A CVSS 9.3 unauthenticated RCE in the Marimo Python notebook was exploited within hours of advisory disclosure. Meanwhile, Astral published its comprehensive supply chain security posture for uv and ruff, covering CI/CD pipeline hardening, Trusted Publishing, and Sigstore attestation.
A research project reverse-engineered Google DeepMind's SynthID image watermark using FFT-based spectral analysis. The V3 bypass achieves 91% phase removal while maintaining SSIM 0.997. Is removing an invisible watermark copyright infringement? Analysis from DMCA, EU AI Act, and Japanese law perspectives.
The full picture of Operation Masquerade as disclosed by the FBI and NCSC. APT28 tampered with SOHO router DNS to intercept Outlook auth tokens — the techniques and countermeasures.
An Adobe Reader/Acrobat zero-day actively exploited since November 2025. A two-bug chain achieves sandbox bypass and RCE, affecting all versions including the latest. No patch available.
Anthropic's unreleased Claude Mythos Preview discovered thousands of zero-day vulnerabilities including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg bug. Deemed too dangerous for public release, it ships exclusively through Project Glasswing to 12 founding partners.
The fix for CVE-2024-41110 missed the upper bound — request bodies over 1MB bypass AuthZ plugins. All Docker Engine versions before 29.3.1 are affected.
CVE-2025-59528: A Function() constructor-based arbitrary code execution vulnerability in Flowise's CustomMCP node is being actively exploited. Over 12,000 instances remain exposed on the internet.
A security scan of 50 open-source MCP servers found 61% lacked input validation. This article covers real vulnerabilities in high-profile servers like Playwright MCP and Puppeteer MCP, and examines when to skip MCP entirely and use CLI tools directly.
Google Drive's AI ransomware detection and recovery feature is now generally available with 14x improved detection. But Google's history of false-positive account bans raises questions about relying on Drive as primary storage.
An Anthropic researcher used Claude Code to scan the entire Linux kernel source and unearthed a 23-year-old remotely exploitable heap overflow in NFSv4.0. Technical breakdown plus a reality check on what it costs for ordinary users to replicate this.
36 malicious npm packages disguised as Strapi CMS plugins were published by 4 sock-puppet accounts. 8 payload variants deployed Redis crontab injection, PostgreSQL direct access, reverse shells, and persistent implants. The target appears to be crypto exchange Guardarian.
Follow-up to the axios compromise. Public reporting from GitHub, Socket, Google, and Microsoft shows UNC1069/Sapphire Sleet used the same social-engineering playbook against maintainers tied to Mocha, Fastify, Lodash, dotenv, and Node.js core.