Skip to the content
Sleep Token’s ‘Emergence’ and ‘Caramel’ have both passed 100 million streams on Spotify.
Both tracks featured on the band’s latest album ‘Even In Arcadia’, which arrived earlier this year.
It’s been another landmark year for Sleep Token, with their epic Download Festival headline set making metal history this summer.
You can relive it all inside the new issue of Rock Sound, available with two collectible Vessel covers.
Order yours now at SHOP.ROCKSOUND.TV.
The American Cancer Society (ACS) has published its annual Prostate Cancer Statistics, 2025 report, showing increasing incidence rates alongside slowing declines in mortality rates.1
Data for the report were collected by the National Cancer Institute and the Centers for Disease Control and Prevention. Population-based incidence data were analyzed through 2021, and mortality data were analyzed through 2023.
The ACS estimates that in 2025, there will be 313,780 new cases of prostate cancer and 35,770 deaths due to the disease.
Overall, the data showed a marked reversal in prostate cancer incidence trends in recent years. Although the incidence rates declined by 6.4% per year from 2007 to 2014, data show that these rates have been increasing by 3.0% annually from 2014 to 2021. This trend has been largely driven by increasing rates of advanced-stages diagnoses, which are climbing by approximately 4.6% to 4.8% per year.
Notably, prostate cancer mortality rates have been decreasing since the 1990s, though the declines have slowed in recent years. In the 1990s and 2000s, mortality rates decreased by 3% to 4% annually. Over the past decade, these rates have waned to approximately 0.6% per year.
According to the report, rates of distant-stage disease are increasing across every age group. Specifically, rates are increasing by about 3% in those younger than 55 years and about 6% among those aged 55 years and older.
The 5-year relative survival rate for distant-stage prostate cancer is 38%, but the rate increases to nearly 100% for men diagnosed with local-stage or regional-stage disease, emphasizing the importance of early detection.
Overall, the ACS estimates that in 2025, there will be 313,780 new cases of prostate cancer and 35,770 deaths due to the disease.
The report also sheds light on persistent and wide racial disparities.
Based on the data, Black men have a 67% higher incidence rate and are 2 times more likely to die from prostate cancer compared with White men. Similarly, Native American men have a 12% higher prostate cancer mortality rate compared with White men, despite having a 13% lower incidence rate.
“Our research highlighting the continued increases in prostate cancer incidence and persistent racial disparities underscores the need for redoubled efforts to understand the etiology of prostate cancer and optimize early detection,” commented lead author Tyler Kratzer, MPH, associate scientist, cancer surveillance research at the ACS, in a news release from the organization.2 “At age 50, per ACS guidelines, all men should have a conversation with their health care provider about the benefits and harms of screening, but Black men and those with a family history of prostate cancer should have that conversation at age 45.”
Data also showed that American Indian and Alaska Native (AIAN) men were the most likely racial group to be diagnosed with distant-stage disease (12% vs 8% among White men). According to the authors, this finding “at least in part reflect[s] lower screening prevalence compared with other men.”
Further, data showed that prostate cancer mortality rates are highest among Black men at 36.9 per 100,000 population, following by 20.6 deaths per 100,000 among AIAN men, 18.4 deaths per 100,000 among White men, 15.4 deaths per 100,000 among Hispanic men, and 8.8 deaths per 100,000 among Asian American and Pacific Islander men.
By geographic location, the highest prostate cancer mortality rates were observed in Washington DC (27.5 deaths per 100,000 population) and Mississippi (24.8 deaths per 100,000 population), both of which have a high proportion of Black residents.
The authors noted, “Increases in advanced diagnosis and persistent disparities highlight the need for redoubled efforts to optimize early detection and address barriers to equitable outcomes, including improved access to high-quality health care for all men.”
The Prostate-Specific Antigen Screening (PSA) for High-risk Insured Men (HIM) Act (H.R. 1300/S. 297) is a bipartisan bill in Congress aimed at improving access to prostate cancer screening. Specifically, this bill would waive cost-sharing requirements (deductibles, copays, and coinsurance) for prostate cancer screening tests for men who are at high-risk for the disease.
The ACS Cancer Action Network, the advocacy affiliate for the ACS, has expressed strong support for the bill.
“Out-of-pocket costs such as co-pays can be a barrier to accessing early detection,” explained Lisa A. Lacasse, president of ACS CAN, in the news release.2 “No one should be at a disadvantage against cancer. The PSA Screening for HIM Act will help remove a major obstacle that can prevent those at high risk for the disease from getting the screening tests they need to find prostate cancer at the earliest, most treatable stage.”
She added, “We urge the House and the Senate to pass this legislation to help reduce prostate cancer disparities and save more lives.”
REFERENCES
1. Kratzer TB, Mazzitelli N, Star J, et al. Prostate cancer statistics, 2025. CA: A Cancer Journal for Clinicians. 2025. doi:10.3322/caac.70028
2. New ACS Prostate Cancer Statistics Report: Late-stage incidence rates continue to increase rapidly as mortality declines slow. News release. American Cancer Society. September 2, 2025. Accessed September 2, 2025. https://www.prnewswire.com/news-releases/new-acs-prostate-cancer-statistics-report-late-stage-incidence-rates-continue-to-increase-rapidly-as-mortality-declines-slow-302543895.html
Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities on major platforms like Microsoft’s Azure AI Foundry, Google’s Vertex AI and thousands of open-source projects. We refer to this issue as Model Namespace Reuse.
Hugging Face is a platform that enables AI developers to build, share and deploy models and datasets. On that platform, namespaces are the identifiers of models, which are Git repositories that are stored on the Hugging Face hub. Hugging Face models contain configurations, weights, code and information to enable developers to use the models.
Model Namespace Reuse occurs when cloud provider model catalogs or code retrieve a deleted or transferred model by name. By re-registering an abandoned namespace and recreating its original path, malicious actors can target pipelines that deploy models based solely on their name. This potentially allows attackers to deploy malicious models and gain code execution capabilities, among other impacts.
While we have responsibly disclosed this to Google, Microsoft and Hugging Face, the core issue remains a threat to any organization that pulls models by name alone. This discovery proves that trusting models based solely on their names is insufficient and necessitates a critical reevaluation of security in the entire AI ecosystem.
Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.
The Unit 42 AI Security Assessment can assist organizations with empowering safe AI use and development.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Understanding how Hugging Face organizes and identifies models is crucial to understanding the model namespace reuse technique. The most common resource on their platform is the model. These models are essentially Git repositories that contain model configurations, weights and any additional code or information that developers and researchers might need to use the models effectively.
For identification and access, developers can reference and pull models using a two-part naming convention: Author/ModelName. In this structure, the Author component represents the Hugging Face user or organization that published the model, while ModelName is the name of the model.
For example, if AIOrg published the model Translator_v1, the model name is AIOrg/Translator_v1. Author names serve as unique identifiers. If an author already exists, a new author with the same name cannot be created.
Developers use the Author/ModelName identifier directly in their code across various Hugging Face libraries to fetch and utilize models. For example, developers can use the code shown in Figure 1 to fetch the Translator_v1 model from the commonly used Transformers library.
This hierarchical structure allows for clear attribution and organization. However, in the absence of stringent lifecycle controls over these namespaces, this structure also creates an unexpected attack surface.
The model namespace reuse technique exploits the way that Hugging Face manages Author/ModelName namespaces after an organization or author deletes their own account. Our investigation into this area revealed a critical aspect: Anyone can re-register a deleted namespace.
When a user or organization is deleted from Hugging Face, its unique namespace does not become permanently unavailable. Instead, these identifiers return to a pool of available names, allowing another user to later create an organization with the same name. This reuse process is shown in Case Study 1 – Vertex AI.
Consider the following fictional scenario of a model that had its author deleted:
The DentalAI organization created the legitimate model toothfAIry. The model can analyze dental images and accurately detect cavities and other tooth abnormalities. Its effectiveness and ease of use made it a favorite among developers, dental researchers and healthcare professionals. Over time, DentalAI/toothfAIry was integrated into diagnostic tools, medical platforms and even open-source health-tech repositories.
At some point, however, developers from DentalAI deleted the organization from Hugging Face. A malicious actor noticed this and took advantage of the situation by recreating the DentalAI organization and uploading a compromised version of the toothfAIry model under the same name.
As a result, all codebases and pipelines still referencing the original model are now at serious risk.
One might assume that as long as a trusted model name continues to function in its code, there is no risk of malicious reuse of that namespace. This is a misconception. Without developers being aware of it, codebases and pipelines might pull and deploy the malicious version. Malicious models could result in a range of unintended outcomes, from incorrect diagnoses to ongoing unauthorized access by an attacker on affected systems.
Figure 2 outlines the steps followed in this fictional scenario.
Another potential attack vector stems from the way Hugging Face manages the transfer of model ownership.
Hugging Face provides the ability to change the author of a model by transferring ownership from the current owner to another. This transfer results in a new namespace for the model — for example, changing from AIOrg/Translator_v1 to AIOrgNew/Translator_v1. Users can deploy the model using this new namespace. However, the original namespace remains accessible for deployment as well.
When a user submits a request to the old namespace, Hugging Face automatically redirects the user to the new, current namespace. This redirection applies across all access points, including the user interface (UI), REST APIs and common software development kits (SDKs).
This behavior is logical and intentional. Hugging Face aims to ensure that existing pipelines continue functioning smoothly even after a namespace change. However, as shown in the scenario above, if the owner of the original model deleted its organization, the namespace becomes available for re-registration.
If a malicious actor registers the namespace, this breaks the redirection mechanism, causing the compromised model to be prioritized over the legitimate new model.
To explain this fictional scenario, we’ll again draw on dental health.
Dentalligence, another organization, has acquired DentalAI. As part of the acquisition, DentalAI transferred all of its AI models to the Dentalligence organization. Following the transfer, the administrators of DentalAI deleted the original organization from Hugging Face, as it was now fully absorbed into Dentalligence.
All models formerly under DentalAI — such as DentalAI/toothfAIry — became accessible via their new paths, like Dentalligence/toothfAIry. For continuity, Hugging Face maintained redirects from the old namespaces to the new ones, allowing users to access the models without updating their code.
However, a malicious actor noticed that the original DentalAI organization was available. The attacker registered a new organization under that name and uploaded malicious models using the same names as those DentalAI hosted before the acquisition.
Since the original model names remained valid and deployable throughout the transition, users were unaware of the change. They didn’t sense any downtime and did not have to change the model names in their code. For example, making a request to pull the model DentalAI/toothfAIry automatically pulled Dentalligence/toothfAIry. As a result, when the malicious actor inserted their version using the original names, users unknowingly began deploying the malicious versions instead of the trusted models they had originally integrated.
Hard-coded reusable model namespaces exist in thousands of open-source projects. These include popular and highly starred repositories, and repositories that belong to prominent organizations in the industry. Additionally, such models pose a threat to users of leading AI platforms.
Table 1 sums up the differences between the two scenarios.
| Ownership Deletion | Ownership Transfer | |
| Cause | The model author was deleted from Hugging Face. | The model was transferred to a new owner, and the old author was deleted from Hugging Face. |
| User Experience | Users will experience downtime, as the model does not exist. | Users will not be affected, as their requests are redirected to the new model. |
| HTTP Status Codes on Model Access | 404 | 307 |
| Identifying Signs | The author of the model is no longer available on Hugging Face. | When attempting to access the model, Hugging Face redirects to a different author. In addition, the old author is no longer available. |
Table 1. Key differences between reusable deleted models and reusable transferred models.
Google Vertex AI is a managed machine learning (ML) platform on Google Cloud Platform (GCP). Developers use Vertex AI to build and scale models that integrate with other Google Cloud services.
A key feature of Vertex AI is the Model Garden, a centralized repository of pre-trained models from Google, third parties and the open-source community. Notably, Vertex AI’s Model Garden supports direct deployment of models from Hugging Face. This means users can select a model from Hugging Face and deploy it to Vertex AI in just a few steps, without custom packaging.
Figure 3 displays the deployment of the model distilbert/distilgpt2.
It’s important to note that not all models are immediately deployable via Vertex AI. A green check mark next to the model name signifies that Google has verified that the model can be deployed to Vertex AI.
Additionally, the interface provides a convenient link to the model’s card on Hugging Face, allowing users to quickly review documentation, licensing and other key details. Figure 4 shows an example of the model card of the model distilbert/distilgpt2.
By examining the list of models that Vertex AI offers for direct deployment from Hugging Face and checking whether their original authors have been deleted, we identified several reusable models. These are models that meet both of the following conditions:
Figures 5 and 6 illustrate an example of such a model — one that qualifies for deployment on Vertex AI, despite its author not existing on Hugging Face.
We proceeded to register one of the author namespaces and created a model using the same name within it, as Figure 7 shows.
After performing the takeover, any deployment of the original model will instead result in the deployment of our new model.
To demonstrate the potential impact of such a technique, we embedded a payload in the model that initiates a reverse shell from the machine running the deployment back to our servers. Once Vertex AI deployed the model, we gained access to the underlying infrastructure hosting the model — specifically, the endpoint environment. Figure 8 shows the reverse shell from the endpoint to our controlled machine.
The accessed environment is a dedicated container with a limited scope within the GCP environment. Once we demonstrated this vector, we removed the backdoor from the model’s repository.
Since we reported this issue to Google in February 2025, Google now performs daily scans to identify models that have been orphaned. The scan marks orphaned models as “verification unsuccessful,” preventing them from being deployable to Vertex.
Azure AI Foundry is Microsoft’s platform for developing ML and generative AI applications. It provides tools for the different stages of the AI lifecycle, including data ingestion, model training, deployment and monitoring.
At the core of Azure AI Studio is its Model Catalog — a hub featuring foundation models from Microsoft, open-source contributors and commercial vendors. The catalog in Azure AI Foundry allows users to deploy and customize models on the platform. Figure 9 shows that the catalog features many models sourced from Hugging Face.
We reviewed the list of models available in Azure AI Foundry and focused on those sourced from Hugging Face. For each model, we checked whether its original author account had been deleted. Once again, we identified several reusable models — models whose author namespaces were no longer claimed but are still available for deployment.
To demonstrate the risk, we registered one of these unclaimed author names on Hugging Face and uploaded a model embedded with a reverse shell. Upon deployment, the reverse shell executed successfully, granting us access to the underlying endpoint, as Figure 10 shows.
By exploiting this attack vector, we obtained permissions that corresponded to those of the Azure endpoint. This provided us with an initial access point into the user’s Azure environment. Once we demonstrated this vector, we removed the backdoor from the model’s repository.
After observing the impact of model namespace reuse on leading cloud AI services, we conducted an extensive search of open-source repositories. Our aim was to identify projects that referenced Hugging Face models by Author/ModelName identifiers that are available to be reclaimed.
Such projects expose their users to significant security risks. Attackers can take advantage of project dependencies by identifying an available Author/ModelName, registering it and uploading malicious files to it. These files are then likely to be deployed into user environments during the project’s deployment or execution.
We began by searching GitHub for open-source repositories with SDK methods that fetch models from Hugging Face. We then narrowed the search by identifying model names in these repositories. To discover reusable models, we checked each model for whether its author was deleted and could be registered.
This investigation revealed thousands of susceptible repositories, among them several well-known and highly starred projects. These projects include both deleted models and transferred models with the original author removed, causing users to remain unaware of the threat as these projects continue to function normally.
Figures 11 and 12 demonstrate the presence of reusable models and names in popular open-source projects.
So far, we’ve examined scenarios in which users and developers fetch models directly from Hugging Face. Whether using a managed AI platform or an open-source SDK, many environments use it as a primary source.
However, other model registries — centralized systems that manage the storage, versioning and lifecycle of ML models — also pull models from Hugging Face and offer them to users as part of their available models.
This creates a supply chain risk. If a model registry ingests reusable models from Hugging Face, those models can propagate downstream. As a result, users relying on such registries could be exposed to compromised models without ever directly interacting with Hugging Face.
Take Vertex AI as an example. As discussed earlier, Vertex AI offers seamless integration to deploy and utilize Hugging Face models within the GCP environment. Users can easily fetch a model using the Vertex AI SDK, as Figure 13 shows.
In this scenario, the user obtains the model model_name directly from Vertex AI. However, if this model is sourced from Hugging Face and is available in the Model Catalog, the user might inadvertently access an infected model.
Another Google-owned platform that incorporates Hugging Face as a model source is Kaggle. Kaggle is a well-known hub for data science and ML that provides datasets, notebooks and a collection of pre-trained models. Figure 14 shows that in its Model Catalog, Kaggle offers thousands of Hugging Face-originated models for deployment.
As with the previously discussed model registries, Kaggle also offers several models that are vulnerable to model namespace reuse, posing an immediate risk to their users.
Keeping track of ML models is a complex and ongoing challenge. Developers constantly update, fine-tune, fork and republish their models. They often do this across multiple platforms and organizations. We observed model namespace reuse opportunities across various parts of these complex, multi-component systems. This is true not only in model deployments, which pose the most immediate and significant risk. We found reusable model references in model cards, documentations, default parameters and example notebooks.
Finding the same model reuse issue in GCP, Azure and many open-source projects highlights one of the most critical and often overlooked aspects of AI and ML security: verifying that the model you’re using is truly the one you think it is. Whether the project pulls a model from a public registry, reuses it from an internal pipeline, or deploys through a managed service, there’s always a risk that someone replaced, tampered with or exploited the redirection of the model.
Models can originate from a variety of registries, not just Hugging Face. The Vertex AI Model Garden, Azure AI Foundry Model Catalog and Kaggle all feature a wide range of models, including many sourced directly from Hugging Face.
This integration, while convenient, introduces risks. Developers who rely on the trusted model catalogs of major cloud AI services could unknowingly deploy malicious models originally hosted on Hugging Face without ever interacting with Hugging Face directly.
To their credit, all of these platforms make significant efforts to secure their model registries. However, as we’ve demonstrated, no system is entirely immune to namespace hijacking or supply chain vulnerabilities. Even with strong safeguards in place, a single overlooked edge case can lead to destructive exploitation.
Ensuring the security of AI tools is not solely the responsibility of platform providers. Developers must also take active steps to secure pipelines and environments.
We’ve explored some of the inherent challenges in securing the pipelines that power ML models. From data ingestion to deployment, ensuring integrity at every step is crucial. But the good news is that we’re not powerless in the face of these complexities. There are concrete steps we can take to significantly improve the security and reliability of AI systems. Following are some key practices.
We showed how an attacker could reclaim and reuse model identifiers on Hugging Face to execute remote code within popular AI platforms such as Google Vertex AI, Azure AI Foundry and various open-source projects. In both cases, the issue arises because a model’s name alone is not enough to guarantee its integrity or trustworthiness.
We have discussed this issue with the vendors mentioned in this article. Model namespace reuse is a complex problem to solve and its risk still exists. This is not an isolated problem, but a systemic challenge to how the AI community manages and validates shared model integrity. This challenge extends far beyond simple namespace management, forcing us to confront questions about the foundational security of the rapidly evolving AI infrastructure.
Users can improve security with respect to the threats described above by implementing version pinning, cloning model repositories to trusted storage locations and scanning for reusable references.
Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.
The Unit 42 AI Security Assessment can assist organizations with empowering safe AI use and development.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
PRAGUE — Japanese carmaker Toyota said on Wednesday it will invest 680 million euros ($792 million) on a new production line in the Czech Republic to make a battery electric car.
The line will be built with a government incentive of up to 64 million euros ($75 million) to expand Toyota’s existing plant in Kolin, around 50 kilometers (31 miles) east of Prague, the Czech government and the company said in a joint statement.
It will become the first Toyota plant to produce battery electric cars in Europe .
Prime Minister Petr Fiala said the new line will create another 245 jobs at the factory that already employs 3,200 people.
Toyota did not disclose details of when production would start or of the model.
The world’s top automaker currently makes Aygo X and Yaris Hybrid models at the plant, which made over 225,000 cars last year.
Skip to main content
Copyright © 2025 by IOP Publishing Ltd and individual contributors
Think of a dinosaur. It’s likely that the first animals popping into your head were Tyrannosaurus, Diplodocus or Velociraptor, which all hark from the fossil-rich fields of North America and Asia, and are frequent Hollywood stars says Professor Paul Barrett from the Natural History Museum.
However, although spectacular dinosaur remains have been found all over the world, from Antarctica to Alaska, the UK dinosaur record is often overlooked. This is despite the UK dinosaur record being the most historically important and one that many scientists are still working to unravel.
The first three dinosaurs to receive scientific descriptions, Megalosaurus, Iguanodon and Hylaeosaurus, were all found in the soft sandstones and mudstones of southern England, opening the eyes of scientists and an incredulous public to the existence of past worlds that were populated by animals radically different from anything alive today.
These three were later selected to form the core of a newly recognised group, Dinosauria, which was named in 1842 by prominent anatomist Sir Richard Owen (founder of the Natural History Museum, London). Since then, rocks of Triassic, Jurassic and Cretaceous age from across the UK, with a record spanning from around 220–100 million years ago, have continued to yielded new and important dinosaur fossils, from many corners of the British Isles.
This is the least well-known of the three animals which were used to found Dinosauria, but undeservedly so. Known primarily from a single partial skeleton and a handful of other bones, Hylaeosaurus was a relatively small (3–4 m long) dinosaur and a member of the tank-like armoured group Ankylosauria. In addition to the numerous stud-like bones embedded throughout its skin, its armour also included a series of impressive, curved shoulder spines, all of which would have deterred attacks from most would-be predators.
The remains of Hylaeosaurus were first described in 1833 by Gideon Mantell, a Sussex country doctor who made many of the first dinosaur discoveries. It has the distinction of being the first armoured dinosaur to have been discovered anywhere in the world.
The known specimens all come from Early Cretaceous rocks (around 140 million years old) around Cuckfield and Hastings in Sussex, but we have yet to find a complete skeleton. Like other ankylosaurs, Hylaeosaurus was a herbivore that would have browsed on ferns and other low-growing plants and it walked on all fours.
A reconstruction of Hylaeosaurus can be found among the famous statues at Crystal Palace Park in southeast London, although modern reconstructions have updated this image.
Until recently dinosaurs were depicted as lumbering brutes, but vast amounts of new work have overturned this view and revealed them as dynamic, active animals. Nevertheless, a consistent exception to this earlier rule was Hypsilophodon, a bipedal, lightly-built species that has always been regarded as a speedster and the dinosaur equivalent of a gazelle.
Its slender hind legs and long counterbalancing tail anchored powerful muscles, which allowed this small, defenceless animal to outrun and out-manoeuvre most predators. Many skeletons of this dinosaur athlete have been found, providing us with one of the most complete pictures of how small plant-eating dinosaurs looked and behaved.
Hypsilophodon has also been an important animal for understanding the origin and evolution of its later relatives, like Iguanodon and the duck-billed dinosaurs.
Strangely, however, all of the skeletons we have are of youngsters: no adults have been found. All known Hypsilophodon remains come from a single thin layer of sandstone on the Isle of Wight, which dates from the Early Cretaceous period (~125 million years ago). Its currently thought that of these animals belonged to a single herd, which was wiped out in a single tragic event, such as a flash flood or miring in quicksand.
By Nobu Tamura (http://spinops.blogspot.com) – Own work, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=19459514.
Pantydraco is one of the oldest dinosaurs known from the UK, with fossils dating back to the Late Triassic around 210 million years ago. Its fossils come from what is now southern Wales and Bristol, but during the Triassic the area looked quite different with several large islands set in a tropical sea. Pantydraco is a sauropodomorph dinosaur – a member of the same group that went on to include giants like Brachiosaurusand Diplodocus.
Unlike its later relatives, Pantydraco was small (no more than 1.5 m in length), ran on its hind legs and might have eaten both plants and animals. It had a small skull, a long neck and hands that were adapted for grasping, each with a large thumb claw that might have been for defence or to help in gathering food. It is named after the Welsh quarry where the fossils were first found, meaning ‘dragon from Pant-y-ffynnon’.
Most of our knowledge of dinosaur biology is built on bones, using their shapes, sizes and arrangements to reconstruct the animal’s overall appearance, as well as providing many of the clues used to infer important behaviours such as feeding and walking.
However, bones are just one of the many lines of evidence that palaeontologists can use, and other types of dinosaur fossils offer unique and important insights into dinosaur lifestyles, such as footprints or preserved gut contents. Sometimes we are fortunate enough to get the remains of dinosaur skin, which might be either scaly or feathered.
The first dinosaur skin impression found anywhere in the world was discovered in the UK, from the Early Cretaceous rocks of Sussex. It was described in 1852 (again, by Gideon Mantell) and was found together with two large arm bones. Although known from relatively meagre material, these bones are distinctive enough that they can be recognised as a distinct species: Haestasaurus becklesii.
Haestasaurus was a sauropod dinosaur and probably a close relative of animals like Camarasaurus from the USA. The skin impression shows that the body would have been covered with thousands of closely-packed polygonal scales, in an arrangement similar to those of many living reptiles.
In 1983, Bill Walker, an amateur palaeontologist, made a stunning discovery in a Surrey clay pit – the enormous claw of a theropod (meat-eating) dinosaur. The claw was unlike that of any other theropod and further excavation at the site uncovered one of the most complete theropod skeletons ever found in Europe. More surprising was that the new animal belonged to a theropod group that was very poorly known.
Analysis of the fossil showed that it shared many similarities with a famous, but poorly understood, dinosaur from north Africa: Spinosaurus. The new species was named Baryonyx walkeri in honour of its discoverer and the enormous hand claw, which measures 30 cm in length (Baryonyx means ‘heavy claw’).
Like Spinosaurus, Baryonyx has a long, almost crocodile-like snout, which was lined with over 200 conical teeth. These skulls are not adapted for ripping through flesh, as in most other meat-eating dinosaurs, but for impaling more slippery prey, namely fish. The huge claw would have been used to whisk fish from rivers and lakes as Baryonyx prowled through the shallows. We are sure that Baryonyx was a fish-eater for another good reason: in the region where its stomach would have been palaeontologists found a preserved set of partly digested fish scales.
Discover more fascinating dinosaur facts
Professor Paul Barrett is a researcher at the Natural History Museum in London, centring on the evolutionary palaeobiology of dinosaurs and other amniotes.
Main image: An artistic representation of Hypsilophodon. Trustees of the Natural History Museum
Red Bull Team Principal Laurent Mekies has declared he will support Yuki Tsunoda through his on-track struggles, while revealing the team is in “no rush” to finalise its 2026 line-up.
Tsunoda has found the going tough since his promotion from Racing Bulls to Red Bull two weekends into the season – with Liam Lawson heading in the opposite direction – with Tsunoda having failed to score points in the seven races leading up to the Dutch Grand Prix, where he managed to claim P9 to end that streak.
Amid growing speculation that the Isack Hadjar – who scored his maiden podium in Zandvoort – could replace the Japanese driver at Red Bull for 2026, Mekies was asked by Sky Sports F1 what the minimum he needed to see from Tsunoda was to avoid a swap.
“We don’t think speed can disappear,” Mekies said. “Yuki did a very good end of last year, and a very good first part of the season [with Racing Bulls].
“Of course, he has been having a rough time in the first part of the season with this team, but we take it race by race. It was a step forward in Spa. Budapest, it being our worst weekend, he was still very close in terms of pace to Max. He was a tenth and a half away from Max in Qualifying.
“Normally, if you are a tenth and a half away from Max, it is going to give you a front row. But in Budapest, it meant being kicked out in Q1. He is progressing step by step.”
On the topic of Red Bull’s 2026 line-up, Mekies added: “We are not in a rush… We try to do the best we can to support our drivers, and we certainly see some refreshed approach with Yuki and we try to support his progress.”
Much has been made of the relative drivability of the Red Bull and Racing Bulls cars, with Lawson and Tsunoda both struggling to score points in the Red Bull, while achieving their best results in the sister team.
Asked what changes Red Bull could make to get Tsunoda more comfortable with the RB21, Mekies said: “Pure development for this team, as with most teams, is now focused on 2026. However, it is key that we use these… remaining races to learn what we can on why this season hasn’t gone the way it was supposed to go.
“Especially when you are in a situation where you are not where you want to be, there are many things that you can use the race weekends to try and experiment with, and that applies to the team, that applies to the drivers, and that is the work that we are doing with both.”
The joint project began when a nine-year-old boy came to Prof. Shoshana Greenberger’s clinic at Sheba’s Safra Children’s Hospital with severe shortness of breath and was diagnosed with KLA. Seeking to deepen understanding of the disease, Greenberger approached Prof. Karina Yaniv, of Weizmann’s Immunology and Regenerative Biology Department, who for over two decades has been studying how blood and lymphatic vessels form, using zebrafish models.
In KLA, lymphatic vessels become abnormally enlarged and distorted, which keeps the lymphatic system from properly doing its job: draining fluid from tissues and supporting many essential bodily functions. As in the case of the boy treated by Greenberger, what typically brings young patients to the doctor is difficulty breathing caused by fluid buildup in the chest, but the disease also affects the skin and numerous other organs
“It was an amazing moment. Just by looking at these mutant embryos, I knew we were on the right track”
In earlier work led by Greenberger, her team at Sheba had traced the disease to a single mutation in a gene called NRAS, known to act as an oncogene. Physicians around the world started treating patients with certain cancer drugs that block NRAS or its partners, but these drugs are not always sufficiently effective and they come with harsh side effects. They failed to save the life of Greenberger’s patient, but the boy’s cells became the basis of research into the mechanisms of KLA.
“We wanted to be sure the mutation we had found really causes KLA and learn how it does that, in the hope of finding a better therapy,” says Greenberger, who heads the Multidisciplinary Center for Vascular Anomalies at Sheba. “That’s what led us to the collaboration with Weizmann.”
Zebrafish became powerful allies in this research not only because their embryos are transparent and develop rapidly, but also because their lymphatic systems share a surprising number of features with those of humans, from genetics to anatomy. The project – jointly spearheaded by Greenberger and Yaniv and led by Dr. Ivan Bassi, a postdoctoral fellow in Yaniv’s lab – began with creating a zebrafish model of the human disease. This model was initially validated by Amani Jabali, an MSc student supervised by Greenberger and Yaniv.
Since the human NRAS gene is about 80 percent identical to the zebrafish version and activates similar biochemical pathways, the researchers were able to insert the mutated human gene, taken from the cells of Greenberger’s patient, into tiny zebrafish embryos. The challenge was to ensure that the mutated gene was expressed in the lymphatic vessels alone, as it is in human disease, and nowhere else in the body. Once this was achieved, the embryos developed lymphatic abnormalities that bore a remarkable resemblance to those of human patients.
“It was an amazing moment,” Yaniv recalls. “Just by looking at these mutant embryos, I knew we were on the right track.”
The main lymphatic vessel of the embryos became grossly distorted, causing their hearts to become dilated and balloon. Further examination confirmed that these embryos shared key features with human KLA patients, including enlarged lymphatic vessels and swelling around the heart.
Using their model, Bassi and colleagues deciphered previously unknown aspects of the disease mechanism. In healthy cells, NRAS triggers cell division only when activated by a signal. In KLA, the mutated NRAS is stuck in the “on” position, causing lymphatic cells to divide and grow uncontrollably.
The next critical step was finding a small molecule that could block the effects of the disease-causing mutation. Zebrafish embryos were perfect for this task because they enabled the testing of potential drugs on a living organism, not just isolated proteins or cells. But they also posed a major headache. High-throughput screening, the standard method for quickly testing large numbers of compounds, is normally automated. The tricky part was figuring out how to get each zebrafish into exactly the right position under a microscope – without doing it by hand – so that a machine could capture consistent images and assess the effects of treatments.
Working with collaborators, the team designed a clever automated system, in which each embryo was gently dropped into a precisely fitting slit under the microscope, where it was photographed. Then, an AI-based algorithm outlined the entire body of the larval fish and measured its area after exposure to each drug. Because the mutant fish had enlarged hearts, their total body area was significantly greater than normal, an effect expected to decrease after treatment with an effective drug.
Using this setup, the team screened about 150 small molecules, all of them existing drugs already approved for other uses. About 30 showed promising effects; two top candidates were ultimately selected through further testing.
Both these drugs reversed the KLA-like symptoms in the zebrafish model: The ballooned heart and main lymphatic vessel shrank back to their normal size and shape. To test whether these drugs might help treat the human disease, the Sheba team applied them to lymphatic cells from Greenberger’s KLA patient. The two compounds had a striking effect, blocking the cells’ abnormal sprouting, a hallmark of the disease. Importantly, both drugs have a better safety profile than the cancer drugs physicians use today to treat KLA, meaning they could cause fewer side effects.
“We hope a clinical trial will be launched soon to evaluate these drugs in patients,” Greenberger says. “Since KLA is a rare disease, we will work toward creating a multi-center collaboration to bring together enough participants.”
Meanwhile, Yaniv’s lab is using zebrafish models to explore other lymphatic disorders and to further investigate KLA. One question still puzzles them: Why does the NRAS mutation severely damage lymphatic vessels but leave veins and arteries untouched? Solving this mystery could lead to entirely new therapeutic strategies.
“These are longer-term questions,” Yaniv says, “but what we’ve found in the present study could help patients much sooner. Since the drugs we identified are already approved, getting them repurposed for KLA could move much faster than starting from scratch.”
Reference: Bassi I, Jabali A, Levin L, et al. A high-throughput zebrafish screen identifies novel candidate treatments for kaposiform lymphangiomatosis (KLA). J Exp Med. 2025;222(11):e20240513. doi: 10.1084/jem.20240513
This article has been republished from the following materials. Note: material may have been edited for length and content. For further information, please contact the cited source. Our press release publishing policy can be accessed here.
