The manufacturer of these devices is a Chinese company named Meari Technology (觅睿科技) (Meari). Meari is an Original Design Manufacturer (ODM) or white-label manufacturer, meaning the company designs and builds products, which are then sold and rebranded by other companies. In this case, Meari claims that the company’s products have been distributed to more than 100 countries, with over 35 million users, according to its official website.

Sammy Azdoufal has discussed with the Natto Team how he reached out to inform Meari of the vulnerabilities in their products and how he encountered difficulties for over two months, from when he first contacted Meari Technology on March 2 to when the five high-risk Meari vulnerabilities were formally disclosed on May 11 by RunZero, an official CVE Numbering Authority (CAN) and enterprise exposure management and asset discovery platform.

The Natto Team felt Sammy’s deep frustration during this process. Sammy told the Natto Team after he discovered the vulnerabilities at the end of February that he just wanted the company to fix the vulnerabilities as quickly as possible because seeing the faces of strangers’ children floating on the Internet made me “want to throw up.” However, after he emailed Meari on March 2 about his vulnerability discovery, he received no response for nine days, despite Sammy’s effort to contact the company through all possible channels. When Meari’s security team finally did start communicating with Sammy on March 11, Meari initially responded with what Sammy characterized as “veiled threats.” Eventually the company did address the primary flaw and issue a bug bounty award for his help, but this took six weeks of frustration, which Sammy has documented on his Github page.

This reminded us of the Natto Team’s previous report that detailed the story of Australian security researcher Sick Codes and his discovery in 2020 of vulnerabilities in Android TVs made by TCL, a Chinese multinational electronics company and the world’s second-largest TV manufacturer. The Natto Team’s previous research suggested that The TCL case in 2020 had taught the Chinese government and companies a lesson in how to respond to vulnerability reports by independent foreign researchers.1 However, six years later, Meari appears not to have learned the lesson that TCL did in 2020.

Indeed, the Meari case exposes a deeper problem. Meari’s Infrastructure-level vulnerabilities, not device-level flaws, enabled the exposure of over a million IoT (Internet of Things) devices. The case suggested that Meari fails to embrace the secure-by-design approach, in which security is proactively embedded into a system from the ground up. In fact, according to Sammy’s security audit analysis, which he shared with the Natto Team, Meari Technology: “possesses by-design, architectural access to every camera deployed worldwide. This is not a single misconfiguration or an isolated bug. The platform’s core architecture -- from MQTT [Message Queuing Telemetry Transport] broker topology to credential provisioning, from alert image storage to peer to peer (P2P) relay infrastructure -- is built such that the vendor (Meari) and anyone who compromises the vendor can monitor, control, and extract footage from any customer’s camera at any time, without the customer’s knowledge or consent.” Sammy documented 12 independent pieces of evidence in his security audit and discovered “each individually proves some degree of vendor-side access. Taken together, Meari establishes that no meaningful security boundary exists between Meari’s backend infrastructure and the end-user’s camera feed.”

It appears that Meari’s by-design, architectural access to every camera deployed worldwide may have its own reasons. The Natto Team noticed that the same week in March 2026, when Sammy was anxiously waiting for a response from Meari, the company went public on March 9. Chinese market commentators praised Meari’s successful IPO as a market recognition of Meari as a smart IoT firm “with core technologies and global market capabilities.” Meari’s share price doubled in the second trading day, reflecting investor enthusiasm for the company’s future growth. The contrast between a company with unsecure products distributed globally and a company celebrating its success domestically makes us wonder who Meari Technology really is.

In this piece, the Natto Team takes a deep dive into Meari Technology to understand how a domestically acclaimed tech company maneuvers the global market, how Meari’s response to vulnerability reporting reflects the ecosystem of vulnerability management in China, and how companies like Meari compete to develop artificial intelligence (AI) technologies.

Read more

Who is China’s Palantir?

The answer isn’t a single company, but an emerging ecosystem

—- An anonymous Chinese AI industry expert

In early April 2026, five weeks into the US and Israel’s war on Iran, a Washington Post report detailed a burgeoning market of private Chinese firms using artificial intelligence (AI) with open-source data to track U.S. military movements. These firms analyze intelligence on carrier groups and aircraft locations during the conflict. The report specifically highlighted two five-year-old companies : MizarVision (觅熵科技) and Jing’an Technology (靖安科技). Both are based in Hangzhou, a city widely considered the “center of China’s AI universe.” The Natto Team discovered that these companies, and a dozen others, have vied for the honor of being considered “China’s Palantir,” amid market hype over the role of AI in the military-industrial sector.

U.S.-based software company Palantir Technologies builds data integration and analytics platforms used by governments and commercial organizations around the world. Its products have reportedly played significant roles in recent conflicts, including the Israeli Defense Ministry’s use of AI-driven battlefield analytics in Gaza in 2024 and U.S. operations in Iran in 2026, which enabled the targeting of Iranian Supreme Leader Ali Khamenei. In April 2026, Palantir sparked global controversy by publishing a 22-point “manifesto” on X (formerly Twitter) that some commentators viewed as expressing a highly militaristic worldview with dangerous aspirations regarding AI, surveillance, and autonomous weapons.

In a November 2025 interview with The Axios Show, a digital media outlet based in the U.S., when asked “what should we worry about AI?,” Palantir CEO Alex Karp stated that the biggest risk of AI is the possibility of China winning the race for dominance. It appears Mr. Karp’s concerns seem valid; Palantir serves as a beacon for numerous Chinese companies striving for global influence. Many believe that China’s own Palantir(s) are those high growth companies that the Chinese government wants and needs to win global dominance.

In this post, the Natto Team analyzes two studies about Palantir from Chinese perspectives—one written in 2017 by an academic scholar and the other in 2026 by an industry AI expert—to reveal reasons behind China’s obsession with Palantir and barriers to the emergence of Chinese Palantir wannabes. It also sheds light on the evolution of the Chinese military-industrial sector and identifies the companies inspired by Palantir.

Although China’s Palantir-like companies have not fully emerged, they are on the horizon.

(Note: The appendix of this post provides a list of Chinese companies that have been mentioned by various Chinese media or have self-identified as being, or resembling, China’s Palantir. For more information about these companies, please contact nattoteam@nattothoughts.com.)

Subscribe now

Read more

“Whoever masters automated vulnerability discovery technology holds the upper hand in cyber offense and defense” – Zhou Hongyi, Chairman and CEO, 360 Digital Security Group (2018)

On April 7, 2026, artificial intelligence developer Anthropic introduced its new general-purpose model Claude Mythos Preview to a restricted partnership of over 40 vetted organizations, including major technology and cybersecurity firms, as part of its defensive security initiative Project Glasswing. The company stated that the Claude Mythos model has identified thousands of high-severity vulnerabilities across widely used software, including major operating systems and web browsers. Crucially, in some cases it can autonomously develop exploits and chain vulnerabilities without human intervention. Anthropic has not released the system publicly, citing the risks associated with such capabilities and the need for further safeguards before deployment at scale.

While independent assessment remains limited and technical details are sparse, governments are already responding: U.S. officials have reportedly briefed financial institutions on AI-enabled cyber risks, while German authorities have warned of significant disruption and the capacity of such systems to transform vulnerability discovery.

Recent developments suggest that similar capabilities are being explored in China. In February 2026, Natto Thoughts described how a team from 360 Digital Security Group (奇虎360, hereafter “360”), which won first place at the 2026 Tianfu Cup, a major Chinese exploit hacking contest,1 had relied extensively on AI-assisted discovery and exploitation, with its team lead stating that AI has evolved “from an auxiliary tool to the core engine of vulnerability discovery.” The team that placed third made similar claims. This raises a central question: have Chinese companies already developed systems with capabilities comparable to those claimed for Claude Mythos, and how might differences in institutional context shape their impact?

This analysis focuses on 360 as a primary case study, given its position as a leading cybersecurity company in China, its strong track record in top-tier vulnerability research, and the relative visibility of its recent AI-related disclosures.2 Recent disclosures describe internally developed multi-agent systems capable of identifying vulnerabilities, supporting exploit development, and automating parts of the research workflow that were previously manual, with claimed discovery at a scale approaching Anthropic’s description of Claude Mythos. Other firms appear to be pursuing similar approaches, though with more limited public information. The analysis then considers how such capabilities could translate into an asymmetric offensive advantage in China’s favor.

Subscribe now

Read more

Read more

Recent media coverage has intensified discussions about quantum computing’s potential threat to modern cryptography, following a South China Morning Post (SCMP) report on a breakthrough by Chinese researchers using quantum-based techniques to compromise symmetric encryption algorithms. The SCMP article highlighted research published in the Chinese Journal of Computers (CJC) (计算机学报) on September 30; however the article did not specify the date of the Journal publication. The reported research detailed the use of the D-Wave Advantage quantum processor to attack the lightweight encryption ciphers of PRESENT, GIFT-64, and RECTANGLE.

Most news outlets mistakenly cited the same authors’ earlier paper, published in May 2024, that used D-Wave to run annealing algorithms targeting the RSA (Rivest-Shamir-Adleman) encryption system. Confusing the new research with t…

Read more

Meet 360GPT, the Red Boy

Zhou Hongyi is the first Chinese tech tycoon wh…

Read more