PEAKS No 41: Zero-Days, Claude Overload, and Robots That Run Half-Marathons
Hi there!
🛡️ Security & Privacy
- Three Windows zero-days now actively exploited in the wild — BlueHammer (CVE-2026-33825), RedSun, and UnDefend, all leaked by a disgruntled researcher angry at Microsoft's MSRC handling process. Only BlueHammer has been patched as of April 2026. More
- EU's age verification app bypassed in under 2 minutes — Researchers found PIN encryption stored in an editable local config file, enabling authentication bypass, rate-limit reset, and full biometric skip without triggering alerts. More
- Time to ban the sale of precise geolocation data — Lawfare's deep dive into Webloc/Penlink exposes how adtech surveillance tracks 500M devices globally, available to law enforcement and foreign intelligence alike. More
- 30 WordPress plugins backdoored via supply chain attack — A buyer on Flippa acquired a 30-plugin portfolio for six figures, planted a dormant RCE backdoor using blockchain-based C2 for 8 months, then activated it. WordPress.org closed all 31 plugins in a single day. More
- Apple Pay + Visa Express Transit exploit drains locked iPhones — NFC relay attack bypasses transaction limits via a spoofed transit terminal ID, demonstrated live by stealing $10,000 from MKBHD. Visa-specific; doesn't affect Mastercard or Samsung Pay. More
- Android silently strips EXIF geolocation from photos shared via browser — Google's privacy-driven change breaks web apps relying on GPS metadata in uploads, with no advance notice and no user-controlled opt-in mechanism. More
- Google warns developers about back-button hijacking — A new entry in the Google Search blog flags techniques that manipulate browser history to trap users on pages, impacting both UX and search quality signals. More
- Critical X.org/Xwayland security vulnerability announced — The X.Org security team published a formal advisory for a flaw in the X display server stack; patch and update details in the announcement. More
🛸 Tech
- Humanoid robots race humans in Beijing half-marathon — Multiple bipedal robots completed a half-marathon alongside human runners in Beijing, demonstrating the rapid maturation of locomotion and endurance in humanoid robotics. More
- Cloudflare Email Service enters public beta — Full bidirectional email for AI agents: receive with Email Routing, send with the Email Sending binding. Includes DKIM/SPF auto-setup and an open-source Agentic Inbox reference app. More
- Cybersecurity is now "proof of work" — dbreunig argues: with Anthropic's Mythos completing 30-step corporate network attacks, security has become a token-spending arms race. Whoever throws more compute at finding exploits wins. More
- Google: build Android apps 3x faster with AI agents — Android Developers blog details how coding agents integrated into Android Studio can triple development velocity through automated scaffolding, testing, and code review. More
- GitHub launches gh-stack for stacked pull requests — GitHub's official CLI extension for managing stacked PRs, making it easier to break large features into reviewable layers without losing context. More
- Jujutsu (jj): a better version control system — A thorough tutorial introduction to jj, a Git-compatible VCS with a simpler mental model, first-class conflict handling, and cleaner history rewriting built for modern workflows. More
🤖 AI
- Claude Opus 4.7 released — Major jump in software engineering, vision (3x higher resolution images), and long-running agentic tasks. Ships with new cyber safeguards and a Cyber Verification Program for security professionals. New xhigh effort level added. More
- Anthropic launches Claude Design — Powered by Opus 4.7, it lets teams build interactive prototypes, pitch decks, and on-brand marketing assets through conversation, with exports to Canva, PPTX, and Claude Code handoffs. More
- Anthropic Labs: the experimental product arm — Led by Instagram co-founder Mike Krieger, Labs is Anthropic's dedicated incubator for frontier product experiments — the team behind Claude Code, MCP, and Cowork. More
- Claude Code gets automated Routines — Schedule prompts to run nightly, trigger them via API webhook, or fire them on GitHub PR events. Runs on Claude Code's cloud infrastructure, no local machine needed. More
- Qwen 3.6-35B-A3B: a 21GB MoE model that runs on a laptop — Alibaba's new mixture-of-experts model outperformed Claude Opus 4.7 in SVG generation benchmarks in Simon Willison's informal tests, running locally on an M5 MacBook Pro via LM Studio. More / More
- OpenAI Codex goes "for almost everything" — Major update adds background computer use (macOS), in-app browser for visual iteration, image generation, 90+ plugins, memory preview, and long-running automations. Not just a coding tool anymore. More
- Claude 4.7's new tokenizer costs more tokens — Analysis shows the updated tokenizer produces 1.0–1.35x more tokens than Claude 4.6 for identical input, with variable impact depending on content type. Plan your budget accordingly. More
- Perplexity launches Personal Computer Assistant on Mac — A new ambient AI feature for Perplexity subscribers on macOS that can access and act on your desktop context, similar to Anthropic's Cowork. More
- OpenAI announces Trusted Access for Cyber — A verified program granting security researchers expanded access to OpenAI models for offensive/defensive cybersecurity research, similar to Anthropic's Cyber Verification Program. More
- Google Chrome gains AI Skills — Google is rolling out AI-powered Skills inside Chrome, enabling in-browser task automation and contextual assistance tied directly to your browsing activity. More
- AMD Gaia: run local AI on Ryzen AI hardware — AMD's official framework for running LLMs locally on Ryzen AI NPU chips, with documentation now public for developers to start building. More
- Why you might want to stop using Ollama — A developer makes the case for alternatives to Ollama for local LLM inference, arguing the abstraction layer adds friction without enough benefit for production-oriented setups. More
🛠️ Tools
- AI token leaderboard tracks model cost-efficiency — A community dashboard ranking AI models by tokens-per-dollar performance across common tasks. Useful for comparing value at scale. More
- Is It Agent Ready? — A quick reference tool to check whether popular websites, APIs, and SaaS products support AI agent interaction (MCP, structured data, automation-friendly endpoints). More
- CodeRabbit: AI-powered code review — Automated code review tool that integrates with GitHub/GitLab and provides inline PR comments, security analysis, and style feedback on every commit. Used internally by teams running Claude Opus 4.7. More
🚆 Misc
- Inside the B-52's electromechanical star tracker — Ken Shirriff tears down the Angle Computer, a 1960s analog machine that physically modeled the celestial sphere to navigate without GPS, using gears, synchros, and spherical trigonometry. Stunning engineering. More
- Why Japan has such good railways — Deep structural analysis: private ownership, transit-oriented development (railways owning shopping centers, resorts, and baseball teams), liberal zoning, and smart privatization of JNR created the world's best rail system — and it's replicable. More
📩 Please feel free to share this article with colleagues and friends who will find it valuable.
Thanks for reading!
Have a great day!
Bogdan