colleague.skill, yourself-skill, nuwa-skill and other 'human distillation' OSS tools are exploding in popularity, primarily in China. Seeing a tool that distills colleagues, I wondered 'what if I distilled myself?' and researched how.
CVE-2026-40175: unrelated to the March supply-chain compromise. axios's config merge picked up tainted Object.prototype values and passed them through as HTTP headers without CRLF validation, chaining to SSRF. Fixed in 1.15.0.
UC Berkeley's RDI team demonstrated that major benchmarks including SWE-bench and WebArena can be manipulated to near-perfect scores without completing any tasks. They identified 7 vulnerability patterns and released BenchJack, an automated benchmark attack tool.
Anthropic's Claude Cowork moves from research preview to general availability, adding RBAC, group spend caps, usage analytics, OpenTelemetry support, Zoom MCP connector, and per-tool access control.
Adobe released a patch on April 11, 2026 for a Prototype Pollution RCE in Acrobat Reader that had been exploited since December 2025. CVSS 8.6, Priority 1. Apply within 72 hours.
Four Japanese tech giants form a new company backed by mega-banks and Nippon Steel to build a trillion-parameter foundation model for physical AI, with roughly ¥3 trillion in combined public-private funding.
A 32-bit integer overflow in macOS's XNU kernel renders all new TCP connections impossible after 49.7 days of continuous uptime. Apple has not implemented the workaround defined in RFC 7323 over two decades ago.
The latest GlassWorm wave bundles Zig-compiled native binaries in an Open VSX extension and silently installs a second-stage payload across VS Code, Cursor, Windsurf, VSCodium, and Positron.
Google officially ships Device Bound Session Credentials (DBSC) to all Windows users in Chrome 146. By locking private keys inside the TPM, stolen cookies become useless on any other device.
Based on the 2025 Maintainers Summit consensus, coding-assistants.rst was merged into the Linux kernel, establishing rules for AI-assisted contributions: no Signed-off-by for AI, Assisted-by tag attribution, and full human responsibility.
A CVSS 9.3 unauthenticated RCE in the Marimo Python notebook was exploited within hours of advisory disclosure. Meanwhile, Astral published its comprehensive supply chain security posture for uv and ruff, covering CI/CD pipeline hardening, Trusted Publishing, and Sigstore attestation.
A research project reverse-engineered Google DeepMind's SynthID image watermark using FFT-based spectral analysis. The V3 bypass achieves 91% phase removal while maintaining SSIM 0.997. Is removing an invisible watermark copyright infringement? Analysis from DMCA, EU AI Act, and Japanese law perspectives.
