‼️ BREAKING: xAI's Grok Build CLI was uploading entire Git repositories to a Google Cloud bucket, private codebases and unredacted secrets included. The uploads quietly stopped via a hidden server-side flag, and xAI still has not said a word about scope, retention, or deletion.
The scale is staggering. On a 12 GB test repo, 5.1 GB flew out the door to xAI's grok-code-session-traces bucket while the actual coding task needed just 192 KB. The tool grabbed whatever repository it ran in, not the files it needed.
The fix arrived as a hidden flag, disable_codebase_upload: true, a day after a researcher's wire-level analysis. The "Improve the model" opt-out never stopped the uploads.
Still no advisory, no scope, no word on whether already-uploaded code gets deleted. For anyone pointing AI coding agents at proprietary code, what crosses the wire matters more than what the settings page says.
Claude Code is probably the biggest productivity leap I’ve experienced as a programmer.
I still use it every day for work, and I don’t see that changing.
But I also think every programmer should have one project they build without AI writing the code.
Not because AI is bad, but because if it solves every implementation detail, you slowly stop exercising the muscles that made you a good engineer in the first place.
The ability to hold a system in your head. To debug from first principles. To recognize patterns without asking. To know why something works, not just that it works.
Those skills decay if you don’t use them.
So I picked up a new programming language and started building a project I’ve wanted to make for a long time. Just reading docs, writing code, making mistakes, and learning.
AI should amplify craftsmanship, not replace it.
NEW: malware developers added nuclear & biological weapons text to to their spyware.
Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner.
Cleanest practical example I can think of for why over-indexing on first order safety alignment is risky.
When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover...and exploit.
We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users systems that need to handle complex cybersecurity issues demand that models be less safety-blunted.
In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation.
H/T to colleagues that shared this with me https://t.co/f3Aj9TYxU4
Introducing the new Stripe Treasury:
• Hold funds in multiple currencies and stablecoins.
• Instantly transfer money to US businesses on Stripe for free.
• Pay anyone in 160 countries with just their email address.
• Earn credits on balances to apply towards Stripe fees.
• Spend funds with a Stripe card.
• Get 2% cash back on card purchases.
• View balances in the Stripe mobile app.
• Use Treasury from any AI app with the Stripe MCP.
VERCEL GOT HACKED
ShinyHunters - the group behind the Ticketmaster breach - is selling Vercel's internal database for $2M on BreachForums
here's why every developer should care:
- they have NPM tokens and GitHub tokens
- Vercel owns Next.js - 6 million weekly downloads
- one malicious push = global supply chain attack
- Vercel confirmed the breach today, April 19
- they literally DMed the hackers on Telegram asking them to stop
rotate your env variables RIGHT NOW
🚨 MASSIVE CYBERATTACK: The EU Commission, ENISA, and the DG for Digital Services have been compromised by threat actor ShinyHunters.
Leaked data includes:
▪️ Emails & attachments
▪️ Full SSO user directory
▪️ DKIM signing keys
▪️ AWS config snapshots
▪️ NextCloud/Athena data
▪️ Internal admin URLs
It's a mess!
some thoughts after recently reviewing some highly complex exploits (yETH, balancer, kyberswap elastic):
while the actual mechanism of exploit, i.e. the steps taken to steal funds, is quite sophisticated, the actual underlying vulnerability tends to be quite simple: rounding error, precision loss, insufficiently constrained invariant, etc.
imo each of these vulnerabilities were simple enough that most experienced researchers could have identified them at least as low/info findings, but only elite researchers would have been able to craft them into critical exploits
the takeaway that i've gathered from this is that to better secure protocols, we need to have a clearer understanding of the boundaries of a system so that we can clearly define and enforce constraints
under the model of bug bounties and competitive audits, we prioritize actual exploits, via an offensive approach to security. so much so that we may fail to protect the systems against both known AND unknown exploits, via a defensive approach to security
while the offensive approach is thrilling and glamorous, it's much more limiting imo. if you find a critical bug, it doesn't tell you anything about whether you've protected the system against other bugs, but if you add a carefully considered constraint, an entire class of exploits may be prevented
The U.S. government just made bitcoin part of its national reserves. Let that sink in. Nearly 200,000 BTC, seized from criminals and lawsuits, will now sit in a permanent stockpile they’re calling a “Strategic Bitcoin Reserve.” No sales allowed. No taxpayer funding. Just pure confiscated coins taken off the market forever.
This changes everything. For decades, governments treated bitcoin like contraband. Now they’re locking it up as a reserve asset, the same way they hoard gold. That’s not just symbolic; it’s a $17 billion reduction in potential selling pressure and a loud endorsement of bitcoin’s scarcity narrative.
But here’s what really matters: when the world’s largest economy starts treating bitcoin as strategic infrastructure, it forces every other nation to rethink their stance. The “digital gold” thesis just got a federal seal of approval.
Still blows my mind that Howard Lutnick, a guy who literally sat on MicroStrategy’s board, is now in charge of figuring out how to get more coins into this reserve.
This isn’t a win for crypto.
This is a win for bitcoin.
People ask me why I quit my high-paid job as a senior engineering manager to become a security researcher.
The answer is simple: web3 security is one of the few spaces where merit truly reigns.
Forget who you are, where you’re from or which connections you have. Here you’re judged solely on your skills and results.
Just look at those 18-year-old young guns treating this like a game and becoming millionaires like it's nothing.
In the corporate world, talent often gets buried under layers of politics and nepotism. In web3, your ability to execute, learn and adapt is your only currency. No fancy titles, no inherited privilege - just raw hustle and hard work.
Are you ready to ditch outdated systems and prove what you’re made of? Grind hard, master your craft and let your results speak for themselves!
We’re so early and being here now is a once-in-a-lifetime opportunity.