Marwan
339 posts

Marwan
@marwanbuilds
cloud security @ microsoft, prev @ aws. founder @diallogroup
NYC · Joined October 2023
253 Following · 8 Followers

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

@hetmehtaa You’re looking for work, huh? Were u part of your company’s security team?

my company got breached
the attacker had access for 11 days
on day 3 he emailed our IT helpdesk
complained that the VPN was slow
our helpdesk reset his password
upgraded his access tier to fix the "connectivity issue"
and closed the ticket as resolved
CSAT score: 5 stars
we found this in the logs during forensics
the attacker had rated our IT support
excellent

Move fast, break things, learn, and rebuild better.
At Alif HQ, you're surrounded by people who shorten your feedback loop: other people can tell you what's working before you waste months building the wrong thing.
We're creating a space where Muslim builders actually help each other win.
Comment "HQ" to join the space.
Marwan reposted

Claude shifted the focus to dev, but coding is just a tiny fraction of the magic. The AI race has given us tunnel vision. We’re overlooking the revolution in education, medical breakthroughs, scientific discovery, creative arts, and global logistics.
We’re building a brain, not just a debugger. 🧠✨

@brian_armstrong No failover? Redundancy? Were your security team part of the mass layoff?

We experienced an outage at Coinbase last night, which is never acceptable. The root cause was a room overheating in an AWS datacenter when multiple chillers failed. We design our services to be redundant to downtime in any one AWS Availability Zone (AZ), and most of our systems worked this way last night, but not all.
Our centralized exchange did not. Exchanges have unique architectures that optimize for latency and co-location of clients. It is possible to make exchanges resistant to AZ failures, but this can introduce latency delays that are not desirable along with breaking customer co-location. Given this incident, we'll revisit these tradeoffs to ensure we're giving you the best possible venue to trade. At a minimum, the duration of an outage should be able to be reduced considerably when an AZ move is needed.
Thank you to the AWS and Coinbase teams for working through the night to mitigate the issue. We’ll share the detailed technical summary once it's ready.

@AnthropicAI @bcherny You guys are pioneering AI ‘clinical trials’.

we'd like to help companies secure themselves and we think it's important to start work on this quickly
fouad @fouadmatin
Today, we're rolling out GPT‑5.5‑Cyber in limited preview to defenders responsible for securing critical infrastructure. GPT-5.5 with Trusted Access for Cyber (TAC) is still the best option for developers to find and patch vulnerabilities in their code. It's a very good model.

Claude Code just stopped a DDoS attack on BridgeMind in under 10 minutes.
13 million requests per minute hitting our API.
CPU pegged at 94%.
Latency spiking to 60 seconds.
Production was down.
I opened Claude Opus 4.7 in Claude Code and said "fix this now."
It identified the attack, scaled ECS from 2 to 8 tasks, tightened WAF rules from 300 to 100 req/IP, blocked the attack vector, and brought CPU down to 15%.
Latency dropped from 60 seconds to 1.25 seconds.
No DevOps team. No on-call engineer.
Just one prompt.
This is why I keep coming back to Claude Code.


Next up in our commitment to security: Security Center 2.0.
We’ve made it dramatically easier to understand your security posture across every Replit app you manage, and take action across all of them in bulk.
With Security Center 2.0, you can:
- Instantly identify risky apps
- Fix critical vulnerabilities with Agent in seconds
- Notify owners or un-publish apps with batch actions
- Export software bill of materials (SBOM) to integrate with external tools

Earlier today I leaked AWS credentials to the world; except they weren’t real.
This is part of our launch for Honey Tokens (HT) at @infisical - a new class of fake credentials that can be used to trick attackers into thinking that they’ve stolen your real secrets.
HTs are useful as decoys for detecting bad actors and breaches in the event that they do happen. Under the hood, HTs are real AWS IAM credentials, except wired up to Infisical, but with zero permissions. When an attacker tries to use a HT, we notify you so you can stay proactive about further securing or rotating your real secrets.
In a world where credential breaches are becoming more common, we hope to give you all the tools needed to combat modern security threats.
More on this below 👇
Tony Dang @dangtony98
We've been going deep cooking up new security infra for agents at @infisical. Dropping a little sneak peek for what's ahead for anyone curious. Excited to show everyone what we've been working on!

24-hour “disclosure” isn’t research — it’s a PR campaign with a technical pretext. CISA’s CVD framework exists precisely to prevent this. If the finding is legit, the rush to press undermines it. If it’s not, the rush explains everything.
Nonetheless, security conversation in vibe coding is important.

A cybersecurity firm, “Red Access,” contacted us less than 24 hours before going to the media with vague claims about Replit.
This is not how responsible security research works. The standard practice in terms of disclosure policies, as followed by CISA, CERT/CC, and most major firms, is to share findings privately and allow a defined window for remediation before public disclosure. A 24-hour countdown to a press cycle is not that.
From the limited information they shared, their core claim appears to be that some users have published apps on the open web that should’ve been private.
Replit allows users to choose whether apps are public or private. Public apps being accessible on the internet is expected behavior. Privacy settings can be changed at any time with a single click.
Vibe Coding is a rapidly developing space, and we take our responsibility to both provide tools to create secure apps and educate our customers very seriously. Just in the past week, we launched two security products: Security Agent and Auto-Protect.
If Red Access shares a list of impacted users, we will proactively default those apps to private and notify users directly.
We welcome responsible security research and have a long history of working constructively with researchers who follow standard disclosure practices. That offer remains open.

@gabe_ragland Pretty cool stuff 🔥 and I want to see it win — but let's be real, auth is a liability right now. SMS/text = not secure. Codebase integrations = risky. Enterprise? Absolutely not yet. Fix the security foundation first, then we talk scale. 🔒

Introducing the Codex iMessage Handoff skill
github.com/gragland/codex…