devtake.dev

#security


Vulnerabilities, breaches, and defensive-security research across the platforms devs actually use.

An illustration of the Claude Code deeplink vulnerability, showing a malicious URL handler triggering a shell prompt.
Security

A bad command-line parser turned every claude-cli:// link into a remote shell

Joernchen of 0day.click found a deeplink RCE in Claude Code. Anthropic shipped the fix in 2.1.118 the same week.

A technician at a server rack with a laptop, standing in for the SQL infrastructure Opexus ran for 45 federal agencies.
Security

Twin contractors deleted 96 federal databases in 56 minutes. One asked an AI how to clear the logs.

A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'

Stylized illustration of remote code execution attack flow
Security

F5 patched an 18-year-old NGINX bug. Attackers can RCE a third of the web with one crafted request.

F5 disclosed CVE-2026-42945 on May 13 after depthfirst's analyzer found a heap overflow in a 2008 commit. NGINX 1.31.0 ships the patch; every Plus tier needs an upgrade.

Windows logo composite with security-warning overlay
Security

A USB stick now opens a BitLocker drive in 60 seconds. The researcher calls it a backdoor.

A pseudonymous researcher dropped two unpatched Windows zero-days on May 12. YellowKey bypasses BitLocker via WinRE; Microsoft has not acknowledged either bug.

Glowing DNS server illustration above a darkened network rack
Security

Six new bugs hit dnsmasq, the DNS daemon in every Linux router. One gives a local attacker root.

CERT VU#471747 lists six dnsmasq CVEs disclosed May 11. The DHCPv6 flaw is local-root code execution. Simon Kelley credits 'a revolution in AI-based security research.'

TanStack website header with logo
Security

TanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.

Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.

Cyera Research disclosure illustration for the Bleeding Llama vulnerability in Ollama's model execution pipeline
Security

A crafted Ollama model file leaks the whole server's memory. 300,000 instances are exposed.

Cyera disclosed CVE-2026-7482 on May 1, a CVSS 9.1 unauthenticated heap read in Ollama. Three API calls dump prompts, env vars, and API keys from any open instance.

Wiz Research's disclosure page for the Dirty Frag Linux kernel privilege escalation vulnerability
Security

A nine-year-old Linux kernel bug gives root in one command. No patch exists yet.

Dirty Frag chains two page-cache flaws in the ESP and RxRPC subsystems into a deterministic privilege escalation that hits every major distro. A PoC exploit is public.

Abstract visualization of data exposure through code
Security

380,000 vibe-coded apps are sitting on the open web. 5,000 of them are leaking real data.

RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.

Illustration of students affected by a cybersecurity breach
Security

ShinyHunters hit Canvas LMS for the second time. 275 million student records, 9,000 schools.

ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.

Abstract Kaspersky illustration of a tampered software disk for the DAEMON Tools supply chain attack writeup
Security

DAEMON Tools shipped a signed backdoor for almost a month. Kaspersky says one school in Russia got the second stage.

Kaspersky pinned a supply-chain attack on the DAEMON Tools installer dating to April 8. Thousands were hit globally; dozens were upgraded to a QUIC RAT implant via signed binaries.

A padlock on a chain, illustrating credential security.
Security

Microsoft Edge keeps every saved password in cleartext memory. Microsoft calls it 'by design'.

A researcher showed Edge decrypts the entire password vault at launch and leaves it in process memory. Chrome decrypts on demand. Microsoft says it's intentional.

Composite image of a PC gaming setup with overlay text suggesting cracked DRM, accompanying a Tom's Hardware report on Denuvo's full bypass.
Gaming

Denuvo's single-player DRM is fully cracked. 2K is forcing 14-day online check-ins to fight back.

Pirate trackers hit zero uncracked Denuvo titles for the first time in 12 years. 2K's response: a token that expires every fortnight and locks you out offline.

DHS senior official Kristie Canegallo presenting awards at the CISA Annual Award Ceremony in Arlington, Virginia.
Security

Five Eyes intel agencies publish first joint agentic AI security guide. Their advice: slow down.

CISA, NSA, GCHQ, ASD, CSE and NCSC-NZ jointly tell organizations agentic AI isn't ready for fast rollout. The 23-page guide names five risk categories.

Canonical Ubuntu logo on the canonical.com homepage, illustrating the company affected by the May 2026 DDoS attack.
Security

A DDoS knocked Ubuntu's update servers offline. The Copy Fail patch landed in the same 24-hour window.

The 313 Team flooded Canonical's infrastructure starting May 1, blocking apt updates and the Ubuntu security API just as admins needed both.

Lightning AI logo on a dark background, illustrating the PyPI supply chain compromise of the lightning Python package.
Security

Mini Shai-Hulud hit PyTorch Lightning. The 11.6M-download PyPI package shipped a credential stealer.

Two malicious lightning releases hit PyPI on April 30. The 42-minute window was enough to ship an RSA-encrypted infostealer to ML developers worldwide.

WatchTowr Labs disclosure illustration for the cPanel and WHM authentication bypass CVE-2026-41940
Security

70 million domains had a no-password root bypass. cPanel rushed an emergency patch.

cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.

The Copy Fail launch graphic showing a stylized terminal prompt and the title text on a dark background.
Security

'Copy Fail' lets a 732-byte script grab root on Ubuntu, RHEL, and SUSE. Patched April 29.

CVE-2026-31431 chains AF_ALG and splice() to write into the page cache of /usr/bin/su. Xint Code disclosed it on April 29, nine years after the bug shipped.