Claude Code sometimes emits a stray court token and raw <invoke> as plain text instead of running Read/Edit/Bash — a malformed tool call that never executes. How to tell it from a hung shell or a 'could not be parsed' error, on long Opus 4.8 sessions.
At Itaú, a staff engineer delivered a 4-person, 18-week project in 9 weeks with 4 AI agents — but it worked only because they knew the codebase deeply. What the case study really says about AI and team size.
TrapDoor planted 34 packages across npm, PyPI and Crates.io to steal Solana/Sui/Aptos wallet keys. Each registry fires differently: postinstall, import-time, and Rust build.rs.
Calif's Vibe Hacking: a compromised SSH host runs commands on your local terminal via VS Code/Cursor Remote-SSH. No CVE — Microsoft calls it by design. How to check and isolate instead.
Claude's new Microsoft Purview connector surfaces ~30 audit event types and on-demand chat/file access — but not prompts, model names, or tool calls. Claude Code goes through OpenTelemetry separately. Enterprise plan only; Team and consumer plans excluded.
Tested Hermes Agent x_search on a basic X Premium plan (M4 Mac mini). Docs require Premium+ but the basic tier worked. Covers uvx + OAuth setup, the 8.4s vs 58.4s timing gap, and prompts that never invoke X search.
Tested MinishLab/semble on a 1595-md Astro blog: warm bm25 returns symbol definitions in 0.84s; hybrid mode loses `seasonalBanner` to the article corpus.
What to patch, rotate, and grep after OpenClaw 2026.4.22. Walks CVE-2026-44112/44113/44115/44118 as one chain on agent runtime, with detection log fields and 24h/1w response steps.
158K lines of AI-generated C# for a Cities: Skylines II total conversion mod. CivicRAG for codebase indexing, 300+ custom Roslyn analyzers as compile-time design rules, and manual visual debugging for render bugs AI couldn't see.
CVE-2026-26268, fixed in Cursor 2.5, allowed AI agents to rewrite insufficiently protected .git config and Git hooks, leading to out-of-sandbox RCE on the next Git operation.
ZDI-26-305 discloses a sandbox bypass in OpenAI Codex. Processing a repository containing malicious JavaScript can lead to code execution under the user's privileges outside the sandbox.
Designing field-level confidence thresholds for human-in-the-loop document extraction, and the OCR and threshold walls hit when automating journal entries with freee MCP.