Technology
Google raises top Android exploit bounty to $1.5M and updates Chrome VRP
May 05, 2026 22:00 Google increased maximum rewards for Android exploit chains and refreshed its Chrome vulnerability reward program to reflect newer attack surfaces.
Running plain Docker Compose in production in 2026: what breaks and how to close the gaps
May 05, 2026 22:00 A practical field guide argues Docker Compose can still run production workloads—if teams explicitly handle operational gaps like orphan containers, disk/log growth, healthcheck behavior, and mutable tags. The post outlines concrete commands and guardrails for safer single-host deployments.
Google releases Gemma 4 MTP drafters to speed up local LLM inference
May 05, 2026 22:00 Google introduced Gemma 4 MTP drafters aimed at improving on-device and local LLM inference throughput and latency.
DAEMON Tools installers allegedly trojanized in supply-chain attack, Kaspersky says
May 05, 2026 22:00 Kaspersky reports that some DAEMON Tools installers were trojanized, raising fresh supply-chain security concerns.
Benchmark: Vision-based computer-use agents can cost ~45 more than API tools
May 05, 2026 22:00 A new benchmark suggests GUI-driving, vision-based agents can be dramatically more expensive than structured API tool use for equivalent tasks.
CISA warns exploited “CopyFail” Linux kernel bug: what admins should patch now
May 05, 2026 14:02 CISA added a Linux kernel vulnerability dubbed CopyFail to its known-exploited list, urging admins to patch promptly and review systems for signs of compromise.
Nvidia CEO Jensen Huang says AI is creating jobs, but anxiety persists
May 05, 2026 14:02 Nvidia CEO Jensen Huang argues AI will create new roles and boost productivity, while acknowledging worker concerns about displacement and the need for reskilling.
CloudZ malware hijacks Microsoft Phone Link to steal SMS one-time passwords
May 05, 2026 14:02 Researchers report CloudZ malware can abuse Microsoft Phone Link to intercept SMS-based one-time passwords, raising risks for accounts relying on SMS MFA.
Actively exploited Weaver E-cology RCE (CVE-2026-22679) puts enterprise servers at risk
May 05, 2026 14:02 Security agencies warn of an actively exploited remote-code-execution flaw in Weaver E-cology. Organizations running affected versions should prioritize patching and exposure reduction.
OpenAI explains its low-latency voice stack: relay + transceiver WebRTC architecture
May 05, 2026 12:00 OpenAI detailed how it reworked WebRTC at global scale to keep voice interactions responsive. The design splits packet routing (relay) from session termination (transceiver) to reduce public UDP surface area while preserving session ownership.
“Copy Fail” (CVE-2026-31431): why rootless containers can blunt Linux privilege escalation
May 05, 2026 12:00 A detailed lab write-up shows how the “Copy Fail” Linux vulnerability can be exploited via page cache corruption, and why user-namespace-based rootless containers can prevent host-level privilege escalation. The post highlights practical hardening lessons for CI runners and containerized workloads.
Bun begins port from Zig to Rust, signaling a major runtime transition
May 05, 2026 12:00 Bun maintainers have started a structured “Phase A” effort to port parts of the JavaScript runtime from Zig to Rust. The move could reshape Bun’s performance, contributor base, and long-term maintenance story for web developers.
Bun starts moving from Zig to Rust—what it means for developers
May 05, 2026 10:01 Bun has begun a phased migration from Zig to Rust, a shift that could affect performance, tooling, and long-term maintenance for the runtime.
“CopyFail” Linux kernel bug exploited in the wild—patch now
May 05, 2026 10:01 Security researchers say a Linux kernel flaw dubbed “CopyFail” is being actively exploited, making rapid patching and mitigations urgent.
Critical cPanel flaw mass-exploited to deploy “Sorry” ransomware
May 05, 2026 10:01 Attackers are exploiting a serious cPanel vulnerability at scale to compromise Linux servers and deploy “Sorry” ransomware.
Ubuntu and Canonical services hit by sustained DDoS, disrupting updates and communications
May 02, 2026 00:00 Ubuntu’s web infrastructure experienced an extended outage tied to a sustained cross-border attack, pushing users to rely on mirrors while Canonical worked on mitigation.
PyTorch Lightning supply-chain incident shows how fast malicious package releases can spread
May 02, 2026 00:00 Malicious Lightning (PyPI) releases briefly introduced credential-stealing behavior, underscoring why teams must lock dependencies and rapidly rotate secrets after exposure.
Bluekit phishing platform adds AI-assisted drafting, signaling a new phase of “all-in-one” cybercrime kits
May 02, 2026 00:00
PyTorch Lightning hit by malicious PyPI releases that steal developer credentials
Apr 30, 2026 20:06 Researchers say attackers published malicious Lightning (PyTorch Lightning) versions 2.6.2 and 2.6.3 to PyPI, triggering credential theft when the module is imported. The campaign appears tied to a broader supply-chain effort affecting developer ecosystems.
cPanel/WHM auth bypass (CVE-2026-41940) exploited as zero-day; patches and PoC released
Apr 30, 2026 20:06 A reported zero-day authentication bypass in cPanel/WHM (CVE-2026-41940) is being exploited; admins should apply patches and review published PoC details.
GitHub patched critical RCE bug (CVE-2026-3854) tied to a single malicious git push
Apr 30, 2026 20:06 GitHub disclosed a severe remote code execution issue in its git push handling that could have enabled access to millions of private repositories. GitHub.com was patched rapidly, but GitHub Enterprise Server admins should ensure they’ve upgraded to fixed releases.
Critical GitHub flaw (CVE-2026-3854) could enable RCE via a single git push
Apr 29, 2026 08:00 Security researchers reported a command-injection vulnerability in GitHub.com and GitHub Enterprise Server that could allow authenticated attackers with push access to trigger remote code execution. Teams should review access controls and apply vendor mitigations/patches as they become available.
AWS Bedrock adds OpenAI models, Codex, and managed agents after Microsoft exclusivity ends
Apr 29, 2026 08:00 TechCrunch reports AWS has begun offering OpenAI’s latest models inside Bedrock, including Codex and a new managed-agent capability. The move signals intensifying competition among cloud platforms for AI workloads and enterprise developer adoption.
Lovable launches its vibe-coding app on iOS and Android amid Apple’s tighter rules
Apr 29, 2026 08:00 TechCrunch reports Lovable’s AI-powered no-code builder is now available on mobile, enabling voice/text prompting and autonomous builds with notifications. The launch highlights how “vibe-coding” tools are adapting to App Store restrictions around downloading or executing generated code in-app.