voidbear
20 posts
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
English
Now that Bun is moving off Zig ... will we ever hear about that language again?
Bun was the only thing I'd ever heard of using it, and it's moving to Rust.
Hard to imagine anyone being eager to build on Zig at this point. Am I missing something?
English
Find out what vulnerabilities are lurking in your code. 👀
GitHub's new Code Security Risk Assessment scans your organization's code and delivers a vulnerability dashboard broken down by severity, language, and repo.
No config, no commitment. Run your free assessment now.
github.blog/security/appli…
English
voidbear retweetledi
we ACTUALLY got the oppressor mk2 before GTA 6.
Polish engineer Tomasz Patan built the Volonaut Airbike.
it hits 124 mph, runs on jet propulsion, has no propellers, and weighs less than your dog.
pretty fucking sick.
English
I'll waiting for the claude astro clone embedded into bun to drop any day now.
voidbear@mrvoidbear
I'm sorry, but like Anthropic is a plague between this and the "game engine" tui that is mostly spyware. You can put html and other things into markdown and not worry about all the boilerplate.
English
I'm sorry, but like Anthropic is a plague between this and the "game engine" tui that is mostly spyware.
You can put html and other things into markdown and not worry about all the boilerplate.
Thariq@trq212
English
Thank you. The lack of decent ffi in node has been a major pain.
dax@thdxr
we sponsored the ffi work with @matteocollina and the team from @platformatic exciting to have the resources to push on these things - we did it for OpenTUI but will usher in an era of high performance libraries for ecosystem ultimately very little cost compared to the impact
English
One of the biggest reasons I've stuck to deno and bun for the last few years is ffi.
The other is deno's ability to run a script and with dynamics installs and without package.json
Huge win for node.
Node.js@nodejs
Node.js 26.1.0 is out, with a new `node:ffi` module, `crypto.randomUUIDv7()`, and many more features and bug fixes. Full changelog and download links: nodejs.org/en/blog/releas…
English
voidbear retweetledi
Node.js 26.1.0 is out, with a new `node:ffi` module, `crypto.randomUUIDv7()`, and many more features and bug fixes.
Full changelog and download links: nodejs.org/en/blog/releas…
English
voidbear retweetledi
voidbear retweetledi
voidbear retweetledi
⚠️ Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse
Source: cybersecuritynews.com/azure-ad-condi…
Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.
Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.
This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.
#cybersecuritynews #Azure
English
@MADDNational @lib3rty0rd3th @RepKeithSelf Ok get rid of the wine and alcohol. Leave the cars alone.
English
@lib3rty0rd3th @RepKeithSelf Uber is a great option - but it’s not enough on its own. Thousands of people are still killed every year by drunk drivers. Anti-drunk driving technology adds a critical safeguard to help stop someone from driving drunk before it turns deadly.
English
The Kill Switch was pitched to Congress as a way to stop drunk driving—but its real-world implications are far more troubling.
No government should have the authority to remotely control a vehicle you paid for, or turn it into a tool for surveillance.
Stop the overreach. Kill the Kill Switch.
English
Can't tell if Dario got what he wanted or mythos fear mongering backfired.
Polymarket@Polymarket
JUST IN: Trump is reportedly considering an executive order requiring vetting of new AI models before they are released.
English
@akoskm I actually liked Kimi in open code but there is no sub so doing any multi agent work is still expensive, in an hour I burned through $90 while I struggle to burn through gpt5.5 with sub agents
English
Cancelled both my Claude Code Pro and ChatGPT Pro for this.
Kimi K2.6 is just as good for my side projects as Opus or GPT 5.4 were. The price for this is crazy low, and there are a bunch of models I can try (like DeepSeek).
Bonus: I'm moving away from building everything on Claude Code - now that both @opencode and @cursor_ai have their SDKs open, I feel I can rebuild the agentic workflows I built for Claude Code in a more platform-independent manner.
Lotto@LottoLabs
Update on Opencode Go It’s great value for $5/month, there’s really no reason not to do the first month. At $10/month it’s still good value and gets you access to all sota OS models. You can’t daily drive it without hitting limits on the big models but w/ Kimi x3 you won’t hit limits unless you’re insane. Overall highly recommend the first month, then make your own decision.
English
voidbear retweetledi
CVE-2026-31431 a/k/a CopyFail
> Linux LPE
> Description sounds like AI slop
> Exploit is legit
> Impacts every Linux kernel from 2017 - Now
> Proof-of-concept released
> It's Wednesday?
copy.fail
English
voidbear retweetledi
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
We’ll continue updating our coverage as more details are confirmed.
socket.dev/blog/bitwarden…
English
voidbear retweetledi
they recovered like 20 boxes
Dexerto@Dexerto
Authorities have recovered $1 million worth of stolen LEGO in Texas Three have been arrested over the incident
English
voidbear retweetledi
Someone open-source a Chromium browser that runs entirely in your terminal.
It's called Carbonyl. It renders actual web pages in your command line. The best part is it runs with 0% CPU usage when idle.
→ Full Chromium engine in the terminal.
→ Dles at exactly 0% CPU.
→ Fast, lightweight, and completely terminal-native.
100% Open Source.
English