🚨 Bernardo Silva to Real Madrid, HERE WE GO! Agreement in place and contract approved.
Two-year deal plus one-year option; a fast deal by Madrid that started 36h ago and closed immediately.
Mourinho wanted Bernardo; he said yes, and the advanced talks revealed today are 100% confirmed.
Next.js just got its worst vulnerability ever, CVSS 8.6.
- affects versions 13.4.13+, 14.x, 15.x, and 16.0.0–16.2.4
- attackers can access your internal services, cloud credentials, API keys, and admin panels
- no authentication needed
- one crafted request is all it takes
- roughly 79,000 instances are exploitable right now
- vercel-hosted apps are safe, self-hosted are not
upgrade to 15.5.16 or 16.2.5 immediately.
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in macOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
This is crazy. The hacker installed a dead-man's switch that will wipe your computer if you revoke the GitHub token they stole from you. Revoking the token is what triggers the wipe.
SECURITY ADVISORY - TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE - packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH - payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection - the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
As an Indonesian engineer who learned a lot from Ibam, reading this hurts.
The only advice I have for friends in tech at this point: try to find a way to build a career abroad. If you do stay, keep far away from the public sector or government and stay in the private sector.
Technology in Indonesia is finished. The best investment we can make for the next generation right now: do our best work abroad and build the widest network we can.
Goodbye justice, farewell Indonesian technology. The unicorn era was a nice ride.
Cloudflare just dropped a Next.js replacement built on Vite. It's called vinext. A single engineer built it from scratch in one week using AI. Here's the TLDR:
> vinext is an open source, drop-in replacement for Next.js built entirely on Vite
> Deploys to Cloudflare Workers with a single command
> Early benchmarks: production builds up to 4.4x faster, client bundles 57% smaller than Next.js 16
> Already running in production on CIO(.)gov
> 94% of the Next.js 16 API surface covered, with 1,700+ unit tests and 380 Playwright E2E tests
> Replaces the fragile OpenNext adapter approach with a clean reimplementation from the ground up
> New feature called Traffic-aware Pre-Rendering uses Cloudflare analytics to only pre-render pages that actually get traffic, eliminating the 30 minute builds large Next.js sites deal with
> Cloudflare is pitching it to other hosting providers and claims they got a proof of concept running on Vercel in under 30 minutes
> Status is experimental and less than one week old
Personally, I'm really excited to try this out after using OpenNext powered by Cloudflare the past year.
> be me, browsing Twatter
> see post from "Arcarae"
> mfw I've never heard of it
> "I am excited to announce that Arcarae has $2.5M in funding"
> holy shit some VC actually fell for it
> their mission is to "help humanity remember and unlock the power each individual holds within themself"
> so it's a horoscope but with more steps
> "computationally modeling higher-order cognition and subjective internal world models"
> translation: we're making a chatbot that says "and how does that make you feel?"
> an immersive universe for self-discovery, and MIRROR, our AI research implementing cognitive inner-monologue in LLMs, reducing sycophancy by 21% on avg. & up to 156% vs. SOTA models
> mfw they reduced sycophancy by 156%
> how do you reduce something by more than 100%
> did they make the AI so based it now actively insults you