Can't quotetoot the original but:
This is a VERY CLEAR attack on open source projects. Why would random people be registering domains en masse for popular open source projects that (currently) only redirect to the authoritative home?
Why? Because they're building search engine credibility. Once the attackers have gained enough credibility, they will pull the bait and swap to an attack payload at the domain.
Exercise EXTREME caution with your internet searches.
https://social.kernel.org/objects/bc6c59fe-a58c-47f7-9f1a-604d21b7f003
I am collecting material, sources on LLMs and vulns before and after the recent mythical moment in time.
The (searchable) list is here: https://tzafaar.codeberg.page/
Take a look and let me know if your favourite source, paper, blog post, repo is missing.
Would appreciate retoots
One thing I've noticed after tracking down so many cybercriminals is that it's super common for the person's first sales thread on a forum to include data stolen from an organization in the country where they live. This is more remarkable when the threat actor is outside the United States, because it very often tells you exactly which country they are from.
You might think that this would be a very dumb thing to do from a self-preservation perspective, but a lot of times they are eager to make a splash on the forums and the best data or access they have is their government's data or some company working with their country's govt. And if you consider that many young people get started in hacking by sticking it to the local authorities and trying to make them look like clowns, it makes a lot more sense.
See how a single race condition led to renderer RCE.
In our new article, we examine a high-severity TOCTOU bug between Blink and V8's WebAssembly compiler that allowed a benign module to pass validation while a malicious one was compiled. Because the Wasm JIT pipeline resides outside the V8 heap sandbox, this resulted in renderer RCE without requiring a V8 sandbox escape.
Read our full analysis: https://ssd-disclosure.com/readablestream-toctou-v8-sandbox-bypass-via-wasm-streaming/
strace(1) is cool btw
I usually take it for granted, but like, imagine how hard life would be if your OS didn't have a well-documented syscall layer, or if you couldn't snoop at it to see how a process interacts with the rest of the system.
I broke my Rust installation by deleting .cache (who stores anything important in .cache?!) and had to reinstall on a dirty FS.
Now I don’t know if it’s me, or it’s impossible to install @atuin from crates.io with rustc 1.85.0?
On the latest version the atuin-ai breaks - which I really don’t need in a shell history manager - this one worked:
cargo install atuin --no-default-features --features=client,check-update,daemon,pty-proxy
KPMG pulls report on AI usage due to apparent hallucinations
L: https://techcrunch.com/2026/06/13/kpmg-pulls-report-on-ai-usage-due-to-apparent-hallucinations/
C: https://news.ycombinator.com/item?id=48527297
posted on 2026.06.14 at 10:01:35 (c=2, p=6)
June 12th: “Your Frontier Provider Is Quietly Limiting Your Capability & Research” https://starseer.ai/blog/your-frontier-provider-is-quietly-limiting-your-capability-research
June 13th: “Irony: The US Government Issues an Export Control Directive for Fable 5 and Mythos 5” https://berryvilleiml.com/2026/06/13/irony-the-us-government-issues-an-export-control-directive-for-fable-5-and-mythos-5/
Turns out, it’s not such a great idea for the entire industry to joyfully jump into a deep dependency on pre-IPO hype machines.
Did you know? The latest edition of the C standard introduces left-worm and right-worm operators which can be used in place of the cumbersome x + 1 and x - 1 notation: https://godbolt.org/z/jeYK9aaKv
I feel like this whole Anthropic export ban thing should be a wakeup call to anyone outside the US that if you've been newly developing a dependency on a proprietary US cloud service the government could decide to restrict export access to at any moment, you've made a strategic error and should probably reconsider that.
*Student Worker Position in the Mozilla Firefox Application Security Team*
I'm hiring for a part-time student role in Mozilla's Firefox Application Security team in Berlin/Germany (remote possible). We are trying to reach students from a broad range of backgrounds, not only people who already see themselves as "security people". It is required that applicants are enrolled in a university in Germany.
NEW: Oracle is warning customers of an unpatched bug in its PeopleSoft software, which Google says is the flaw that the cybercrime group ShinyHunters is exploiting in its latest mass hacking campaign.Â
Google said it notified more than 100 organizations worldwide that they had exposed and vulnerable PeopleSoft servers, most of them colleges and universities.Â
Broken official patches for Windows Shell Spoofing Vulnerability (CVE-2026-32202)
https://0patch.com/blog/micropatches-released-for-windows-shell-spoofing-vulnerability-cve-2026-32202