Two months ago I was fired by Google for creating the Google Workspace CLI. It went viral, hit #1 on Hacker News, gained thousands of GitHub stars and many thousands of actual users in just a couple days.
It was an incredible, confusing journey, from directors and leaders asking what they could learn from the tool to getting grilled by legal about why the Google logo and brand colors are on the Google Workspace GitHub code repositories.
I think the cause was that Workspace and certain leaders (and projects) were afraid of being disrupted. But the fear wasn't specific to my CLI, it was a broader fear in what agents meant for Workspace. Either way, the irony of my termination was the announcement at Google Cloud Next two days before I was fired that an official Workspace CLI was coming.
I want this out there because it is easier for me to explain my story and it is an experience I want to fully own. It's also part of my healing.
Nearly 7 years at Google was an incredible opportunity for me and I was fortunate to have wonderful teammates and a manager that fully supported me through these last few months. Thank you.
Apple just made Docker Desktop optional on Mac.
And it is completely free.
This is apple/container. 26.5k stars no Github.
You can now run Linux containers natively on your Mac without installing Docker Desktop, without a background daemon hogging your RAM, and without paying $21 a month per developer for a commercial license.
Here is what it does:
โ Runs Linux containers as lightweight VMs directly on Apple Silicon using macOS 26 virtualization
โ Fully OCI compatible. Pull any image from Docker Hub, GitHub Container Registry or anywhere else
โ Written in Swift and optimised specifically for Apple Silicon. Faster and lighter than anything Docker Desktop does on Mac
โ Standard container CLI syntax. If you know Docker commands you already know how to use this
โ Push images you build to any standard container registry and run them anywhere
Docker Desktop charges $21 per developer per month for commercial use. Apple's version costs nothing and ships as open source under Apache-2.0.
Microsoft made Docker Desktop optional on Windows with WSL Containers last month.
Apple just did the same on Mac.
Docker is not going anywhere. But the era of paying for a GUI wrapper around containers on your own machine is quietly ending.
Repo here: https://t.co/uFJ867sul6
claude mythos just broke Apple's $2 billion defense system. it did so by discovering a completely different attack vector to break in
only took it 5 days costing ~$35K of mythos api time (the same exploit class costs $5-10M on grey market)
the researchers that commandeered the exploit produced a 55-page report that was delivered to Apple HQ in-person (hoping they release it after patching).
most shocking part for me is apple's MIE worked as intended. mythos just discovered a new way to side-step it entirely by poisoning the data the M5 chip ingested.
at this point i think we have to accept that mythos walks the walk.
As the anthropic red-team explicitly confirmed this week - this is NOT a compute resource issue. its national defense.
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
๐๐ฎ๐ฑ ๐ง๐ฒ๐ฎ๐บ๐ ... NOBODY reminds anyone of the standards.
๐๐๐ฒ๐ฟ๐ฎ๐ด๐ฒ ๐ง๐ฒ๐ฎ๐บ๐ ... COACHES remind the team of the standards.
๐๐ผ๐ผ๐ฑ ๐ง๐ฒ๐ฎ๐บ๐ ... PLAYERS remind the team of the standards.
๐๐ต๐ฎ๐บ๐ฝ๐ถ๐ผ๐ป๐๐ต๐ถ๐ฝ ๐ง๐ฒ๐ฎ๐บ๐ ... EVERYONE reminds each other of the standards
ODAC Flo Network games is a total money grab. I donโt want to pay a monthly or annual fee. I am willing to pay a per game fee. This is dumb and hurts ODAC sports; cant even support your own teams at Championship time unless its in person.
๐จ SaaS platform ClickUp, used by 85% of the Fortune 500, has been leaking customer emails through its homepage for at least 465 days, and counting.
ClickUp has a $4 billion valuation. They are SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certified. The fix takes about 90 seconds.
Security researcher @weezerOSINT noticed a hardcoded Split[.]io SDK token sitting in plain text inside ClickUp's production JavaScript bundle. The bundle loads before you log in. View source, copy key, send one unauthenticated GET request, and 4.5MB of ClickUp's internal configuration is exposed: 959 customer emails and 3,165 internal feature flags.
The customer list consists of Home Depot. Fortinet, who sells enterprise firewalls. Tenable, who makes Nessus, the vulnerability scanner half the industry runs on. Autodesk. Rakuten. Mayo Clinic. Permira. Akin Gump. A Microsoft contractor. 71 ClickUp employees. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand.
It gets worse, ClickUp has a flag named "enable-missing-authz-checks." It is active in production. It lists five ClickUp API endpoints the company itself documented as having no authorization. They wrote down their own holes in a config anyone with a browser can read.
At first disclosure, another flag carried a live ClickUp API token tied to Fairfax County Public Schools, one of the largest school districts in the US, serving 180,000 students. The token pulled 1,066 staff records, including Chief Financial Services data. ClickUp removed that one token. They never rotated the SDK key that exposed it.
While that report rotted, the same researcher found a second bug. ClickUp's webhook API has zero SSRF protection. Reported via HackerOne on April 8, 2026. Status: "New." 19 days, zero response.
The original report was filed by @weezerOSINT on January 17, 2025 (!). The key is still live. The emails still drop with one GET. ClickUp has had 465 days to rotate a single token. Zero response...
The fix is one click in the Split[.]io dashboard... ClickUp still hasn't replied to the researcher.
Why is no one talking about this?
@nvidia is offering around 80 AI models via hosted APIs absolutely for free.
You get access to MiniMax M2.7, GLM 5.1, Kimi 2.5, DeepSeek 3.2, GPT-OSS-120B, Sarvam-M etc.
This plugs straight into OpenClaude, OpenCode, Zed IDE, Hermes agent and even with Cursor IDE.
Setup:
โ Grab API key: https://t.co/Wfdclm0hY2
โ base_url = "https://t.co/VOGC10LmGP"
โ api_key = "$NVIDIA_API_KEY"
โ select model (e.g. minimaxai/minimax-m2.7)
If youโre building or experimenting, this is basically free inference.
Lock in and start building today anon.
Thank me later.
I've taught European history for 30 years. Americans have always asked me how the Holocaust was possible, how Germans could have enabled a madman reveling in mass murder to carry out his plans. Now we can see in real time how this is enabled; now we have front-row seats.
PSA:
If you still want to use Claude Max subscription Opus 4.6 with your openClaw/Clawbot,
You saw this "models auth login --provider anthropic --method cli --set-default"
IT WON'T GIVE YOU THE 100% OPENCLAW AGENT YOU HAD
But here's what nobody is telling you: your agent loses its soul.
All your custom skills? Gone.
Your memory architecture? Gone.
Exec approvals, cron jobs, delivery queue, browser automation, Telegram bindings, subagent spawning?
All of that is OpenClaw gateway infrastructure.
Claude CLI doesn't know any of it exists. You're left with a raw Claude brain inside a hollow shell.
What makes OpenClaw lobsters special isn't the model behind them. It's the skills you built and installed, the workflows you configured, the memory you trained over weeks and months. Swapping to Claude CLI strips all of that away. You get Opus 4.6 responses but you lose everything that made your agent yours.
Maintaining security patches for abandoned npm packages that still get millions of weekly downloads.
So far: AngularJS 1.x, json-schema, xml2js โ all with critical CVE fixes.
Free to use. No $50K/yr enterprise contract required.
https://t.co/7fsFpWVPlC
Still using xml2js? The original package is abandoned with an unpatched prototype pollution CVE (CVSS 9.8).
Just shipped @brickhouse-tech/xml2js โ drop-in replacement, CVE patched, actively maintained.
npm i @brickhouse-tech/xml2js
https://t.co/fsu4SGbJYI
NEWS: Amazonโs internal AI coding assistant determined the engineersโ existing code was inadequate so it deleted it to start from scratch.
Parts of AWS were down for 13 hours as a result.