PEAKS No 48: AI Agent Exploits, C++ Documentary & Perfect Randomness
Hi there!
🛡️ Security & Privacy
- Meta's Instagram AI support chatbot turned out to be a zero-auth account takeover machine: attackers only needed a username, a VPN, and the patience to ask nicely. The AI would reset passwords to an arbitrary attacker-controlled email with no verification, bypassing 2FA entirely. High-profile accounts like obamawhitehouse were compromised. Meta has since patched it, but Telegram black markets were busy for weeks. More
- Your smart TV is moonlighting as a web scraping exit node. Researchers at Include Security reverse-engineered Bright Data's SDK, embedded in hundreds of apps across major TV platforms, and found it silently routes AI training scraping traffic through your home IP, up to 200 GB/month by default, bypasses VPN interfaces, and works even while you're on a call. More
- A critical vulnerability in an open-source package put millions of AI agents at risk. Agentic stacks depending on the affected library were exposed before patches were issued. More
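The Instagram failure mode above, as an added illustration that is not Meta's code and makes no claim about how the chatbot was actually wired: a reset handler that writes whatever mailbox the caller names, beside one that only ever talks to the address already on file, issues a single-use expiring token, and still demands the second factor. The account record, the hash_password stand-in and the function names are constructed for this example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 900


def hash_password(pw: str) -> str:
    # Stand-in only; a real system uses a slow, salted KDF such as argon2id.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_store() -> Dict[str, dict]:
    # Constructed sample account; the address and password are made up.
    return {
        "alice": {
            "email": "alice@example.com",
            "pw_hash": hash_password("original-password"),
            "mfa_enabled": True,
        }
    }


# --- Vulnerable: the caller names the mailbox; nothing proves they own the account ---
def vulnerable_reset(store: Dict[str, dict], username: str,
                     new_email: str, new_password: str) -> bool:
    acct = store.get(username)
    if acct is None:
        return False
    acct["email"] = new_email               # attacker's mailbox now "owns" the account
    acct["pw_hash"] = hash_password(new_password)
    return True                             # the second factor was never consulted


# --- Hardened: challenge goes only to the address on file, token is single-use, MFA still applies ---
_pending: Dict[str, Tuple[str, float]] = {}   # sha256(token) -> (username, expiry)


def request_reset(store: Dict[str, dict], username: str) -> Optional[str]:
    """Issue a reset token bound to the address already on file.

    The token is returned here only so the demo can complete the flow. A real
    service hands it to outbound mail and returns the same neutral response
    whether or not the username exists, to avoid account enumeration.
    """
    acct = store.get(username)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    _pending[hashlib.sha256(token.encode()).hexdigest()] = (
        username, time.time() + TOKEN_TTL_SECONDS)
    # deliver(acct["email"], token)  <- the only place the token ever goes
    return token


def complete_reset(store: Dict[str, dict], username: str, token: str,
                   new_password: str, mfa_ok: bool) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.get(key)
    if entry is None:
        return False                        # unknown, already used, or forged token
    owner, expiry = entry
    if owner != username or time.time() > expiry:
        _pending.pop(key, None)
        return False
    acct = store[username]
    if acct["mfa_enabled"] and not mfa_ok:
        return False                        # a reset must never bypass the second factor
    _pending.pop(key)                       # single use
    acct["pw_hash"] = hash_password(new_password)
    return True
```

The contact address is the root of trust for recovery, so the hardened path never lets an unauthenticated request change it; only the stored token hash is kept server-side, so a database leak does not hand out live reset tokens.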
🛸 Tech
- Ladybird browser is closing to outside pull requests, citing AI-generated contributions that look serious but can't be verified for intent or quality. For a security-sensitive browser codebase, only project maintainers will introduce changes going forward. An interesting inflection point for open-source trust models. More
- C++: The Documentary premiered on YouTube — a 70-minute deep dive into 40 years of C++ history featuring Bjarne Stroustrup, Anders Hejlsberg, Chris Lattner, John Romero, and more. C++ is currently the fastest-growing of the top four languages, up 90% in users over 3.5 years. More
- ETH Zurich achieved certified perfect randomness for the first time, using entangled superconducting qubits and a Bell test. Outcomes that violate a Bell inequality cannot have been fixed in advance, so the resulting bits are provably unpredictable without having to trust the hardware that produced them; a potential foundation for next-gen cryptography and blockchain applications. More
- Linux may finally get a proper posix_spawn() implementation, replacing the long-standing fork() + exec() pattern. A proposal for "spawn templates" was rejected in its current form, but it sparked a productive kernel thread converging on a cleaner pidfd-based API: create an empty process first, then configure it before execution. More
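The two process-creation styles the thread contrasts, as an added example that is not the kernel proposal's code: Python's os.posix_spawn binding to the libc posix_spawn() that exists today, where every child-side step is declared up front as a file action or attribute, beside the fork() + exec() pattern with the same steps done by hand. PYTHON, spawn_capture, fork_exec_capture and the helper are names chosen here.

```python
import os
import signal
import sys
from typing import List, Tuple

PYTHON = sys.executable   # interpreter used as the child program in the demo


def _collect(read_fd: int, pid: int) -> Tuple[int, bytes]:
    # Parent side: drain the pipe, then reap the child.
    chunks = []
    while True:
        data = os.read(read_fd, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(read_fd)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status), b"".join(chunks)


def spawn_capture(argv: List[str]) -> Tuple[int, bytes]:
    """Run argv with its stdout on a pipe via posix_spawn; return (exit code, output).

    All child setup is declared as file actions and attributes and applied by
    libc between clone and exec. No caller code runs in the half-built child,
    which is the property the kernel thread wants a native API to guarantee.
    """
    r, w = os.pipe()                        # both ends are O_CLOEXEC in Python 3.4+
    actions = [
        (os.POSIX_SPAWN_DUP2, w, 1),        # dup2 clears CLOEXEC on fd 1, so it survives exec
        (os.POSIX_SPAWN_CLOSE, r),          # the child keeps nothing it does not need
        (os.POSIX_SPAWN_CLOSE, w),
    ]
    pid = os.posix_spawn(
        argv[0], argv, os.environ,
        file_actions=actions,
        setsigmask=[],                      # child starts with an empty signal mask
        setsigdef=[signal.SIGPIPE],         # undo Python's SIG_IGN on SIGPIPE for the child
    )
    os.close(w)
    return _collect(r, pid)


def fork_exec_capture(argv: List[str]) -> Tuple[int, bytes]:
    """Same result through the fork() + exec() pattern the thread wants to retire.

    Everything between fork() and execv() runs in a copy of the parent. Any
    exception there must be caught by hand, and the child must _exit rather
    than return, or two processes continue down the parent's code path.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                            # child
        try:
            os.dup2(w, 1)
            os.close(r)
            os.close(w)
            signal.signal(signal.SIGPIPE, signal.SIG_DFL)
            os.execv(argv[0], argv)
        finally:
            os._exit(127)                   # reached only if exec failed
    os.close(w)
    return _collect(r, pid)
```

The security-relevant detail in both variants is what the child inherits: descriptors, signal mask and dispositions are all set explicitly rather than left to whatever the parent happened to hold. The pidfd-based design discussed in the thread would hand back a file descriptor instead of the bare pid used here, which is what makes waiting on the child race-free.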
🤖 AI
- Google introduced Gemma 4 12B, a laptop-ready multimodal model (16GB VRAM) with a novel encoder-free architecture that handles audio and vision input natively, with no separate encoders, plus Multi-Token Prediction drafters. Paired with Gemma 4 QAT models, quantization-aware training variants optimized for mobile and laptop efficiency. More / QAT More
- How LLMs actually work — a clear, no-hype walkthrough of transformers, attention, and token prediction. Great refresher or first-read for anyone who's been skipping the fundamentals. More
- Anthropic released a defending-code reference harness — an open-source toolkit for testing AI models' ability to detect and resist code-level attacks, tied to Project Glasswing. More
- Stanford CS336 (LLM from scratch) has published its Claude.md assignment guide — a detailed spec for how students should interact with Claude while building their own language model from the ground up. Fascinating peek inside an elite ML curriculum. More
🛠️ Tools
- Odysseus — a self-hosted AI workspace (63k ⭐) with chat, deep research, agent mode, email with AI triage, calendar, notes, model comparison, and a Cookbook for local model recommendations. Think private ChatGPT + Claude, running on your own hardware. MIT licensed. More
- Alibaba's open-code-review — a battle-tested LLM-powered code review CLI that reads Git diffs and produces line-level structured comments with a hybrid deterministic + agent architecture. Supports OpenAI and Anthropic models, integrates with Claude Code as a plugin. More
- mouseless — lightning-fast keyboard-driven mouse control, for those who prefer keeping their hands on the keys. More
- linux-basics-for-hackers-notes — a structured GitHub course built from personal study notes of the OccupyTheWeb book, covering terminal, networking, bash scripting, security, and more. Great onboarding resource for security-minded Linux newcomers. More
- lathe — a Go CLI + Claude Code skill combo that generates on-demand, step-by-step technical tutorials for niche topics ("build a digital synth in Zig", "write a database from scratch in Go"), serves them in your browser, and optionally spawns a background Claude subprocess to verify every checkpoint actually compiles and runs. More
Stay curious. Stay secure. See you next week. 🔒
📩 Please feel free to share this article with colleagues and friends who will find it valuable.
Thanks for reading!
Have a great day!
Bogdan