Google extended Binary Transparency to its Android apps and Mainline modules starting May 2026. How the public log and verification tools differ from code signing, what's actually covered, and what the ADB-based verification workflow looks like for researchers.
Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.
Next.js 16.2.6 / 15.5.18 dropped 13 security advisories at once. The impact depends on whether you use App Router, Middleware, RSC, or self-hosted Node.js server — here's where to look before upgrading.
CVE-2026-26268, fixed in Cursor 2.5, allowed AI agents to rewrite insufficiently protected .git config and Git hooks, leading to out-of-sandbox RCE on the next Git operation.
ZDI-26-305 discloses a sandbox bypass in OpenAI Codex. Processing a repository containing malicious JavaScript can lead to code execution under the user's privileges outside the sandbox.
How much does periodic password rotation or character-class enforcement actually help? A look at the numbers: leak probability, entropy, and user behavior.
APIs generated by Cursor and Claude Code often include authentication middleware but skip per-resource ownership checks. A look at IDOR/BOLA basics, typical patterns, and the fix of scoping DB queries by owner.
ERC-8128 emerged as a standard for proving the origin of AI agent communications when agents handle crypto assets. Walks through ERC and message signing basics, how it differs from API keys and OAuth, and the implementation flow.
An LLM safety monitor's evaluator can be tricked into clearing dangerous sessions when the attacker plants fake analysis text in the monitored conversation. Experimental results, defense limits, and structural separation points.
In its April 23 update, Vercel disclosed customer accounts compromised prior to and independently of the Context.ai incident. Covering the Lumma Stealer infection path, the ShinyHunters $2M BreachForums listing, and what non-sensitive environment variables actually mean.
A regression in cryptographic signature validation introduced a CVSS 9.1 flaw into .NET 10.0. The Data Protection API implemented HMAC verification incompletely, opening the door to padding oracle attacks and forged authentication tokens.
Vercel's official incident disclosure published on April 19, 2026. A walk-through of how a compromise of Context.ai's Google Workspace OAuth app led to Vercel employee account takeover and access to environment variables in some customer projects, plus the checks users should run right now.