
The Wall Street Journal Pro

Cybersecurity


A Failed Microsoft Security Patch Is the Latest Win for Chinese Hackers

By Kim S. Nash

 

Hello. Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.

The attack involves several versions of Microsoft’s SharePoint software. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.

It’s the latest in a string of lapses by the tech giant that have benefited China’s global cyber-espionage operations. Read the full story.

Also today: 

  • Arizona woman gets prison time for aiding North Korean tech workers
  • Large language model carries out Equifax-style hack all on its own
  • Sean Plankey, nominee to lead CISA, gets grilled in Senate
  • Vanta raised $150 million Series D round
  • And more
 

‏‏‎ ‎


 

More Cyber News

A screenshot from a TikTok video uploaded by Christina Chapman.

American sentenced to 8½ years in prison for helping North Koreans get jobs at Nike and other U.S. firms. Christina Chapman had dozens of laptops in her Arizona home that North Koreans used to work remotely and earn money for their government. Her laptop farm helped them connect to more than 300 companies over two years. (WSJ)

  • Chapman's operation helped the North Koreans earn $17 million, the Justice Department said Thursday.
  • The impacted companies included a top-five major television network, a Silicon Valley tech company, an aerospace manufacturer, an American car maker, a luxury retail store and a U.S. media and entertainment company, prosecutors said.

Sean Plankey, nominated by President Trump to lead the Cybersecurity and Infrastructure Security Agency, pushed lawmakers to renew the 2015 Cybersecurity Information Sharing Act during his Senate confirmation hearing Thursday. The act allows the federal government to share threat intelligence with U.S. businesses and other entities. It expires in September.

  • Plankey also said if confirmed to lead CISA, he wouldn't guide the agency to investigate disinformation. Rather, the agency's election-related role should be to help states protect voting infrastructure. (Cybersecurity Dive)

AI can hack: Carnegie Mellon researchers were able to get a large language model to autonomously plan and execute a cyberattack. The researchers, working with AI company Anthropic, demonstrated that an LLM could recreate and carry out the 2017 hack of Equifax, exploiting the same vulnerabilities, installing malware and stealing data without human intervention. 

  • Scary in the wrong hands, certainly. But companies could use the findings to automate red teaming, the researchers said. Read their paper. 
 

Cyber Business

  • Cloud-security company Commvault Systems said it plans to acquire Satori Cyber, an Israeli data-security provider. Financial terms weren't disclosed. The deal is expected to close in August. 
  • HeroDevs raised $125 million in a growth funding round from investor PSG. HeroDevs specializes in protecting open-source software that has reached end of life, providing patches and other measures to keep the software going. (SecurityWeek)
  • Vanta, which provides security reviews and compliance products, raised $150 million in Series D funding led by Wellington Management. The round values Vanta at $4.15 billion. The company said it will put some of the money toward expanding its AI capabilities. (Reuters)
 

About Us

The WSJ Pro Cybersecurity team is Deputy Bureau Chief Kim S. Nash and reporters Angus Loten, James Rundle and Catherine Stupp. Follow us on X @WSJCyber. Reach the team by replying to any newsletter you receive or by emailing Kim at kim.nash@wsj.com.

 
Copyright 2025 Dow Jones & Company, Inc.   |   All Rights Reserved.