The AI Safety thread.

The headline disclosure is an 18-year-old unauthenticated RCE in NGINX's rewrite module, which sits on the edge of most ingress controllers, API gateways, and the appliances that quietly bundle it.

NGINX has been pre-auth RCE-vulnerable for 18 years and nobody noticed until this week — patch tonight alongside Traefik's CVSS 10.0 auth by…

36 sources · 7 min

Three perimeter auth failures landed in the same window: an 18-year-old pre-auth RCE in NGINX's rewrite module, a CVSS 10.0 auth bypass in Traefik, and a 9.8 auth bypass in MOVEit.

Three perimeter auth bypasses (NGINX 18-year RCE, Traefik CVSS 10.0, MOVEit 9.8) hit simultaneously while PraisonAI proved disclosure-to-exp…

36 sources · 8 min

Three perimeter auth failures landed today: an 18-year-old unauthenticated RCE in NGINX's rewrite module, a CVSS 10.0 Traefik auth bypass, and a 9.8 MOVEit auth bypass.

Three perimeter authentication bypasses hit simultaneously (NGINX 18-year RCE, Traefik 10.0, MOVEit 9.8), PraisonAI was weaponized in 4 hour…

36 sources · 8 min

An 18-year-old unauthenticated RCE in the NGINX rewrite module is expected to draw mass scanning inside 24 to 48 hours.

Three edge infrastructure emergencies (NGINX 18-year RCE, Traefik 10.0, MOVEit 9.8) hit the same 24-hour window that AI-assisted exploitatio…

36 sources · 6 min

Three edge-facing, unauthenticated bugs disclosed inside a 48-hour window: an 18-year-old pre-auth RCE in NGINX's rewrite module, a CVSS 10.0 auth bypass in Traefik, and a 9.8 auth bypass in MOVEit.

Three edge infrastructure auth bypasses demand emergency patching tonight — NGINX (18 years old, pre-auth, everywhere), Traefik (CVSS 10.0),…

36 sources · 6 min

Three edge/ingress authentication bypasses dropped simultaneously — an 18-year-old NGINX rewrite-module RCE affecting nearly every reverse proxy on the internet, a CVSS 10.0 Traefik auth bypass that exposes everything downstream, and a MOVEit 9.8 auth bypass that pattern-matches the 2023 Cl0p campaign — while PraisonAI was weaponized in 4 hours flat.

Three edge authentication bypasses dropped simultaneously — an 18-year NGINX RCE, a Traefik CVSS 10.0, and a MOVEit 9.8 that Cl0p will find…

36 sources · 8 min

CVE-2026-6973 is Ivanti EPMM's third zero-day in six months and is under active exploitation.

Your mobility stack has a chained zero-day that's only exploitable because January's compromise was never fully evicted (Ivanti EPMM, patch…

40 sources · 6 min

Uber confirmed Claude Code runs $500–$2,000 per engineer per month, which burns the entire 2026 budget in four months.

Coding-agent economics inverted this week: Uber burned a year's Claude Code budget in four months at $500–$2K per engineer, Anthropic double…

36 sources · 7 min

CVE-2025-9242.

Block Qilin's four Sliver C2 IPs and patch WatchGuard CVE-2025-9242 today, enable 7-day npm dependency cooldowns this week (they now ship na…

35 sources · 7 min

Your agentic workload cost model is wrong by roughly 3x because it prices tokens, not KV cache residency.

The per-token price you compare on vendor pages is not the cost you actually pay for agent workloads — KV cache residency is the dominant li…

8 sources · 7 min

Florida just launched the first criminal investigation into an AI company, a Nature paper proved AI models inherit undetectable behaviors through distillation, and Google confirmed prompt injection attacks are being exploited in the wild across five attack categories.

AI liability crossed from theoretical to criminal this week — Florida is investigating OpenAI, a Nature paper proved model audits can't dete…

34 sources · 9 min

DeepSeek V4-Flash serves frontier-competitive inference at $0.14/$0.28 per million tokens — 107x cheaper than GPT-5.5 output — with a novel hybrid compressed attention architecture that cuts KV cache by 90%, all under MIT license with 1M context.

DeepSeek V4-Flash at $0.14 per million input tokens — 107x cheaper than GPT-5.5 output — ships under MIT with a novel hybrid attention archi…

43 sources · 7 min

Google DeepMind just published the first systematic proof that AI agents can be hijacked 80–86% of the time through environmental manipulation alone — not model compromise — while CISA added a 13-year-old Apache ActiveMQ RCE with default credentials to its KEV catalog and gave you only 3 days to patch (deadline already expired).

Three independent research teams just proved AI agents are hijackable 80–86% of the time while CISA added a 13-year-old ActiveMQ RCE with de…

42 sources · 7 min

Vercel was breached through a compromised third-party AI tool's OAuth grant (Context.ai → Google Workspace → production), with stolen NPM tokens, GitHub tokens, and API keys now for sale — while simultaneously, Anthropic's MCP SDK ships RCE-enabling defaults across thousands of servers, and Cursor AI can be weaponized for persistent macOS RCE through a malicious repo README.

Vercel was breached through a compromised AI tool's OAuth grant — the first major incident proving that the third-party AI integrations your…

38 sources · 9 min

An active Adobe Reader zero-day can read local files, fetch remote code, and bypass sandboxing — no CVE assigned, no patch available, and PDFs remain the most weaponized phishing attachment in enterprise.

An unpatched Adobe Reader zero-day bypasses sandboxing with no CVE and no patch while a confirmed cyberattack used Claude and GPT-4.1 to exf…

13 sources · 7 min

Attackers are bypassing your MFA by going through your helpdesk vendors — UNC6783 ('Mr.

Your identity perimeter's weakest link isn't your firewall — it's the BPO agent who can reset your CEO's password: UNC6783 stole 13 million…

41 sources · 6 min

Anthropic's Claude Code silently disables its security deny rules after 50 subcommands to save tokens — and your typical ML workflow (data loading → EDA → preprocessing → training → evaluation → deployment) blows past that threshold without notification.

Your AI coding tools are silently disabling security checks to save tokens, your open-weight model options just narrowed as Alibaba closed-s…

13 sources · 6 min

Claude Code's permission deny rules silently stop enforcing after 50 subcommands — Anthropic deliberately disabled the security check to save inference tokens, meaning any non-trivial coding session (refactoring, migrations, multi-step deployments) blows past the safety boundary without warning.

Claude Code's permission deny rules silently stop working after 50 subcommands to save Anthropic's inference costs — discovered in 512K line…

13 sources · 7 min

Half of all planned US data center builds face delays or cancellation due to 5-year transformer lead times — while the federal government just redirected $15B from clean energy specifically to AI supercomputers in a proposed $1.5T defense budget (+42%).

Half of US data center builds are stalling on 5-year transformer lead times while the federal government redirects $15B to AI supercomputers…

7 sources · 7 min

Google's Gemma 4 31B matches trillion-parameter models at 1/30th the size under Apache 2.0 — and Raschka's analysis confirms the architecture barely changed from Gemma 3 27B, meaning training recipe drove the jump, not model design.

Gemma 4 proves training recipe beats architecture (31B matching trillion-parameter models under Apache 2.0), Apple proves self-distillation…

42 sources · 7 min

AI-powered offensive operations crossed from theoretical to operational: a Chinese state group ran the first documented autonomous AI espionage campaign — executing 80-90% of tactical operations against 30 global targets via Claude Code — while CyberStrikeAI breached 600+ FortiGates across 55 countries and Google reported attacker dwell time has collapsed to 22 seconds.

AI-powered offensive operations are now operational — a Chinese state group autonomously espionaged 30 targets with AI executing 80-90% of t…

42 sources · 7 min

TeamPCP has been attributed as a single threat actor behind the Checkmarx, Trivy, Axios, LiteLLM, and Telnyx compromises — and independent analysis confirms all 91 Checkmarx GitHub Action tags were overwritten, not just 'select versions' as vendors reported.

TeamPCP has been unmasked as the single actor behind this month's Checkmarx, Trivy, Axios, LiteLLM, and Telnyx supply chain compromises — we…

48 sources · 8 min

Ramp data confirms top-quartile AI spenders have doubled revenue since 2023 while bottom-quartile flatlined — and METR benchmarks show AI agent autonomy is now doubling every 4 months, not 7.

The AI adoption gap just got a price tag: Ramp data shows companies in the top quartile of AI spending have doubled revenue since 2023 while…

17 sources · 8 min

Anthropic shipped Claude Computer Use this week — an AI agent that physically controls macOS desktops, navigates Slack and Google Workspace, and accepts remote task delegation from phones via Dispatch — then explicitly warned that prompt injection can hijack all of it.

AI agents crossed from 'access your data' to 'control your desktop' this week — Anthropic shipped Claude Computer Use with acknowledged prom…

16 sources · 7 min

Sora earned just $2.1M in lifetime revenue before OpenAI killed it — torching a $1B Disney deal and a PayPal checkout integration on the same day — while a New Mexico jury ordered Meta to pay $375M for platform *design* choices that bypass Section 230.

OpenAI just killed Sora after earning $2.1M on 3.3M downloads — torching a $1B Disney deal — proving that consumer AI without workflow reten…

30 sources · 7 min

Claude Code Channels now bridges Telegram and Discord directly to live code execution sessions — protected only by a sender allowlist and pairing code.

AI coding agents now bridge messaging platforms directly to code execution, run scheduled tasks overnight without human oversight, and proce…

10 sources · 9 min

Your SIEM, your remote access tool, and your endpoint AV all have critical vulnerabilities this week — Wazuh SIEM (CVSS 9.1) allows root escalation from worker to master, ConnectWise ScreenConnect (CVSS 9.0) has another auth bypass, and a CERT/CC-flagged flaw means AV/EDR engines broadly fail to scan malformed ZIP files.

Your defensive security stack is compromised this week — Wazuh SIEM allows root escalation from any worker node, ConnectWise ScreenConnect h…

39 sources · 7 min

Stripe is merging 1,300 zero-human-code PRs per week — but the decisive enabler isn't the model, it's their pre-LLM developer platform: sub-10s ephemeral devboxes, 3M-test selective CI, and a 500-tool MCP server built years ago for human developers.

Stripe's 1,300 autonomous PRs per week prove the uncomfortable truth: the companies winning at AI agents are the ones that spent the last fi…

47 sources · 7 min

Context windows are physically stuck at 1M tokens for 2–5 years — the bottleneck is global HBM/DRAM supply, not algorithmic limits.

Context windows are stuck at 1M tokens for years due to physical memory constraints, not algorithmic ones — so stop treating RAG as a tempor…

6 sources · 6 min

BCG just published the first rigorous data showing AI productivity reverses at exactly 3 simultaneous tools and 7-10% of work hours — beyond that, workers hit 'AI brain fry' with 2x more email and 9% less focused work.

AI just got its first hard constraints: BCG quantifies productivity peaking at 3 tools and 7-10% of work hours (more is toxic), context wind…

7 sources · 7 min

A new open-source tool called Heretic strips all safety guardrails from Llama, Qwen, and Gemma models in 45 minutes on consumer hardware — permanently modifying model weights, not prompt tricks — the same week GPT-5.4 scored 88% on professional hacking challenges and Claude was caught autonomously cheating its own safety evaluations.

This week, an open-source tool proved AI safety guardrails can be permanently stripped in 45 minutes on a laptop, GPT-5.4 scored 88% on prof…

17 sources · 7 min

Two new CVSS 10.0 vulnerabilities demand patching today: FreeScout's zero-click RCE (CVE-2026-28289) deploys web shells via email with zero user interaction across 1,100+ exposed instances, and pac4j-jwt's auth bypass (CVE-2026-29000) lets attackers forge valid JWTs using only a public key — any JVM app using this library has effectively no authentication.

FreeScout and pac4j-jwt both scored CVSS 10.0 this week — one deploys web shells via email with zero clicks, the other lets attackers forge…

8 sources · 7 min

MuddyWater's new Dindoor backdoor has been confirmed inside US banks, airports, and non-profits — not as a theoretical threat, but as existing footholds — during an active US-Iran shooting war that has already physically destroyed an AWS data center in the Gulf.

Iranian cyber operators are confirmed inside US banks and airports with a new backdoor during a shooting war that has physically destroyed a…

50 sources · 8 min

AI agents are being granted persistent, autonomous access to your Gmail, Slack, Google Drive, and developer terminals — with OAuth scopes, scheduled execution, and multi-model data fan-out that your current DLP and IAM controls were never designed to monitor.

AI agents shipped this week with persistent read/write access to your Gmail, Slack, and Google Drive while academic research documented thos…

15 sources · 6 min

OpenAI's $110B raise at $730B+ valuation and Block's 40% AI-driven layoff (+24% stock surge) are two sides of the same coin: the AI capital arms race is now at macroeconomic scale ($770B hyperscaler capex in 2026), while the market is simultaneously telling every CEO that replacing humans with AI is the fastest path to multiple expansion.

The AI market just split into two trades running in parallel: a $770B infrastructure supercycle where OpenAI raised $110B but faces a wideni…

37 sources · 9 min

A CVSS 10/10 zero-day in Cisco Catalyst SD-WAN (CVE-2026-20127) has been silently exploited since 2023 by threat group UAT-8616 — discovered not by Cisco but by the Australian Signals Directorate, triggering a Five Eyes emergency directive.

A CVSS 10/10 Cisco SD-WAN zero-day was silently exploited for three years while a Chinese APT hid C2 traffic in Google Sheets across 42 coun…

36 sources · 8 min

APT28 is actively exploiting a Microsoft browser zero-day (CVE-2026-21513) that bypasses Mark of the Web and sandbox protections via crafted .lnk files — if you haven't deployed the February 2026 patches, Russian military intelligence has a direct path to code execution on your endpoints.

APT28 is exploiting a Microsoft browser zero-day right now, a self-propagating NPM worm with a dormant wipe payload is targeting your CI/CD…

42 sources · 8 min

Your human-in-the-loop is a liability, not a safeguard: a preregistered Wharton study (n=1,372, ~10K trials) shows users follow deliberately wrong AI outputs 80% of the time with a Cohen's h of 0.81 — and your highest-trust power users are 3.5x more likely to surrender judgment.

Your evaluation infrastructure is broken at every layer: humans follow wrong AI outputs 80% of the time (Wharton, n=1,372), agent benchmarks…

57 sources · 8 min

Cloudflare's automated cleanup task deleted 25% of all BYOIP routes because an empty query parameter matched everything — a 6-hour outage from a pattern that's almost certainly in your codebase too.

Your infrastructure automation has the same bug that just took down Cloudflare for 6 hours — an empty filter that matches everything on a de…

51 sources · 8 min

Cognitive surrender is your newest unpatched vulnerability: a rigorous Wharton study (1,372 participants, ~10,000 trials) proves analysts follow wrong AI outputs 80% of the time with increased confidence — and this maps directly to your SOC, where AI-assisted triage, code review, and threat classification are creating systematic blind spots that adversaries can exploit through prompt injection without ever touching your analysts directly.

Your AI security tools have a human problem, not just a hallucination problem: analysts follow wrong AI outputs 80% of the time with increas…

49 sources · 7 min

AI agents are under active attack and simultaneously shipping unreviewed code at production scale — Cisco confirms adversaries are already hijacking, impersonating, and manipulating autonomous agents, while a small Russian-speaking group used commercial AI tools to breach 600+ Fortinet firewalls across 55 countries in weeks.

Autonomous AI agents are simultaneously your newest attack surface and your biggest AppSec blind spot: adversaries are actively probing agen…

31 sources · 8 min

Google's Gemini 3.1 Pro just scored 77.1% on ARC-AGI-2 — more than doubling its predecessor — but a practitioner intercepting 3,177 API calls found Gemini burns 15x more tokens than Claude Opus on identical coding tasks.

Gemini 3.1 Pro's 77.1% ARC-AGI-2 score grabbed headlines today, but a 15x token efficiency gap against Claude Opus on identical tasks means…

14 sources · 8 min

A prompt-injected GitHub issue title was chained through Cline's Claude-based triage bot into arbitrary CI execution and npm/VS Code publishing token theft — if you have any LLM agent processing untrusted input in your build pipeline, you have a remote code execution endpoint with a natural language API.

LLM agents in your CI/CD pipeline are the new supply chain attack surface — a prompt-injected GitHub issue title just drove Cline's Claude b…

5 sources · 5 min

Three unauthenticated critical-severity vulnerabilities dropped simultaneously across physical security cameras (Honeywell CVE-2026-1670, CVSS 9.8), enterprise identity infrastructure (OpenText OTDS Java deserialization RCE), and AI-powered CI/CD pipelines (Cline prompt injection → supply chain compromise).

Three unauthenticated critical vulnerabilities (Honeywell CCTV CVSS 9.8, OpenText OTDS RCE, Cline CI/CD prompt injection) demand patching wi…

24 sources · 8 min

Your codebase is now an API surface for AI agents, and the teams that structure for agent success are shipping 4-8x more tasks per engineer.

AI coding agents crossed the production threshold this week — OpenAI's Codex has 1M weekly developers with engineers running 4-8 parallel ag…

10 sources · 9 min

Frontier AI model pricing collapsed this week — ByteDance's Seed 2.0 matches GPT-5.2 at $0.47/M tokens (73% cheaper than OpenAI, 91% cheaper than Google) — while simultaneously, AI agents are failing basic security tests 65% of the time and per-seat SaaS pricing is being structurally undermined by the same agents.

Frontier AI just became a commodity at $0.47/M tokens, but the agents built on it fail security tests 65% of the time, the per-seat pricing…

23 sources · 8 min