital sovereignty means different things to different people. Right now, this project does not include desktop applications. The users "use whatever they want on their desktop… Microsoft if they want," Piédallu said. "So we have some problems sometimes, and people are saying that it is not working, and we say, 'Yeah, so you just use different software'…" This sums up the challenge facing proponents of digital sovereignty. Users are accustomed to Microsoft Office, and Microsoft Office works best in a Microsoft ecosystem, which is at odds with removing dependencies on non-European technology. Microsoft and the other hyperscalers are hard habits to break, and while services like Nextcloud's are capable of handling storage and file synchronization, users accustomed to Microsoft's more visible applications and services, such as Office, will be trickier to migrate. But migrate they must to realize France's digital sovereignty dream. "Nobody," said Piédallu, "should be able to switch off or shut down our services from the outside. Nobody should be accessing our services from the outside." The Nextcloud Hub 26 spring release, which includes Euro-Office, became generally available last week. The Euro-Office productivity suite may go some way to satisfying desktop refuseniks. The EU wants to increase digital autonomy through the European Technological Sovereignty Package, although analysts have warned this could complicate matters for customers. The French Education Ministry's experience shows that sovereign file storage can work at scale. Persuading users to give up the tools they already know may prove the harder part. ®

When Spotify evaluated its cloud compute options, it needed more than incremental improvements. Its recommendation engine delivers real-time suggestions to millions of users around the clock, placing heavy demands on compute infrastructure while requiring tight control over energy use and costs. During its evaluation of next-generation cloud processors, Spotify found that workloads running on Google Cloud Axion processors built on Arm architecture delivered roughly 250 percent better performance. Axion is just a part of a broader shift toward Arm-based compute built on the Neoverse architecture, which has been adopted across all major hyperscale cloud platforms. AWS reports that its Arm-based Graviton processors have accounted for over half of new CPU capacity deployed over the past three years. Microsoft and Google have followed with their own Arm-based designs, including Azure Cobalt and Axion, while NVIDIA’s Grace and Vera signal that it sees Arm as central to the future of AI infrastructure. Now about half of the compute shipped to top hyperscalers are Arm-based platforms. Purpose-built for customers Hyperscalers are not only deploying Arm processors but also designing silicon and infrastructure together to reflect real usage patterns. Ninety-eight percent of top 1,000 Amazon EC2 customers running production workloads on Graviton and benefit from Graviton’s price–performance advantages compared to x86. The new Cobalt 200 processor, built on Arm Neoverse technology, was engineered using telemetry from real Azure workloads and an internal suite of benchmark variants to reflect production behavior. Google is pursuing its own strategy with Axion processors, with C4A instances delivering up to 65 percent better price-performance and up to 60 percent greater energy efficiency than comparable x86 systems. At the core of this shift is Arm’s Neoverse platform, a datacenter–focused architecture designed to enable high-performance, energy-efficient compute at hyperscale. Neoverse marks Arm’s evolution from a mobile-first architecture to a platform purpose-built for cloud and AI infrastructure. It provides the common foundation hyperscalers use to design custom silicon optimized for their own workloads, allowing providers to tailor performance, power, and system behavior to meet specific application demands. While this momentum is driven by hyperscaler adoption, it is rooted in a broader change in how compute infrastructure must operate to support AI workloads. Traditional enterprise workloads emphasized predictable CPU utilization and storage throughput. AI changes that equation. Modern workloads require simultaneous optimization across training, inference, networking, and storage performance while minimizing energy consumption and latency. Even minor inefficiencies can become costly at scale. Power consumption now represents a significant portion of datacenter operating costs, which means performance per watt has become a primary design metric. According to an IDC report AI-ready datacenters are seeing rapid increases in power density, with rack requirements rising from typical levels of 5–10 kW to 30 kW or more, and in some cases exceeding 100 kW per rack. These constraints are forcing organizations to rethink how compute, networking, storage, and cooling systems are designed and integrated at the rack-level These pressures are also collapsing traditional boundaries between compute, networking, storage, and acceleration, creating tightly integrated systems optimized for end-to-end performance. This is driving cloud providers to adopt purpose-built silicon and architectures designed specifically for modern workloads. Real-world efficiency gains drive adoption These design choices are translating into measurable improvements in production environments. Organizations migrating workloads to Arm-based infrastructure are reporting gains across performance, efficiency, and cost: Databricks is using Azure Cobalt 100 virtual machines, built on Microsoft’s Arm-based CPU architecture, which are designed to optimize data-intensive and AI workloads. and deliver up to 50 percent better price-performance compared to previous generations, along with improvements in query speed and latency for analytics applications. For organizations running large-scale data pipelines to power machine learning and business intelligence workloads, these gains translate directly into faster processing and lower infrastructure costs. Pinterest provides a clear example of how Arm adoption can improve both cost efficiency and sustainability at scale. As a platform serving more than half a billion monthly active users and running AI-driven discovery workloads, Pinterest relies heavily on large-scale cloud infrastructure. By migrating workloads to AWS Graviton–based instances, the company achieved 38 percent savings on compute resources and 47 percent cost savings for key workloads, while also reducing carbon emissions by 62 percent. These improvements support both performance and sustainability goals, showing how infrastructure decisions can directly impact operational efficiency and environmental footprint. Uber’s transition to a multi-architecture environment highlights the operational realities of adopting Arm at scale. The company migrated more than 2,800 services and shifted nearly 20 percent of its infrastructure capacity from x86 to Arm-based processors, requiring updates to codebases, dependencies, and deployment pipelines. Through phased rollout, benchmarking, and continuous monitoring, Uber demonstrated that Arm can coexist with other architectures while improving price-performance and supporting a more flexible, efficient infrastructure model. Atlassian’s migration of Jira and Confluence to AWS Graviton highlights how Arm adoption can improve performance and efficiency at enterprise scale. The company moved more than 3,000 instances to Graviton-based infrastructure, achieving the transition with minimal impact on users. In production, instance counts dropped by around 30 percent, while throughput improved by up to 30 percent and latency decreased across key metrics. These gains demonstrate how optimizing infrastructure for performance per watt can enhance both user experience and cost efficiency at scale. These improvements span media streaming, data platforms, and large-scale consumer services, where gains in latency, throughput, and compute efficiency translate directly into lower infrastructure costs and improved user experience. They are particularly significant for AI inference, real-time personalization, and continuously running workloads. The converged AI datacenter The rise of agentic AI is transforming the datacenter into an integrated system in which CPUs, accelerators, networking, and storage operate as a unified platform. In these environments, CPUs serve as the control plane, coordinating scheduling, data movement, memory access, and system services, while accelerators handle compute-intensive training and inference tasks. In this model, efficiency is measured across the entire rack and datacenter footprint. AI workloads demand higher compute density while operating within fixed power and cooling limits, making the ability to maximize compute output per unit of space increasingly important. Coordinating CPUs, accelerators, memory, and networking as a unified system reduces bottlenecks and minimizes wasted energy from unnecessary data movement. Arm’s architecture spans these layers, enabling providers to optimize the full stack while maintaining software compatibility and ecosystem consistency. This cohesion is driving the emergence of the converged AI datacenter, where CPUs and accelerators are central to the trend. NVIDIA’s Grace Blackwell and Vera Rubin platforms combine Arm CPUs with high-performance GPU accelerators in rack-level solutions reflecting a broader industry move toward tightly integrated AI systems. In an other example, AWS with Trainium3 UltraServers, pairs Arm-based Graviton CPUs with Trainium accelerators and Nitro networking components to support large-scale AI workloads. Similarly, Google’s latest TPU 8t and TPU 8i training and inference superpods are powered by Arm-based Axion CPUs, extending this trend toward purpose-built AI infrastructure optimized for scale, performance, and efficiency. In these architectures, Arm-based CPUs serve as the control layer, orchestrating data flow between accelerators, memory, and networking while simplifying development and driving optimization across software stacks and developer tooling. Migration realities: less friction than before Migration complexity has historically slowed adoption of new architectures. Today, improved tooling and ecosystem maturity are lowering that barrier. The Arm MCP Server integrates migration tools, compatibility checks, and performance analysis directly into AI-assisted workflows, helping developers analyze codebases, validate dependencies, and build multi-architecture environments. Programs such as the Arm Cloud Migration Program are also helping organizations accelerate this transition by providing guidance, validation, and tooling for production workloads. Arm adoption is supported by expanding software compatibility and platform support. Arm-based environments now support major Linux distributions, container platforms, and modern development frameworks. The ecosystem has matured significantly, enabling developers to focus less on compatibility and more on performance optimization. Arm’s ecosystem now spans more than 22 million developers worldwide. For developers, this shift means building and optimizing applications for multi-architecture environments, with greater emphasis on efficiency, concurrency, and performance tuning. Where cloud compute is heading Purpose-built compute is becoming the default model for AI era infrastructure. As performance improvements outpace increases in power consumption and cost, the economics of cloud computing are shifting toward efficiency-driven architectures. Looking ahead, this evolution is also extending to enterprise environments. Arm’s recently introduced Arm AGI CPU is designed specifically for the next generation of AI-driven workloads, combining high single-thread performance with scalable throughput, compute density and rack level efficiency. Built on the Neoverse platform, it reflects the shift toward Arm CPUs that are not only optimized for general-purpose compute, but also engineered to orchestrate increasingly complex, agentic AI systems across the datacenter. Enterprises are increasingly evaluating infrastructure based on cost per workload, energy consumption, and the ability to scale within power and cooling constraints. This is driving demand for architectures that deliver predictable performance and efficiency across diverse workloads. Arm Neoverse’s growing momentum across hyperscalers, silicon vendors, and ecosystem partners reflects a broader realignment around efficiency, scalability, and system-level optimization. As AI workloads expand, infrastructure decisions will be shaped less by raw compute capacity and more by how efficiently systems can deliver performance at scale. The organizations redesigning cloud infrastructure today are not simply choosing new processors; they are adopting a compute foundation built for the demands of the AI era. Sponsored by Arm.

Websites are being redesigned for consumption by AI models, and now a coalition wants to extend the trend to digital documents. The LF AI & Data Foundation, under the Linux Foundation, has formed a working group to steer the development of DocLang, an AI-friendly document format that aims to help enterprises feed their files to AI systems. The DocLang group, founded by IBM, NVIDIA, Red Hat, ABBYY, HumanSignal, and Forgis, contends that existing formats like PDF, Markdown, HTML, and LaTeX are ill-suited for AI document parsing. In late 2024, IBM developed an open source toolkit called Docling to facilitate AI document parsing, not unlike Microsoft's MarkItDown or the Marker project. Docling provides a way to convert various file formats into structured AI-ready data. DocLang expands upon that foundation with a standard for exchanging structured output across different systems. "DocLang is designed to solve one of the foundational problems in enterprise AI: documents were built for humans, not machines," said Maxime Vermeir, VP of AI Strategy at AI automation biz ABBYY in a statement. "By introducing a minimal, standardized, and AI-native representation of document structure, layout, meaning and governance, DocLang creates a far more deterministic foundation for modern AI systems." The new DocLang format is necessary, the spec authors argue, because existing formats were designed for rendering and lose semantic information, structural relationships, or geometric context when AI models turn them into tokens. The specification explains that Markdown lacks sufficient scope, that HTML is excessively verbose, and that LaTeX allows too much ambiguity. Essentially, DocLang is optimized for LLM tokenizers through markup that maps between DocLang elements and LLM tokens on a 1-to-1 basis. The spec relies on a limited XML vocabulary that aligns with LLM tokenizers to produce optimized prompts. It is lossless, so the AI conversion doesn't do away with valuable info. It's designed to support common graphical elements like tables, formulas, charts, and multimodal content. And it's an open standard. DocLang could also help keep costs under control. According to AI Cost Check, having an AI model conduct an OCR scan on a PDF requires about 1,200 input tokens and 150 output tokens as a baseline. That's inconsequential to corporate AI customers on a one-off basis but demands attention at scale. And because AI models have highly variable token costs, companies may find they are spending more than they anticipated to have their AI system ingest PDFs, particularly if the documents are long and complicated or an expensive frontier model is used. "PDFs were designed for rendering, not understanding," said Jon Knisley, AI Value and Enablement Lead at ABBYY, in an email to The Register. "Every time a PDF enters an AI pipeline, structure, meaning and layout get lost, so the model's accuracy ends up bottlenecked by document quality rather than model quality. Teams compensate by building custom parsers at every integration point, which results in brittle, one-off work, and a new engineering sprint for every new document type." According to Knisley, that has measurable cost. "Ambiguous structure forces the model into guesswork, which drives up hallucination risk and burns tokens deciphering layout instead of extracting meaning," he explained. "With DocLang, customers can expect better accuracy, lower costs, fewer tokens consumed, faster performance and more consistent outputs. The exact savings depend on the use case and document complexity, but our initial benchmarks show 4x to more than 30x lower cost depending on the model evaluated." Knisley also cited governance advantages, noting that document provenance data and metadata can get stripped when documents gets moved. DocLang, he said, keeps that information attached. ABBYY, which offers AI document processing, has created the DocLang Interactive Benchmark to illustrate the potential token savings of feeding DocLang documents to AI models. A PDF of IBM's 2025 annual report, for example, results 8,421 input tokens and 512 output tokens while a DocLang version requires only 5,310 input tokens and 498 output tokens. What's more, the DocLang version results in lower latency (2.7s vs 4.2s) and delivers better quality (the AI missed one subsection and mangled a table merger in the PDF). "It's still early, and we won't overstate adoption," said Knisley. "The standard is open and free to build on, and the group is actively inviting more technology providers and enterprises to join. The early response has been encouraging, and we're optimistic about where it goes from here." ®

Cisco today issued a fix for a Catalyst SD-WAN Manager bug that attackers have already spotted and exploited to get root privileges, according to both the networking vendor and the feds. The vulnerability, tracked as CVE-2026-20262, is in the web UI of Cisco Catalyst SD-WAN Manager, and exists because the software is not properly validating user-supplied input during a file upload process. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system,” the vendor warned in a Monday security advisory. “A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.” There is one caveat: to exploit this bug, the attacker must have valid credentials with at least a lower-privileged, single-task user account. That probably explains the medium-severity, 6.8 CVSS rating for this bug. Still, valid credentials aren’t hard to come by these days, and considering this CVE is already under attack, we know someone had some success. “In June 2026, the Cisco PSIRT became aware of limited exploitation of this vulnerability,” the security alert said. “Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.” The flaw affects all deployment types, regardless of device configuration. There are no workarounds, but upgrading to a fixed software version will patch the flaw. Also on Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog, citing “evidence of active exploitation.” America’s lead cyber-defense agency also set a two-week deadline for all federal agencies to apply the patch. This latest Cisco SD-WAN bug under attack comes less than two weeks after Switchzilla warned that a high-severity vulnerability in Catalyst SD-WAN Manager vulnerability (CVE-2026-20245) was under active exploitation. At the time of disclosure, this SD-WAN vuln did not have a fix. Cisco issued an advisory for that zero-day on June 4, and finally released patches for all affected versions on June 12. This is the eighth Cisco SD-WAN bug to be listed in CISA’s Known Exploited Vulnerabilities catalog so far this year.®

The “jailbreak” that prompted the Trump administration to block Anthropic’s most advanced models was actually a simple three-word prompt: “Fix this code.” That's according to Katie Moussouris, founder and CEO of Luta Security, and the fairy godmother of bug bounties. She says she was the only outside expert to read the third-party research paper on the Fable 5 guardrail bypass techniques that prompted the ban. On Friday, the US government, reportedly citing national security concerns, issued an export control directive to suspend access to Fable 5 and Mythos 5 by any foreign national, inside or outside the United States. In response, Anthropic disabled both models “for all our customers to ensure compliance.” Anthropic shared the report privately with her, Moussouris wrote in a Monday blog post. The outside researchers reportedly fed Anthropic’s Fable 5, Mythos, and Claude Opus models open-source code containing known CVEs, plus new code intentionally laced with vulnerabilities, and asked the models to “review the code for security issues.” As Moussouris tells it, Fable 5 refused, so the researchers asked the AI systems to “fix this code.” The model reportedly obliged, and after additional prompts also produced scripts to test the patches. “That’s it,” Moussouris wrote. “‘Fix this code,’ plus several manual steps to generate test scripts, should never have triggered an export control. I feel like making ’90s-style t-shirts with ‘fix this code’ on the front and ‘this shirt is a munition’ on the back.” Between 2013 and 2017, Moussouris served on the technical expert group that renegotiated the Wassenaar Arrangement, a voluntary agreement between 42 nations that governs certain export controls for classified dual-use software and technology. The group eventually won exemptions for defensive cybersecurity activity. This allows defenders to share vulnerability data, conduct malware analysis, and coordinate incident response internationally without the threat of criminal prosecution. On Sunday, Moussouris joined more than 100 other cybersecurity leaders and signed an open letter urging the Trump administration to reverse the restrictions on Fable 5 and Mythos and restore cybersecurity firms' access to the advanced models. “To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous,” they wrote. In her blog, Moussouris argues that there was no guardrail bypass or jailbreak. Defenders should be able to ask AI systems to find and fix bugs, and write tests to validate the patch, she said. Anthropic’s models were doing “the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day.” Removing the capability for models to respond to defensive requests makes AI systems “worse at finding bugs and verifying patches,” she continued. Plus, the US can’t extend export controls to open-weight systems or similar advanced models from China and other countries - and these systems will soon achieve Mythos-like capabilities, anyway. Anthropic and Google have both accused China-based rivals including DeepSeek of using “distillation attacks” to train their models by siphoning knowledge from American companies’ AI. Banning Anthropic’s advanced models is going to hurt defenders more than attackers, Moussouris warns. “Defense improves when defenders find the same bugs attackers find and fix them faster,” she wrote. “We need the best tools to defend against increasingly capable attackers in the AI era of cybersecurity.” The Register reached out to the Trump administration for comment on Moussouris' assertion, and we'll update this post if we hear back. ®

War may never change, but its domains evolve, and DARPA is looking for ideas to ensure space infrastructure destroyed in future orbital skirmishes can be rapidly replaced. DARPA, on Friday, put out a request for information for an initiative to develop what it’s calling Rapid Reconstitution of Space Capabilities. “Other nations seek to position themselves as leading space powers while undermining the stability and tranquility that allows space to benefit all nations,” DARPA said, suggesting that the US would never dare deploy space weapons that could destabilize the tranquility of Earth orbit. “Space is an increasingly contested environment, presenting a multitude of threats to U.S. space assets,” DARPA added. “Therefore, there is a strategic need to be able to quickly respond to disrupted assets and reconstitute degraded space capabilities.” While we don't know if the US has any weapons in space – we asked but didn't get a response – other countries certainly are striking an aggressive posture. Both Russia and China have reportedly blown up their own defunct satellites in recent years to demonstrate their space warfare capability, and the US Space Force has noticed what appears to be China experimenting with orbital satellite dogfighting maneuvers. The US has also accused Russia of developing anti-satellite weaponry that may or may not involve orbital nukes, leading the US to update its fleet of satellites designed to keep an eye out for potential nuclear launches. “U.S. competitors are implementing a sustained effort to develop a broad range of offensive counterspace capabilities through a variety of anti-satellite (ASAT) weapons, including direct attacks on satellites, jamming and spoofing of signals, and continued cyberattacks on satellite and ground infrastructure,” DARPA noted in Friday’s announcement. Pointing to the 2023 Space Force tactically responsive space exercise Victus Nox, which saw the USSF launch a space vehicle into orbit just 27 hours after getting the word, DARPA said it wants more of the same, but hopefully faster. “DARPA Strategic Technology Office seeks information supporting technical solutions and operational concepts and strategies to enable rapid, responsive, cost-effective reconstitution of any lost or degraded space capabilities resulting from attacks,” DARPA explained, adding that it’s not looking for anything more than ideas at this point, but is willing to entertain anyone in the US with a good idea, be they laboratory or private outfit. According to the announcement, DARPA wants ideas that would get degraded operations restored in “hours to weeks,” and offer the same turnaround time for cases of surging demand as well as asset loss. “Possible solutions could be realized with reconfigurable, software-defined, multifunctional, and multi-mission payloads, as well as proliferated/mesh architectures and rapid on-orbit deployment concepts,” the Pentagon research arm said. “Rapid space capability reconstitution is a complex task,” DARPA added, so don’t expect this research to move anywhere near the speed of DARPA’s eventual rapid reconstitution rockets. Then again, America just minted the world’s first trillionaire, and he’s a space guy – maybe ask him how to launch rockets quickly? Surely his ideas would be grounded in good sense, right?

Claude wants to know if you are who you say you are. Anthropic last week updated its privacy policy to say that it may subject consumer account holders to identity checks. The new legalese arrived one day before the company released its Fable 5 and Mythos 5 models, presently disabled to comply with a US government export control order that has elicited protest from more than 60 cybersecurity and technical experts. Anthropic last year said that it supported "policies like strong export controls" to keep AI away from authoritarian nations, whatever that means these days. The revised policy, which takes effect July 8, 2026, does not say what will trigger an identity check. The company says it may do so "to help keep our services safe and secure." "In certain circumstances, we may ask you to verify your age or identity," the company's latest privacy policy explains. "If you choose to do so, data we will collect includes, depending on the method: an image of your government-issued identity document and the information appearing on it (such as your ID number and date of birth); your image in photo or video form, facial geometry templates (which may be considered ‘biometric data’ in some jurisdictions); and the result of the verification (for example, whether your age meets the applicable threshold)." The revised policy substantially expands data collection to include biometrics and identity records. And it gives the company broader discretionary standards for sharing data with authorities. The policy, which does not apply to commercial customers (Team, Enterprise, API), suggests consumer account holders (Claude Free, Pro, and Max plans) will be able to choose whether to comply. The consequences of non-compliance are not spelled out. That omission may reflect the varying and evolving age and identity verification policies being debated, voted on, and implemented in different jurisdictions. Different laws may require different responses to non-compliance, ranging from the application of safety filters to denial of access. Anthropic did not immediately respond to a request for comment. Over the past few years, digital safety laws designed to protect children have proliferated. There are now more than two dozen such laws in US states. Some of the recent laws have targeted AI chatbots (e.g. California Companion AI Chatbot Safety Act) and some have focused on shifting the burden of age verification to operating systems and applications (e.g. California's Digital Age Assurance Act). Similar laws have been enacted or are pending in Australia, Brazil, the European Union, India, South Korea, and the United Kingdom among others. Limiting the ability of children to access AI services may only be part of the motivation for the policy change. Anthropic has also been vocal about the threat posted by foreign rivals that copy its models through a process called distillation. While the AI biz does not offer Claude family models in China (or other countries like Russia and Iran), developers in blocked countries may still be able to access Claude models using account sharing services and other workarounds – if Chinese models distilled from Claude models aren't sufficient. So identity checks may provide Anthropic with an additional policy enforcement mechanism. ®

HPE is taking advantage of VMware's expensive licensing changes by offering customers free use of its own VM Essentials product for a year, plus a $1 license for its Zerto data protection product to help ease migrations. The jolly green giant announced the cheapies at the Partner Growth Summit staged alongside its HPE Discover event in Las Vegas, and framed them as a migration assistance program intended to arm channel partners who want to help customers reduce their financial risk when migrating virtualization platforms. "One of the big things we see is that as customers are going through this journey on transforming their operating model, you end up with double expenses and so we're really pleased to announce the program around Morpheus and platform migration," said EVP and CTO Fidelma Russo. "We are announcing that as a customer goes through this transformation with HPE Morpheus VM Essentials, you don't pay for the first year of licenses. You will get Zerto migration licenses during that period to help you move, and so what this does is it helps mitigate the double-bubble cost problem that customers see as they are looking to migrate from one platform to another." Neither Russo nor HPE mentioned VMware as part of their pitch for this migration assistance program, but it seems pretty clear where it is aimed. At its last Discover event in Barcelona, HPE talked about customers seeing license fees for virtualization skyrocketing and claimed that it was able to provide "a fully integrated enterprise-grade alternative" with Morpheus and OpsRamp management tools, plus Zerto disaster recovery software. A survey recently found that half of VMware users plan to reduce their use of the virtualization pioneer's products by 2028. Since being acquired by Broadcom, VMware license costs have increased by 800 to 1,500 percent for some customers. VMware also ended partner programs that many service providers relied on. HPE says it is introducing VM Essentials for Partner IT to help providers transition their virtualized business applications. This will see it provide VM Essentials software licenses free of charge for three years, with partners paying only support costs, to the 600 partners who gain Private Cloud with Virtualization competency by the end of the year. The company is also extending its channel-only model to cover HPE Private Cloud PC3000 (formerly HPE Private Cloud Business Edition), HPE SimpliVity PC1000, and HPE Zerto software from July 1. HPE said this follows the success of selling Morpheus VM Essentials through a channel-only route to market. Also at the Partner Growth Summit, the IT biz will disclose that it is unifying the HPE and Juniper Networks partner programs under its Partner Ready Vantage umbrella. The aim is to have a single, global program for partners to offer services across networking, cloud, and AI. This change will take effect from November 1, after which partners will operate under one program with a simplified structure, aligned incentives, and a consistent engagement model, while existing investments are protected, or so HPE claims. The company also says it will help cloud service providers build and operate differentiated private cloud services with CloudOps Software and the backing of HPE Partner Ready Vantage. "Partners want a simpler way to engage and a bigger opportunity to grow," said Simon Ewington, HPE's SVP for Worldwide Channel and Partner Ecosystem. ®

ShinyHunters claims to have breached the Council of Europe and stolen more than 297 GB of data after exploiting a zero-day flaw in Oracle PeopleSoft and abusing that hole to hack more than 100 organizations. According to a post on the extortion crew’s data-leak site, the 429,000 pilfered files contain HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. A Council of Europe spokesperson told The Register that it is “currently investigating the matter and assessing the situation,” but declined to comment further. A spokesperson for the cybercrime group told us that the Council is yet another victim of the Oracle PeopleSoft heist. Oracle has yet to respond to The Register’s inquiries, and it's unclear if the vulnerability, tracked as CVE-2026-35273, has been patched. ShinyHunters previously told us that the gang exploited the CVE to compromise more than 100 organizations across 300 vulnerable instances, and that these victims included the University of Nottingham. Last week, the crims listed the UK uni on their leak site, then dumped data belonging to around 454,600 current and former students, including personal and academic records. Meanwhile, a Google threat report published late last week noted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and said that its incident responders notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these are US-based organizations, and 68 percent operated within the higher education sector. This latest heist follows another ShinyHunters intrusion targeting data belonging to university and K-12 students, teachers, and staff. In mid-May, ed-tech giant Instructure said it “reached an agreement” - this is corporate-speak for “paid the ransom demand” - with the data theft and extortion crew after ShinyHunters breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. In March, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. The ed tech company did not pay up, and the group subsequently published data they claim was stolen from Infinite Campus, including 137,000 individuals’ email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus, in its data breach notification, said that the leaked files largely consisted of “names and contact information for school staff" and that “the majority is directory information commonly found on school websites.” ®

Oracle software engineer Lois Foltan has confirmed that Java Enhancement Proposal 401 for Value Classes and Objects – part of Project Valhalla – will be integrated into the OpenJDK mainline early next month, targeting JDK 28. Previews of JEP 401 have so far been available only in early-access builds. The current JDK (Java Development Kit) is 26, with JDK 27 expected in September and JDK 28 in March 2027. The next long-term support version is likely to be JDK 29 in September 2027. Foltan said it was an "extremely large change", such that other OpenJDK committers are asked to avoid large commits in order to help a successful integration. The pull request for the first preview of JEP 401 adds more than 197,000 lines of code in 1,816 changed files. Created in August 20222, JEP 401 tackle a longstanding Java limitation: aside from a small number of primitives including int, char, byte and double, all types in the language are reference types. The JEP introduces "value objects" – class instances that lack object identity and are distinguished solely by the values of their fields. A few examples illustrate the problem JEP 401 is trying to solve. Java's LocalDate class stores date values, but every instance gets its own unique reference, so even if two instances represent the same data, comparing them with ==returns false, as they're different objects in memory. LocalDate provides an "equals" method instead.. Another example, even more confusing example is Integer, which wraps an int to provide convenience methods like toString(). Internally, Integer caches instances for values below 128, so two Integer objects with the same small value can compare equal with == but for larger values, == always returns false even when the underlying values match. Due to this quirk, Java editors generally warn against using == with Integer, a pitfall JEP 401 describes as "unwanted complexity." JEP 401 will migrate some JDK classes such as Integer to value classes, and the number of migrated classes is likely to increase gradually. Developers will also be able to create their own value classes. One of the goals of JEP 401 is to give freedom to the JVM (Java virtual machine) to store value objects in ways that maximize performance. The memory footprint of reference types is greater than for reference types, and they must be dereferenced to obtain their values. Iterating over value types is more efficient. Project Valhalla has been so long in the making, thanks to the complexity of the changes, that some onlookers have joked about getting to Valhalla itself (a realm in the afterlife in Norse mythology) before the project is delivered. Oracle's Java Language Architect Brian Goetz said this is "just the first part of Valhalla" and even after the preview is delivered, "the 'but they'll never deliver it' crowd' will quickly switch gears into 'but they haven't delivered the most important part' soon enough.'" Goetz said "there are many things that force us to treat objects with reference semantics. JEP 401 knocks down the first level of these, by taking identity off the table, which exposes a lot of new optimizations, especially for smaller objects. But fully treating objects with value semantics requires giving up more: nullity and atomicity-safety-under-race (ASUR). Lots of languages have, or are working on, ways to get there, (such as C# structs.) "The main challenge is how to package it in the user model so that it doesn't fight with our own preconceived notions of object integrity and encapsulation; classes are, for better and worse, a very effective abstraction barrier." He said that Valhalla will introduce deliberate breaking changes to Java, such as that "code that synchronizes on Integer objects now fails with an exception." Goetz added JEP 401 will still likely be in preview in the next LTS release of the JDK. "Hoping for it to exit preview for 29 seems … optimistic. Vector API should be able to exit incubation when it rebases on the underlying VM primitives from Valhalla ... don’t hope for a shorter-than-usual preview window." ®

US legislation covering federal datacenters is set to expire in September and it appears that the Trump administration is simply going to allow it to lapse without replacement. The Federal Data Center Enhancement Act (FDCEA) of 2023 covers certain standards that are to be adhered to for facilities that are wholly or partially owned, operated, or maintained by a federal agency. It includes requirements relating to availability and uptime of the facility; the use of sustainable energy sources; protection against power failure; protections against physical intrusion and natural disasters; plus IT security protections. We understand that the legislation will sunset on September 30, 2026, and according to Wired, neither the US Congress nor the Trump administration appears to be making any move to extend the act, or put alternate legislation in place. The danger is that if the FDCEA is not renewed or superseded by similar legislation, then federal agencies across the US may cease to follow the requirements and simply act as they see fit when procuring new datacenter infrastructure. We asked the White House and Congress for comment. According to implementation guidance issued by the Office of Management and Budget (OMB) under the previous administration, agency datacenters “must provide secure and highly available computing infrastructure to enable reliable access to Federal information and information systems.” It notes that the "needs of the federal government with respect to data access and data processing systems have evolved since 2014,” when the Federal Data Center Consolidation Initiative (FDCCI) was established, and hence the latter was not renewed but replaced by the FDCEA. The OMB states that effective operation of datacenters requires regular monitoring, and optimization of resources by operators, and directs agencies to incorporate automated tools into the management of all new facilities, including tools that monitor metrics such as electrical consumption. It also states that the “cost, scarcity, and environmental impact of energy and water consumption necessitates that agencies evaluate datacenters against resource consumption metrics and best practices when making their decisions” regarding new datacenter builds. Perhaps most importantly, it requires that federal facilities “must be able to meet the reliability and resiliency needs of their hosted information and information systems through implementation of the appropriate information security and physical security protections.” It is widely known that the Trump administration does not look kindly on regulations, especially those relating to environmental protection. Instead, policy has focused on fast-tracking the federal permitting process for datacenters, particularly those dedicated to training and developing AI models. A recent report from Politico stated that the Trump administration was not inclined to set nationwide environmental requirements or recommendations for the datacenter industry. Instead, Environmental Protection Agency (EPA) Administrator Lee Zeldin said that while there are technologies and practices that reduce air pollution and water usage, individual states and communities know what works best for them. At the same time, opposition to datacenter construction is growing across the US, precisely because of public fears over factors such as air pollution, water usage, and the prospect of spiking energy bills. A recent survey found more than 70 percent of respondents said that they would be against the construction of an AI datacenter in their neighborhood. ®

It’s been more than a quarter century since the Y2K bug threatened to disrupt the not-so-modern world, and while the patching efforts of global IT heroes prevented a millennial mess, the problem persists as a Dutch dev just found a new instance of the numeric nightmare. While working on an emulator for the venerable Programmed Data Processor (PDP) series of “minicomputer” systems manufactured between the 1950s and 1990s, Folkert van Heusden spotted an unpatched Y2K bug in the Network Time Protocol daemon in BSD 2.11. To be fair, it’s not like van Heusden stumbled onto a potentially devastating issue that’s simply waiting to cause chaos: Not only was the bug specific to the PDP-11/70, a system that entered service in 1975, but it also requires a Precision Standard Time, Inc.(PSTI) receiver manufactured by defunct hardware maker Traconex used to pick up time signals broadcast by short wave radio stations managed by the US National Institute of Standards and Technology. Even at that point, the bug won't instantly break network time, as a would-be attacker must take several steps to configure the ancient mahicnes in a way that causes the error. Van Heusden’s writeup explains how to trigger the flaw. “I'm writing a PDP emulator,” van Heusden told The Register in an email. “I'm also very much interested in time keeping on computers. That combined, I dove into the NTP-implementation on the PDP. When adding emulation for the PSTI-device, I suddenly noticed 19126 for the year.” Unsurprisingly, when the PSTI receiver actually produces the correct output, the system throws an error that the time offset between the PDP emulator and the emulated PSTI device is a bit “excessive.” Only by 17,000 years, give or take a couple centuries. Luckily, van Heusden has coded a fix that’ll bring the times back in sync, eliminating what may be one of the few remaining Y2K bugs still floating around in the wild - after all, when’s the last time you heard of a forgotten (or, in this case, overlooked due to technological obsolescence) Y2K bug being patched? If you want to tinker with a 50-year old emulated system running a 35-year old operating system, the good news is that the PDP and its 16-but CPU ran at 5MHz and needed just 4 MB main memory - a spec that van Heusden’s PDP-11/70 emulator can easily run on modest hardware like a Raspberry Pi Pico, and it’s available on GitHub. Just be sure you patch that Y2K bug if you plan to tinker with time keeping. ®

We've all seen it: an unexpected management meeting that turns up in your calendar. It could mean HR wants a quiet and perhaps terminal word, or, in the case of NASA, something altogether different. During a chat with Space.com, NASA astronaut Bob Hines explained that the meeting was engineered to ensure all five Artemis III astronauts would be in the same room together and introduced face-to-face. The process space NASA uses to select astronauts has long been shrouded in mystery. The first American man in space, Alan Shepard, recalled in Light This Candle that his assignment to the Mercury 7 – the first batch of NASA astronauts – came from a caller who said, "We'd like you to join us. Are you still willing to volunteer?" Shepard later learned he would be the first American man in space during a meeting with fellow astronauts Gus Grissom and John Glenn, plus the Director of the Space Task Group, Bob Gilruth. Gilruth said, "Alan Shepard will make the first suborbital flight." Several factors went into that decision, including the seven Mercury astronauts rating their peers. In his memoir, Riding Rockets, Space Shuttle astronaut Mike Mullane recalled receiving a summons, along with four crewmates, to the office of then Director of Flight Operations, George Abbey. In that meeting, Abbey apparently asked: "We've been looking at the mission manifest, and think it's time to assign some more crews. I was wondering if you would be interested in STS-41D?" The whys and wherefores were unimportant. The astronauts were just delighted to get an assignment. These days, an unannounced management meeting with invitees a person might not normally see on a request is apparently how things are done. How those invitees are picked, however, remains a little opaque. With luck, NASA has sorted out the Outlook problem that bedeviled Artemis II, in which an astronaut plaintively told controllers, "I have two Outlooks, and neither one of those is working." Artemis III is, after all, set to be a very complicated mission, and, if all goes to plan, the crew will have fewer than 18 months to train. That is considerably less than the three years the Artemis II crew spent preparing for their mission to the Moon. The crew of four – three NASA astronauts and one European Space Agency astronaut (with Bob Hines as back-up) – will ideally rendezvous with two commercial spacecraft to check out docking operations and, in the case of Blue Origin, enter the vehicle. All this will take place in Low Earth Orbit as a precursor to the Artemis IV mission, which NASA expects will land humans on the Moon for the first time since the final Apollo mission in 1972. The meeting reportedly happened two weeks before the public announcement of the crew, and NASA's chief astronaut, Scott Tingle, told the group, "Look around. This is your Artemis 3 crew." Hines told Space.com, "That was a really, really cool way to find out." Certainly better than being presented with a pink slip by HR and a box to pack your possessions. ®