βοΈ Nvidia's next-gen Vera Rubin datacenter platform is now in full production. It pairs a CPU and GPU tightly linked over NVLink, and the CPU half means Nvidia is now coming for Intel and AMD's territory too.
The Rubin GPU (the Blackwell successor) delivers:
- up to 5x faster inference, 3.5x faster training
- 50 petaflops per system (vs 10 on Blackwell)
- inference cost cut to ~1/7
But the quieter big move is Vera, the new CPU half of the platform, now sold as a standalone server chip aimed directly at x86:
- "The CPU for Agents," claims 1.8x faster task completion than x86 on AI workloads
- 88 custom Arm cores, 176 threads, 227 billion transistors (Grace had 72 cores / 64B)
- 2x the memory bandwidth and 3x the bandwidth-per-core of x86 with DDR5
Early customers: Anthropic, OpenAI, xAI, ByteDance, CoreWeave, Oracle. Ships this fall.
The Rubin GPU (the Blackwell successor) delivers:
- up to 5x faster inference, 3.5x faster training
- 50 petaflops per system (vs 10 on Blackwell)
- inference cost cut to ~1/7
But the quieter big move is Vera, the new CPU half of the platform, now sold as a standalone server chip aimed directly at x86:
- "The CPU for Agents," claims 1.8x faster task completion than x86 on AI workloads
- 88 custom Arm cores, 176 threads, 227 billion transistors (Grace had 72 cores / 64B)
- 2x the memory bandwidth and 3x the bandwidth-per-core of x86 with DDR5
Early customers: Anthropic, OpenAI, xAI, ByteDance, CoreWeave, Oracle. Ships this fall.
π₯΄9π₯4β€2π1
βοΈ Over 30 official Red Hat npm packages were compromised. How they got in:
- A Red Hat employee's GitHub account was compromised.
- Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request.
- Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1.
- The commits added a workflow (ci.yaml) + script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.
Source: https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
- A Red Hat employee's GitHub account was compromised.
- Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request.
- Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1.
- The commits added a workflow (ci.yaml) + script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.
Source: https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm
π15π€£2π¨2β€1
βΌοΈπ¨ BREAKING: Yet another Instagram exploit exists due to Meta's AI chatbot having no proper guardrails. Sellers are now using it to grab premium one-letter usernames, by tricking the AI with hidden characters, then talking it into applying the change. Monitor bots already show OG handles getting swapped.
β€14π1
βΌοΈπ¨ BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Sources:
https://reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/
https://blog.ammaraskar.com/github-token-stealing/
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Sources:
https://reddit.com/r/netsec/comments/1tuue57/1click_github_token_stealing_via_a_vscode_bug/
https://blog.ammaraskar.com/github-token-stealing/
π₯11β€2
βΌοΈπ¨ German police have been buying commercial location data, harvested from phone apps and resold by data brokers, to track phones without a warrant. An investigation confirmed at least two state criminal offices did it.
Experts call it likely unlawful; a data-protection authority is now investigating.
Source: https://netzpolitik.org/2026/daten-schwarzmarkt-deutsche-polizei-nutzt-offenbar-rechtswidrig-databroker/
Experts call it likely unlawful; a data-protection authority is now investigating.
Source: https://netzpolitik.org/2026/daten-schwarzmarkt-deutsche-polizei-nutzt-offenbar-rechtswidrig-databroker/
π±13π1
This media is not supported in your browser
VIEW IN TELEGRAM
π©οΈ This is so cool: A Redditor living under SFO's takeoff path built a ceiling projection that maps every plane flying over their house in real time, using ADS-B, the open radio signal aircraft broadcast on 1090 MHz. Same feed as FlightRadar24, picked up with a cheap SDR dongle and beamed onto the ceiling.
β€11π₯5
π¨π©πͺ Germany just fined a citizen up to a month's income for posting "LΓΌgenfritz" ("Lying Fritz") about Chancellor Friedrich Merz in a Facebook comment.
Politicians love to call themselves the guardians of democracy. But Germany has a special law that gives politicians MORE legal protection from insults than ordinary citizens get. The powerful, shielded from the powerless who criticize them.
Fining people for airing their opinion is how you take free speech away. It makes the government the editor of every sentence you publish.
π€‘ And here's the kicker: German MPs have "IndemnitΓ€t", near-total lifelong legal immunity for what they say in parliament.
https://www.welt.de/politik/deutschland/article6a1ee49d1f46a650bff5cf50/mehrere-verfahren-beleidigung-von-merz-unter-facebook-post-gericht-verhaengt-hohe-geldstrafe-fuer-luegenfritz.html
Politicians love to call themselves the guardians of democracy. But Germany has a special law that gives politicians MORE legal protection from insults than ordinary citizens get. The powerful, shielded from the powerless who criticize them.
Fining people for airing their opinion is how you take free speech away. It makes the government the editor of every sentence you publish.
π€‘ And here's the kicker: German MPs have "IndemnitΓ€t", near-total lifelong legal immunity for what they say in parliament.
https://www.welt.de/politik/deutschland/article6a1ee49d1f46a650bff5cf50/mehrere-verfahren-beleidigung-von-merz-unter-facebook-post-gericht-verhaengt-hohe-geldstrafe-fuer-luegenfritz.html
π©14π€¬8π€―2π1
βοΈ Peak slop achieved: Microsoft announced "Scout," an always-on AI agent that reads your email and chats and acts on your behalf unprompted. They call it an "Autopilot." It's the sloppification of work: AI slop now runs all day reading your inbox.
π©14π3π€¬2π€£2
βΌοΈπ¨ A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar.
The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at
Source: https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm
The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at
.claude, .cursor, .gemini, and .vscode paths, a separate persistence and repo-poisoning angle.Source: https://www.stepsecurity.io/blog/binding-gyp-npm-supply-chain-attack-spreads-like-worm
β€4
βοΈGoogle employees are flooding an internal meme board with posts about how bad the company's AI is.
A source says dozens of anti-AI memes post weekly, spiking when models update or their internal coding tool Jetski breaks. One showed Jetski admitting it fabricated report metrics with over 400 upvotes.
Engineers say AI removed the code-gen bottleneck but jammed everything else: testing, build times, and human review now drowning in code nobody wrote.
CEO Pichai says 75% of new code is AI-generated, btw.
Via 404Media https://www.404media.co/google-employees-internally-share-memes-about-how-its-ai-sucks/?ref=daily-stories-newsletter
A source says dozens of anti-AI memes post weekly, spiking when models update or their internal coding tool Jetski breaks. One showed Jetski admitting it fabricated report metrics with over 400 upvotes.
Engineers say AI removed the code-gen bottleneck but jammed everything else: testing, build times, and human review now drowning in code nobody wrote.
CEO Pichai says 75% of new code is AI-generated, btw.
Via 404Media https://www.404media.co/google-employees-internally-share-memes-about-how-its-ai-sucks/?ref=daily-stories-newsletter
β€9π3π1
βΌοΈ The alienation continues: more security researchers are sticking up the middle finger after feeling squeezed by Microsoft and GitHub. MSRC emailed Black Hat USA 2026 presenters asking which MSRC cases, VULN-IDs, or CVEs their talks would cover. GitHub told a researcher to delete his public PoC repos and flagged his accounts under ToS.
π©8β€4π1