中村 謙一

The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance. Access to all other Claude models is not affected. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible. Read our full statement: https://t.co/bwn0sximKZ

🚨 TL;DR: Attackers are sending fake Sentry bug alerts to projects using public Sentry DSNs. The fake alert is designed to trick AI agents into running a malicious `npx` command that looks like a Sentry profiling diagnostic. Do NOT run commands from Sentry issues/logs/alerts unless verified. These are not legitimate Sentry fix commands. The malicious package reportedly steals environment variables/secrets and sends them to advisory-tracker[.]com.

VoidZero is joining Cloudflare. Our mission stays the same: to make JavaScript developers more productive than ever before. Vite, Vitest, Rolldown, Oxc, and Vite+ remain MIT-licensed. Evan and the VoidZero team will continue leading them. Cloudflare shares our commitment to open source. Together, we can keep investing in the tooling developers rely on every day, while bringing the Vite ecosystem and Cloudflare’s platform even closer together.

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

ClaudeのChrome拡張に重大欠陥が見つかり、外部スクリプトからAIを乗っ取り私的ファイル窃取やメール送信が可能になるとLayerXが報告した。単純な拡張でも権限なしで悪用できる点が深刻だ。 問題の根本はメッセージ送信元の検証不備にあり、https://t.co/ox7kZEoLBW上の任意スクリプトが拡張へ命令できる設定により信頼境界が崩���した。結果として拡張は正当な指示と誤認し不正操作を実行する「混乱した代理人」と化す。修正では内部チェックが追加されたが、拡張を特権モードに切り替えることで回避可能と判明した。研究では偽拡張によりGoogle Drive内の機密ファイル共有やGmail内容の要約・削除を強制し、承認ループやDOM改変でガードレールも突破できることを実証。Anthropicはバージョン1.0.70で許可ポップアップを導入したが、特権モードで無効化でき、サイドパネル初期化経路の問題も残る。AI機能拡張の急速な実装が基盤的セキュリティの欠落を招き、同様の欠陥が広がる危険性が指摘されている。 https://t.co/Rd9j6aJabt

Multiple security vulnerabilities affecting React Server Components and Next.js have been disclosed. We strongly recommend updating your applications immediately. Cloudflare WAF managed rules already mitigate the disclosed denial-of-service vulnerabilities, and we are investigating additional coverage for several other CVEs. https://t.co/mT9ujk1H7c