Bun PR #30412 merged a Zig-to-Rust rewrite into main: 6,755 commits, 1M+ lines, binaries 3–8 MB smaller. Try via bun upgrade --canary, with notes on the claude/* branch workflow and why memory safety, not speed, drove it.
Malicious node-ipc 9.1.6/9.2.3/12.0.1 fire on require(), not postinstall. 12.0.1 is SHA-256 gated (targeted), so an app that runs normally is no proof of safety. Exfiltrates dev/CI secrets via DNS TXT.
Elliptic curve group law, discrete log behind ECDH, and the Frey-Ribet-Wiles argument that proved Fermat's Last Theorem, walked through with diagrams of y² = x³ + ax + b, point addition cases, and the modularity logic chain.
Next.js CVE-2026-44578: WebSocket upgrades on self-hosted Node.js can SSRF to internal HTTP endpoints. Vercel unaffected. Fix is 15.5.16 / 16.2.5+, or 15.5.18 / 16.2.6 for May rollup.
Composer 2.9.8/2.2.28 fix CVE-2026-45793: GitHub's new GITHUB_TOKEN includes hyphens that Composer's old regex rejects, leaking the token into CI logs as plaintext.
Fragnesia (CVE-2026-46300) overwrites the Linux page cache via XFRM ESP-in-TCP. The Dirty Frag workaround still applies, but IPsec hosts need to check side effects first.
Uniswap's constant product x*y=k explained: why product instead of sum, IL as selling volatility, JIT liquidity on V3 concentrated liquidity, and amountOutMinimum against sandwich attacks.
137 CVEs, no zero-days. Netlogon and DNS Client RCEs (both CVSS 9.8) lead — compared against ZeroLogon/SIGRed, with patch priority tiers and detection notes for SOC teams.
Andrew Quinn shrank a Finnish dictionary from 3GB SQLite FTS to a 10MB FST binary. The 300× win required prefix search, agglutinative inflection, static data, and shared suffixes.
CVE-2026-42945 hits nginx 0.6.27–1.30.0 rewrite module with heap overflow. CVSS 9.2 but only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.
Verdict on GTIG's May 11, 2026 report: the first confirmed AI-generated zero-day, a Python 2FA bypass for an OSS admin tool, was caught by a hallucinated CVSS score and textbook Pythonic code structure.