AI Agents Are Now Chaining Exploits No Human Caught

An AI coding tool just discovered a previously unknown attack by combining two decade-old vulnerabilities — and the threat works against nearly a million websites.

Why it matters: OpenAI's Codex found that two long-known web server weaknesses, when used together, let a single laptop crash a major web server in under 20 seconds. No human had made that connection in ten years. This is the first well-documented case of an AI agent doing offensive security research at a level that outpaces human red teams — which means the attack surface for your infrastructure just got larger.

The GTM angle: If you're deploying AI agents to automate workflows that touch customer-facing infrastructure, the same capability that found this exploit could be turned against you — your security posture needs to account for AI-assisted attacks, not just human ones.

• The attack hits default configurations of nginx, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. IIS and Pingora still lacked patches as of Thursday.
• Upwards of 880,000 websites running HTTP/2 may be exposed. The fix for nginx and Apache was shipped within 24 hours of disclosure; disable HTTP/2 if you're running IIS and can't patch immediately.

Go deeper: https://www.theregister.com/security/2026/06/04/openais-codex-chains-decade-old-dos-techniques-into-http/2-bomb/5251377

Anthropic Ships Open-Source Toolkit for AI-Powered Security Scanning

Anthropic released a free, customizable framework that lets security teams run an AI agent to automatically find, verify, and patch code vulnerabilities.

Why it matters: Until now, AI-powered vulnerability scanning meant buying an enterprise product or writing your own pipeline from scratch. This reference implementation gives any engineering team a working starting point — threat modeling, scanning, triage, and patch generation — in a single open repo. It also signals that Anthropic is positioning Claude as the go-to engine for autonomous security work.

The GTM angle: If you sell into or compete with security-conscious enterprises, the bar for what "secure by default" means just moved. Buyers will increasingly expect vendors to have run automated AI security scans before shipping; this is the tool that makes that feasible without a dedicated security team.

• The harness runs autonomously through four stages: recon, find, verify, report, and patch. It's pre-configured for C/C++ memory vulnerabilities but documented for porting to other languages.
• Anthropic also offers a hosted, managed version called Claude Security for teams that don't want to operate the pipeline themselves.

Go deeper: https://github.com/anthropics/defending-code-reference-harness

ChatGPT Now Remembers You Across Every Conversation

OpenAI rebuilt ChatGPT's memory from the ground up, giving the tool a persistent, editable profile of each user that carries context across all past and future chats.

Why it matters: The old memory feature required users to explicitly tell ChatGPT what to remember, and it went stale quickly. The new version runs quietly in the background, synthesizes your history automatically, and surfaces a readable summary you can edit. For teams using ChatGPT in client-facing or research workflows, responses will get materially more relevant over time without any extra work.

The GTM angle: Sales reps and account managers who use ChatGPT for call prep, outreach drafting, or account research will get a tool that knows their book of business — their typical deal sizes, the industries they focus on, their communication style — without having to re-explain it every session.

• Plus and Pro users in the US get the upgrade first; free-tier users get a lighter version soon after.
• Users can view, edit, and delete their memory summary at any time — a meaningful trust and compliance consideration if you're evaluating this for enterprise rollout.

Go deeper: https://www.engadget.com/2187811/chatgpt-s-memory-is-getting-better-especially-if-you-re-on-the-free-tier/

Lovable Locks In Google Cloud Deal, Gets Deeper Claude Access

The fast-growing app-building startup Lovable signed a multiyear deal with Google Cloud that expands its usage fivefold and includes broader access to both Anthropic's Claude and Google's Gemini.

Why it matters: Lovable crossed $400 million in annualized revenue in February with just 146 employees — more than half of Fortune 500 companies reportedly use it. This deal wires Lovable into Google's enterprise sales motion through the Gemini Enterprise Agent Gallery, meaning more large companies will encounter Claude-powered app-building tools through a trusted procurement channel they already use.

The GTM angle: If your team is evaluating no-code or low-code AI app builders for internal tools or customer portals, Lovable just got meaningfully easier to buy and govern inside large enterprises — and it will have security scanning baked in via Google's Wiz acquisition.

• The deal also integrates Wiz's security scanning into Lovable's platform in real time, addressing a key objection for enterprise buyers worried about AI-generated code quality.
• Google's financial incentive is clear: Lovable's Claude usage helps Anthropic hit performance targets tied to Google's $10 billion investment, unlocking another $30 billion in committed capital.

Go deeper: https://techcrunch.com/2026/06/03/lovable-signs-multi-year-deal-with-google-cloud-to-up-usage-5x-source-says/