Today, we’re announcing Bonsai 27B: the first 27B-class model to run on a phone.
Bonsai 27B is the new multimodal flagship of the Bonsai family. Based on Qwen3.6 27B, it brings a new capability tier to local AI: multi-step reasoning, structured tool use, long-context workflows, and coherent agentic loops.
Until now, models in this class have been impractical to deploy locally. A 27B model occupies roughly 54 GB in 16-bit precision, and even a strong 4-bit build is around 18GB - too large for a phone and for most laptops.
Bonsai 27B changes that.
It comes in two variants:
• Ternary Bonsai 27B: 5.9 GB, 1.71 effective bits per weight, optimized for laptop-class quality.
• 1-bit Bonsai 27B: 3.9 GB, 1.125 effective bits per weight, optimized for phone-class footprint.
Everything is open-sourced today under the Apache 2.0 license.
This is an important email I sent today to all employees at XBOX:
Team,
We are beginning the most significant restructure in XBOX history. After careful consideration, I've made the difficult decision to reduce our team by approximately 3,200 throughout FY27. This will include approximately 1,600 role eliminations today, and in addition, four studios will leave XBOX to new management. I recognize that a year-long restructuring creates additional challenges. Unfortunately, it is not possible to make all the necessary changes in a single day, and I wanted to be direct about the scale.
I know this is painful. These changes will directly affect people who have poured their creativity into building XBOX. Many joined us through acquisitions, while others were recruited here, or sought us out because they loved this industry and loved XBOX. Today's decisions do not reflect their talent or dedication.
Our business today is not healthy. We are operating at margins that are 3–10x lower than comparable platform and publishing businesses. We entered Gen 9 with a smaller install base and a higher cost structure. To grow, we bet on Game Pass, multi-platform, and a broader portfolio of content. While those businesses have created meaningful value, they did not grow at the pace we expected. As that happened, our core business weakened, and we added more teams, more investment, and more time, hoping for a better outcome. And now the industry is facing the most severe hardware crisis in its history. We must reset XBOX.
First, we will reset our content portfolio.
Since 2018, we have aggressively expanded our studio portfolio while the number of games created each month across the industry now outpaces the last ten years combined. We now find ourselves competing not only with the largest publishers, but also with smaller independent studios. It is neither possible nor desirable to own every great independent studio. We have also learned that we are not the best home for every type of studio; in a typical year, we lost 64 cents for every dollar we invested. As we reset XBOX, we will help independent creators succeed by providing open development tools and audiences to realize their vision.
Compulsion Games and Double Fine Productions will return to management and transition to independent studios with their IP, catalog, and runway for their next games. Ninja Theory and Undead Labs have entered terms to join new ownership with funding to complete and grow Senua and State of Decay 3. In France, Arkane’s management is beginning required consultation with its Works Council to review potential strategic options.
We are also making reductions across other units, and in some cases, shifting investment to focus on higher priority projects. These changes vary in size across Activision, Bethesda/ZeniMax, Blizzard, King, Mojang, and XBOX Game Studios. None of our first party publicly announced games or projects are being cancelled as part of these reductions.
In addition, Mojang and King will now report directly to me. These two studios have increasingly become platforms and are our largest by monthly active players. They bring critical geographic, demographic, and differentiation to XBOX.
Second, we will reset our platform.
We know that great technology gets better when it gets simpler, not bigger. Today, in some parts of the company, work passes through as many as 14 layers of management. Our platform teams are 40% larger than they were at the start of this generation, even as our player base and playtime have declined. That complexity has slowed decisions, blurred accountability, and made it harder to deliver for players. As we reset XBOX, we will simplify.
We will reduce management layers to no more than 5, and where possible, 3. We will deliver success through a flatter organization that is built around makers (individual contributors focused on building), player-coaches (leaders who remain deeply involved in the work while developing their teams), and directly responsible individuals (DRIs) who own key decisions and outcomes. And we will streamline how we work across our tools, with a cleaner code base, shared services, and 50% reduced vendor spend.
Third, we are resetting how we operate.
As XBOX grew our headcount, we became more fragmented. Teams, studios, and functions often operate independently, and it became harder to work towards a shared goal, make the right tradeoffs, and get things done.
For the first time, we are establishing a Chief Operating Officer with end-to-end P&L responsibility across content, hardware, platform, and services. Helen Chiang has been promoted to this role and will report directly to me. Over nearly two decades at XBOX, Helen has helped build some of our most important businesses, from XBOX Live to leading Mojang and the Minecraft franchise. She will bring our businesses together under one operating model, making sure we make clear investment decisions, learn from our successes and failures, and hold ourselves accountable for results.
Thank you, Dave McCarthy, who is retiring after 17 years with XBOX. Dave has played a defining role in building the platform that millions of players rely on every day and has been a trusted partner through many of the biggest moments in XBOX's history. We wish him all the best.
These changes are about a bigger future for XBOX, not a smaller one. The next decade of gaming will be larger, more global, and more creative than anything we've seen before. This year, we'll invest as much in XBOX as we ever have, but we'll invest with greater focus, greater discipline, and greater clarity, all in service of making XBOX where the world plays and creates.
I want XBOX to be one of the few companies that entertains more than a billion people each day and gives everyone the opportunity to create and connect. I know we can achieve this goal. XBOX has many of the most beloved franchises in entertainment history, talented studios around the world, and we will return to growth in 2027.
History is full of companies that mistake longevity for inevitability. We will not be one of them.
Asha
Android CLI 1.0 is now stable. 🚀
Whether you use Gemini, Antigravity, Claude, or Codex, the CLI provides the programmatic interface agents need to build, test, and deploy alongside you.
Bring Android expertise to the agent of your choice → https://t.co/aQni6WsVk8
#GoogleIO
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
🚨 Urgent Windows Security Update
Hey everyone, just a heads-up to check your Windows Updates today! Microsoft just patched a really serious flaw (CVE-2026-41096) that could let hackers take over a computer through a fake Wi-Fi or network connection.
It’s a "9.8 out of 10" on the danger scale, so don't click "remind me later" on this one.
⚠️ PoC Exploit Released for Android 0-Click Flaw that Enables Remote Shell Access
Source: https://t.co/9ZHRqf0PkZ
Google's May 2026 Android Security Bulletin has revealed a critical zero-click vulnerability in the core Android System. The CVE-2026-0073 flaw in Android’s adbd daemon lets nearby threat actors remotely gain full shell access without victim interaction.
An attacker must first establish a TCP connection, successfully negotiate the STLS upgrade sequence, and then supply the malicious cross-algorithm certificate.
To proactively reduce attack surfaces, users should turn off wireless debugging on untrusted networks and revoke authorizations for unknown debugging hosts.
#cybersecuritynews #Android
⚠️ BitUnlocker Attack on Windows 11 Allows Access to Encrypted Disks in 5 Minutes
Source: https://t.co/dq8KjmuHtP
A new tool, BitUnlocker, reveals a practical downgrade attack against Microsoft's BitLocker encryption, allowing attackers with physical access to decrypt protected volumes on patched Windows 11 machines in under 5 minutes by exploiting a crucial gap between patching and certificate revocation.
The attack is rooted in CVE-2025-48804, one of four critical zero-day vulnerabilities. Systems that have completed the KB5025885 migration, moving the boot manager signature to the newer Windows UEFI CA 2023 certificate, are also protected against this downgrade path.
#cybersecuritynews #Windows11
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.
The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.
Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.
The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root.
Result: the next time anyone runs that program, it lets the attacker in as root.
What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.
Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.
The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.
This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root
Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure
Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
1️⃣ We’re bringing back Android CLI.
It’s a lightweight, programmatic interface that allows you to leverage any agent of your choice for Android development. In our tests, it made tasks 3x faster and reduced LLM token usage by over 70%.
Try it out → https://t.co/wqYFHPLLYU
知らん間にDataStoreに暗号化機能付いとるやんけ。Tink使ってる。
Encryption Support: Introduced the new androidx.datastore:datastore-tink artifact which provides support for encryption of your datastore using the Tink library.
https://t.co/jOjOhjEa7U
Androidの開発のskillsがGitHubでリリースされたみたい
XML -> Jetpack Compose移行やAGP9移行、Nav3、R8、Billingライブラリのアプデ、Edge to edge対応など、一時的だけどちょっと痛みがありそうなタスクのskillが揃っている
https://t.co/MqkK0oSPZT