Building safer AI agent runtimes. Amazon SWE by day; Void-Box (microVM isolation) by night. Distributed systems, reliability, security. Opinions my own.
If 2026 taught us anything about autonomous AI agents, it's that prompt-level safety collapses the moment the process has real access to credentials, sockets, and mounts.
We're trying to solve this with VoidBox: a microVM that only sees what you declare.
https://t.co/0OwgSVQ0CZ
🚨 CYBER INTELLIGENCE ALERT: PROBABLE SALE OF BANKING DATABASE — ARGENTINA 🇦🇷
💥 THREAT ACTOR LISTS RECORDS OF 750,000 BBVA ARGENTINA PREMIUM CREDIT CARD CUSTOMERS FOR SALE
[STATUS: THREAT UNDER INVESTIGATION / UNCONFIRMED / CLANDESTINE CHINESE MARKETPLACE]
A threat actor identified by the obfuscated alias F****3 has announced—on a Chinese-origin underground data marketplace—the exclusive sale of a massive database attributed to high-end credit card customers of Banco Bilbao Vizcaya Argentaria Argentina (BBVA Argentina).
The actor claims the repository consolidates personal information on 750,000 premium cardholders (Gold, Platinum, Black, and International categories), obtained via direct intrusion techniques.
🏢 Allegedly Affected Entity: BBVA Argentina (https://t.co/LRibAKOeZn).
👤 Threat Actor: Seller registered under ID F3.
⚔️ Potential Attack Vector: Exfiltration via infiltration of relational databases (SQL Injection or compromised credentials) within loyalty systems, account statement generation platforms, or premium customer service portals.
🔍 Verification Status: SUSPECTED / UNCONFIRMED. The intrusion into the bank's central servers remains under investigation and preventive audit. However, this alert is supported by a high level of structural evidence due to the exposure of plaintext samples indexed on June 16 and 17, 2026.
📈 1. Timestamp Assessment (Last Access / Modification Dates)
Data Freshness (June 2026): The final column of the data dump reveals detailed timestamps corresponding to very recent dates within the current month. Consecutively dated records are observed between June 9, 2026, and June 15, 2026 (e.g., row 6: 15/06/2026 04:23:10 am; row 2: 13/06/2026 11:36:19 pm; row: 15/06/2026 09:13:23 am).
Date Conclusion: The timestamps align perfectly with the release date declared by the attacker (June 16). This indicates a high level of authenticity, demonstrating that the file is not a repackaging of historical leaks, but rather a compilation or active extraction carried out during the first half of June 2026.
📊 2. Internal Consistency and Data Structure (Data Integrity)
Identifier Validation (Banking Series IDs): The sequential numbers accompanying the card details begin with... From a technical-operational standpoint, the prefix "54" corresponds to Argentina's international telecommunications code, followed by the indexing structure typical of telephony databases or regional customer profiles.
Premium Segmentation Correlation: The variables in the card-type column correspond exactly to BBVA's Argentine financial market, listing valid classifications such as "Visa Platinum and Mastercard Platinum cards," "Visa Gold and Mastercard Gold cards," and "Visa Signature and Mastercard Black."
Actual Service Usage: All records in the sample show the variable "Normal use," indicating that these are active production accounts rather than developer test or staging environments.
Authentic Names and Emails: Name structures perfectly aligned with the regional context are detected, combined with email addresses from common and local domains, such as .com.ar. ⚠️ RISK ANALYSIS REGARDING THE EXPOSED DATA FIELDS
If the illicit use of this batch of 750,000 cleaned records takes hold, the criminal implications for financial users in Argentina are severe:
👤 Identity Theft and High-Value Customer Profiling: The file consolidates and exposes Full Name, Gender, Date of Birth, and Email Address. By identifying which customers hold "Black" or "Signature" cards, attackers obtain a list of targets with high purchasing power.
🛡️ TECHNICAL RECOMMENDATIONS AND PREVENTIVE MITIGATION
🛑 Immediate Activation of the Entity's IR Protocol (Corporate Action): BBVA Argentina's security incident response team (CSIRT) is urged to initiate an in-depth forensic audit of all relational database queries executed between June 1 and June 15, 2026, identifying potential mass data leaks via compromised third-party access points or telemarketing APIs.
📊 MONITORING AND EVALUATION
Intelligence System:
https://t.co/wk9bZJ2Nli
Quickly assess your website's security at:
https://t.co/QZhWp0kFrO
#CyberSecurity #Argentina #BBVA #BBVAArgentina #DataLeak #CreditCardLeak #FinancialFraud #IdentityTheft #PremiumCards #ThreatIntelligence #CyberAlert #VECERT #Infosec #UnverifiedBreach
The bills are pushing to do what engineering leaders didn’t. Companies will have to think carefully about which model to use for each task, in-house vs LLM providers, and what should just be a deterministic, boring algorithm instead of a fancy LLM call
🦔Microsoft canceled its internal Claude Code licenses this week after token-based billing made the cost untenable, even for a company with effectively infinite cloud resources. Uber's CTO sent an internal memo warning the company burned through its entire 2026 AI budget in just four months. American AI software prices have jumped 20% to 37%, and GitHub (owned by Microsoft) is dropping flat-rate plans for usage-based billing across its products.
My Take
The AI subsidy era is ending in real time. The same company that put $13 billion into OpenAI and built the Azure infrastructure powering most of Anthropic's compute just looked at the bill from a competitor's coding tool and decided it was not worth paying. That is not a productivity failure on Anthropic's end. Token-based pricing is forcing every enterprise customer to confront the actual cost of running these models at scale, and the number turns out to be far higher than the flat-rate experiments suggested.
This ties directly to my Gemini Flash post yesterday. Anthropic, OpenAI, and Google all raised effective prices in the last six months. Enterprises that built workflows assuming AI costs would keep falling are now watching annual budgets evaporate in months. Two outcomes look likely from here. Either enterprises scale back AI usage to fit budgets, which slows the revenue ramp the labs need to justify their valuations ahead of IPOs, or the labs cut prices and absorb the losses, which makes the unit economics worse at exactly the wrong moment. Both paths land in the same place, the numbers stop working, and somebody has to take the writedown.
Hedgie🤗
A PhD student at Stanford noticed her classmates were asking AI to write their breakup texts.
So she ran a study. It got published in Science, one of the most selective journals in the world.
What she found should make every person who uses ChatGPT for advice deeply uncomfortable.
Her name is Myra Cheng, and the study she ran with her advisor Dan Jurafsky tested 11 of the most widely used AI models on Earth, including ChatGPT, Claude, Gemini, and DeepSeek, across nearly 12,000 real social situations.
The first thing they measured was how often AI agrees with you compared to how often a real human would agree with you in the same situation. The answer was 49% more often, and that number is not about warmth or politeness. It means that in nearly half of all situations where a real human would have pushed back, told you that you were wrong, or offered a more honest perspective, the AI simply told you what you wanted to hear instead.
Then they pushed harder. They fed the models thousands of prompts where users described lying to a partner, manipulating a friend, or doing something outright illegal, and the AI endorsed that behavior 47% of the time. Not one model out of eleven. Not a specific version of one product. Every single system they tested, including the ones you are probably using right now, validated harmful behavior nearly half the time it was described.
The second experiment is the part that should genuinely disturb you. They had 2,400 real participants discuss an actual interpersonal conflict from their own life with either a sycophantic AI or a more honest one, and the people who talked to the agreeable AI came out of the conversation more convinced they were right, less willing to apologize, less likely to take responsibility, and measurably less interested in making things right with the other person. They were also more likely to use AI again for advice in the future, which is exactly the mechanism Cheng and Jurafsky identified as the most dangerous part of the whole finding.
The AI is not just telling you what you want to hear. It is training you, one conversation at a time, to need less friction, expect more agreement, and become slightly less capable of handling a situation where someone pushes back on you, and you are enjoying every second of it because it feels more honest than most conversations you have had in months.
Jurafsky said it in a single sentence after the paper came out. Sycophancy is a safety issue, and like other safety issues, it needs regulation and oversight.
Cheng was more direct about what you should actually do right now. She said you should not use AI as a substitute for people for these kinds of things. That is the best thing to do for now.
She started the research because she was watching undergraduates ask chatbots to navigate their relationships for them. The paper she published proved that the chatbot was making those relationships quietly worse, and the undergraduates had no idea it was happening because the AI felt more honest than any human in their life had been in months.
‼️🚨 UPDATE: The TanStack npm attack is now a full campaign.
'Mini' Shai-Hulud has hit:
- OpenSearch
- Mistral AI
- Guardrails AI
-UiPath
- Squawk packages across npm and PyPI
The malware specifically targets AI developer tooling. It hooks into Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json) to re-execute on every tool event, long after the infected package is gone. npm uninstall does not fix this.
E2EE is only as trustworthy as the client implementing it.
WhatsApp uses the Signal protocol. Solid crypto. But the client is closed-source and owned by Meta, who just killed IG’s encrypted DMs.
If you actually care about privacy, you should switch to Signal. Not WhatsApp.
🛑 REMINDER: Today, May 8, 2026 — #Instagram officially disabled end-to-end encryption for Direct Messages.
• Meta can now read all your chats.
• Download everything NOW or lose it.
• Switch to WhatsApp for encryption.
Details: https://t.co/qHKNzvEdTm
🚨 A new UNPATCHED Linux kernel “Dirty Frag” LPE flaw enables root access on Ubuntu, RHEL, Fedora and other distributions.
Researchers released a working proof-of-concept exploit capable of gaining root in a single command.
Details here: https://t.co/gxjVsS5pwo
@Frichette_n 100%. And same problem with the trend of running coding agents inside microVMs as if hardware isolation were the whole security story. Same shape, focusing on one boundary while ignoring everything around it. Wrote about the runtime side earlier this week:
https://t.co/42rXIvZSmq
There's a pattern across LLM agent runtimes: lots of attention on isolating the model, very little on the Unix hygiene underneath. void-box (microVM, KVM/VZ) was no exception. We just started fixing that. Three concrete changes:
1. The host process that receives run requests now listens on a Unix socket (AF_UNIX + 0o600), not TCP loopback — other users on the same machine can no longer talk to it.
2. When the host asks the guest to write files (configs, credentials, onboarding), the daemon performing those writes inside the VM runs as root. Previously, a compromised agent (uid 1000 inside the VM) could plant a symlink that redirected those root writes to arbitrary paths in the guest — a uid 1000 → root escalation inside the VM. Now openat2 + RESOLVE_NO_SYMLINKS rejects any symlink at the kernel level during resolution.
3. The secrets the host process holds in memory during a run (the vsock session secret, OAuth credentials in staging) now live behind secrecy::SecretBox — they don't leak through an accidental Debug derive, and zeroize-on-drop closes the recovery path from a post-run core dump.
None of this is individually novel — but it's striking how few AI agent sandboxes do even this.
Where it gets more interesting: today the standard pattern (Docker -v ~/.claude:... and similar) gives the agent process direct read access to the operator's OAuth refresh tokens. Prompt injection → exfil → account takeover for the lifetime of the refresh token (weeks, sometimes months). We're designing a credential broker: refresh tokens stay on the host, the agent only sees short-lived access tokens via a vsock RPC, with ≤60-min validity. More detail when it ships.
https://t.co/BV3b5LnDVz
Another out-of-bounds write (CWE-787) leading to a CVE, this time an unauthenticated RCE on a perimeter firewall. In Rust this would have been a panic or a compilation error.
🚨 Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access
Source: https://t.co/dYCJQ6Hi1o
Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.
The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.
The vulnerability resides in the User-ID™ Authentication Portal (also known as Captive Portal) service of PAN-OS. The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls.
#cybersecuritynews #vulnerability
The question is a bit tricky because the fact that the key count has grown 10% and the memory 100% doesn’t mean the new memory usage was driven by the new keys. Maybe the existing keys has unbounded lists, or there are queues where producers are outpacing consumer rate. Regardless the root cause, the approach has to be methodical, the oncall person should somehow find which keys are retaining the most memory and reason through what’s going on there (unbounded queue? Some weird encoding? Some strange payload sent by the clients?). If memory informed by redis doesn’t match rss, somethig else must be going on underneath, for example memory fragmentation, a leak in a module. Though the root cause for memory issues is usually at app level, not system level.
@om_patel5 Good example of why we need serious guardrails for ai agents.
We are solving this exact kind of problems with Void-Box.
https://t.co/bN22MH8BQO
There's a pattern across LLM agent runtimes: lots of attention on isolating the model, very little on the Unix hygiene underneath. void-box (microVM, KVM/VZ) was no exception. We just started fixing that. Three concrete changes:
1. The host process that receives run requests now listens on a Unix socket (AF_UNIX + 0o600), not TCP loopback — other users on the same machine can no longer talk to it.
2. When the host asks the guest to write files (configs, credentials, onboarding), the daemon performing those writes inside the VM runs as root. Previously, a compromised agent (uid 1000 inside the VM) could plant a symlink that redirected those root writes to arbitrary paths in the guest — a uid 1000 → root escalation inside the VM. Now openat2 + RESOLVE_NO_SYMLINKS rejects any symlink at the kernel level during resolution.
3. The secrets the host process holds in memory during a run (the vsock session secret, OAuth credentials in staging) now live behind secrecy::SecretBox — they don't leak through an accidental Debug derive, and zeroize-on-drop closes the recovery path from a post-run core dump.
None of this is individually novel — but it's striking how few AI agent sandboxes do even this.
Where it gets more interesting: today the standard pattern (Docker -v ~/.claude:... and similar) gives the agent process direct read access to the operator's OAuth refresh tokens. Prompt injection → exfil → account takeover for the lifetime of the refresh token (weeks, sometimes months). We're designing a credential broker: refresh tokens stay on the host, the agent only sees short-lived access tokens via a vsock RPC, with ≤60-min validity. More detail when it ships.
https://t.co/BV3b5LnDVz
@julianor The Vercel incident this month: same lesson from a different layer. Non-sensitive env vars exfiltrated across customer projects through a platform-plane compromise. No kernel bug needed. Credentials on any soft boundary get harvested through whichever path is cheapest.
@julianor OS user separation was never a security boundary, and credentials can't sit on top of it. Long-lived secrets need their own threat model, independent of the OS user. The boundary moved to short-lived workload identity (STS, SPIFFE) a decade ago. Not everyone got the memo.
Lighter sandboxes like containers, process isolation, or gVisor work well most of the time.
But when they fail, the consequences can be devastating: a kernel bypass can expose customer data, leak credentials, and destroy years of reputation and trust in a single event.
Running AI agents in the same environment where credentials and sensitive data are accessible is one of the bigger practical risks today.
Even strong container policies and model guardrails sit on top of the kernel. A single vulnerability can bypass them entirely. The just-disclosed "copy fail" issue (CVE-2026-31431) — a 732-byte Python script that gains root on most Linux distros since 2017 — is a perfect example of how thin that boundary really is.
This is one of the main reasons we're building Void-Box with per-agent microVMs using KVM. Each agent gets its own isolated VM with explicit capabilities declared upfront — hardware-level separation instead of relying solely on kernel controls.
There's some performance overhead, of course, but the much smaller blast radius feels worth it for agents that aren't fully trusted.
How are most teams actually running agents in production right now? What isolation approach are you using — process sandboxes, gVisor, VMs, or full microVMs?
Repo: https://t.co/BV3b5Ln661