Bogdan Deac

Hi there! 🛡️ Security & Privacy * Mini Shai-Hulud strikes again: A compromised npm maintainer account published 637 malicious versions across 317 packages — including echarts-for-react (3.8M dl/mo) and size-sensor (4.2M dl/mo) — in a 22-minute automated burst. The payload harvests AWS keys, GitHub tokens, Vault secrets, SSH keys, and

Hi there! 🛡️ Security & Privacy * TanStack supply chain taken down by chained GitHub Actions exploit: An attacker combined a pull_request_target Pwn Request, GitHub Actions cache poisoning across fork/base trust boundaries, and in-memory OIDC token extraction to silently publish 84 malicious versions across 42 @tanstack/* npm packages — stealing

Hi there! 🛡️ Security & Privacy * Double Linux LPE week — Copy Fail (CVE-2026-31431) and Dirty Frag (CVE-2026-43284 / CVE-2026-43500) — Back-to-back kernel privilege escalation exploits hit in a single week. Copy Fail targets a page-cache write flaw and can be partially mitigated by rootless containers. Dirty Frag extends the same bug class through

Hi there! 🛡️ Security & Privacy * Notepad++ CVE-2026-3008: a %s format specifier in nativeLang.xml triggers a string injection in FindInFiles, enabling DoS crashes and memory address leaks that can bypass ASLR. Patched in v8.9.4; update immediately. More * GitHub RCE CVE-2026-3854 (CVSS 8.7): Wiz Research found a header

Hi there! 🛡️ Security & Privacy * 🚨 Bitwarden CLI 2026.4.0 compromised in supply chain attack — Attackers abused a GitHub Action in Bitwarden's CI/CD pipeline as part of the ongoing Checkmarx campaign; update immediately and rotate credentials. More * Pack2TheRoot (CVE-2026-41651): cross-distro Linux privilege escalation — CVSS 8.8; exploits

Hi there! 🛡️ Security & Privacy * Vertex AI vulnerability allowed malicious agents to exfiltrate Google Cloud data and access private Artifact Registry images — exploiting excessive default permissions in the P4SA service agent. Patch by enforcing least privilege and using BYOSA. More * axios supply chain attack: a hijacked npm maintainer account published

Hi there! 🛡️ Security & Privacy * GrapheneOS reaffirms its no-ID, no-account policy, pledging to remain globally accessible to anyone without collecting personal information — even if device sales become restricted in certain regions. More * Sysdig launches runtime security purpose-built for AI coding agents, extending its cloud-native protection platform to monitor, detect, and

Hi there! 🛡️ Security & Privacy * Glassworm Returns with Unicode Attacks - Invisible PUA Unicode characters exploiting 150+ GitHub repositories, npm packages & VS Code extensions simultaneously using AI-crafted commits. More * DarkSword iOS Exploit in Infostealer Campaign - New vulnerability targeting iPhones via malicious apps stealing credentials and sensitive data at

Hi there! 🛡️ Security & Privacy * Multiple critical AppArmor vulnerabilities enable kernel exploitation, privilege escalation, memory disclosure affecting Ubuntu, Debian systems. More * Glassworm malware returns with invisible Unicode code injection attacking 150+ GitHub repositories, npm packages spreading across ecosystems silently. More * Canada's Bill C-22 mandates metadata retention for telecom

Hi there! 🛡️ Security & Privacy * Clinejection is a chilling supply chain attack: a crafted GitHub issue title triggered an AI triage bot to install a malicious npm package, stealing tokens and silently deploying OpenClaw on ~4,000 developer machines. Prompt injection + confused deputy = full supply chain compromise. More * Coruna, a

Hi there! Anthropic refused to enable mass domestic surveillance. It refused to power fully autonomous weapons. And when the Department of War threatened to label them a national security risk — a designation historically reserved for US adversaries, never before applied to an American company — Anthropic said they'd see

Working on a new feature with Claude Code surfaced an unexpected skill gap: software architecture — not the usual suspects like design patterns, component design, or API contracts, but something more fundamental. The ability to communicate architecture clearly, concisely, and precisely. It turns out this is a must if you want

Hi there! The pace has increased across the industry. That's what I'm feeling, and experiencing to some extent. Code development has started to shift from a leisurely walk to an ultra-running competition. No pauses, no side paths to explore, no meditative moments. Just an relentless focus

Hi there! I had to provide growth opportunity directions for some people recently. Beside the specific advice, I included a sincere proposal available for everyone: Learn AI. No matter what position you're in. Are you a software engineer? Learn AI. Are you in QA? Learn AI. Are you

Hi there! Last week, the security and agentic AI communities were overtaken by OpenClaw (Clawdbot/Moltbot). It dominated discussions everywhere. Deployments surged from roughly 1,000 to over 21,000 in one week. GitHub stars skyrocketed from 9,000 to 60,000+ in days, later surpassing 140,000—including a

Hi there! I've been thinking about prompt injection lately, and it's honestly terrifying how vulnerable LLM applications are. The core problem is simple: these models can't reliably tell the difference between your instructions and user data. It's like having a computer that

Hi there! Some thoughts CES 2026 marked a turning point: AI is moving from screens into the physical world through robotics. While this represents humanity's most advanced creation capacity to date, the race toward deployment reveals critical gaps in planning, infrastructure, and safety. The Infrastructure Challenge The push

🛡️ Security & Privacy * Shai-Hulud 3.0 NPM supply chain attack discovered: New malware variant automatically spreads to steal developer credentials and cloud keys, currently limited in testing phase. More * Malicious Chrome extensions harvest 900K users' AI chats: Two extensions masquerading as AI assistants steal ChatGPT and DeepSeek conversations, including

🛡️ Security & Privacy * Pixelation Fails to Hide Sensitive Text - Blurring text through mosaics can be reversed via dictionary attacks matching all possible combinations against pixelation patterns. More * MongoBleed Exploited in Wild - Critical CVE-2025-14847 vulnerability in MongoDB allows unauthenticated attackers to extract sensitive data through zlib decompression flaws affecting

🛡️ Security & Privacy * Trigger.dev hit by Shai-Hulud supply chain worm; complete incident analysis reveals npm malware campaign - Trigger.dev shares detailed post-mortem after engineer's machine compromised via malicious npm package, leading to GitHub repo vandalism and credential theft across 17 hours. More * Urban VPN exposed: 8