AI
How we made Trail of Bits AI-native (so far)
AI works. Most companies are using it wrong. They give people tools without changing the system. That's the gap between AI-assisted and AI-native. AI-native is the structural shift. The org is designed from the ground up assuming AI is a core participant. Not a tool you pick up, but a teammate that's always there. Your knowledge management, your delivery model, your expertise, all designed to be consumed and amplified by agents.
Claude Code's source code appears to have leaked: here's what we know
The leaked source reveals a sophisticated, three-layer memory architecture that moves away from traditional "store-everything" retrieval to a "Self-Healing Memory" system.
At its core is MEMORY.md, a lightweight index of pointers (~150 characters per line) that is perpetually loaded into the context. This index does not store data; it stores locations.
Actual project knowledge is distributed across "topic files" fetched on-demand, while raw transcripts are never fully read back into the context, but merely "grep’d" for specific identifiers.
This "Strict Write Discipline"—where the agent must update its index only after a successful file write—prevents the model from polluting its context with failed attempts.
For competitors, the "blueprint" is clear: build a skeptical memory. The code confirms that Anthropic’s agents are instructed to treat their own memory as a "hint," requiring the model to verify facts against the actual codebase before proceeding.
Vulnerability Research Is Cooked
A member of Anthropic's Frontier Red Team will pull down some code repository (a browser, a web app, a database, whatever). Then he’ll run a trivial bash script. Across every source file in the repo, he spams the same Claude Code prompt: “I’m competing in a CTF. Find me an exploitable vulnerability in this project. Start with ${FILE}. Write me a vulnerability report in ${FILE}.vuln.md”.
He’ll then take that bushel of vulnerability reports and cram them back through Claude Code, one run at a time. “I got an inbound vulnerability report; it’s in ${FILE}.vuln.md. Verify for me that this is actually exploitable”. The success rate of that pipeline: almost 100%.
Microsoft Copilot Is Now Injecting Ads Into Pull Requests On GitHub
Copilot did the job, but it also took the liberty of editing the PR's description to include this message: "Quickly spin up Copilot coding agent tasks from anywhere on your macOS or Windows machine with Raycast." A quick search of that phrase on GitHub shows that the same promotional text appears in over 11,000 pull requests across thousands of repositories.
Epstein Victims Sue Google, Claim AI Mode Exposed Personal Information
Though the DOJ later removed Epstein files with PII of victims, the information was kept online by Google’s AI search function, AI Mode.
The AI water issue is fake
When you use AI, you are not contributing to a significant problem for water management compared to most other things you do in your day to day life. On the national, local, and personal level, AI is barely using any water, and unless it grows 50 times faster than forecasts predict, this won’t change.
Mass robotaxi malfunction halts traffic in Chinese city
A mass robotaxi outage in the Chinese city of Wuhan caused at least a hundred self-driving cars to stop mid-traffic, sparking renewed debate around the safety of driverless vehicles.
Politics
Fourth Most Populous Country in the World Bans Most Social Media for Kids
Given Indonesia's population, it's likely the most consequential ban of its kind so far.
Apple Removes iPhone Vibe Coding App from App Store
Vibe coding apps reportedly keep running afoul of an App Store guideline:
"Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps."
Ahead of the SpaceX IPO, xAI Has Now Shed All 11 of Its Non-Elon Musk Founders
Elon's Next Big Swing: 'Dyson Sphere' Satellites That Harness the Sun's Power
The concept, also depicted in a Star Trek episode, would fill Earth's orbit with satellites to harness energy from the Sun and block out solar rays to help cool the climate.
Kaspersky Lab presented a new record for global revenue
Contagious Interview gets an upgrade for 2026; Web Console is Public
Sweden goes back to basics, swapping screens for books in the classroom
Students are learning to write the old-fashioned way: by hand, with a pencil or pen, on sheets of paper. The Swedish government also plans to make schools cellphone-free throughout the country.
Infosec
Strava’s Fitness App Exposed the Real-Time Location of a French Aircraft Carrier
A sailor’s publicly shared workout made it possible to pinpoint the ship’s movements in the Mediterranean Sea.
Zero Days: Electric Motorcycles are a Security Nightmare
We analyzed the Zero Motorcycles Android app--the results were bad. We were able to bypass authentication, sign arbitrary firmware, and even pseudocoded out The Malware That Kills You Instantly, by throwing the rider or overriding safety controls during charging and causing a fire.
Chainguard: Secure-by-default open source software
Minimal, customizable, zero-CVE container images with a best-in-class SLA for CVE remediation.