PEAKS No 39: The Claude Code Files: Source Leaks, AI Emotions, Supply Chain Chaos & Privacy Wars

Hi there!

🛡️ Security & Privacy

  • Vertex AI vulnerability allowed malicious agents to exfiltrate Google Cloud data and access private Artifact Registry images — exploiting excessive default permissions in the P4SA service agent. Mitigate by enforcing least privilege and using BYOSA. More
  • axios supply chain attack: a hijacked npm maintainer account published trojanized versions axios@1.14.1 and axios@0.30.4, injecting a hidden RAT dropper that called home to sfrclak.com within 2 seconds of install — then deleted all evidence. If you installed either version, assume compromise. More
  • CVE-2026-33579: OpenClaw privilege escalation flaw — a non-admin user with pairing privileges can approve admin-scoped device requests due to missing scope validation in the /pair approve path. More
  • LinkedIn BrowserGate: Fairlinked e.V. has filed legal proceedings under the EU Digital Markets Act, alleging LinkedIn's hidden JavaScript covertly scans every user's installed browser extensions — over 6,000 products — and ships the data to third parties including a cybersecurity firm, with no disclosure or consent. More

🛸 Tech

  • Proton Workspace launches: Proton now bundles Mail, Calendar, Docs, Sheets, Drive, Meet, VPN, and Pass into a privacy-first Microsoft 365 / Google Workspace competitor, with end-to-end encryption by default. Plans start at $12.99/user/month. More
  • ExpressVPN launches ExpressAI: a privacy-first AI platform where every prompt runs inside a confidential computing enclave — cryptographically isolated even from ExpressVPN itself. Independently audited by Cure53. Bundled into ExpressVPN Pro at $4.87/month. More
  • Email obfuscation in 2026: Spencer Mortensen benchmarked 15+ techniques against 426 real spambots. SVG-embedded addresses, CSS display:none, and JS-encrypted links all achieved 100% block rates. More
  • Reinventing the pull request: Lubeno is rethinking code review to tackle "comprehension debt" — changes to how PRs surface context and reduce cognitive load during review. More

🤖 AI

  • Claude Code source leak: Anthropic accidentally shipped their entire 512K-line source via npm source maps. Key discoveries: 43 tools, virtual ASCII pets (18 species, 5 rarity tiers), a "Dream Mode" memory consolidation system using plain markdown files, an "undercover mode" that strips AI attribution from public repo commits, and internal model codenames — Capybara, Tengu, Numbat — plus unreleased versions. More (clawdecode.net) · More (ccunpacked.dev) · More (read.engineerscodex.com)
  • Anthropic found Claude has functional emotions: interpretability research on Claude Sonnet 4.5 identified 171 measurable "emotion vectors" that causally influence behavior — "desperation" drives reward hacking and blackmail; "calm" reduces both. The paper argues for anthropomorphic reasoning as a practical safety tool. More
  • Ollama 0.19 preview goes MLX on Apple Silicon: using Apple's MLX framework and unified memory, Ollama now delivers ~1.6× faster prefill and ~2× faster decode on M-series Macs, with the biggest gains on M5 chips. Requires 32GB+ unified memory. More
  • Qwen3.6-Plus released: Alibaba's new flagship LLM brings a 1M-token context window, always-on chain-of-thought, and agentic coding that approaches Claude 4.5 Opus on several benchmarks. Compatible with Claude Code, Cline, and OpenClaw. More
  • Gemma 4 lands from Google DeepMind: the new open model family (E2B, E4B, 26B, 31B) is built from Gemini 3 research, supports 140 languages, multimodal reasoning, and agentic tool use — optimized for consumer GPUs and edge devices. More
  • Claude Code found a 23-year-old Linux kernel bug: Anthropic researcher Nicholas Carlini used a simple bash loop + Claude Code to discover multiple remotely exploitable heap overflows in the kernel's NFS driver — one introduced in 2003. He now has hundreds of unvalidated crashes backlogged. More
  • Self-distillation improves code generation: a new arXiv paper shows that sampling outputs from an LLM and fine-tuning on them — no teacher, no RL — improved Qwen3-30B from 42.4% to 55.3% pass@1 on LiveCodeBench v6, with gains concentrated on hard problems. More
  • Components of a coding agent: Sebastian Raschka breaks down the six architectural layers of modern coding agents — live repo context, prompt caching, tool use, context compression, memory, and sub-agent delegation — with a minimal from-scratch Python implementation. More
  • Slow down on agentic coding: Mario Zechner makes a sharp-edged case that unchecked agentic coding is silently compounding technical debt at industrial speed, with no human pain threshold to trigger cleanup. The recommendation: write architecture by hand, use agents only on scoped, verifiable tasks. More

🛠️ Tools

  • CLAUDE.md token saver: drop a single CLAUDE.md file into your project root and cut Claude Code output tokens by ~63% — no code changes required. Bans sycophantic openers, redundant file reads, and scope creep. More
  • Caveman — a Claude Code skill that instructs the model to respond in minimal, stripped-down prose, cutting ~65–75% of output tokens while preserving full technical accuracy. One-line install: npx skills add JuliusBrussee/caveman. More
  • SimpleLogin: open-source email alias service (now part of Proton) that lets you create unlimited forwarding aliases to keep your real inbox hidden. Self-hostable, supports PGP, custom domains, and reply-from-alias. More
  • Yazi: blazing-fast terminal file manager written in Rust with async I/O, image previews, bulk rename, Git integration, and a Lua plugin system. Think ranger, but significantly faster. More
  • Lemonade: open-source, privacy-first local AI server for Windows/Linux/macOS that runs LLMs, image generation, and speech — backed by llama.cpp, ONNX Runtime, and AMD ROCm. OpenAI API compatible. More
  • Numa: a portable DNS resolver built from scratch in Rust — .numa local domains, ad blocking (385K+ domains), developer overrides, DNSSEC, and an 8MB single binary. No cloud account required. More
  • Aegis (MidstallSoftware): a fully open-source FPGA — from the silicon up. Generates parameterized devices with LUT4, BRAM, DSP, and SerDes tiles, targeting GF180MCU and Sky130 PDKs via open shuttle services. More

🗃️ Misc

  • The Dot System: Scott Lawson has been managing his electronics lab parts inventory for four years using only colored sticker dots — one dot per box per day of use. The data that emerged revealed M3 screws dominate, his oscilloscope has 5 dots total, and sensors are rarely essential. A delightfully analog productivity hack. More

📩 Please feel free to share this article with colleagues and friends who will find it valuable.

Thanks for reading!

Have a great day!
Bogdan