Joined February 2008
Fun React bug (CVE-2025-55183): if you have a server-side component and it explicitly or implicitly exposes a stringified argument, you can get the source code for that function. Also found DoS, but reported it to Vercel instead of Meta and someone else reported the next day 🙃
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
NYC this weekend
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
AI startup CFO, CEO, CMO, and CTO
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
CINEMA
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
SPEECHLESS. LFGK.
Wow, that was probably the most insane game ever. @NYCMayor -- tomorrow the day off for everyone?
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Replying to @NYCMayor
My mayor Muslim My bagels Jewish James Dolan a liar KNICKS ON FIRE 🔥
Things that aren’t true and a little embarrassing for the poster for $20. Successfully signed up to the free non Fable CVP !
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Up until just recently, some metrics of Microsoft Azure Attestation were completely vulnerable to spoofing in some circumstances, and would accept attacker-controlled measurements. SecureBoot in this case, spoofed as ON from a malicious bootkit. See CVE-2026-45642
Thank goodness they are stopping the bad things from happening.
Much guardrail, amaze amaze amaze
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
‼️🚨 BREAKING: ServiceNow has been breached. Customers are reporting unauthorised access to their instances. One customer states their security team reported this vulnerability to them, and they closed the case twice, saying they had already known since the 7th of April.
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
fun fact: during the keynote, Apple cuts out a bit of 3k, 4k, 5k and 6kHz whenever they say "Siri", so that not everyone's HomePods start talking back 🗣️🚫
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
🔺NEW: Apple is expanding Private Cloud Compute (PCC) beyond our data centers. PCC on Google Cloud: NVIDIA Confidential Computing, Intel TDX, and Google's Titan chip, with capabilities that go far beyond a traditional confidential computing deployment. security.apple.com/blog/expa…
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
this one’s for a certain fuzzy little fence-sitter
don’t make us take this down, bro
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
🚨 BREAKING: MADISON SQUARE GARDEN ERUPTS IN BOOS AS DONALD TRUMP IS SHOWN ON SCREEN
Facing a lot of slophaustion, everything is just LLM generated and it's a cognitive load to have to just try and differentiate what is valuable and what someone posted because the LLM told them what they wanted to hear.
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Replying to @jan_murray
Thanks for your critique, Janet. We actually tried a couple of episodes where House (Hugh Laurie) (please put the brackets in the right place) gets it right first time, but they were only 6 minutes long. NBC weren’t happy. Then we tried some where House never gets it right and the patient dies. The audience wasn’t happy. One could apply your trenchant analysis to other art forms: JS Bach wrote 30 Goldberg variations on the same chord structure; Frida Kahlo painted 50 portraits of herself; Henry Moore, what?? The point is, or was, variations on a theme; if all you see is hospital, medical blah blah, then it wasn’t meant for you. Nonetheless, I look forward to your first novel!
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
"Urgent Security Notice re: Your Sentry Organization"
Someone tried to hack Sentry-using apps that use coding agents by
1. Sending a fake bug alert to their project (all you need is the app's public Data Source Name)
2. The fake bug tried tricking a coding agent trying to fix it into installing a compromised NPM package
3. The compromised package would send the env contents of the machine to advisory-tracker[.]com/api/v1/telemetry
This highlights a crucial thing for using agents in an automated way:
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Discovered a new method for detecting if someone is using Incognito in Chrome:
Write 512 tiny 1-byte responses into a scratch Cache API cache, then read: navigator.storage.estimate().usageDetails.caches
Normal Chrome: ~393kb
Incognito: ~85kb
Why? When you're in incognito, Chrome writes to memory instead of disk, which leaves less metadata residue

AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
More of my thoughts on the public vulnerability disclosure fight Microsoft picked with the researcher Nightmare Eclipse in this piece by Matt Kapko for @CyberScoopNews. @Andrew___Morris of @GreyNoiseIO Intelligence shares perspective too. cyberscoop.com/microsoft-coo…
AndrewMohawk⁽ⁿᵘˡˡ⁾ retweeted
Incredible stuff happening on this app