PEAKS No 46: AI Agents, npm Supply Chain Attacks, GitHub Breach, Gemini 3.5

Hi there!

🛡️ Security & Privacy

  • Mini Shai-Hulud strikes again: A compromised npm maintainer account published 637 malicious versions across 317 packages — including echarts-for-react (3.8M dl/mo) and size-sensor (4.2M dl/mo) — in a 22-minute automated burst. The payload harvests AWS keys, GitHub tokens, Vault secrets, SSH keys, and even local password manager vaults (1Password, Bitwarden), exfiltrating via fake OpenTelemetry traces and GitHub "orphan commits." It also hijacks Claude Code and Codex via SessionStart hooks and installs a persistent GitHub dead-drop C2 backdoor. Check your lockfiles. More
  • GitHub breached via poisoned VS Code extension / Megalodon mass backdooring: On May 20, GitHub confirmed threat actor TeamPCP compromised an employee's device via a malicious VS Code extension, exfiltrating ~3,800 internal repos offered for sale at $50K. Separately, the Megalodon campaign hit 5,561 GitHub repositories in six hours on May 18, injecting malicious CI workflows to steal cloud credentials from AWS, GCP, and Azure. Two independent attacks, same week, same attack surface: developer tooling. More (GitHub breach) — More (Megalodon)
  • PinTheft — Arch Linux root escalation PoC goes public: A public exploit for PinTheft, a Linux kernel RDS zerocopy double-free chained with io_uring, lets any local user gain a root shell reliably without a race condition. It mainly affects Arch Linux, the only common distro that loads the RDS module by default. Patch immediately or block the rds and rds_tcp modules. More
  • Bitwarden red flags: time to migrate?: A new M&A-focused CEO, a quiet doubling of Premium prices, and the stealth removal of the "Always free" commitment from the website have the community alarmed. The core values acronym also changed — "Inclusion" and "Transparency" were dropped. If you rely on Bitwarden's free tier, consider migrating to a KeePass-format database you control. More

🛸 Tech

  • Flipper One — the open Linux cyberdeck, needs your help: Flipper Devices revealed Flipper One: an RK3576-powered Linux handheld with 8GB RAM, Wi-Fi 6E, dual Gigabit Ethernet, USB 3.1, PCIe/SATA M.2 expansion, and a Raspberry Pi RP2350 co-processor controlling display and power. The goal is mainline kernel support with zero binary blobs — and they're opening the development process publicly, asking the community for kernel, UI, and hardware contributions. More
  • Vivaldi 8.0 — biggest design overhaul ever: Vivaldi's 8.0 release introduces a "Unified" interface — a single continuous surface replacing the layered tab/toolbar/panel structure — along with six preset layouts (Simple, Classic, Vertical, Auto-hide, Bottom) and a revamped theming system. No ads, no AI deciding what you see, same philosophy. More
  • Google IO 2026 & the war on the open web: Google Search is pushing further into "AI Overviews" — decontextualizing information, removing links to sources, and replacing them with LLM-generated answers. Commentators argue this is a strategic move to monopolize information access, with your website becoming unpaid raw material for Google's abstraction layer. More
  • AMD drops Linux from Vivado free tier: Starting with Vivado 2026.1, AMD's FPGA toolchain moves Linux support behind a paid tier (Core+, starting at ~$1,200/year). The free Basic tier is now Windows-only. Students, hobbyists, and embedded Linux developers on Zynq are hit hardest. AMD cited 70% Windows adoption — but that doesn't explain locking out the remaining 30%. Vivado 2025.2 remains free and Linux-compatible for now. More

🤖 AI

  • Project Glasswing — Anthropic's AI-powered vulnerability hunt: Anthropic's Claude Mythos Preview found over 10,000 high/critical vulnerabilities across partners' codebases in one month, and 6,200+ in 1,000+ open-source projects (90.6% confirmed true positives). The bottleneck has shifted from finding bugs to triaging and patching them fast enough — a new era for defensive security. More
  • Gemini 3.5 Flash — frontier performance for agents at speed: Announced at Google I/O, Gemini 3.5 Flash is now the default model in the Gemini app and Google Search globally. It outperforms Gemini 3.1 Pro on key agentic and coding benchmarks (Terminal-Bench 2.1: 76.2%), runs 4× faster than other frontier models, and powers the new "Gemini Spark" personal AI agent rolling out to ultra subscribers. More
  • Qwen 3.7 Max — Alibaba's new agentic flagship: Announced at the 2026 Alibaba Cloud Summit, Qwen 3.7-Max scores #1 on the Artificial Analysis Intelligence Index (57 points), supports a 1M-token context window, and was demonstrated running 1,158 tool calls in a 35-hour autonomous session. Currently API/preview only, no open weights yet. More
  • Six months in LLMs — Simon Willison's 5-minute recap: A sharp PyCon US 2026 lightning talk summary: the "best" model changed hands five times between Anthropic, OpenAI, and Google between November and May; coding agents crossed a reliability threshold in December 2025; and local models now wildly outperform expectations. More

🛠️ Tools

  • auto-identity-remove — automated data broker opt-out: Open-source macOS tool that automatically opts you out of 500+ people-search sites and data brokers (Spokeo, Acxiom, LexisNexis, ZoomInfo…) on a monthly schedule, with CAPTCHA solving, state tracking, and iMessage summaries. Your data stays local. More
  • Semble — fast, accurate code search for AI agents: CPU-only MCP server that indexes any git repo in ~250ms and answers queries in ~1.5ms, achieving 99% of transformer-level retrieval quality. Works with Claude Code, Cursor, Codex, and any MCP-compatible agent — no GPU, no API keys. More
  • files.md — your life in plain Markdown files: A local-first, offline-capable PWA for notes, journals, tasks, and knowledge bases — all in .md files you own. LLM-friendly, Telegram bot for on-the-go access, and no bloated PKM system. Simple, single-person maintainable codebase. More
  • GenCAD — image-conditioned CAD generation (MIT): Generate full parametric CAD command sequences from image renderings using a transformer + contrastive + diffusion pipeline. Outputs actual CAD programs, not just meshes. More
  • remove-ai-watermarks — strip visible and invisible AI watermarks: CLI tool that removes Gemini sparkle logos, SynthID, TreeRing, StableSignature, and C2PA/EXIF/XMP "Made with AI" metadata from images generated by major AI models — also bypasses AI image classifiers via analog humanizer. More
  • Roughdraft — local-first Markdown reviews for coding agents: A desktop app designed for reviewing, commenting, and suggesting edits on Markdown files generated by coding agents — a human-in-the-loop layer between you and your AI pair programmer. More

📂 Misc

  • Virtual OS Museum — 1,700+ operating systems, one click away: A single downloadable Linux VM with over 1,700 pre-installed and pre-configured operating systems spanning 1948 to today — from the Manchester Baby to early Android, across mainframes, workstations, home computers, and obscure research systems. 20 years of collecting, bundled with QEMU/VirtualBox/UTM launchers. Truly remarkable preservation work. More

📩 Please feel free to share this article with colleagues and friends who will find it valuable.

Thanks for reading!

Have a great day!
Bogdan