NEW: malware developers added nuclear & biological weapons text to to their spyware.
Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner.
Cleanest practical example I can think of for why over-indexing on first order safety alignment is risky.
When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover...and exploit.
We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users systems that need to handle complex cybersecurity issues demand that models be less safety-blunted.
In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation.
H/T to colleagues that shared this with me https://t.co/f3Aj9TYxU4
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex.
Blog post: https://t.co/WO9MeExoun
PoCs: https://t.co/NpVgEHBHPl
🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI.
Top exposure by country:
- United States: 5,340,011
- China: 2,540,008
- Germany: 1,871,780
Note on ASLR as added security: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band.
The vulnerability is a heap buffer overflow. ASLR randomizes memory layout, which makes reliable RCE much harder because the attacker cannot predict where their payload or useful gadgets land. But the overflow itself still happens. The corrupted memory still causes the NGINX worker process to crash.
ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able. Either way, patch ASAP!
WhatsApp’s “E2E encryption by default” claim is a giant consumer fraud: ~95% of private messages on WhatsApp end up in plain-text backups on Apple/Google servers — not E2E-encrypted. Backup encryption is optional, and few people enable it — let alone use strong passwords.
Vulnerabilidad crítica en 🔀n8n (CVSS 9.9) permite la ejecución de código arbitrario en miles de instancias
CVE-2025-68613, CVSS de 9,9 sobre un máximo de 10,0
El paquete tiene alrededor de 57 000 descargas semanales, según las estadísticas de npm
https://t.co/T3dJALpp51
🚨 SuperSafe Audit is LIVE! 🔒✨
Our full security audit by @offensivepulse is now complete — a major milestone toward our public launch.
Transparency and security come first, so you can now review the audit report here:
👇 https://t.co/FMeBlPJL0t
This is a huge step for SuperSafe and for everyone building with us.
Onwards! 🚀
#SuperSafe #Web3Security #Audit #CryptoWallet #SecurityFirst #crypto
Super happy and proud of this. A few months ago, @SuiFoundation set us on a mission to onboard and educate developers on Sui. With @Panic_Community making sure we had all the resources we needed from the foundation, and with @josemvcerqueira’s expertise, we had everything required to deliver the best possible learning experience.
Long story short, we’ve onboarded dozens of devs, and some of them are already taking steps on their own.
Thanks to everyone who supported the @SuiPortugal initiatives - @IPXLabs@Scallop_io@web3narva
Huge THANK YOU to @web3narva and the W3N 2025 crew for the amazing hospitality and for letting us present on stage today! 🔥
The energy in Narva was unreal, one of the best web3 events we've been to 🤝
Massive thanks to @SuiPortugal for the continued support! 🫶
@levelsio@alexwestco Project Kamp did something similar and it has gone very well for them. They bought a land in Portugal and built a community. They are renovating the various ruins found on the land without any legal problems and also made a base camp with containers and several "constructions".
Just a month later and...
🇪🇺 ChatControl is back!
Now they're trying to pass an even more far reaching ChatControl law through the back door, in a form even more intrusive than the originally rejected plan, without needing any of the EU countries votes
The new proposal:
- total mandatory surveillance of ALL text chats, emails and social media in the EU
- obligatory registration of your ID/passport to your chat, email or social media account
- minimum age requirement for chat, email and social media apps of 16 (!)
The only way to stop this law is if EU countries veto it
Read more here by @echo_pbreyer:
https://t.co/Yg2iXX9uWs
Former Director of AI at Tesla Andrej Karpathy picked up his new Model X and reviews Tesla V13.2.9 with HW4:
“Basically... I'm amazed - it drives really, really well, smooth, confident, noticeably better than what I'm used to on HW3 (my previous car) and eons ahead of the version I remember driving up highway 280 on my first day at Tesla ~9 years ago, where I had to intervene every time the road mildly curved or sloped. (note this is v13, my car hasn't been offered the latest v14 yet)
On the highway, I felt like a passenger in some super high tech Maglev train pod - the car is locked in the center of the lane while I'm looking out from Model X's higher vantage point and its panoramic front window, listening to the (incredible) sound system, or chatting with Grok. On city streets, the car casually handled a number of tricky scenarios that I remember losing sleep over just a few years ago. It negotiated incoming cars in tight lanes, it gracefully went around construction and temporarily in-lane stationary cars, it correctly timed tricky left turns with incoming traffic from both sides, it gracefully gave way to the car that went out of order in the 4-way stop sign, it found a way to squeeze into a bumper to bumper traffic to make its turn, it overtook the bus that was loading passengers but still stopped for the stop sign that was blocked by the bus, and at the end of the route it circled around a parking lot, found a spot and... parked. Basically a flawless drive.”