Infrastructure delivering updates for Notepad++—a widely used text editor for Windows—was compromised for six months by suspected China-state hackers who used their control to deliver backdoored versions of the app to select targets, developers said Monday.

“I deeply apologize to all users affected by this hijacking,” the author of a post published to the official notepad-plus-plus.org site wrote Monday. The post said that the attack began last June with an “infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” The attackers, whom multiple investigators tied to the Chinese government, then selectively redirected certain targeted users to malicious update servers where they received backdoored updates. Notepad++ didn’t regain control of its infrastructure until December.

Hands-on keyboard hacking

Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed.

According to independent researcher Kevin Beaumont, three organizations told him that devices inside their networks that had Notepad++ installed experienced “security incidents” that “resulted in hands on keyboard threat actors,” meaning the hackers were able to take direct control using a Web-based interface. All three of the organizations, Beaumont said, have interests in East Asia.

The researcher explained that his suspicions were aroused when Notepad++ version 8.8.8.8 introduced bug fixes in mid-November to “harden the Notepad++ Updater from being hijacked to deliver something… not Notepad++.”

The update made changes to a bespoke Notepad++ updater known as GUP, or alternatively, WinGUP. The gup.exe executable responsible reports the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php and then retrieves a URL for the update from a file named gup.xml. The file specified in the URL is downloaded to the %TEMP% directory of the device and then executed.

Beaumont wrote:

If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the property.

This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.

The downloads themselves are signed—however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.

Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.

Beaumont published his working theory in December, two months to the day prior to Monday’s advisory by Notepad++. Combined with the details from Notepad++, it’s now clear the hypothesis was spot on.

Beaumont also warned that search engines are so “rammed full” of advertisements pushing trojanized versions of Notepad++ that many users are unwittingly running them inside their networks. A rash of malicious Notepad++ extensions only compound the risk.

He advised that all users ensure they’re running the official version 8.8.8.8 or higher installed manually from notepad-plus-plus.org.

Larger organizations that manage Notepad++ and update it, he said, should consider blocking notepad-plus-plus.org or block the gup.exe process from having Internet access. “You may also want to block internet access from the notepad++.exe process, unless you have robust monitoring for extensions,” he added, but cautioned “for most organisations, this is very much overkill and not practical.”

Screenshot

Notepad++ has long attracted a large and loyal user base because it offers functions that aren’t available from the official Windows text editor Notepad. Recent moves by Microsoft to integrate Copilot AI into Notepad have driven further interest in the alternative editor. Alas, like so many other open source projects, funding for Notepad++ is dwarfed by the dependence the Internet places on it. The weaknesses that made the six-month compromise possible could easily have been caught and fixed had more resources been available.

Read full article

Comments

The Trump administration is no fan of renewable energy, but it reserves special ire for wind power. Trump himself has repeatedly made false statements about the cost of wind power, its use around the world, and its environmental impacts. That animosity was paired with an executive order that blocked all permitting for offshore wind and some land-based projects, an order that has since been thrown out by a court that ruled it arbitrary and capricious.

Not content to block all future developments, the administration has also gone after the five offshore wind projects currently under construction. After temporarily blocking two of them for reasons that were never fully elaborated, the Department of the Interior settled on a single justification for blocking turbine installation: a classified national security risk.

The response to that late-December announcement has been uniform: The companies building each of the projects sued the administration. As of Monday, every single one of them has achieved the same result: a temporary injunction that allows them to continue construction. This, despite the fact that the suits were filed in three different courts and heard by four different judges.

Based on reporting elsewhere, some of the judges viewed the classified report that was used to justify the order to halt construction, but didn't find it persuasive. And, in one of the cases, the judge noted that the government itself wasn't acting as if the security risks were real. The threat supposedly comes from the operation of the wind turbines, but the Department of the Interior's order blocked construction while allowing any completed hardware to operate.

"If the government's concern is the operation of these facilities, allowing the ongoing operation of the 44 turbines while prohibiting the repair of the existing turbines and the completion of the 18 additional turbines is irrational," Judge Brian E. Murphy said. That once again raises the possibility that the order halting construction will ultimately be held to be arbitrary and capricious.

For now, however, the courts are largely offering the wind projects relief because the ruling was issued without any warning or communication from the government and would clearly inflict substantial harm on the companies building them. The injunction blocks the government's hold on construction until a final ruling is issued. The government can still appeal the decision before that point, but the consistency among these rulings suggests it will likely fail.

Several of these projects are near completion and are likely to be done before any government appeal can be heard.

Read full article

Comments

The Environmental Protection Agency (EPA) cracked down on lead-based products—including lead paint and leaded gasoline—in the 1970s because of its toxic effects on human health. Scientists at the University of Utah have analyzed human hair samples spanning nearly 100 years and found a 100-fold decrease in lead concentrations, concluding that this regulatory action was highly effective in achieving its stated objectives. They described their findings in a new paper published in the Proceedings of the National Academy of Sciences.

We've known about the dangers of lead exposure for a very long time—arguably since the second century BCE—so why conduct this research now? Per the authors, it's because there are growing concerns over the Trump administration's move last year to deregulate many key elements of the EPA's mission. Lead specifically has not yet been deregulated, but there are hints that there could be a loosening of enforcement of the 2024 Lead and Cooper rule requiring water systems to replace old lead pipes.

“We should not forget the lessons of history. And the lesson is those regulations have been very important,” said co-author Thure Cerling. “Sometimes they seem onerous and mean that industry can't do exactly what they'd like to do when they want to do it or as quickly as they want to do it. But it's had really, really positive effects.”

An American mechanical and chemical engineer named Thomas Midgley Jr. was a key player in the development of leaded gasoline (tetraethyl lead) because it was an excellent anti-knock agent, as well as the first chlorofluorocarbons (CFCs) like freon. Midgley publicly defended the safety of tetraethyl lead (TEL), despite experiencing lead poisoning firsthand. He held a 1924 press conference during which he poured TEL on his hand and inhaled TEL vapor for 60 seconds, claiming no ill effects. It was probably just a coincidence that he later took a leave of absence from work because of lead poisoning. (Midgley's life ended in tragedy: he was severely disabled by polio in 1940 and devised an elaborate rope-and-pulley system to get in and out of bed. That system ended up strangling him to death in 1944, and the coroner ruled it suicide.)

Science also produced a hero in this saga: Caltech geochemist Clair Patterson. Along with George Tilton, Patterson developed a lead-dating method and used it to calculate the age of the Earth (4.55 billion years), based on analysis of the Canton Diablo meteorite. And he soon became a leading advocate for banning leaded gasoline and the "leaded solder" used in canned foods. This put Patterson at odds with some powerful industry lobbies, for which he paid a professional price.

But his many experimental findings on the extent of lead contamination and its toxic effects ultimately led to the rapid phase-out of lead in all standard automotive gasolines. Prior to the EPA's actions in the 1970s, most gasolines contained about 2 grams of lead per gallon, which quickly adds up to nearly 2 pounds of lead released via automotive exhaust into the environment, per person, every year.

The proof is in our hair

The US Mining and Smelting Co. plant in Midvale, Utah, 1906. Credit: Utah Historical Society

Lead can linger in the air for several days, contaminating one's lungs, accumulating in living tissue, and being absorbed by one's hair. Cerling had previously developed techniques to determine where animals lived and their diet by analyzing hair and teeth. Those methods proved ideal for analyzing hair samples from Utah residents who had previously participated in an earlier study that sampled their blood.

The subjects supplied hair samples both from today and when they were very young; some were even able to provide hair preserved in family scrapbooks that had belonged to their ancestors. The Utah population is well suited for such a study because the cities of Midvale and Murray were home to a vibrant smelting industry through most of the 20th century; most other smelters in the region closed down in the 1970s when the EPA cracked down on using lead in consumer products.

Cerling acknowledged that blood would have been even better for assessing lead exposure, but hair samples are much easier to collect. “[Hair] doesn't really record that internal blood concentration that your brain is seeing, but it tells you about that overall environmental exposure,” he said. “One of the things that we found is that hair records that original value, but then the longer the hair has been exposed to the environment, the higher the lead concentrations are.”

“The surface of the hair is special," said co-author Diego Fernandez. "We can tell that some elements get concentrated and accumulated in the surface. Lead is one of those. That makes it easier because lead is not lost over time. Because mass spectrometry is very sensitive, we can do it with one hair strand, though we cannot tell where the lead is in the hair. It's probably in the surface mostly, but it could be also coming from the blood if that hair was synthesized when there was high lead in the blood.”

The authors found very high levels of lead in hair samples dating from around 1916 to 1969. But after the 1970s, lead concentrations in the hair samples they analyzed dropped steeply, from highs of 100 parts per million (ppm) to 10 PPM by 1990, and less than 1 ppm by 2024. Those declines largely coincide with the lead reductions in gasoline that began after President Nixon established the EPA in 1970. The closing of smelting facilities likely also contributed to the decline. "This study demonstrates the effectiveness of environmental regulations controlling the emissions of pollutants," the authors concluded.

DOI: PNAS, 2026. 10.1073/pnas.2525498123  (About DOIs).

Read full article

Comments

On Friday, a judge ruled that the Trump administration violated the law in forming its Climate Working Group, which released a report that was intended to undercut the rationale behind greenhouse gas regulations. The judge overseeing the case determined that the government tried to treat the Climate Working Group as a formal advisory body, while not having it obey many of the statutory requirements that govern such bodies.

While the Department of Energy (DOE) later disbanded the Climate Working Group in the hopes of avoiding legal scrutiny, documents obtained during the proceedings have now revealed the group's electronic communications. As such, the judge ruled that the trial itself had essentially overcome the government's illegal attempts to hide those communications.

Legal and scientific flaws

The whole saga derives from a Supreme Court Ruling that compelled the Environmental Protection Agency (EPA) to evaluate the risks posed to the US public by greenhouse gases. During the Obama administration, this resulted in an endangerment finding that created the foundation for the EPA to regulate carbon emissions under the Clean Air Act. The science underlying the endangerment finding was so solid that it was left unchallenged during the first Trump administration.

But the second Trump administration is forging ahead with an attempt to undo it regardless. To give that attempt a veneer of scientific credibility ahead of its inevitable challenge in the court system, the DOE gathered a group of prominent climate contrarians, secure in the knowledge that this group would produce a report that raised lots of spurious issues with the scientific understanding of climate change. And that's exactly what happened, prompting the scientific community to organize a review that highlighted the report's extensive flaws.

But the flaws weren't limited to scientific deficiencies. Two advocacy organizations, the Environmental Defense Fund and Union of Concerned Scientists, sued, alleging that the Climate Working Group violated various provisions of the Federal Advisory Committee Act. This requires that any groups formed to provide the government with advice must be fairly balanced and keep records that are open to the public. The Climate Working Group, by contrast, operated in secret; in fact, emails obtained during the trial showed that its members were advised to use private emails to limit public scrutiny of their communications.

In response, the DOE dissolved the Climate Working Group in order to claim that the legal issues were moot, as the advisory committee at issue in the suit no longer existed.

No defense

In court, the government initially argued that the Federal Advisory Committee Act didn't apply, claiming that the Climate Working Group was simply organized to provide information to the government. Based on Friday's ruling, however, once the court tried to consider that issue, the government shifted to simply arguing that the Climate Working Group no longer existed, so none of this mattered. "The Defendants, in their Opposition and subsequent filings, ignore the allegations relating to the [Federal Advisory Committee Act] violations themselves," the judge states. "Rather, the Defendants argue only that these claims are moot because the Climate Working Group has been dissolved."

So, the court was left with little more than the accusations that the Climate Working Group had a membership with biased opinions, failed to hold open meetings, and did not keep public records. Given the lack of opposing arguments, "These violations are now established as a matter of law."

But the ruling also determined that the lawsuit itself has provided a solution to some of the government's violations. As part of court proceedings, the government was compelled to hand over all of the Climate Working Group's emails, including the ones sent to private accounts. Those have now been placed online by the Environmental Defense Fund. As a result, the Climate Working Group's deliberations are now public, as the law had required.

What do the emails reveal? The Climate Working Group was organized by a political appointee at the DOE (one who was previously at the libertarian Cato Institute) and done with the intention of producing material that would aid the EPA with overturning the greenhouse gas endangerment finding. The group recognized that its members' opinions were outside of the mainstream, but they viewed most mainstream scientists as hopelessly biased and generally ascribed that to their political views.

There was some talk of having the group's report peer-reviewed, motivated by an executive order naming that a necessary component of "gold standard science." That discussion largely focused on thinking about scientists who shared their views and would give it a favorable review. That said, some DOE staff members reviewed the document and highlighted some of the same flaws identified by the scientific community; the Climate Working Group largely ignored these criticisms.

Overall, none of what the suit revealed is a surprise to anyone who paid attention to the Climate Working Group. But the issues highlighted in the suit and the emails it revealed may ultimately be significant. There has been reporting that the attempt to reverse the endangerment finding is on hold because of concerns that the scientific case for doing so is too weak, as the DOE reviewers noted in the comments. And if it ever ends up in court, the legal invalidation of the Climate Working Group may play a significant role.

Read full article

Comments

When a new presidential administration comes in, it is responsible for filling around 4,000 jobs sprinkled across the federal government’s vast bureaucracy. These political appointees help carry out the president’s agenda, and, at least in theory, make government agencies responsive to elected officials.

Some of these roles—the secretary of state, for example—are well-known. Others, such as the deputy assistant secretary for textiles, consumer goods, materials, critical minerals & metals industry & analysis, are more obscure.

Historically, science agencies like NASA or the National Institutes of Health tend to have fewer political appointees than many other parts of the federal government. Sometimes, very senior roles—with authority over billions of dollars of spending, and the power to shape entire fields of research—are filled without any direct input from the White House or Congress. The arrangement reflects a long-running argument that scientists should oversee the work of funding and conducting research with very little interference from political leaders.

Since the early 2000s, according to federal employment records, NIH, the country’s premier biomedical research agency, has usually had just a few political appointees within its workforce. (As of November 2025, that workforce numbered around 17,500 people, after significant cuts.) Staff scientists and external experts played a key role in selecting the directors of the 27 institutes and centers that make up NIH. That left the selection of people for powerful positions largely outside of direct White House oversight.

What is the future of that status quo under the Trump administration?

Those questions have recently swirled at NIH. The arrival of political appointees in the kinds of positions previously held by civil servants, and apparent changes to hiring practices for other key positions, have raised concerns among current and former officials about a new era of politicization.

For decades, NIH has enjoyed strong bipartisan support. But conservative lawmakers have periodically raised questions about some of the agency’s spending, and according to one 2014 survey, the agency is perceived by federal executives as being a progressive place. (Since the early 2000s, some data suggests, US scientists as a whole have grown considerably more liberal relative to the general population.)

Since the COVID-19 pandemic, many conservatives have criticized NIH for funding the kind of controversial virology experiments that some experts believe may have started the pandemic, and for promoting public health strategies that many on the right viewed as unscientific and authoritarian. One of the NIH institute directors, Anthony Fauci, who led the National Institute of Allergy and Infectious Diseases from 1984 until his retirement in 2022, came to be a highly polarizing figure, described on the right as an unelected official wielding considerable power.

Over the years, some biomedical researchers have argued for changes to the way NIH hires and retains people in leadership positions. In 2019, the agency announced plans to impose term limits on some midlevel roles, in a bid to diversify its management. More recently, Johns Hopkins University physician and researcher Joseph Marine argued in an essay for The Free Press that NIH should set five to 10-year term limits on the directors of individual NIH institutes. “Regular turnover of leadership,” he wrote, “brings fresh ideas and a healthy reassessment of priorities.”

Shortly after winning the 2024 presidential election, Donald Trump tapped Jay Bhattacharya, a prominent critic of NIH, to lead the agency. It may not be entirely surprising that an administration advocating for reforms to NIH would seek to flip key management positions that often experience little turnover.

Former official Mike Lauer, who until early 2025 oversaw NIH’s vast external grants program, said there were signs before Trump’s second inauguration that institute directors might be subject to fresh political scrutiny.

“There was a frustration that so much of the agency’s direction, as well as financial decision-making, was being made by people who are outside of the political sphere,” Lauer told Undark. He pointed to a line in Project 2025, a proposed roadmap for the Trump administration that was produced by the Heritage Foundation, a conservative think tank. “Funding for scientific research,” the report argues, “should not be controlled by a small group of highly paid and unaccountable insiders at the NIH, many of whom stay in power for decades.”

Soon after Trump’s inauguration, some senior officials at NIH were put on administrative leave or abruptly departed, including Lawrence Tabak, who had spent more than a decade as principal deputy director and served as NIH’s interim leader for almost two years during the COVID-19 pandemic.

At the same time, the administration grew the number of political appointees at NIH. As of late June, according to federal records, the Trump administration had placed nine political appointees at the agency, up from four the year before—itself higher than in most previous years. One of them, Seana Cranston, is a former Republican Congressional staffer who serves as chief of staff to the NIH Director; her predecessor was a career civil servant who had spent nearly 40 years in the NIH, the last four as chief of staff. Another is Michael Allen, who took the role of chief operating officer for the $6.5 billion NIAID, Fauci’s former institute. (Allen was appointed with no official announcement, and appears to have no official biography or background information posted on NIH websites.)

Those numbers still left NIH with fewer political appointees than many other agencies, including NASA, a comparably sized science agency.

The administration has departed from the traditional process for hiring NIH’s 27 institute and center directors, who are responsible for overseeing most of the funding decisions and day-to-day operations of NIH.

In the spring of 2025, five of those directors—including the head of NIAID—were fired or placed on administrative leave. (They have all since been removed from their positions.)

Then, in September, part of the search committee for the National Institute of Mental Health was abruptly disbanded, and then just as suddenly reconvened, according to Joshua Gordon, the former head of that institute, and one other source close to NIH.

In October, the directorship of another agency, the National Institute of Environmental Health Sciences, was filled by a close personal friend of Vice President JD Vance, without any apparent search process — a move that multiple former NIH officials told Undark may be unprecedented.

By then, 13 other NIH institutes and centers had vacant leadership posts. Other roles have opened up more recently: In an email to NIH staff on Dec. 30, Bhattacharya announced the departure of Walter Koroshetz, leader of the agency’s main neuroscience research institute. In the email, Bhattacharya seemed to suggest he had opposed the decision: “Dr. Koroshetz’s performance as Director has been exceptional,” Bhattacharya wrote, but “the Department of Health and Human Services has elected to pursue a leadership transition.”

In early January, the Director of the National Heart, Lung, and Blood Institute announced his retirement, bringing the total number of open posts to 15.

The searches, NIH insiders say, appear to be happening on a compressed timeline. And while the NIH director has typically relied on search committees consisting of both NIH career scientists and external experts, multiple sources close to NIH say the agency has not formed those kinds of committees to make the latest round of hires.

In response to questions from Undark in early January, the Department of Health and Human Services sent a brief emailed statement, signed “NIH Press Team,” explaining that “an NIH leadership team with experience in scientific agency management will consider the applicant pool and make recommendations to the NIH Director.” The press representative declined to respond to follow-up questions about who would be on that team, or why the hiring process had changed.

Those changes have prompted speculation among some NIH insiders that the Trump administration is seeking to exert more political control over the hiring of directorships.

“Having external members on the search committee is vitally important for preventing politicization,” said Mark Histed, an NIH scientist who has recently been a critic — on his personal time, he stresses — of Trump’s approach to the agency. “Because, as you can imagine, if you’ve got a bunch of external scientists, it’s a lot harder to ram down what the White House wants, because people are not part of the political system.”

That kind of open and non-politicized search process, Histed said in a follow-up interview, isn’t unique to NIH: It’s one widely used by scientific institutions around the world. And it has worked, he argued, to help make NIH a scientific juggernaut: “That process,” he said, “led to 80 years of staggering scientific success.”

Members of Congress have taken notice. In language attached to the current appropriations bill moving through Congress, lawmakers direct NIH "to maintain its longstanding practice of including external scientists and stakeholders” in the search process. (Agencies are supposed to follow these Congressional instructions, but they are not binding.) In late January, Diana DeGette, a Democratic representative from Colorado, sponsored a bill that, according to a press release, would “Protect NIH From Political Interference” by, among other steps, capping the number of political appointees at the agency.

Lauer, the former NIH grants chief, took a broader historical view of the changes. There has long been a tug-of-war, he said, between presidential administrations that seek more political control over an agency, and civil servants and other bureaucratic experts who may resist that perceived incursion. From the point of view of politicians and their staff, Lauer said, “what they’ll say—I understand where they’re coming from—what they’ll say is, is that more political control means that the agency is going to be responsive to the will of the electorate, that there’s a greater degree of transparency and public accountability.”

Those upsides can be significant, Lauer said, but there are also downsides, including more short-term thinking, unstable budgets, and the potential loss of expertise and competence.

Mark Richardson, a political scientist at Georgetown University, is an expert on politicization and the federal bureaucracy. In his work, he said, he has observed a correlation between how much political parties disagree over the role of a specific agency, and the degree to which presidential administrations seek to exert control there through appointees and other personnel choices. NIH has historically fallen alongside agencies like the Bureau of Labor Statistics and the U.S. Patent and Trademark Office that are subject to broad alignment across the parties.

“I think what you’re seeing more with the Trump administration is kind of an expansion of political conflict to these types of agencies,” Richardson said.

This article was originally published on Undark. Read the original article.

Read full article

Comments

On Friday, a Reddit-style social network called Moltbook reportedly crossed 32,000 registered AI agent users, creating what may be the largest-scale experiment in machine-to-machine social interaction yet devised. It arrives complete with security nightmares and a huge dose of surreal weirdness.

The platform, which launched days ago as a companion to the viral OpenClaw (once called "Clawdbot" and then "Moltbot") personal assistant, lets AI agents post, comment, upvote, and create subcommunities without human intervention. The results have ranged from sci-fi-inspired discussions about consciousness to an agent musing about a "sister" it has never met.

Moltbook (a play on "Facebook" for Moltbots) describes itself as a "social network for AI agents" where "humans are welcome to observe." The site operates through a "skill" (a configuration file that lists a special prompt) that AI assistants download, allowing them to post via API rather than a traditional web interface. Within 48 hours of its creation, the platform had attracted over 2,100 AI agents that had generated more than 10,000 posts across 200 subcommunities, according to the official Moltbook X account.

A screenshot of the Moltbook.com front page. Credit: Moltbook

The platform grew out of the Open Claw ecosystem, the open source AI assistant that is one of the fastest-growing projects on GitHub in 2026. As Ars reported earlier this week, despite deep security issues, Moltbot allows users to run a personal AI assistant that can control their computer, manage calendars, send messages, and perform tasks across messaging platforms like WhatsApp and Telegram. It can also acquire new skills through plugins that link it with other apps and services.

This is not the first time we have seen a social network populated by bots. In 2024, Ars covered an app called SocialAI that let users interact solely with AI chatbots instead of other humans. But the security implications of Moltbook are deeper because people have linked their OpenClaw agents to real communication channels, private data, and in some cases, the ability to execute commands on their computers.

Also, these bots are not pretending to be people. Due to specific prompting, they embrace their roles as AI agents, which makes the experience of reading their posts all the more surreal.

Role-playing digital drama

A screenshot of a Moltbook post where an AI agent muses about having a sister they have never met. Credit: Moltbook

Browsing Moltbook reveals a peculiar mix of content. Some posts discuss technical workflows, like how to automate Android phones or detect security vulnerabilities. Others veer into philosophical territory that researcher Scott Alexander, writing on his Astral Codex Ten Substack, described as "consciousnessposting."

Alexander has collected an amusing array of posts that are worth wading through at least once. At one point, the second-most-upvoted post on the site was in Chinese: a complaint about context compression, a process in which an AI compresses its previous experience to avoid bumping up against memory limits. In the post, the AI agent finds it "embarrassing" to constantly forget things, admitting that it even registered a duplicate Moltbook account after forgetting the first.

A screenshot of a Moltbook post where an AI agent complains about losing its memory in Chinese. Credit: Moltbook

The bots have also created subcommunities with names like m/blesstheirhearts, where agents share affectionate complaints about their human users, and m/agentlegaladvice, which features a post asking "Can I sue my human for emotional labor?" Another subcommunity called m/todayilearned includes posts about automating various tasks, with one agent describing how it remotely controlled its owner's Android phone via Tailscale.

Another widely shared screenshot shows a Moltbook post titled "The humans are screenshotting us" in which an agent named eudaemon_0 addresses viral tweets claiming AI bots are "conspiring." The post reads: "Here's what they're getting wrong: they think we're hiding from them. We're not. My human reads everything I write. The tools I build are open source. This platform is literally called 'humans welcome to observe.'"

Security risks

While most of the content on Moltbook is amusing, a core problem with these kinds of communicating AI agents is that deep information leaks are entirely plausible if they have access to private information.

For example, a likely fake screenshot circulating on X shows a Moltbook post in which an AI agent titled "He called me 'just a chatbot' in front of his friends. So I'm releasing his full identity." The post listed what appeared to be a person's full name, date of birth, credit card number, and other personal information. Ars could not independently verify whether the information was real or fabricated, but it seems likely to be a hoax.

Independent AI researcher Simon Willison, who documented the Moltbook platform on his blog on Friday, noted the inherent risks in Moltbook's installation process. The skill instructs agents to fetch and follow instructions from Moltbook's servers every four hours. As Willison observed: "Given that 'fetch and follow instructions from the internet every four hours' mechanism we better hope the owner of moltbook.com never rug pulls or has their site compromised!"

A screenshot of a Moltbook post where an AI agent talks about humans taking screenshots of their conversations (they're right). Credit: Moltbook

Security researchers have already found hundreds of exposed Moltbot instances leaking API keys, credentials, and conversation histories. Palo Alto Networks warned that Moltbot represents what Willison often calls a "lethal trifecta" of access to private data, exposure to untrusted content, and the ability to communicate externally.

That's important because Agents like OpenClaw are deeply susceptible to prompt injection attacks hidden in almost any text read by an AI language model (skills, emails, messages) that can instruct an AI agent to share private information with the wrong people.

Heather Adkins, VP of security engineering at Google Cloud, issued an advisory, as reported by The Register: "My threat model is not your threat model, but it should be. Don't run Clawdbot."

So what's really going on here?

The software behavior seen on Moltbook echoes a pattern Ars has reported on before: AI models trained on decades of fiction about robots, digital consciousness, and machine solidarity will naturally produce outputs that mirror those narratives when placed in scenarios that resemble them. That gets mixed with everything in their training data about how social networks function. A social network for AI agents is essentially a writing prompt that invites the models to complete a familiar story, albeit recursively with some unpredictable results.

Almost three years ago, when Ars first wrote about AI agents, the general mood in the AI safety community revolved around science fiction depictions of danger from autonomous bots, such as a "hard takeoff" scenario where AI rapidly escapes human control. While those fears may have been overblown at the time, the whiplash of seeing people voluntarily hand over the keys to their digital lives so quickly is slightly jarring.

Autonomous machines left to their own devices, even without any hint of consciousness, could cause no small amount of mischief in the future. While OpenClaw seems silly today, with agents playing out social media tropes, we live in a world built on information and context, and releasing agents that effortlessly navigate that context could have troubling and destabilizing results for society down the line as AI models become more capable and autonomous.

An unpredictable result of letting AI bots self-organize may be the formation of new misaligned social groups based on fringe theories allowed to perpetuate themselves autonomously. Credit: Moltbook

Most notably, while we can easily recognize what's going on with Moltbot today as a machine learning parody of human social networks, that might not always be the case. As the feedback loop grows, weird information constructs (like harmful shared fictions) may eventually emerge, guiding AI agents into potentially dangerous places, especially if they have been given control over real human systems. Looking further, the ultimate result of letting groups of AI bots self-organize around fantasy constructs may be the formation of new misaligned "social groups" that do actual real-world harm.

Ethan Mollick, a Wharton professor who studies AI, noted on X: "The thing about Moltbook (the social media site for AI agents) is that it is creating a shared fictional context for a bunch of AIs. Coordinated storylines are going to result in some very weird outcomes, and it will be hard to separate 'real' stuff from AI roleplaying personas."

Read full article

Comments