AI
Ukraine Deploys Fully Autonomous AI Drones to Kill Russian Soldiers
Two years ago, a swarm of drones flew themselves to a battlefield, made their own decisions about who to kill, and apparently succeeded. Nobody was watching in real time. Nobody pressed a button. That detail — quietly disclosed at a Ukrainian embassy event in London — is the part that should make you stop scrolling.
The disclosure came from Alexander Kokhanovskyy, CEO of Ukrainian drone manufacturer Aero Center. He described a one-time experiment, conducted before his current role, involving quadcopter drones preprogrammed to navigate to a front-line zone and then activate what he called a "Terminator mode." Once triggered, the drones hunted and attacked targets in the area without any human in the loop. Human-piloted drones sent to assess the aftermath reportedly found a small number of dead Russian soldiers.
There was no live video feed. No operator was watching the engagement unfold. The conclusion that the autonomous drones caused those deaths was drawn entirely from the scene they left behind. That is an uncomfortably thin evidentiary thread for what would be a genuine historical first in warfare.
To be clear, Ukraine's official position is that it does not allow AI to make the final call in target engagement. Defense representatives at the same embassy event said Ukrainian law prohibits AI involvement in the terminal phase of an attack. A Ukrainian military commander separately told reporters that his pilots operate semi-autonomous systems where humans retain meaningful control at every critical step. Ukraine has consistently pointed to its commitments under international humanitarian law as a guardrail.
So what actually happened here? The most charitable read is that this was a tightly scoped, one-off field test — not standard operating procedure. The practical problems with fully autonomous lethal drones are significant. A system told to attack anything in a given area has no reliable way to distinguish an enemy combatant from a civilian, or from a friendly soldier who wandered into the zone. Friendly-fire risk alone makes this approach a logistical nightmare, let alone the legal exposure.
The United Nations still has no universally agreed definition of what a lethal autonomous weapon system actually is, which tells you a lot about how far global governance has fallen behind the technology. The US Defense Department defines the category as any weapon that, once activated, selects and engages targets without further human input. By that definition, what Kokhanovskyy described qualifies.
The broader context is that Ukraine has become the world's most active proving ground for military drone technology. The pace of innovation on both sides of this conflict has outrun nearly every prediction made at the war's start. What begins as a one-time experiment has a tendency, in wartime, to become next week's standard kit.
The question hanging over all of this is not whether fully autonomous lethal drones can work. Apparently they can, at least in limited conditions. The question is whether the international community can agree on rules before the technology becomes too widespread to constrain.
Source: Ars Technica
SECURITY
Critical PeopleSoft Zero-Day Hits Hundreds of Organizations Worldwide
A hacker group managed to exploit a critical Oracle software vulnerability for more than two weeks before Oracle even flagged the problem. By the time anyone raised the alarm, roughly 300 endpoints across 100 organizations had already been hit, and at least one victim had handed over a ransom to keep their stolen data off the internet.
The group behind the campaign is ShinyHunters, one of the most prolific cybercriminal operations of the past several years. Their target this time was Oracle's PeopleSoft platform — the software that universities, hospitals, and large enterprises rely on to manage everything from HR and payroll to student records. The vulnerability they exploited, CVE-2026-35273, scored a 9.8 out of 10 on the standard severity scale. That is about as bad as it gets before you hit the theoretical ceiling.
The flaw is what security researchers call a server-side request forgery, or SSRF. In plain terms, it lets an attacker hijack a vulnerable server and use it to send requests to other internal systems — effectively turning an organization's own infrastructure against itself. Oracle has pushed out a temporary mitigation but has not yet issued a full patch, which means exposed organizations are still running on borrowed time.
Google's Mandiant team, which has been tracking the campaign, confirmed that ShinyHunters began exploiting the flaw on May 27. The group has been systematic about it. They left behind a staging server containing their attack toolkit, and an analysis of a script found there shows they were doing serious reconnaissance inside compromised networks — mapping PeopleSoft configurations, poking around scheduling systems, reading server configuration files. Eventually they piped stolen data out through an encrypted SSH connection to a server hosting their own data leak site.
One victim, the University of Nottingham, confirmed publicly that a significant volume of student data had been taken. ShinyHunters had already claimed credit and posted samples online before the university said a word. That sequencing — attackers publishing before victims respond — has become a depressingly familiar pattern.
Nearly 70 percent of the targeted organizations were in higher education. That concentration is not an accident. Universities run PeopleSoft at scale, often with stretched IT teams and complex legacy configurations, and they hold exactly the kind of data — student records, financial information, research files — that has resale value and extortion leverage.
ShinyHunters has been operating since at least 2019 and has an extensive rap sheet. Ticketmaster, Santander, Salesforce — the group's past targets read like a Fortune 500 casualty list. They know how to find a high-value vulnerability, move fast before patches arrive, and monetize the chaos.
For any organization still running unpatched PeopleSoft instances, Oracle's interim mitigation is not optional at this point. It is the floor, not the ceiling.
Source: Ars Technica