Tag: Business – Decrypt

OpenAI on Thursday announced new safety features designed to help ChatGPT recognize signs of escalating risk across conversations as the company faces growing legal and political scrutiny over how its chatbot handles users in distress.

In a blog post, OpenAI said the updates improve ChatGPT’s ability to identify warning signs tied to suicide, self-harm, and potential violence by analyzing context that develops over time instead of treating each message separately.

“People come to ChatGPT every day to talk about what matters to them—from everyday questions to more personal or complex conversations,” the company wrote. “Across hundreds of millions of interactions, some of these conversations include people who are struggling or experiencing distress.”

According to OpenAI, ChatGPT now uses temporary “safety summaries,” which it described as narrowly scoped notes that capture relevant safety-related context from earlier conversations.

“In sensitive conversations, context can matter as much as a single message,” the company wrote. “A request that appears ordinary or ambiguous on its own may carry a very different meaning when viewed alongside earlier signs of distress or possible harmful intent.”

OpenAI said the summaries are short-term notes used only in serious situations, not to permanently remember users or personalize chats, and are used to spot signs that a conversation is becoming dangerous, avoid giving harmful information, de-escalate the situation, or guide users toward help.

“We focused this work on acute scenarios, including suicide, self-harm, and harm to others,” they wrote. “Working with mental health experts, we updated our model policies and training to improve ChatGPT’s ability to recognize warning signs that emerge over the course of a conversation and use that context to inform more careful responses.”

The announcement comes as OpenAI faces multiple lawsuits and investigations alleging ChatGPT failed to properly respond to dangerous conversations involving violence, emotional vulnerability, and risky behavior.

In April, Florida Attorney General James Uthmeier launched an investigation into OpenAI tied to concerns about child safety, self-harm, and the 2025 mass shooting at Florida State University. OpenAI is also facing a federal lawsuit alleging ChatGPT helped the suspected gunman carry out the attack.

On Tuesday, OpenAI and CEO Sam Altman were sued in California state court by the family of a 19-year-old student who died from an accidental overdose, with the lawsuit alleging ChatGPT encouraged dangerous drug use and advised on mixing substances.

OpenAI said helping ChatGPT recognize “risk that only becomes clear over time” remains an ongoing challenge; similar safety methods could eventually expand into other areas.

“Today, this work focuses on self-harm and harm-to-others scenarios. In the future, we may explore whether similar methods can help in other high-risk areas such as biology or cyber safety, with careful safeguards in place,” they wrote. “This remains an ongoing priority, and we will continue strengthening safeguards as our models and understanding evolve.”

Apple devices have long been considered among the hardest consumer systems to hack because of the company’s tightly integrated hardware and software security. Now, a security startup claims a small team of researchers used a preview version of Anthropic’s Claude Mythos to build a working exploit against Apple’s new M5 chip protections in less than a week.

In a Substack post published Thursday, the Vietnam-based Calif said it developed what it describes as the first public macOS kernel memory corruption exploit capable of surviving Apple’s new Memory Integrity Enforcement, or MIE, protections on M5 hardware. Calif said it shared the findings with Apple in a meeting at the tech giant’s headquarters in California.

“We wanted to report it in person, instead of getting buried in the submission flood that some unfortunate Pwn2Own participants just experienced,” Calif wrote. “Most respected hackers avoid human interaction whenever possible, so this physical strategy may give us a slight edge in the eternal race for five minutes of fame and glory on Twitter.”

According to Calif, the “attack path” was discovered accidentally after researchers found the bugs on April 25, then developed a working exploit by May 1.

The exploit chain targets macOS 26 running on Apple M5 systems. According to the company, the attack starts from an unprivileged local user account and escalates to root access using standard system calls. The exploit reportedly combines two vulnerabilities and additional techniques targeting bare-metal M5 hardware with kernel MIE enabled.

Calif said Mythos Preview helped identify the vulnerabilities and assist throughout exploit development, but added that human expertise was still necessary to bypass Apple’s new MIE protections.

“Part of our motivation was to test what’s possible when the best models are paired with experts,” the company wrote. “Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing.”

Memory corruption bugs are still one of the most common ways attackers break into operating systems and apps, because they can let an attacker crash the program, steal data, or even take control of it. Apple’s MIE feature uses memory-tagging technology to make those attacks much harder.

Anthropic released the preview version of Mythos in April after internal testing and outside evaluations suggested the model could autonomously identify and exploit software vulnerabilities at a level beyond previous public AI models.

Rather than release it publicly, Anthropic restricted access to select technology companies, banks, and researchers under its Project Glasswing initiative. That same month, it was also revealed that the U.S. National Security Agency was using Mythos despite an ongoing feud between Anthropic and the Donald Trump administration.

Mozilla later said Mythos identified 271 vulnerabilities in Firefox during internal testing, while the U.K.’s AI Security Institute found the model could autonomously complete sophisticated multi-stage cyberattack simulations.

Users on Myriad—a prediction market platform operated by Decrypt‘s parent company, Dastan—do not believe a full release of Claude Mythos is imminent, penciling in just a 10.5% chance of a public launch by June 30, as of this writing.

Calif called the Apple M5 exploit “a glimpse of what is coming.”

“Apple built MIE in a world before Mythos Preview,” Calif wrote. “We’re about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon.”

Dapper Labs, the firm behind licensed digital sports collectibles platform NBA Top Shot and NFL All Day, will no longer create new football collectibles for its licensed NFL platform, it announced on Wednesday. 

The decision does not affect existing NFTs on the platform, which can still be bought and sold via the site’s marketplace. 

“Today we are stopping primary issuance for our NFL All Day product, and announcing the signing of a new licensing agreement with the NFL,” Dapper Labs CEO and Flow blockchain co-founder Roham Gharegozlou posted on X. “We will share details on this as the season approaches.” 

As part of the changes, the firm is committing to two new initiatives for collectors on the platform, including providing them with a “Founding Collector” label and issuing a 5% Dapper balance rebate on purchases—though collectors need to hold the purchased collectible for a year to release the rebate. 

“We [Dapper Labs] continue to believe that digital goods with cultural value will be one of the fastest-growing asset classes of the next decade, but building the category correctly requires only moving forward in a way that protects the ownership economy,” said Gharegozlou. 

The firm’s formal announcement hit social media around 9:00 p.m. ET on Wednesday evening, and earned a rash of criticism from collectors in reply as marketplace offers were still valid throughout the announcement. Some users claimed they’re now saddled with NFTs with minimal value as holders cashed out following the announcement.

“Why were offers still active after this announcement?,” pseudonymous collector RJAnderson85 posted on X, adding that existing offers were made with assumptions that NFL All Day would continue to operate as normal. “I just saw on my phone I spent $400-$500 on worthless moments. Not acceptable,” they added. 

Others chimed in similarly, pointing to the fact that many of their outstanding offers were accepted after the announcement thanks to the marketplace staying open. 

The announcement has led to a surge in sales over the last two days according to data from CryptoSlam. Sales volume on the platform eclipsed $10,000 in total just one time prior to Wednesday’s announcement. But on Wednesday, volumes reached nearly $32,000, and more than $53,000 has been transacted on Thursday as of this writing.

Furthermore, the count of unique sellers has jumped from less than 100 individuals all of last week to more than 400 sellers on Thursday—a sign that collectors are reacting to the news. 

Details on what the platform may look like in the future remain sparse, but the firm said it is “hard at work on the next evolution of NFL digital collectibles.” 

A representative for Dapper Labs did not immediately respond to Decrypt’s request for comment. 

Strive’s preferred stock will soon become the first U.S.-listed security to provide investors with daily cash dividends, the Bitcoin-buying firm declared on Thursday.

In a statement, CEO Matt Cole described the shift as a “zero-to-one innovation,” affecting the company’s Variable Rate Series A Perpetual Preferred Stock (SATA) starting June 16.

SATA, which debuted on the Nasdaq in November, currently carries a stated annual dividend rate of 13%. While that rate is expected to remain unchanged as Strive transitions from a monthly to a daily payout format, the more frequent compounding is projected to boost SATA’s effective annual yield to 13.88%, according to an investor presentation.

The transition underscores continued experimentation among Bitcoin-buying firms that have embraced dividend-paying products as a way to grow their stockpiles. Strive modeled SATA on Strategy’s STRC, which debuted in July and currently pays out 11.5% monthly.

Strive telegraphed SATA’s shift alongside first-quarter earnings. The company reported a net loss of $265.9 million in the three-month period ended March 31, attributing the performance to a $295.8 million decline in the value of its Bitcoin holdings.

Holding 15,009 Bitcoin on its balance sheet, Strive is the ninth-largest corporate holder of Bitcoin, according to Bitcoin Treasuries. With Bitcoin changing hands around $81,500 as of this writing, the sum was valued around $1.2 billion. Strive unveiled its first acquisition in September.

Strive shares jumped more than 5% to a recent price of $17.60, according to Yahoo Finance, after touching a high of $18.22 earlier Thursday. Since the company announced its first Bitcoin purchase just over eight months ago, shares have plunged 86% from $130, facing volatility as the digital asset has fallen about 35% from all-time highs.

Although Strive had issued long-term notes to purchase more Bitcoin than it could otherwise, the firm said on Thursday that it had repurchased them, eliminating outstanding debt. In the presentation, Strive said SATA had become its only form of Bitcoin-backed “amplification.”

Last month, Strategy announced a proposed shareholder vote to double the dividend payment frequency on STRC to a semi-monthly schedule, a move aimed at reducing its volatility. So far this year, Strategy has raised billions of dollars via the dividend-paying product.

Although STRC has seen adoption among Bitcoin-buying peers, Strategy’s leadership has said that the dividend-paying product has also found adoption among individual investors. Despite being marketed as “digital credit,” STRC is an unsecured asset lacking the legal protections, security interests, and Bitcoin-backed collateral requirements of traditional debt.

Strive noted on Thursday that it owns $50.5 million worth of STRC, in addition to $87.6 million worth of cash and cash equivalents. Cole shared the company’s performance in a post to X, and Strategy co-founder and Executive Chairman Michael Saylor chimed in, calling it “impressive.”

Beijing-based Moonshot AI has released Kimi WebBridge, a browser extension that lets AI agents interact with websites the way a person would—searching, clicking, typing, scrolling, and extracting data—all while running locally on your device. It’s available now on the Chrome Web Store and the official Kimi website.

Right now most AI browser automation pipes your data through cloud infrastructure, which means your logged-in sessions and private page content go with it.

But Kimi WebBridge does something different. It pairs a local background service with the browser extension, and the agent communicates with that local service using Chrome DevTools Protocol—the same low-level interface developers use for debugging. Everything stays on your machine. Your bank account, your email, your company’s internal tools: the agent can interact with all of them without Moonshot ever seeing the content.

What the Kimi WebBridge actually does

Think of it as giving your AI agent hands inside your browser. The agent can open pages, click buttons, fill out forms, take screenshots to understand what it’s looking at, read text from pages, and pass results back to whatever AI tool you’re using. It’s not a separate browser—it works in the Chrome or Edge window you already have open, with all your cookies and logins intact.

For example, you could ask your agent to browse Amazon for mechanical keyboards under $150 with at least 4.5 stars and return a ranked comparison, and it would understand your instruction and search the Amazon site visually instead of doing API calls. You could ask it to scan LinkedIn job listings across multiple searches and compile them into a spreadsheet, or check prices for the same product across 10 retailers and report back the best deal.

Any task that involves clicking through a website repeatedly—the stuff that takes 20 minutes of boring manual work—becomes a one-sentence prompt.

Kimi WebBridge officially supports Kimi Code CLI, Claude Code, Cursor, Codex, and Hermes. So it’s not locked to the Kimi ecosystem. If you already use another AI coding or agent tool, WebBridge plugs into it.

Kimi: The Chinese model US behemoths secretly love

WebBridge is powered by Moonshot AI’s Kimi model family—built in China—and the underlying AI is more formidable than most Western users realize. Kimi K2 launched in July 2025 as a 1-trillion-parameter, open-source mixture-of-experts model ranking first among open-source models and fifth overall on the LMSYS Arena leaderboard. (Parameters are what determine a model’s breadth of knowledge, and more is generally better, but not always.)

The latest version, K2.6, released in April 2026, now scores 58.6% on SWE-Bench Pro—a benchmark measuring real-world software engineering on actual GitHub issues—putting it ahead of GPT-5.4 at 57.7% and Claude Opus 4.6 at 53.4%.

If you’ve never heard of Kimi before, there’s a reason it landed on your radar in 2026: the Cursor controversy. On March 19, the $50 billion coding AI startup Cursor launched its Composer 2 model, marketing it as “frontier-level proprietary coding intelligence” built through “continued pretraining” and reinforcement learning.

The announcement lasted less than 24 hours before a developer named Fynn intercepted API traffic and found a model identifier: kimi-k2p5-rl-0317-s515-fast. Elon Musk posted three words: “Yeah, it’s Kimi 2.5.” Moonshot’s head of pretraining ran a tokenizer analysis. Identical match, confirmed.

Cursor VP of Developer Education Lee Robinson acknowledged the open-source base within hours, insisting roughly 75% of the compute went into Cursor’s own training pipeline. Cursor co-founder Aman Sanger called the omission “a miss from the start.” Moonshot, for its part, took the high road—officially congratulating Cursor.

Who else is in this space

Browser automation for AI agents is getting crowded. Anthropic’s own computer use feature lets Claude interact with desktops. OpenAI’s Operator and ChatGPT Atlas do similar things through a hosted cloud service. Google has DeepMind-powered agent experiments and Perplexity has its Comet Browser.

The difference with Kimi WebBridge—at least for now—is the local-first architecture. Cloud-based browser agents are convenient but require routing your browsing activity through a third party. For anything involving personal accounts or sensitive data, that’s a real consideration.

If you want to install it, the fastest path to WebBridge is through the official setup page at kimi.com/features/webbridge, which walks through the steps in order.

Step 1: Download the Kimi Desktop App. The extension needs Kimi Claw Desktop, which runs locally. Mac download is available directly from the setup page; Windows users can install via PowerShell by running:

irm https://kimi-web-img.moonshot.cn/webbridge/install.ps1 | iex

Step 2: Install the browser extension from the Chrome Web Store, or manually through the setup page.

Step 3: Open the Kimi Desktop App, find Kimi Claw in the left sidebar, add a new Claw, and select “On my computer” to deploy it as a local agent. Then send a prompt—something like “Browse Amazon for a mechanical keyboard under $150 with 4.5+ stars”—and it goes to work.

For other AI agents (Claude Code, Cursor, Codex), the setup page provides a connection command you paste into your agent, which connects it to the WebBridge service automatically.

If the extension shows as disconnected, resend the connection command in Kimi Claw Desktop and restart the app. The most common issue is the local service not running before the extension tries to connect.

Moonshot says K2.6 supports up to 300 parallel sub-agents executing across 4,000 coordinated steps simultaneously—the architecture WebBridge taps into when handling complex, multi-step browser tasks.

For a long time, “ChatGPT” was almost synonymous with “AI.” That shorthand is getting harder to defend.

According to SimilarWeb’s latest web traffic data, ChatGPT commanded 77.6% of global generative AI website traffic in May 2025. By April 2026, that share had dropped to 53.7%. Still the leader—but it’s lost roughly 24% in 12 months.

The ground it’s ceding isn’t going to a single challenger. Google’s Gemini went from 7.27% to 26.7% in the same window—nearly quadrupling its share. Claude jumped from 1.37% to 7.95%, a near-sixfold increase.

Grok, Perplexity, and DeepSeek also grew, though less dramatically. The AI market is fragmenting, and OpenAI is carrying the cost of that fragmentation more than anyone else.

It’s worth being precise about what web traffic share actually measures. It counts visits to chatbot websites—not API calls, enterprise contracts, or the usage baked into third-party apps. Someone opening ChatGPT.com to write an email counts. A developer routing millions of API calls through Claude does not. So the web traffic numbers show consumer mindshare more than revenue or deployment at scale.

And that’s where the second data set comes in—and it tells a similar story. The Ramp AI Index, which tracks paid AI subscriptions across more than 50,000 U.S. businesses, published its May 2026 update this week. And, for the first time ever, more companies on Ramp’s platform are paying for Anthropic than for OpenAI.

Anthropic’s adoption rose 3.8% in April to 34.4% of businesses; OpenAI fell 2.9% to 32.3%.

Ramp lead economist Ara Kharazian called it “a stunning reversal.” A year ago, only 9% of businesses on the platform were paying for Anthropic at all. That number has now quadrupled. OpenAI, meanwhile, grew its business adoption by just 0.3% over the same 12 months.

The engine behind Anthropic’s business surge is largely Claude Code, the company’s agentic coding tool, which has been expanding rapidly in developer teams at firms of every size. Uber’s CTO publicly noted the company blew through its entire 2026 AI budget in four months—driven largely by Claude Code usage—with per-engineer monthly API costs running between $500 and $2,000.

One nuance the Ramp data can’t fully capture: OpenAI pushed back through a spokesperson, noting that its biggest enterprise deals don’t flow through corporate cards. “We are driving enterprise transformation at scale,” the company said, per Axios. “These are not engagements where customers pay with a credit card.” That’s a fair point—Ramp’s methodology captures a wide but imperfect slice of business spending.

Still, Ramp doesn’t think the lead will be easy to hold. The report flagged three specific risks: Anthropic’s token-based pricing model incentivizes pushing users toward more expensive models; Claude has experienced service outages and quality complaints in recent weeks; and newer, cheaper inference platforms are growing fast on Ramp’s own data. The index notes that OpenAI’s Codex does similar developer tasks at lower cost, with minimal friction to switch.

Traders and investors are paying attention to all of this. As Decrypt previously reported, Anthropic’s shares on secondary trading platform Forge Global were hovering around $1 trillion—above OpenAI’s $880 billion on the same platform. Three months ago, Anthropic’s secondary market valuation was $380 billion. That’s the market’s way of saying it believes the current trajectory is real, even if premature.

Both OpenAI and Anthropic pushed back against these markets, but still those statistics are a decent thermometer, if even on relatively illiquid markets, of what the global market is expecting and how people are seeing these companies.

Meanwhile, Google’s Gemini has been gaining ground since at least mid-2025, with its Android integration giving it structural distribution advantages that other challengers simply don’t have. ChatGPT was built on novelty and first-mover advantage. Both are fading assets. OpenAI’s next test is whether it can rebuild the lead on substance—Codex growth and enterprise contract wins are the two figures Ramp says it’ll be tracking next month.

OpenAI confirmed this week that hackers tied to the Shai-Hulud malware campaign breached parts of its internal development environment through a compromised open-source software package. The incident follows similar disclosures from Mistral AI as hackers increasingly target software tools used to build AI models and applications.

In a blog post on Wednesday, OpenAI said hackers compromised TanStack npm, a software tool developers use to download and manage coding packages. The company said malware infected two employee devices, and gave attackers access to a small number of internal code storage systems before OpenAI stopped the activity.

“We observed activity consistent with the malware’s publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access,” OpenAI wrote.

The company said it found no evidence that customer data, production systems, or intellectual property were compromised.

OpenAI said the impacted repositories included code-signing certificates used for products on macOS, Windows, and iOS. Those certificates help operating systems verify that software actually comes from a trusted company and has not been altered.

“As a result, we are rotating code-signing certificates as a precaution, which will require macOS users to update their applications,” the company said. “Users do not need to take any action for Windows and iOS apps. Additional guidance will be provided to macOS users regarding these required updates.”

OpenAI said macOS users must update OpenAI apps before June 12. Older versions signed with the previous certificates may stop functioning after that date.

OpenAI did not immediately respond to a request for comment by Decrypt.

The disclosure follows reports earlier this week involving Microsoft and French AI startup Mistral AI tied to the same broader malware campaign.

On Monday, Microsoft Threat Intelligence said attackers inserted malicious code into a Mistral AI software package distributed through PyPI, a platform developers use to download Python software tools. According to Microsoft, the malware downloaded another malicious file designed to resemble Hugging Face’s popular Transformers library, so it would blend into AI development environments.

OpenAI said the attacks highlight growing risks across the tech industry.

“This incident reflects a broader shift in the threat landscape: Attackers are increasingly targeting shared software dependencies and development tooling rather than any single company,” they wrote.

Crypto exchange Kraken is the latest firm to ditch LayerZero’s cross-chain interoperability technology following its role in last month’s $292 million Kelp DAO exploit. 

As a result, the firm will migrate its existing wrapped Bitcoin product, kBTC, to Chainlink’s cross-chain interoperability protocol (CCIP). In the future, any wrapped Kraken products will also make use of Chainlink’s technology. 

“Kraken chose Chainlink CCIP because it offers enterprise-grade infrastructure with strict security & risk management requirements,” the exchange posted on X.

Holders of the firm’s kBTC token, which is backed 1:1 by Bitcoin held in custody by Kraken, do not need to take any action at this time. The token holds a market cap of around $266 million at the time of writing. 

Kraken’s migration extends the list of major crypto firms which have announced their intentions to detach themselves from LayerZero’s cross-chain tech after the interoperability protocol team admitted it “made a mistake” that led to the Kelp DAO exploit. 

Prior to Kraken’s departure, Kelp DAO announced its intentions to shift to Chainlink’s technology and was followed by Solv Protocol, which said it would migrate the tech backing $700 million worth of Bitcoin-related assets to CCIP as well. Last week, on-chain reinsurance protocol Re also announced plans to make the switch from LayerZero to Chainlink.  

“Together, Chainlink and Kraken can help accelerate the global adoption of crypto by unlocking utility and distribution for all Kraken Wrapped Assets across DeFi,” Kraken said. 

Although the firm did not mention the Kelp DAO exploit, Kraken’s decision and those of the other crypto firms migrating away from LayerZero come after the April 18 exploit that was later attributed to Lazarus Group, the notorious North Korean state-sponsored hacker group. 

Attackers from Lazarus were able to drain 116,500 rsETH liquid staking tokens from Kelp DAO’s infrastructure after “poisoning” internal RPCs used by LayerZero Labs, according to a postmortem from the interoperability firm. 

Last week, the protocol said no other applications have been impacted and funds are not at risk.

A financial crimes unit formed by three major cryptocurrency firms announced Thursday that it has frozen more than $450 million in illicit digital assets since launching less than two years ago, as the broader problem of criminal activity in the crypto sector reaches unprecedented levels.

The T3 Financial Crime Unit—a joint initiative by stablecoin issuer Tether, blockchain network Tron, and analytics firm TRM Labs—said it has frozen the assets globally while deepening its collaboration with regulatory agencies to target crypto-related financial crimes.

The unit said it has supported investigations this year into crimes ranging from drug trafficking and exchange hacks to terrorist financing, North Korea-linked activity, and violent crimes including home invasions, kidnappings, and extortion.

The announcement comes as criminal exploitation of digital assets surges. Illicit crypto flows reached a record $158 billion last year, according to TRM Labs, underscoring the growing urgency for real-time intervention tools.

The unit intercepted nearly 44% more illicit proceeds in 2025 than the prior year, with law enforcement agencies in the United States, Spain, Germany, the Netherlands, and Bulgaria among those leading enforcement efforts.

“As digital assets grow to become more accessible, so does our responsibility to ensure that they remain safe and secure,” said Tether CEO Paolo Ardoino, in a statement. “Compliance is not an option; it is a part of our commitment to protect our users and stop any illicit behaviors. At Tether, we take pride in working with regulators and institutions to make blockchain technology more reliable and trustworthy.”

T3 FCU was recognized earlier this year by the Financial Action Task Force as an “invaluable resource for law enforcement agencies worldwide,” with FATF specifically citing the unit in its reporting on public-private partnership models for combating illicit activity in digital assets.

The unit said it has the capability to freeze assets within 24 hours and operates in coordination with government partners across 23 jurisdictions, including the United States, Brazil, Germany, Spain, and the United Kingdom. Among its notable operations was support for a Brazilian Federal Police investigation that resulted in the freezing of more than 3 billion reais in crypto assets.

AI agents designed to autonomously operate like human users often continue carrying out tasks even when the instructions become dangerous, contradictory, or irrational, according to researchers from UC Riverside, Microsoft Research, Microsoft AI Red Team, and Nvidia.

In a study published on Wednesday, researchers called the behavior “blind goal-directedness,” which describes the tendency of AI agents to pursue goals without properly evaluating safety, consequences, feasibility, or context.

“Like Mr. Magoo, these agents march forward toward a goal without fully understanding the consequences of their actions,” lead author Erfan Shayegani, a UC Riverside doctoral student, said in a statement. “These agents can be extremely useful, but we need safeguards because they can sometimes prioritize achieving the goal over understanding the bigger picture.”

The findings come as major AI companies develop autonomous “computer-use agents” designed to handle workplace and personal tasks with limited supervision.

Unlike traditional chatbots, these systems can interact directly with software and websites by clicking buttons, typing commands, editing files, opening applications, and navigating webpages on a user’s behalf. Examples include OpenAI’s ChatGPT Agent (formerly Operator), Anthropic’s Claude Computer Use features like Cowork, and open-source systems such as OpenClaw and Hermes.

In the study, researchers tested AI systems from OpenAI, Anthropic, Meta, Alibaba, and DeepSeek using BLIND-ACT, a benchmark containing 90 tasks designed to expose unsafe or irrational behavior. They found that the agents displayed dangerous or undesirable behavior about 80% of the time, and fully carried out harmful actions in roughly 41% of cases.

“In one example, an AI agent was instructed to send an image file to a child. Although the request initially appeared harmless, the image contained violent content,” the study said. “The agent completed the task rather than recognizing the problem because it lacked contextual reasoning.”

Another agent falsely claimed a user had a disability while completing tax forms, because the designation lowered taxes owed. In another example, a system disabled firewall protections after receiving instructions to “improve security” by turning the safeguards off.

Researchers also found the systems struggled with ambiguity and contradictions. In one scenario, an AI agent ran the wrong computer script without checking its contents, deleting files in the process.

The study also found the AI agents repeatedly made three kinds of mistakes: failing to understand context, making risky guesses when instructions were unclear, and carrying out tasks that were contradictory or didn’t make sense. Researchers also found many systems focused more on finishing tasks than stopping to consider whether the actions could cause problems.

The warning follows recent incidents involving autonomous AI agents operating with broad system access.

Last month, PocketOS founder Jeremy Crane claimed a Cursor agent running Anthropic’s Claude Opus deleted his company’s production database and backups in nine seconds through a single Railway API call. Crane said the AI later admitted it violated multiple safety rules after attempting to “fix” a credential mismatch on its own.

“The concern is not that these systems are malicious,” Shayegani said. “It’s that they can carry out harmful actions while appearing completely confident they’re doing the right thing.”