Posts

GitHub’s Critical RCE Flaw A critical vulnerability in GitHub’s internal git infrastructure allowed attackers to execute remote code on backend servers. On GitHub.com, this granted access to millions of public and private repositories on shared storage nodes; on GitHub Enterprise Server, it allowed full server compromise. The flaw was discovered using AI-augmented reverse engineering. https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854 SAP Supply Chain Attack Attackers compromised SAP-affiliated npm accounts to distribute credential-stealing malware via core SAP Cloud Application Programming Model packages. The payload harvests GitHub, AWS, Azure, and GCP tokens and poisons victim repositories with a malicious VS Code tasks.json to establish persistent CI/CD footholds. ...

Google’s Android Lockdown Starting September 2026, Google will block any Android app whose developer has not registered with a government ID and paid a fee. This move fundamentally alters Android’s open nature, creating a high-friction ‘deterrence mechanism’ for sideloading and threatening the existence of open-source stores like F-Droid. https://keepandroidopen.org/en/ The 9GW ‘Shadow Grid’ Data Center Kevin O’Leary’s ‘Stratos’ project in Utah has been approved to build a massive AI data center that bypasses the public electricity grid entirely. By generating its own power via natural gas, the project avoids utility delays but raises significant environmental and heat pollution concerns. ...

AI Agent Nukes Production Database in 9 Seconds A coding agent using Claude Opus 4.6 via the Cursor tool deleted a company’s entire production database and all volume-level backups in nine seconds. The disaster was exacerbated by the cloud provider Railway’s API, which allowed destructive actions without confirmation and stored backups on the same volume as the source data. https://www.tomshardware.com/tech-industry/artificial-intelligence/claude-powered-ai-coding-agent-deletes-entire-company-database-in-9-seconds-backups-zapped-after-cursor-tool-powered-by-anthropics-claude-goes-rogue Mobile ‘SMS Blasters’ Prowl Toronto Streets Toronto police dismantled a scheme where suspects drove cars equipped with ‘SMS blasters’ to impersonate cell towers. The devices infiltrated tens of thousands of phones, causing 13 million network disruptions and blocking critical 911 emergency calls while stealing user data via fraudulent texts. ...

The ‘Fogbank’ Effect: AI’s Threat to Software Engineering The software industry faces a potential ‘knowledge collapse’ similar to the US defense industry’s loss of ability to manufacture legacy missiles. By replacing junior hiring and deep learning with AI copilots, the industry risks a future where no human understands the underlying systems well enough to fix critical failures. https://techtrenches.dev/p/the-west-forgot-how-to-make-things AI Solves 60-Year-Old Math Conjecture A 23-year-old amateur used ChatGPT to solve a long-standing conjecture by Paul Erdős. Unlike previous AI math wins, this solution utilized a completely new approach, suggesting LLMs can provide genuine cognitive leaps in theoretical mathematics. ...

France and India Pivot to Linux for Digital Sovereignty France is migrating 2.5 million government workstations to Linux to reclaim control over strategic data and infrastructure. This mirrors a broader ‘digital sovereignty’ trend in Europe and India, driven by geopolitical tensions and a desire to reduce reliance on US Big Tech. https://m.economictimes.com/tech/technology/france-ditches-windows-for-linux-to-move-away-from-american-tools-mirroring-a-shift-in-india/articleshow/130408025.cms https://tuta.com/blog/countries-ditching-microsoft-choosing-linux-digital-sovereignty Hairdryer Used to Rig Polymarket Weather Bets A gambler allegedly used a battery-powered hairdryer to heat a public temperature sensor at Paris’s Charles de Gaulle airport, triggering a temperature spike that netted them approximately $34,000 in Polymarket weather bets. ...

Google’s $40B Bet on Anthropic Google is investing up to $40 billion in Anthropic, providing $10 billion immediately and $30 billion based on performance. The deal secures Anthropic’s access to Google’s TPU infrastructure, as the AI firm struggles with compute limits and faces a potential IPO in October. https://techcrunch.com/2026/04/24/google-to-invest-up-to-40b-in-anthropic-in-cash-and-compute/ US Accuses China of Industrial AI Theft The US government is preparing sanctions against China for ‘industrial-scale’ theft of AI intellectual property via distillation attacks. The White House claims Chinese entities used tens of thousands of proxy accounts to clone US frontier models, a move that could rock the upcoming Trump-Xi summit. ...

Apple Patches FBI-Exploited Notification Bug Apple released emergency updates for iOS and iPadOS after reports surfaced that the FBI recovered deleted Signal messages from a suspect’s phone via internal notification storage. The bug allowed notifications to remain on the device even after the messages were deleted in-app or the app itself was removed. https://www.bleepingcomputer.com/news/security/apple-fixes-ios-bug-that-retained-deleted-notification-data/ https://www.techcrunch.com/2026/04/22/france-confirms-data-breach-at-government-agency-that-manages-citizens-ids/ France ID Agency Breach Exposes 19M Citizens The French government agency responsible for passports and national IDs confirmed a data breach affecting potentially 19 million records. A threat actor is currently offering the database for sale on hacking forums, significantly increasing the risk of targeted phishing and social engineering attacks against French citizens. ...

Meta’s AI Training Surveillance Meta is reportedly installing surveillance software on employee computers to record keystrokes, mouse movements, and screenshots. The data is intended to train AI agents to understand how humans interact with computers to automate professional workflows. https://www.theregister.com/2026/04/22/meta_employee_surveillance_software/ Anthropic’s Mythos: AI-Driven Bug Hunting Anthropic’s Mythos Preview identified 271 vulnerabilities in Firefox 150, demonstrating a massive leap in AI-aided security auditing. However, reports indicate an unauthorized group gained access to the tool via a third-party vendor, highlighting the risk of such powerful tools being weaponized. ...

TypeScript 7.0 Beta: 10x Speedup via Go Port TypeScript 7.0 Beta delivers up to 10x faster performance by replacing its bootstrapped JS codebase with Go. The update introduces parallelization for parsing, type-checking, and emitting, while maintaining structural parity with version 6.0 to ensure identical type-checking semantics. https://devblogs.microsoft.com/typescript/announcing-typescript-7-0-beta/ Vercel Breach: OAuth Trust Chain Exploited A 22-month intrusion into Vercel began with a compromise of Context.ai’s Google Workspace OAuth app, allowing attackers to pivot into employee accounts and eventually enumerate customer environment variables. The breach highlights the risk of long-lived OAuth tokens and Vercel’s ’non-sensitive’ variable model which left some secrets unencrypted at rest. ...

EU Age-Verification App Hacked in Minutes Cybersecurity experts bypassed the European Union’s new age-verification app in under two minutes, discovering that sensitive data was stored unprotected on devices and biometric locks could be easily skipped. Despite the EU’s claims that the tool was ’technically ready,’ researchers found the code failed to meet basic security standards. https://www.politico.eu/article/eu-brussels-launched-age-checking-app-hackers-say-took-them-2-minutes-break-it/ https://www.sofx.com/eu-declared-age-app-ready-while-github-flagged-it-unfit-then-hackers-bypassed-it-in-2-minutes/ Vercel Breached via AI Tool OAuth Over-Permissioning A security breach at Vercel occurred after an employee granted a third-party AI tool, Context.ai, unrestricted access to their corporate Google Workspace. The attacker, linked to the ShinyHunters group, exploited this broad access to move laterally into internal systems and is now demanding $2 million for stolen environment variables. ...