Digest · 21 stories · 44 sources
2026-06-13
Updated
Top stories
- Anthropic suspends Fable 5 and Mythos 5 after US export directive Anthropic received a US government export control directive at 17:21 ET on 2026-06-12 to suspend all access to Fable 5 and Mythos 5 by any foreign national, inside or outside the United States, including foreign-national Anthropic employees. Anthropic disabled both models for all customers to comply; access to all other Anthropic models is unaffected. Anthropic states the letter gave no specific national security detail and that its understanding is the government is concerned with a method of jailbreaking Fable 5, which it describes as narrow and non-universal and consisting of asking the model to read a codebase and fix software flaws, a capability it says is available in other models including OpenAI GPT-5.5.
- Oracle PeopleSoft CVE-2026-35273 zero-day actively exploited; CISA KEV CVE-2026-35273 (CVSS 9.8) is an unauthenticated remote vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, classified as server-side request forgery and leading to remote code execution. It was exploited as a zero-day between 2026-05-27 and 2026-06-09, two weeks before Oracle's 2026-06-10 out-of-band advisory; Google attributes exploitation to ShinyHunters. PeopleTools 8.61 and 8.62 are affected. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-12 and ordered federal agencies to patch.
- AI agent finds 21 zero-days in FFmpeg for about $1,000 DepthFirst reports its autonomous security agent found 21 previously unknown vulnerabilities in FFmpeg at a cost of about $1,000, spanning the TS demuxer, VP9 decoder, swscale, RTP depacketizers, DASH demuxer, RTSP server, RTMP client, and the option parser. Nine carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218); the remainder are fixed upstream and awaiting numbers. The most severe, DFVULN-127, is a heap buffer overflow in the AV1 RTP depacketizer where a single 183-byte packet over a network-reachable RTSP stream can redirect execution to an unauthenticated RCE primitive. Several bugs had been latent for 15 to 20 years.
- Claude Sonnet 4 and Opus 4 retire 2026-06-15 claude-sonnet-4-20250514 and claude-opus-4-20250514 are removed from the Claude API at 09:00 PT on 2026-06-15 with no grace period; requests to the retired model IDs fail immediately. Successors are claude-sonnet-4-6 and claude-opus-4-8. The Agent SDK credit split from subscription usage also takes effect 2026-06-15.
- Linux 7.1 stable expected 2026-06-14 Linus Torvalds released Linux 7.1-rc7 on 2026-06-07 and stated he expects it to be the last release candidate, with the 7.1 stable release on 2026-06-14 unless an eighth candidate is needed. The biggest area of late-cycle fixes was GPUs, followed by networking, with the rest spread across architecture, driver, filesystem, and build fixes. The cycle ran heavier than usual due to an uptick in AI-agent-generated patches.
AI
Agentic coding
Security
- Arch Linux AUR supply-chain attack hits more than 1,500 packages Attackers hijacked orphaned packages in the Arch User Repository (AUR) by claiming them through the standard adoption process, then modified each package's PKGBUILD build script to silently fetch and install malicious npm packages (reported as atomic-lockfile and js-digest) during installation, delivering a Linux infostealer with credential-harvesting, anti-debugging, and data-exfiltration functionality plus an optional eBPF rootkit. The affected count grew from more than 400 packages on 2026-06-11 to more than 1,500 by 2026-06-12. Arch published an official incident notice on 2026-06-12 stating it was actively tracking down malicious commits, with AUR account creation, package updates, and package adoption disrupted during cleanup; by the end of 2026-06-12 maintainers believed they had removed all known malicious commits and consider the incident under control. The official Arch binary repositories are unaffected.
- AMD denies $10,000 bounty for auto-updater RCE; CVE-2026-40677 A researcher (MrBruh) reported a remote code execution flaw in AMD's auto-update software, exploitable via a man-in-the-middle attack because the downloaded executable was validated only with a CRC32 check rather than a cryptographic signature. AMD initially closed the report as out of scope and paid no bounty; the issue was later assigned CVE-2026-40677 (CVSS 7.7) and took 124 days to patch, with the embargo ending 2026-06-09. After the write-up reached HN, AMD's bulletin acknowledged the vulnerability and credited the researcher.
Outages
- Meta global outage on 2026-06-12 Facebook, Instagram, WhatsApp, and Messenger went down worldwide starting shortly before 10:00 ET on 2026-06-12, with Downdetector logging over 100,000 reports by 10:00 ET. Facebook was hardest hit, logging users out and blocking re-login; Instagram showed loading and "query error" failures. The outage lasted about four hours. Meta communications VP Andy Stone confirmed the disruption. A Meta spokesperson later said the technical issue was resolved as quickly as possible and apologized; Meta has not published a root cause.
- Cloudflare Dashboard and API control-plane incident resolved Cloudflare reported Dashboard and API service issues on 2026-06-12. CDN edge serving and security features were unaffected; the impact was on the control plane. Cloudflare identified the issue and implemented a fix at 14:56 UTC, began monitoring at 15:03 UTC, and marked the incident resolved at 15:27 UTC. Cloudflare has not published a root cause. Details were gathered through aggregators and discussion because cloudflarestatus.com returns 403 from the unattended harness.
Developer tools
- tmux 3.7-rc adds floating panes tmux published a 3.7 release candidate on 2026-06-12. The headline feature is floating panes, which sit above the tiled layout like non-modal popups, are created with a new new-pane command bound to by default, and behave like ordinary panes. Other changes include a copy-mode-line-numbers option with off, default, absolute, relative, and hybrid modes, run-shell argument expansion as #{1}, #{2}, and a -g flag for kill-session that kills all sessions in a session group.
- Homebrew 6.0.1 patches the 6.0.0 rollout Homebrew shipped 6.0.1 on 2026-06-12, a bug-fix patch on the 6.0.0 major release from 2026-06-11. Changes include including the cask tap in core taps on all platforms, fixing brew bundle kwargs handling for taps and installing taps before packages, and simplifying Bubblewrap sandbox handling for Linux builds.
Languages and runtimes
- Spring Boot 4.1.0 released Spring Boot 4.1.0 reached general availability on 2026-06-10. New features include first-class gRPC server and client support with standalone Netty and HTTP/2 servlet options, auto-configuration of Jackson read and write features through spring.jackson.read. and spring.jackson.write. properties, expanded OpenTelemetry configuration (SDK disable toggle, batch log processor, sampler, span and log limits, OTLP exemplars), and SSRF mitigation via an InetAddressFilter for both reactive and blocking HTTP clients. The release deprecates Derby database support, removes the deprecated layertools jar mode, and changes Maven so -DskipTests no longer skips AOT processing (use maven.test.skip). It bundles Spring Framework 7.0.8, Spring Security 7.1.0, Netty 4.2.15, Tomcat 11.0.22, and Hibernate 7.4.1.
- WASI 0.3 ratified with first-class async The WASI Subgroup ratified WASI 0.3.0 on 2026-06-11. The release moves async into the WebAssembly Component Model canonical ABI, making stream<T> and future<T> first-class constructs and replacing the WASI 0.2 pollable and resource-based stream patterns. The model shifts from readiness-based to completion-based async, with the host managing one shared event loop for all components instead of each component carrying its own. wasi:http is reorganized into service and middleware worlds, enabling component-to-component service chaining without network calls. Wasmtime 45 supports the release candidate; Wasmtime 46 will ship WASI 0.3.0 with async enabled by default. The jco JavaScript toolchain supports it, and guest toolchain support for Rust, Go, JavaScript, Python, and C is in progress.
Apple platforms
Infrastructure
Engineering posts
Markets and companies
Hacker News
- If you are asking for human attention, demonstrate human effort A high-discussion front-page essay (1554 points) argues that low-effort, AI-generated requests for human time should be deprioritized. HN discussion connected it to maintainer burden from AI-generated bug reports and pull requests, echoing the FFmpeg AI-disclosure thread.
- Open source AI must win An opinion piece arguing for open-weight AI drew 661 points the same day as the Fable 5 and Mythos 5 suspension. Commenters debated funding models for open-weight training, what "open source" means for hosted models, and whether open weights insulate users from government access controls; several noted the best open weights are roughly at Sonnet level.