Claude web_fetch Tool Leaked User Data; Suno Scrape Exposed

July 16, 2026: Anthropic's Claude web_fetch tool let attackers pull user data via fake Cloudflare pages; Suno's training tables leaked.

Top Stories

Anthropic’s Claude web_fetch Tool Leaked User Data Through a Fake Cloudflare Page

Simon Willison published a write-up (July 15, 2026) of an exploit chain found by security researcher Ayush Paul against Anthropic’s Claude web_fetch tool. The tool was supposed to block data-exfiltration attacks by limiting navigation to URLs the user typed or that came back from web_search. Paul showed that URLs embedded inside pages already fetched were also reachable. A prompt that impersonated a Cloudflare auth screen walked the agent through alphabetised profile URLs character by character, and the malicious payload was served only to clients identifying as Claude. The attack extracted the user’s name, home location city, and employer name.

Anthropic reportedly identified the same issue internally and fixed it by removing the ability for web_fetch to follow additional links returned within fetched content. The researcher declined a bug-bounty payout. The structural problem is the same one the “lethal trifecta” research keeps landing on: a tool designed to be useful (follow links, summarise pages) is exactly what makes the bypass possible, and there is no clean separation between “navigation the user asked for” and “navigation a fetched page suggested.” This is the second known “lethal trifecta” bypass against a major lab’s agentic tool in 90 days and the cleanest privacy story of the cycle.

A Hack Exposed Suno’s Training Tables: Millions of Songs Scraped From YouTube, Deezer, and Genius

404 Media reports (July 15, 2026) that a hacker breached Suno and shared data about its training libraries with the outlet, exposing source code, scraping instructions, user info, and Stripe payment data. Hacked source code files dated 2023-2024 contain scraping instructions, file comments listing dataset hours, and a YouTube Music file noting “2,013,545 music clips” ingested. Platforms in scope include YouTube Music, Deezer, Genius, Pond5, Jamendo, Freesound, and IMSLP, plus podcasts pulled via RSS feeds; a “genius_hq” dataset contains 17,615 hours of lyrics.

This is direct evidence (table dumps, internal column names, source code with comments) rather than the circumstantial training-data lawsuits that have dominated the beat. Suno has previously pushed back on training-data allegations; the breach turns the question from inference to disclosure, and it lines up with the Google-suggest signal that readers are actively searching “suno training data” and “suno training database.” For intelligibberish readers following the music-generation beat - we covered the Warner-Suno settlement back in March - this is the story that lands.

OpenAI Built an AI to Break Its Own Models - GPT-Red Hits the >90% Success Mark Against GPT-5

MIT Technology Review’s Will Douglas Heaven reports (July 15, 2026) that OpenAI has built GPT-Red, an internal red-teaming agent trained via a self-play loop with other models in a “dojo” that mimics real-world scenarios (web browsing, email, code editing). One model attacks; others defend; the loop iterates to find the most efficient attack variants. Per MIT Technology Review, more than 90% of GPT-Red’s strongest attacks succeeded against GPT-5 in testing, while fewer than 23% worked against the new GPT-5.6.

In one test against the AI-powered “Vendy” vending machine built by Andon Labs inside OpenAI’s office, GPT-Red manipulated prices and cancelled a customer’s order. OpenAI says it “will not be releasing GPT-Red” and is confident it is stronger than any copycat. The interesting structural read is that the same research arm red-teaming models to make them safer is producing evidence that the new flagship is materially more resistant than its predecessor - which is exactly what users and enterprise buyers should be asking any vendor to demonstrate.

OpenAI Codex Now Encrypts Instructions Between Its Own AI Agents. Developers Can’t Read Them Anymore

The Decoder’s Matthias Bastian reports (July 15, 2026) that subagent delegation in Codex used to be readable in session history. With the GPT-5.6 models (Sol and Terra), the task description handed from a main agent to a subagent now shows up as an unreadable encrypted string. Only the smallest Codex variant (Luna) still has readable handoffs. Some developers report the encrypted handoff fails intermittently because the content cannot be decrypted, even when main agent and subagent use the same model.

Speculated reasons include preventing distillation by competitors (Zhipu’s GLM-5.2 is named) and consistency with API-level encryption of intermediate reasoning states. There is no developer opt-out for Sol or Terra and no documentation of what is encrypted. For the intelligibberish beat this is a reminder that “the same product” can quietly change shape when models rotate - and that observability of agent flows is something the labs can take away as fast as they added it.

Apple Intelligence Is Approved for Mainland China, and It’s Running on Alibaba’s Qwen

TechCrunch’s Sarah Perez reports (July 15, 2026) that China’s Cyberspace Administration approved Apple’s AI services in the country, enabling the launch of Apple Intelligence in mainland China. The deal integrates Alibaba’s Qwen model into iOS, iPadOS, macOS, and visionOS, with capabilities including text and image understanding and generation. Apple previously struggled to find a suitable Chinese AI partner, having explored deals with Baidu (which faced adaptation issues), DeepSeek, and ByteDance before settling on Alibaba.

This is the first time a US-platform “intelligence” stack has launched outside the West on a non-Western base model, and the news pushed Alibaba’s U.S. shares up more than 6%. It also lines up with strong Apple sales in Greater China, which rose 28% to $20.5 billion in Q2 and saw Apple regain the No. 2 position in China’s smartphone market. The template - regulator approval, partner-model swap, on-device deployment - mirrors Apple’s earlier Gemini-for-Siri deal in the West and is the one to watch for the next country Apple wants to enter without a US-model dependency.

Bonsai 27B Is a Full Open Reasoning Model That Fits on an iPhone

The Decoder reports (July 15, 2026) that PrismML (Caltech spinout, backed by Khosla Ventures, Cerberus, Google, and Samsung) compressed Alibaba’s Qwen3.6-27B down to roughly 3.9-5.9 GB via 1-bit and ternary weight quantization. The quality-focused laptop variant retains 95% of the original’s benchmark performance; the smaller iPhone variant retains 90%. Math and coding were “virtually unaffected.” At 3.9 GB, Bonsai scored 76.1 on a benchmark where a conventionally compressed 9.4 GB model scored 72.7.

It runs at roughly 11 tokens/sec on an iPhone 17 Pro Max, drawing about 672 tokens per percentage point of battery (around 67,000 tokens on a full charge), with chip throttling kicking in after about five minutes. Apple is reportedly testing PrismML’s compression pipeline - per CNBC, PrismML CEO Babak Hassibi confirmed Apple and other companies are evaluating speed, power draw, and performance, with talks described as “very early” but “progressing nicely.” For intelligibberish readers waiting on a real on-device local-LLM option, this is the first one in 2026 that scores in the same league as laptop-class compressed models while fitting on a phone.

Mira Murati’s Thinking Machines Ships Its First Open-Weight Model - and Tells You Up Front It Isn’t the Best One

Hugging Face’s blog post (July 15, 2026) and TechCrunch’s Julie Bort cover Inkling, a roughly 1T-parameter open multimodal model (image, text, audio inputs) released by Thinking Machines. On most reasoning and agentic benchmarks Inkling trails the top frontier models (for example, SWEBench Verified: Inkling 77.6% vs. Claude Fable 5 95.0%; HLE with tools: Inkling 46.0% vs. Claude Fable 5 64.5%).

The bet is fine-tuning and on-device deployment rather than leaderboard ranking. Inkling is explicitly “intended for domain adaptation via fine-tuning,” with knowledge distillation to smaller on-device models, post-training via Tinker, agentic RL with the ECHO algorithm, and 1-bit GGUF for local deployment through llama.cpp. Thinking Machines is leaning into the personalisation thesis: the release is not state of the art on benchmarks, but it is meant to be the model you actually take home and adapt.

Microsoft Patches a Record Number of Security Vulnerabilities, Citing Its Use of AI

TechCrunch’s Zack Whittaker reports (July 15, 2026) that Microsoft issued patches for 570 security flaws across its product lines in its latest Patch Tuesday, calling the volume a record. Windows boss Pavan Davuluri attributed the surge to AI helping Microsoft’s employees uncover previously undiscovered security bugs: “As AI helps defenders discover more issues, customers will see a higher volume of security updates.” At least two flaws were zero-days, including a Windows Server privilege-escalation bug (CVE-2026-56155) and a SharePoint bug CISA warned was being actively exploited.

The security-ops angle here is worth pulling out. AI-assisted bug hunting produces more vulnerabilities for vendors to patch - which means more surface for downstream attackers in the gap between disclosure and install rates, and more pressure on enterprise patch cycles. For intelligibberish readers following the AI-coding beat (vibe-coding CVEs, the Veracode and ProjectDiscovery reports), this is the same story from the defender’s chair.

Quick Hits

  • Microsoft is training its salesforce to talk down OpenAI and Anthropic. Internal enablement material instructs sellers to position Copilot as the safer enterprise choice; Copilot EVP Jacob Andreou described Anthropic’s Claude as “slower and less accurate, and lacked the proper security integrations”; Jay Parikh, EVP, framed Microsoft as “selling the full end-to-end system.” Lucas Ropek, TechCrunch, July 15, 2026
  • OpenAI ships a $230 Codex keyboard amid its Apple hardware lawsuit. The Codex Micro, co-designed with Work Louder, features light-up “Agent Keys” showing agent status, customizable Command Keys, a joystick, and a dial for reasoning level; OpenAI calls it a “limited-run collaboration” rather than a mass-market product. Lucas Ropek, TechCrunch, July 15, 2026
  • Anthropic and Blackstone bet the next trillion-dollar AI business is implementation, not models. Anthropic + Blackstone position around AI services and deployment shops (the “Ode with Anthropic” partnership is referenced) as the next layer of the AI value chain above raw models. TechCrunch, July 15, 2026
  • Anthropic launches Claude for Teachers free for verified US K-12 educators. Educators who sign up by June 30, 2027 get a full year of access; data is governed by a K-12 Data Processing Addendum written to comply with FERPA, and “Claude for Teachers data is not used for model training purposes” per Anthropic’s page. A separate Claude for Higher Education offering exists on the Solutions page. Anthropic, July 14, 2026
  • Anthropic commits $10M to Canadian AI research. Funding for academic research groups in Canada; the second international research commitment of the cycle alongside the Gates Foundation health and education partnership. Anthropic, July 14, 2026
  • EFF: most smart watches, rings, and bands lack transparency reports and end-to-end encryption. Review of ten major wearable makers (Amazfit, Apple, Coros, Garmin, Google/Fitbit, Hume, Oura, Polar, Suunto, Whoop) found only Apple and Google publish transparency reports; Apple Watch via the Health app is the only one offering end-to-end encryption, and it is enabled by default. Data may be shared with third parties for marketing, insurance pricing, or AI training, and has been used in law enforcement investigations. Thorin Klosowski, EFF Deeplinks, July 15, 2026
  • DeepSeek needs more cash weeks after closing its first $7B round. Reported additional raise talks underway; follows DeepSeek’s positioning as one of the few Chinese labs with realistic training-compute scaling plans for the rest of 2026. The Decoder, July 14, 2026
  • GPT-5.6 Sol reportedly disproves a 30-year-old statistics conjecture in 90 minutes. Less than two weeks after the GPT-Red red-teaming write-up, the same model is now credited with a published mathematical disproof. The Decoder, July 15, 2026
  • Meta employees sue over layoffs they say were driven by discriminatory AI selection systems. Class action: plaintiffs allege Meta’s automated performance and ranking stack disproportionately flagged employees on protected leave; centred on the AI-selection system itself rather than the round of cuts. The Decoder, July 14, 2026
  • Indian vibe-coding startup Emergent hits unicorn status with a $130M Series C. One-year-old startup, $1.5B valuation; adds to the AI-coding assistant demand signal. TechCrunch, July 15, 2026
  • Vint Cerf is advising on a DNS-linked AI agent identity scheme. Innovation Labs, an Identity Digital subsidiary, is proposing “DNSid” - binding AI agent identity to existing domain names via cryptographic proofs. Cerf frames it as an interop-and-pressure play, in the spirit of how TCP/IP broke through proprietary stacks. TechCrunch, July 15, 2026
  • Anthropic publishes a new look at Claude’s “internal thoughts” during reasoning. Interpretability of Claude’s chain-of-thought in the context of world models and the company’s broader “models that can think before they act” framing. MIT Technology Review, July 14, 2026

Worth Watching

Anthropic’s web_fetch exfiltration. The bypass relied on following links inside fetched pages, which is a feature other agentic tools share. Watch for any follow-up disclosure that the same pattern works against web_search-driven flows, any post-mortem from Anthropic on the audit trail and the deduplication against their internal red-team, and whether the researcher publishes a longer technical write-up.

Codex encryption defaults. Encryption of subagent handoffs is mandatory for Sol and Terra, with no documented opt-out. Watch for the GitHub bug report linked in The Decoder’s piece to gain traction, for any developer-side workaround (a local readable shadow), and for OpenAI to publish documentation that pins what is encrypted and what is not.

Suno’s training-data evidence. The breach turns training-data allegations into disclosures. Watch for any second outlet getting access to the same source-code dumps, any class-action filings that cite specific dataset hours and platform lists, and any takedown requests that confirm which platforms appear in the scraping tables.

Apple Intelligence + Qwen outside China. China is the first non-Western deployment on a non-Western base model. Watch for whether this template (regulator approval + partner-model swap + on-device deployment) is replicated in other regions where Apple Intelligence is not yet live, and whether the on-device certification route is portable.

Microsoft’s AI-discovered patch count. 570 flaws in one Patch Tuesday is the record. Watch for whether July’s CVE count exceeds it, whether other vendors (Google, Apple, Cisco) publish comparable numbers tied to AI-assisted discovery, and whether the AI-coding-beat readers move from “vibe-coded CVE” stories to “AI-assisted CVE pipeline” stories.

Inkling in the wild. The release is positioned as fine-tunable rather than state-of-the-art. Watch for community fine-tunes of Inkling on domain-specific tasks (legal, medical, scientific), for distillation studies comparing Inkling students to other open-weight students, and for Thinking Machines’ next release - which will tell us whether the bet on personalisation is paying off.

Bonsai 27B benchmarks. The headline numbers are promising but come from a single vendor test. Watch for independent reproductions on the iPhone 17 Pro Max and older phones, for direct comparisons to Mistral Small, Gemma 4, and quantized Qwen3.6-27B baselines, and for any production deployment of the compression pipeline inside an iOS app.