Tomorrow night, we're hosting https://t.co/m3l8snm5N9
A cafe listening room for friends of Cal to escape the tech week panels, pitches, and badges.
Drinks, bites, and a room that takes their mission seriously, and selves unseriously.
Come solo, come with friends, leave with new ones.
Limited capacity, RSVP at https://t.co/m3l8snm5N9
Nobody is hiring.
At least that's what we're told every week.
Somebody should probably tell our hiring team.
We're hiring across GTM, Engineering, Foundation, Growth, and Design:
- Social Growth Lead
- Brand/Visual Designer
- Copywriter
- EA to Head of GTM
- Videographer
- IC3 Security Engineer
- IC4 Scale Engineer
- IC4 Senior Full-Stack Engineer
Three researchers used Anthropic's Mythos to build a working macOS kernel exploit that bypasses Apple's M5 Memory Integrity Enforcement, a security system Apple spent five years and billions of dollars building.
Bug found April 25. Working exploit May 1. Walked into Apple Park to deliver the report in person.
MIE was the flagship security feature of the M5 and A19, designed to kill the entire memory corruption bug class. According to Apple's own research, it disrupted every known public exploit chain against modern iOS.
Calif didn't break MIE. They walked around it. Data-only attack, no pointer manipulation, standard syscalls from an unprivileged user to root.
The 55-page technical report drops after Apple patches.
This is the story of the year in cybersecurity.
CVE-2026-44578
⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6)
A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler.
By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data.
Affected: Next.js 13.4.13+, 14.x, 15.x <15.5.16, 16.0.0–16.2.4
Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.
Modat Magnify Query:
technology="Next.js"
The platform:
https://t.co/qJfEh7giE9
#threatintel #vulnerability #CVE202644578 #Nextjs #SSRF #WebSocket #CloudSecurity #infosec #Critical #ModatMagnify
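For the CVE-2026-44578 post above, an added example (not from the post, Next.js, or Modat): JavaScript triage helpers that check an installed version against the affected ranges as the post lists them, and flag a raw request head that pairs an absolute-form request-target with `Upgrade: websocket`. The function names and sample request heads are constructed, and the request-shape check is an assumption drawn from the post's description, not the vendor's patch logic.

```javascript
// Added example, not Next.js or vendor code. Version ranges are copied from
// the post; function names and the sample request heads are constructed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version falls inside the affected ranges listed in the post.
function isAffected(version) {
  const v = parseVersion(version);
  switch (v[0]) {
    case 13: return cmp(v, [13, 4, 13]) >= 0; // 13.4.13+
    case 14: return true;                     // 14.x
    case 15: return cmp(v, [15, 5, 16]) < 0;  // 15.x < 15.5.16
    case 16: return cmp(v, [16, 2, 4]) <= 0;  // 16.0.0 to 16.2.4
    default: return false;
  }
}

// Flags a raw request head that pairs an absolute-form request-target
// (scheme://authority/... rather than /path) with "Upgrade: websocket".
function isSuspiciousUpgrade(rawHead) {
  const [requestLine, ...headerLines] = rawHead.split(/\r?\n/);
  const target = requestLine.split(" ")[1] || "";
  const absoluteForm = /^[a-z][a-z0-9+.-]*:\/\//i.test(target);
  const upgradesToWs = headerLines.some((line) => {
    const i = line.indexOf(":");
    if (i <= 0 || line.slice(0, i).trim().toLowerCase() !== "upgrade") return false;
    return line.slice(i + 1).toLowerCase().split(",").some((t) => t.trim() === "websocket");
  });
  return absoluteForm && upgradesToWs;
}

// Constructed samples: a normal WebSocket handshake and the flagged shape.
const SAMPLE_NORMAL =
  "GET /socket HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n";
const SAMPLE_FLAGGED =
  "GET http://internal.example/status HTTP/1.1\r\nHost: app.example\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n";

console.log(isAffected("15.5.15"), isSuspiciousUpgrade(SAMPLE_FLAGGED));
```

The request-shape check is for log or proxy triage only; the post's stated mitigation remains upgrading to 15.5.16 or 16.2.5.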
Lidl has a cloud offering now and their parent company is building an €11B AI data center. At this point, I fully expect them to replace github while they're at it
My marketing team asked me to write a shitpost about bananas.
Never in a million years did I see myself doing that, but it did NUMBERS on LinkedIn
They ate that shit up
Saw a photo of a Korean banana pack today and it changed the way I thought about product.
Seven bananas, each at different stages of ripeness. One ready to eat, one ready Wednesday, and one still green that needs a few days.
This is better product thinking than 90% of the roadmaps I've reviewed this year.
We obsess over the yellow banana. The ICP. The user in the demo video who clicks the right buttons in the right order while smiling at a MacBook. We A/B test their button color into the ground.
We ignore the green banana: the user who showed up 30 seconds ago, has no idea what the product does, and is one confusing modal away from closing the tab forever.
And we ignore the spotted banana: the long-time power user who has outgrown the happy path and is now duct-taping workarounds together in a Notion doc titled "things [your product] can't do."
This Korean grocer designed for all seven bananas. You're designing for one and wondering why retention is flat.
Your user journey is a bunch, not a banana.