Apple Rebuilds Siri at WWDC 2026: The Engine Is Google Gemini, and iOS 27 Opens Up to Claude and ChatGPT
At WWDC, Apple unveils a fully conversational Siri, complete with a standalone app. But the strategic story lies elsewhere: after delays on its own model, it outsources the intelligence to Google and opens the platform to rival assistants. The catch for Italy: Siri AI won't arrive right away on iPhone and iPad in the EU.
At WWDC 2026, Apple showed the deepest overhaul of Siri in 15 years: from a voice-command assistant to a true conversational companion. A standalone Siri app arrives on iPhone, iPad, and Mac, working as a chatbot alongside the system-level presence: it handles multi-step actions across apps, can answer questions about what's shown on screen, and includes a "Write with Siri" feature for composing emails and messages. The assistant also moves into the Dynamic Island and comes to macOS via Spotlight. The beta is expected "later this year" (TechCrunch).
The strategic point, though, isn't "a better Siri." According to independent reporting, the engine behind the new Siri rests on Google Gemini: a custom model with roughly 1.2 trillion parameters. The license is estimated at around $1 billion a year (The Next Web).
On where these models run, Apple has given official details. The third generation of Apple Foundation Models (AFM 3) is structured across multiple tiers: on-device models for local requests and server models on Private Cloud Compute for the more complex ones. The most capable model, AFM 3 Cloud Pro, was built in collaboration with Google and runs on NVIDIA GPUs inside Google Cloud: it's the first time Private Cloud Compute's privacy guarantees extend to third-party data centers (Apple Machine Learning; Apple Security). Apple specifies that the data stays protected by the same Private Cloud Compute properties regardless of where the infrastructure is hosted, and that it retains full control of the PCC software. The accounts from The Next Web (three-tier privacy, with the more complex reasoning routed to the cloud) and from MacRumors (models developed with Google, adapted for on-device and Private Cloud Compute, with Google kept out of data and training) don't contradict each other: they describe different parts of the same scheme.
Two caveats remain. First: the headline figures — parameters and license cost — are press numbers, not made official by Apple. Second, decisive for readers in Italy: Siri AI won't initially be available in the EU on iPhone and iPad. Apple attributes the delay to European regulators' interpretation of the DMA, which did not accept its proposals. EU users will still be able to use it on Mac, Apple Watch, and Vision Pro (Apple Newsroom). On the ecosystem front, iOS 27's Extensions should make it possible to connect and choose third-party AI services — such as Claude, Gemini, or ChatGPT — for some Apple Intelligence features, including Siri, Writing Tools, and Image Playground (MacRumors). Apple has not, however, confirmed the ability to set a third-party assistant as the default in place of Siri. The Gemini deal had already been anticipated by the press since January (TechCrunch).
Why it matters
- Entrepreneurs: Apple is shifting an AI control point toward a direct competitor: Siri's core intelligence becomes a contractual dependency on Google, with a recurring revenue stream estimated at ~$1B/year. Opening the platform to third-party AI services with iOS 27's Extensions — for Apple Intelligence features like Siri, Writing Tools, and Image Playground — cracks the walled garden and makes the iPhone ecosystem a more contestable distribution point. Meanwhile, the clash with the DMA shows how much European regulatory friction can reshape the rollout.
- End users: It changes where requests get processed — on-device or on Apple's Private Cloud Compute — with an arrangement that, according to MacRumors, keeps Google out of the data and out of training on the queries. For those in Italy, though, there's a concrete limit: on iPhone and iPad in the EU, Siri AI won't arrive right away (it remains available on Mac, Apple Watch, and Vision Pro). In exchange, where available, iOS 27's Extensions should make it possible to connect third-party AI services — Claude, Gemini, or ChatGPT — for some Apple Intelligence features, Siri included, though without fully replacing the default assistant.
'Miasma' Supply Chain Attack: 32 Red Hat npm Packages Trojanized by Abusing CI/CD OIDC
An attacker published malicious versions of 32 @redhat-cloud-services packages with authentic provenance, exploiting GitHub Actions' OIDC publishing workflow to bypass code review.
On June 1, 2026 an attacker published trojanized versions of 32 packages in the npm scope @redhat-cloud-services, hitting nodes such as frontend-components, rbac-client and chrome. Traces of the operation date back to May 29, with an early repository/test bearing the string "Miasma"; on June 2 Microsoft published its own analysis. Sources diverge on the version count: Microsoft cites "over 90 versions," SecurityWeek 96. The mechanism, however, is clear: each package carried a preinstall hook that, during npm install, executed an obfuscated index.js dropper. Microsoft estimates its size at roughly 4.29 MB, while independent analyses distinguish multiple payload variants, from ~4.05 to ~4.29 MB. The payload exfiltrated GitHub and npm tokens, AWS, Azure and GCP credentials, HashiCorp Vault and Kubernetes material, and SSH keys; it also included a destructive rm -rf ~ command triggered by interaction with a decoy honeytoken.
The critical point is the entry vector. According to Wiz's analysis, a compromised GitHub account belonging to a Red Hat employee pushed orphan commits to the RedHatInsights repositories in two waves (10:53 and 13:44–13:46 UTC); the injected workflow requested OIDC tokens with id-token: write permission and published the packages with valid SLSA provenance attestations. Signing and provenance, therefore, protected nothing: they were authentic because generated by the compromised upstream pipeline. The malware is a variant of Mini Shai-Hulud (code open-sourced by TeamPCP) rebranded "Miasma: The Spreading Blight," with a payload uniquely encrypted on each infection — hash-based IOCs are ineffective. SecurityWeek reports 210 repositories with already-stolen credentials. Red Hat removed the malicious versions and republished the 32 clean packages.
The downstream impact, however, needs to be put in proportion. In bulletin RHSB-2026-006 (updated June 3, 2026) Red Hat clarifies several key points: the packages are JavaScript frontend libraries used in the web interface of the Hybrid Cloud Console (console.redhat.com); no console release was published during the compromise window; the publishing process strips install-time scripts before deployment to console.redhat.com; based on current findings, no customer action is required. The concrete risk therefore falls on those who installed the packages directly from the npm scope, not on users of the managed console.
Why it matters
- ICT engineers / IT managers: It demonstrates that SLSA signing and provenance do not replace pipeline security: if the upstream CI/CD is compromised, malicious artifacts arrive with perfectly valid attestations. Concrete action: isolate/disable preinstall hooks during installation, tighten OIDC trust and id-token: write permissions, and don't rely on hash-based IOCs when the payload is encrypted per-infection.
Check Point: Critical Authentication Bypass (CVE-2026-50751) Exploited in the Wild — Urgent Hotfix for IKEv1 VPNs
A critical flaw (CVSS 9.3) in Check Point's Remote Access and Mobile Access VPNs allows attackers to bypass authentication on configurations that use the deprecated IKEv1 protocol. It is already being actively exploited, with one case traced back to the Qilin ransomware.
Check Point has released an urgent hotfix for CVE-2026-50751, a critical authentication bypass vulnerability (CVSS 9.3) affecting Remote Access VPN and Mobile Access configurations. The flaw is a logic error in the certificate validation process of the now-deprecated IKEv1 protocol. The consequence is clear-cut: an unauthenticated attacker can establish a VPN session without a valid password (Check Point).
This is not a theoretical weakness. According to the advisory, exploitation is active but confined to a few dozen organizations worldwide. The most operationally awkward detail is the timeline: the attacks began on May 7 and intensified in early June, while the patch only arrived on June 8. That means attackers had roughly a month's head start before a fix even existed (The Register).
In one confirmed case, the post-compromise activity was tied to an affiliate of the Qilin ransomware. Check Point assesses with medium confidence that the actor is financially motivated and uses Qilin, with exfiltration via Rclone (BleepingComputer).
The key point is that this involves legacy configurations still in production: the bug requires IKEv1 to be active, the acceptance of outdated remote access clients, and the absence of a mandatory machine certificate. Beyond the hotfix (sk185033/sk185035, with IoCs), Check Point recommends three countermeasures: switch to IKEv2-only authentication, make the machine certificate mandatory, and enable IPS. Also fixed was CVE-2026-50752 (CVSS 7.4, man-in-the-middle on IKEv1 site-to-site VPN), which was not found to be exploited.
Why it matters
- ICT engineers / IT managers: This is an immediate operational priority: inventory exposed Check Point gateways, check whether IKEv1 and legacy clients are still active, apply the hotfix, and migrate to IKEv2-only authentication with a mandatory machine certificate. Given the month of exploitation that preceded the patch, updating is not enough. The published IoCs should be hunted for, and any anomalous VPN access should be treated as a possible initial compromise, especially given the Qilin ransomware risk.
NVIDIA and SK hynix Sign a Multiyear Memory Partnership for AI Factories
On June 7, 2026, the two groups formalized in a multiyear agreement a collaboration that had already been running for years. The deal extends it to the co-design of next-generation memory and to the use of AI in chip design and manufacturing.
On June 7, 2026, NVIDIA and SK hynix announced a multiyear technology partnership for next-generation memory aimed at AI factories and to accelerate semiconductor design and manufacturing. The element to weigh: SK hynix is already NVIDIA's main memory supplier and its key source of HBM for AI accelerators. The agreement doesn't create a new relationship — it turns an established supply arrangement into structured co-design.
The SK hynix note details the two pillars. First: developing memory aligned with NVIDIA's roadmap — from Vera Rubin supercomputers to Vera CPUs, from RTX Spark PCs to Jetson Thor robotic computers. The scope covers AI infrastructure, personal AI, and physical AI. The official releases speak generically of advanced next-generation memory; according to Tom's Hardware, the initial cooperation concerns HBM4, LPDDR5X, and 3D NAND. Second pillar: applying AI to the fab itself. The CUDA-X and PhysicsNeMo libraries accelerate simulations, TCAD, and computational lithography; Omniverse, OpenUSD, and cuOpt feed the digital twins toward autonomous fabs.
No volumes or economic values were disclosed. The material caveat comes from independent coverage. Jensen Huang warned that the memory shortage will last years, with demand exceeding supply across memory, wafers, and packaging. SK Group chairman Chey Tae-won aims to double wafer capacity within five years, but 2026 HBM is already sold out.
Why it matters
- Entrepreneurs: It signals that margins, GPU availability, and the time-to-market of AI products will increasingly depend on capacity contracts and the memory supply chain, not just on model quality. With 2026 HBM already sold out and a shortage that, according to the players involved, could last years, access to capacity becomes a strategic constraint to manage today, not downstream.
Suno Raises Over $400 Million at a $5.4 Billion Valuation: AI-Generated Music Edges Toward the Mass Market, With Copyright Lawsuits Still Pending
The most popular AI music generator more than doubles its value in seven months. But the 'licensed' model built with the industry is still in testing, and the disputes with the major labels remain unresolved.
Suno, the Cambridge-based AI music generation platform, has closed a Series D round of over $400 million led by Bond Capital, bringing its valuation to $5.4 billion (TechCrunch, Suno's official announcement). The figure more than doubles the $2.45 billion reached just seven months earlier with the $250 million Series C. According to CEO Mikey Shulman, the company had surpassed 2 million paying subscribers by February and was "on pace" for $300 million in annual revenue (Music Business Worldwide); more than 7 million songs are generated on the platform every day (Fortune).
The sticking point remains legal. Suno is being sued by Universal Music Group, Sony, and Germany's GEMA (in addition to Denmark's Koda): in May 2026, UMG and Sony asked the court to add over 61,000 protected tracks to the original lawsuit, which had contested roughly 560, arguing that the model was trained on millions of copyrighted tracks. Suno's defense rests on "fair use." The only deal signed so far is the one with Warner Music, but the first model "developed in partnership with the music industry" is still in the testing phase and will arrive only "in the coming months." The underlying question raised by Fortune still stands: is the audience for music creation really large enough to support a $5.4 billion valuation, and will it become a daily habit like Spotify or ChatGPT?
Why it matters
- End users: Suno is making music creation an increasingly mainstream tool accessible to anyone, but with a decisive caveat: the fully licensed model built with the major labels is not yet available, and the tracks generated today rest on material being contested in court, in a copyright gray area that has yet to be resolved. What you can freely use and publish will depend on the outcome of the lawsuits and the launch of the model agreed upon with the industry.
The Pentagon Tests OpenAI, Google and xAI to Replace Claude; Anthropic Fights Back in Court
The U.S. Department of Defense is testing rival models after branding Anthropic a 'supply chain risk.' The reason: the company's refusal to drop its limits on mass surveillance and autonomous weapons. The case is now in litigation, with opposite outcomes in San Francisco and Washington.
The U.S. Department of Defense is evaluating models from OpenAI, Google and xAI (Grok) to replace Anthropic's Claude on classified networks. On those networks Claude was the primary AI provider, deeply integrated into the Maven Smart System. The trial was handed to 25 departmental "power users" and began in early March 2026. It started about three days after Defense Secretary Pete Hegseth had designated Anthropic a "supply chain risk". The news, originating from a May 21 Bloomberg report, has resurfaced in recent days.
The rift stems from Anthropic's refusal to remove two contractual red lines: no mass surveillance of Americans and no fully autonomous lethal weapons without human control. The crux is the how: OpenAI claims to have included explicit red lines and a safety stack, with language opposing domestic surveillance. Yet the published text retains the "all lawful purposes" standard. That text, according to public-procurement expert Jessica Tillipman, does not give OpenAI an Anthropic-style standalone right to prohibit uses the government deems otherwise lawful. After all, many surveillance practices remain legal until they are challenged in court.
Anthropic has taken the case to court in San Francisco and Washington, arguing that the designation would cost it billions in revenue. The outcomes so far diverge. In San Francisco a federal judge blocked the designation as likely retaliation. In the D.C. Circuit, however, on April 8 the court denied Anthropic's request to stay the designation pending appeal. At the subsequent May 19 hearing the panel appeared divided and gave no indication of when it would rule on the merits, with Judge Karen LeCraft Henderson calling the move a "spectacular overreach" by the department and her colleague Neomi Rao more cautious about second-guessing the secretary's judgment.
Why it matters
- Entrepreneurs: An AI vendor's ethical constraints can turn into concrete contractual risk. When choosing a vendor you must weigh not only capability and price, but also the clauses on permitted use and the strength of the relationship with the main customer: a single client that 'delists' the supplier can wipe out its revenue and continuity. 'Safety' thus becomes a compliance and lock-in variable to budget for.