ErrorToCompile

Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?

JIT @sigintzero_ submission for @colosseum hackathon submission! Lets show em what we got downunder @SuperteamAU!

industry: gets hacked “how did the devs let this happen?” the devs:

Always great to have more compute. But until there's some transparency on actual token amounts you offer with Claude Code, this doesn't mean much if next week you silently reduce the usage.

When an Ex-FAANG Engineer Joins a Startup 😂😂

The RF world is insane. Researchers recovered AES-128 keys from a Bluetooth chip by listening to its own antenna from 10 meters away. Crypto-engine switching noise couples into the RF chain, rides the 2.4 GHz carrier, and leaks out as radio.

wasnt blockchain meant to stop this shit

We're just getting started!

Super stoked to share that we at @sigintzero_ have been awarded a $10k USDG grant from @SuperteamAU as we build toward Tripwire, our 24/7 on-chain monitoring and threat response system for Solana, focused on post-deployment security and real-time protection. Awesome to see support going toward Australian builders pushing the ecosystem forward. We’re now heads down for the final stretch of the @colosseum Frontier Hackathon, focused on delivering it in full and getting it into the hands of teams.

Claude Security is now in public beta for Claude Enterprise customers. Claude scans your codebase for vulnerabilities, validates each finding to cut false positives, and suggests patches you can review and approve.

think you are safe? think again

The Son of Anton scene will almost certainly be the most referenced Silicon Valley scene in age of AI: “It’s possible that…the most efficient way to get rid of all the bugs, was to get rid of all the software.”

New Robinhood phishing chain that's kinda beautiful: 1. Attacker creates an RH account using the Gmail dot trick of your email (same inbox, different address) 2. Sets device name to HTML 3. RH's "unrecognized activity" email renders the device name unsanitized (html injection) The result is a real email from noreply@robinhood.com, DKIM pass, SPF pass, DMARC pass, with a phishing CTA Just because it's real, doesn't mean it's safe... $HOOD

The most australian collection i have ever seen: miladycare.xyz @miladycare_aus @ausbuildooors

🛡 Sentinel's first cohort is live with @koreabuidlweek Free AI audits for their teams, fast turnaround. You already built it. Now secure it.

the way its heading

⚠️ALERT: $AAVE is now down -19% today after a $292M Kelp DAO rsETH exploit triggered a full-blown liquidity crisis. Aave's ETH pool just hit 100% utilization. That means one thing: there's almost no ETH left to withdraw. Here's what happened: Attacker drained 116,500 rsETH ($292M) from Kelp DAO's LayerZero bridge He then deposited the stolen rsETH as collateral on Aave V3 to borrow ~$236M in WETH. Because the rsETH is now unbacked, those positions are unliquidatable. Aave is now stuck with ~$280M in bad debt it cannot recover. Panic withdrawals have followed: $5.4 BILLION in $ETH outflows, with Justin Sun pulling 65,584 ETH ($154M) alone. ETH utilization has maxed out at 100%, which means there's almost no ETH left to withdraw. This is the FIRST real-world test of Aave's Umbrella safety module & the BIGGEST DeFi exploit of 2026. This is a developing story.

Some contracts accept ETH in `payable` functions & send it to other contracts within the same txn. Useful invariant: contract should never hold ETH before/after any function call. Specialist AIs can easily detect this invariant & generate formal verification rules for it.

Kraken Security Update We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never breached; funds were never at risk; we will not pay these criminals; we will not ever negotiate with bad actors. Kraken identified and shut down two instances of inappropriate access to limited client support data. In February 2025, we received a tip from a trusted source regarding a video shared on a criminal forum that appeared to show access to our client support systems. We immediately launched an investigation and quickly identified the individual involved as a member of our support team. Their access was revoked immediately, a full investigation was conducted, additional security controls were put in place and a limited number of affected clients were notified. Since then, we have been collaborating with industry partners and law enforcement to investigate and disrupt insider recruitment efforts targeting not only crypto companies, but also gaming and telecommunications organizations. More recently, we received another tip, along with a new video showing similar activity. We quickly identified the individual involved and terminated their access. As before, we acted immediately to revoke access, conduct a full investigation, and notify the small number of affected clients. Across both incidents, only a very small number of client accounts were potentially viewed - approximately 2,000 in total (0.02% of clients). Shortly after access was terminated, we began receiving extortion demands. The criminals threatened to distribute materials from both the February 2025 incident and the recent incident to media outlets and on social media if we did not comply. We will not pay these criminals. Based on intelligence gathered across both incidents, along with extensive ongoing analysis, we believe there is sufficient evidence to support the identification and arrest of those responsible. We are actively working with federal law enforcement across multiple jurisdictions to pursue all individuals involved and bring them to justice. Due to the ongoing investigation, we cannot share additional details at this time. However, anyone with relevant information is encouraged to contact us directly. The security of our clients is our highest priority, and we remain fully committed to combating the growing global threat of insider recruitment and constantly enhancing our security practices to combat new threats. Note: If you are a client potentially affected by this, you've already been notified.

26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet. We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts. Check our paper: arxiv.org/abs/2604.08407