
STAT WORTH SHARING:

For the third consecutive month, a researcher dropped a new Windows zero-day within hours of Patch Tuesday. Fully patched Windows 10 and 11 machines are affected. There is no fix.

If someone on your leadership team needs to see this, forward it their way.

TL;DR:

If your organization uses AI tools, runs Windows, or sells into Europe, all three of this week's stories touch you. A key piece of AI infrastructure is being actively exploited — the patch has existed since May, but plenty of companies hadn't installed it, and that's who's getting hit. A new Windows attack works on fully patched machines, with no fix available yet. And the EU just set an August deadline for labeling AI-generated content. The thread running through all of it: knowing about a risk and actually closing it are two very different things.

Development 1: LiteLLM Is Back. This Time CISA Is Involved.

What Happened

If the name LiteLLM sounds familiar, it should. In March, we covered the supply chain attack that pushed malicious versions of this library out to thousands of companies and cost Mercor, a $10 billion AI startup, four terabytes of stolen data. This is a different problem in the same tool — and it's just as serious.

First, what LiteLLM actually is: it's a behind-the-scenes connector that routes your company's requests to whatever AI services you use — OpenAI, Anthropic, Azure, and so on. Most organizations running it don't think about it much. It just sits in the middle and passes traffic. That position is exactly what makes this dangerous.

On June 8, CISA — the federal cybersecurity agency — confirmed that attackers are actively exploiting a flaw in LiteLLM and added it to its official "patch this now" list. The fix has been available since May 8. The catch is that researchers found a way to combine this flaw with a second one, which lets an attacker break in with no password and no credentials at all. Once in, they get control of the server and, more importantly, every API key it holds — the digital keys to all the AI services your company connects through it. From there they can reach further into connected systems. Federal agencies have until June 22 to patch, and the Qilin ransomware group has already been tied to active attacks.

(If you want to pass this on to your cybersecurity team: the flaw is CVE-2026-42271, and the authentication bypass it chains with is CVE-2026-48710 in the Starlette framework. Both are confirmed by Horizon3.ai and CISA.)

Why It Matters

The fix was available for five weeks before the attacks started. This wasn't a surprise attack with no warning. Companies had over a month to install the update. The ones getting hit right now are simply the ones that hadn't gotten around to it. If it routinely takes your organization more than a few weeks to apply urgent security fixes, that delay is exactly where the damage is happening.

Where this tool sits makes the damage worse than a normal break-in. When most servers get compromised, the attacker gets whatever happens to be on that one machine. When LiteLLM gets compromised, the attacker gets the keys to every AI service your company uses — and a trusted spot inside your network to use them from. The fallout reaches your AI operations, not just one server's worth of data.

This is the second time in three months LiteLLM has been attacked. That's not bad luck. It's a sign that companies are adopting AI tools faster than they're securing them. The connectors that move AI traffic between your systems are attractive targets, and they deserve the same attention you'd give any other critical piece of your infrastructure. Most organizations haven't started treating them that way.

If you're running LiteLLM, the action is straightforward: update it to the latest version right away, and assume the API keys and credentials it was holding may already be exposed — so have your team rotate them. If you don't know whether LiteLLM is even in your environment, that's the first question to ask your development or IT team today, because it often gets installed underneath other tools without much fanfare. (For the technical team: upgrade to 1.83.7 or later, and block external access to the MCP test endpoints /mcp-rest/test/connection and /mcp-rest/test/tools/list.)

→ One action this week: Check whether LiteLLM is running anywhere in your environment, including inside platforms and developer tools your team uses. If it is, confirm the version. If it's below 1.83.7, patch it before June 22 — that's the federal deadline, and a reasonable benchmark for everyone else.

Development 2: The Same Researcher Keeps Outpacing Microsoft's Patches

What Happened

On June 10, just hours after Microsoft released its monthly batch of security fixes — its largest ever, covering nearly 200 problems — a researcher who goes by Nightmare Eclipse published a brand-new attack that those fixes didn't cover. They call it RoguePlanet.

Here's what it does. It targets Windows Defender, the security software built into every modern Windows machine, and uses a timing flaw to hand an ordinary user complete administrator-level control of the computer. That means a low-privilege account — or anyone who gets access to one — can take full ownership of the machine. The catch that makes this notable: it works on Windows 10 and 11 computers that are completely up to date. Applying every available update doesn't protect you, because there is no fix for this one yet. The security firm ThreatLocker reproduced the attack and confirmed it works, though their own controls blocked it.

What makes this a pattern worth your attention is the timing. This is the third month in a row that this researcher has released a new, unpatched Windows attack within hours of Microsoft's monthly update. It's deliberate. They're in an ongoing feud with Microsoft over how the company handles and pays for vulnerability reports — so each month Microsoft patches their last attack, and they immediately publish a new one. They've now released seven of these since April. Microsoft keeps removing them from code-sharing sites; the researcher keeps reposting from new accounts.

Why It Matters

"Just keep your machines updated" usually works. Here it doesn't. The standard advice for almost every Windows security problem is to apply the latest updates. This attack is specifically built to defeat that advice — it runs on fully updated machines. Until Microsoft ships a fix, the usual playbook doesn't close this gap, and it's worth knowing that before you assume your patched computers are covered.

The recurring pattern matters more than any single attack. One unpatched flaw is a problem you can wait out. A researcher who finds new ones faster than Microsoft can fix them is a different kind of issue — it means this is likely to keep happening month after month until the underlying dispute gets resolved. Plan for the pattern, not just this one instance.

There's a saving grace, for now: it doesn't work every time. The attack succeeds reliably on some machines and inconsistently on others, which makes it harder for criminals to use at massive scale today. That's a reason not to panic — but not a reason to ignore it, because the weakness it exploits is still there whether or not this particular version runs cleanly.

There's no patch to apply yet, so this is about limiting exposure in the meantime. The practical steps are ones your IT team will recognize: tighten who has administrator rights, limit access to shared drives and USB devices, and make sure your security monitoring is watching for ordinary accounts suddenly gaining administrator control. If your organization uses an "allowlisting" approach — where only pre-approved software is allowed to run — this attack was blocked by default in exactly that kind of setup, which is a point worth raising if you're weighing endpoint security options.

→ One action this week: Ask your IT team whether everyday employees are running as full administrators on their work computers. If they are, that's what turns an attack like this from a nuisance into a full takeover — and scaling back those rights is worth doing regardless of this specific exploit.

How quickly can your organization move from "patch available" to "patch deployed" across your Windows endpoints? Even a rough answer — days, weeks, longer — is useful data.
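The monitoring step above ("watching for ordinary accounts suddenly gaining administrator control"), as an added example that is not code from the brief or from Microsoft: a small detector that runs over a constructed list of Windows Security log events and raises an alert when an account is added to the local Administrators group, or when an account outside an assumed admin baseline logs on with special privileges. Event IDs and field names follow the Windows Security log as I understand them (4732: a member was added to a security-enabled local group; 4672: special privileges assigned to a new logon); the hostnames, accounts and the baseline are assumptions.

```python
"""Added example, not code from the brief or from Microsoft.

Detects an ordinary account gaining administrator control, using two Windows
Security event types over a constructed sample of flattened events.
"""
ADMIN_GROUPS = {"administrators"}
# Assumed baseline: accounts allowed to hold admin rights on workstations.
EXPECTED_ADMINS = {r"corp\helpdesk-admin", r"corp\svc-patch"}

# Constructed sample events, flattened from the event XML's EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-0142", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP"},
    # jsmith adds jsmith to Administrators: the shape of a local privilege escalation
    {"EventID": 4732, "Computer": "WS-0142", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "MemberName": r"CORP\jsmith",
     "TargetUserName": "Administrators"},
    # jsmith then logs on with special privileges, and is not in the baseline
    {"EventID": 4672, "Computer": "WS-0142", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP"},
    # a baseline service account doing the same is expected
    {"EventID": 4672, "Computer": "WS-0142", "SubjectUserName": "svc-patch",
     "SubjectDomainName": "CORP"},
    # a helpdesk admin adding a new hire to a non-admin group is routine
    {"EventID": 4732, "Computer": "WS-0077", "SubjectUserName": "helpdesk-admin",
     "SubjectDomainName": "CORP", "MemberName": r"CORP\newhire",
     "TargetUserName": "Remote Desktop Users"},
]


def _account(domain, user):
    """Normalise DOMAIN\\user to lower case so comparisons ignore case."""
    return f"{domain}\\{user}".lower()


def find_admin_escalations(events, expected_admins=EXPECTED_ADMINS):
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        actor = _account(ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", ""))
        if eid == 4732 and ev.get("TargetUserName", "").lower() in ADMIN_GROUPS:
            member = ev.get("MemberName", "").lower()
            alerts.append({
                "rule": "admin_group_add",
                "computer": ev.get("Computer"),
                "account": member,
                "actor": actor,
                # an account adding itself is the strongest version of this signal
                "self_elevation": member == actor,
            })
        elif eid == 4672 and actor not in expected_admins:
            alerts.append({
                "rule": "unexpected_admin_logon",
                "computer": ev.get("Computer"),
                "account": actor,
                "actor": actor,
                "self_elevation": False,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_escalations(SAMPLE_EVENTS):
        print(alert)
```

Two things to get right before pointing this at real logs: 4732 is only written when the group-management audit policy is enabled on the endpoint, so confirm that first, and 4672 fires constantly for SYSTEM and legitimate service accounts, so the baseline has to be built per machine role (workstation, server, domain controller) or the second rule drowns in noise. The `self_elevation` flag is the one worth paging on; the rest is context for the investigation.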

VIKTOR

This issue is supported by Viktor. If you're going to put AI into your business, putting it where your team already works — Slack or Teams — beats bolting another tool onto everything. Viktor connects to 3,000+ tools, ships real outputs (not chat), and is SOC 2 compliant. Free to try, no card.

You've seen the AI demos. Viktor does it without you watching.

The AI tool you tried last quarter waited for a prompt, hallucinated a number, then asked if you'd like a summary.

Viktor opened a PR at 2am, rebased it against main, ran your test suite, and posted a note in #eng: "Two flaky tests in payments service, both pre-existing. Recommended merging after fixing them." Then drafted the customer reply for the support ticket the bug created.

That's 619K autonomous actions per day across 20,000+ teams. Not chat replies. Real work shipped to GitHub, Stripe, Linear, Notion, and 3,000+ other tools, from inside Slack and Microsoft Teams.

You don't supervise him any more than you supervise a senior engineer.

SOC 2 certified. Your data never trains models.

"It's what you probably originally thought AI was going to be when you first heard of it in sci-fi movies." Tyler, CEO.

Development 3: The EU Put a Date on AI Content Labeling. It's Eight Weeks Away.

What Happened

On June 10, the European Union published the final rulebook for a requirement that's been coming for a while: if you use AI to create content, you have to label it as AI-generated. The label has to be both visible to people and readable by machines — meaning it's baked into the file itself, not just a note in the caption.

In practice, that covers AI-generated text, images, audio, and video, with a standard EU icon set for things like deepfakes and AI-generated material on matters of public interest. The technical method behind it is an industry standard that tags each piece of content with a secure, tamper-resistant record of where it came from and how it was edited. The key dates: signing onto the EU's voluntary guidelines is optional, but the underlying legal requirement is not — and it takes effect August 2, 2026. That's eight weeks away.

Here's who this actually applies to. If your organization uses AI to produce anything customer-facing in European markets — marketing copy, product images, customer emails, social content — and that content could be mistaken for something a human made, you're covered by this rule. That's most companies using generative AI today, not a narrow slice.

(For your legal or compliance team: this is the Code of Practice implementing Article 50 of the EU AI Act, and the technical standard is C2PA — the Coalition for Content Provenance and Authenticity. Enforcement runs through each member state's market surveillance authority.)

Why It Matters

Eight weeks is not much runway. Building automatic AI labeling into every channel where your company produces content takes time to scope, set up, and test — and August 2 is close. Any organization putting AI-generated content into European markets that hasn't started this is already behind schedule.

The obligation is yours, not just your AI vendor's. It helps that companies like OpenAI, Adobe, and Anthropic are building this labeling capability into their tools. But it doesn't let you off the hook. If you're using those tools to create content that goes out under your company's name in Europe, you're the one responsible for making sure the labeling is actually switched on and working.

This is a preview of where the U.S. is heading. A White House AI executive order signed June 2 has federal agencies working with industry on AI standards, and several states have their own AI transparency bills moving through the pipeline. Europe tends to go first, and U.S. regulators tend to borrow from what it builds. Organizations that get this right for their EU operations now will be ahead when similar rules show up domestically.

If you sell into Europe, the question to put in front of your legal or compliance team before August 2 is simple: does the AI-generated content we put out carry the required built-in labeling, everywhere we publish it? If your team uses tools like Adobe Firefly or OpenAI's image generators, someone should check whether this labeling is turned on automatically or has to be enabled — it varies by tool. And if you generate content through custom setups or direct integrations, putting the labeling in place is your responsibility, not the vendor's.

→ One action this week: If your organization generates AI content for EU markets, ask your legal or compliance team whether Article 50 is on their radar before August 2. If the answer is no, it needs to be.

💡 FOUND THIS HELPFUL?

If someone in your organization needs to be reading this brief, it's probably the person making AI tool decisions without a security lens. Forward it their way.

We are out of tokens for this week's security brief.

- Hashi
