Check out audit-logs.tax - we want to crowdsource a list of vendors who don't prioritize high quality, widely available audit logs. We started with a list of apps we're focused on but happy to take issues/PRs for logs you're focused on: github.com/shellcromancer/au…

Pour one out for the agents that remove Fable from model selectors tonight 🍻

Biggest #WWDC miss: no Safari support for Device Bound Session Credentials :( Maybe we’ll get an update soon! github.com/WebKit/standards-…

I wanted to address the speculation about the recently introduced Device Bound Session Credentials (DBSC) security feature in Google Chrome. Does it help increase the security of session cookies against infostealer malware and MFA phishing? The feature has been available and enabled by default since the Chrome 146 update (April 2026), if you're running Windows with a hardware-backed TPM security module (macOS support is coming in future updates). DBSC allows the browser to upgrade session cookies from long-lived to short-lived, requiring the browser to refresh them approximately every 10 minutes to maintain access to the user's account. > Does DBSC prevent account takeover by threat actors using a stolen session cookie obtained from the user's browser via infostealer malware? Yes (kind of). The extracted session cookie will be valid for up to 10 minutes from the time it is extracted. The attacker will be unable to maintain long-term access to the user's account. Still, the timeframe may be sufficient, for example, to exfiltrate the inbox if the attack is automated. The attacker cannot refresh the short-lived session cookie because it requires the private key (stored in the TPM) assigned to the account to sign the challenge. The malware cannot access the private keys stored in the TPM. > Does DBSC prevent account takeover by threat actors during a phishing attack? No. Servers need to provide legacy support for the browsers that do not yet support DBSC. By default, the server registers and sends a long-lived session cookie to the browser. If the server supports DBSC, it will announce the DBSC API endpoint URL in the `Secure-Session-Registration` HTTP header of the response packet that contains the long-lived session cookies. Only after the short-lived session cookie is registered via the DBSC API endpoint is the long-lived session cookie invalidated. When the attacker removes the `Secure-Session-Registration` HTTP header retrieved from the server during a phishing attack, the browser will continue using long-lived session cookies and assume the server does not support DBSC. In short, removing that HTTP header while proxying traffic during a phishing attack allows the attacker to maintain long-term access to the user's account using the stolen long-lived session cookie. I hope I've managed to clear up some confusion. On a related note, you will soon be able to simulate phishing attacks against Google Workspace accounts (and other websites) that bypass DBSC and MFA protections using Evilginx Pro with the Phishlets 2.0 update.

The industry has seen an unprecedented wave of supply chain attacks over the past few months. That's why we built Bumblebee, a lightweight security scanner that continuously monitors endpoints and hunts for malicious packages. Bumblebee has been a critical asset in keeping @perplexity_ai secure, and we're thrilled to open source it for everyone. We're also using Perplexity Computer to monitor public threat intelligence feeds in real time and update the Bumblebee repo as new threats emerge. Excited to share this with the community!

🚀 Big news: Socket has acquired Secure Annex. John @tuckner is joining the team, and we’re excited to expand our coverage across browsers, code editors, and AI tools. Read more → socket.dev/blog/socket-acqui…

Best extension scanning 🤝 Best dependency scanning Congrats to @tuckner, @feross and all the customers!

Is it expected that Google Workspace admins don't even get notifications when users requests apps? Seems incredibly silly there is no notification mechanism for this... Pretty easy to make an Alert Center rule but these sort of things should be on by default!

> The refactor itself typechecks conceptually; Name that Agent!

Big day: toddler’s first data breach!

We at @cotoolai are stoked to announce our $7.4m fundraise from @a16z . Offensive cyber operations are now JIT code; we started Cotool to give defenders their leverage back. Grateful to everyone who took the bet early, especially @koomen @garrytan @MaikaThoughts @zanelackey.

Today we're introducing @usefiretiger. You and your AI agents write code. Firetiger makes sure it works. Our team and I have plenty of incident war stories building @Cloudflare, @segment, @Twitch. In the agentic coding era, the volume of code changes quality issues in prod is ever increasing, but observability vendors aren't incentivized to close the gap. They make money when you write more data to them, not when your software actually works. Firetiger is the agentic operations layer for the agentic coding era. We combine production observability data, codebase understanding, and knowledge of your business to find problems before your customers do and fix them before they notice. We've raised $7.6 million led by @sequoia with participation from angels who believe in better software, including @eastdakota, @calvinfo, @NicoRosberg, @dok2001, @jeffawilke, and @alanaagoyal. You can sign up for @usefiretiger today, self serve. We charge for agents that directly make your software better and more reliable, not for observability data ingested, with plans starting at $599/month. Observability is dead. Long live outcome engineering.

Effective Cloudflare ad from whatever ai(.)com is

Using ChatGPT Pulse to read my newsletter inbox and show me cute card summaries is really nice. The intro name in today’s was a little off though…

Nice post from @arenamagdotcom with a contrarian bull-case for US rare earth independence 🐂🇺🇸 arenamag.com/articles/americ…