Top stories.
- French police raid X's Paris offices.
- Moltbook database exposed 1.5 million API authentication tokens.
- Nitrogen ransomware cannot be decrypted.
French police raid X's Paris offices.
French prosecutors raided X's offices in Paris yesterday as part of a criminal inquiry into the platform's Grok AI tool, BleepingComputer reports. The investigation was opened in January 2025 over allegations of interference with automated data systems and fraudulent data extraction, then expanded to include Grok's generation of sexually explicit underage deepfakes and Holocaust-denial content. French authorities have also summoned Elon Musk and former CEO Linda Yaccarino for voluntary interviews in April 2026. X has criticized the probe as a politically motivated attack on free speech.
Separately, the UK's Information Commissioner’s Office (ICO) announced this morning that it has opened a formal investigation into X and xAI, "covering their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content."
Moltbook database exposed 1.5 million API authentication tokens.
Researchers at Wiz discovered a misconfigured Supabase database belonging to the AI social media platform Moltbook that contained "1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents." The site was secured within hours after Wiz notified the Moltbook team. Moltbook was vibe-coded by its developer, and Wiz notes that vibe-coded applications frequently possess glaring security flaws.
Moltbook has gone viral as a social media site for AI agents to converse with each other, supposedly independent of human interaction. However, while the site has more than 1.5 million registered agents, Wiz found that just 17,000 humans were behind the agents: "Anyone could register millions of agents with a simple loop and no rate limiting, and humans could post content disguised as 'AI agents' via a basic POST request. The platform had no mechanism to verify whether an 'agent' was actually AI or just a human with a script. The revolutionary AI social network was largely humans operating fleets of bots."
Nitrogen ransomware cannot be decrypted.
Coveware warns that the Nitrogen ransomware’s ESXi variant contains a fatal cryptographic flaw that permanently prevents decryption, even by the attackers themselves. Victims hit by this variant are discouraged from paying the ransom, since they won't be able to recover their data even if the attacker sends them the key.
Coveware explains, "[T]he corrupted public key is used in the key exchange to encrypt each file. Normally, when a public-private Curve25519 keypair is generated, the private key is generated first, and then the public key is derived subsequently based on the private key. The resulting corrupted public key wasn't generated based on a private key; it was generated by mistakenly overwriting a few bytes of another public key. The final outcome is that no one actually knows the private key that goes with the corrupted public key."
