Top stories

  1. Developer-targeted npm backdoor delivered through a fake LinkedIn job offer In a post dated 2026-06-15, developer Roman Imankulov describes a targeted attack that reached him through a LinkedIn recruiter using a stolen identity, asking him to review a "broken proof-of-concept" repository for a crypto startup. The repository hid a backdoor in app/test/index.js: about 250 lines dressed up as sloppy beginner test code assembled the URL https://rest-icon-handler.store/icons/77 and executed arbitrary commands fetched from that remote server. The payload runs automatically on npm install, because the package's npm prepare lifecycle script invokes node app/index.js, which requires the malicious test file. The repository's commit history and the recruiter profile both reused real people's identities. Imankulov inspected the project with a read-only AI agent under restricted permissions rather than running it directly.
  2. Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20262 exploited, added to CISA KEV Cisco patched CVE-2026-20262, a path-traversal flaw in Catalyst SD-WAN Manager (formerly vManage) exploited as a zero-day. Insufficient validation of user-supplied input during file uploads lets a low-privilege remote attacker run arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint. Cisco PSIRT said it became aware of exploitation earlier this month and published indicators of compromise: check vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. The flaw affects all deployment types, including on-prem, SD-WAN Cloud-Pro, Cisco-managed cloud, and the FedRAMP government offering. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (catalog version 2026.06.15).
  3. US directive suspending Fable 5 and Mythos 5 stays in force as Anthropic lobbies in Washington The US export-control directive issued 2026-06-12, which forced Anthropic to block all foreign-national access to Fable 5 and Mythos 5 and which the company implemented by disabling both models for every customer worldwide, remains in effect with no restoration timeline. Axios reported on 2026-06-14 that Anthropic flew staff to Washington to manage the dispute with the White House over the directive. A Stratechery analysis published this cycle frames Anthropic's safety posture and the code-analysis capability at the center of the directive. Anthropic has said it disagrees with the recall and is working to restore access; other Anthropic models remain unaffected.
  4. SpaceX to acquire Anysphere, maker of the Cursor coding agent, for $60B SpaceX agreed on 2026-06-16 to acquire Anysphere, the company behind the Cursor AI coding agent, in an all-stock deal at a $60B implied valuation. A SpaceX subsidiary (X67 Inc.) will merge with Anysphere, leaving it a wholly owned SpaceX subsidiary; outstanding Anysphere shares convert into SpaceX Class A stock priced on SpaceX's seven-day volume-weighted average ahead of close. The transaction is expected to close in Q3 2026 subject to regulatory approval. The deal exercises an option SpaceX secured in April to either buy Anysphere for $60B or pay $10B for a partnership. Reuters and CNBC report Cursor at roughly $2.6B in annualized B2B revenue. SpaceX, public since its 2026-06-12 Nasdaq listing as SPCX, disclosed the agreement in an 8-K filing.

AI

  1. Cohere releases North Mini Code, an open-weight agentic coding model Cohere published North Mini Code 1.0 on 2026-06-09, a mixture-of-experts coding model with 30B total and 3B active parameters, a 256K context window, and up to 64K generation. It is released under Apache 2.0 and is available on Hugging Face, the Cohere API, Model Vault, and OpenRouter. Cohere reports a 33.4 score on the Artificial Analysis Coding Index and, in internal testing, up to 2.8x higher output throughput and a 30 percent inter-token-latency advantage over Devstral Small 2, with evaluation on SWE-Bench Verified, SWE-Bench Pro, Terminal Bench v2, and Terminal Bench Hard using SWE-agent and ReAct harnesses. Minimum stated hardware is a single H100 at FP8. The throughput and benchmark figures are the vendor's own and are not independently reproduced.
  2. OpenRouter adds Fusion, a multi-model deliberation API OpenRouter published Fusion, a routing model that runs a prompt through a panel of expert models in parallel with web search and web fetch enabled, then has a judge model synthesize their outputs into a structured response covering consensus, contradictions, partial coverage, unique insights, and blind spots. It is accessed by model slug through OpenRouter's existing OpenAI-compatible API, with preset panels (Quality, Budget, General-High) or a custom panel set via the fusion plugin's analysismodels and model fields. Requests are billed as the sum of the underlying model completions rather than a single model price. The feature is described on OpenRouter's own product page with no usage data shown yet and no independent evaluation.

Security

  1. CISA adds two exploited vulnerabilities on 2026-06-15 CISA's Known Exploited Vulnerabilities catalog moved to version 2026.06.15 (count 1621) with two additions dated 2026-06-15: CVE-2026-20262 (Cisco Catalyst SD-WAN Manager path traversal, covered in Top stories) and CVE-2026-54420, a UNIX symbolic-link (symlink) following vulnerability in the LiteSpeed cPanel plugin. Both carry active-exploitation evidence per the catalog.

Developer tools

  1. Typst 0.15.0 released The Typst typesetting system released 0.15.0 on 2026-06-15. New features include variable-font support with custom axis variations, bundle export producing multiple output files (HTML, PDF, PNG, SVG, assets) from one project, MathML in HTML export for accessible equations, multiple bibliographies per document, spot colors for offset printing, a project-relative file-path type that crosses package boundaries, and a within selector. Breaking changes: file paths must use forward slashes (backslashes no longer allowed), non-Unicode input paths are dropped, several deprecated elements are removed (path, pattern, pdf.embed, scoped decode functions), HTML/SVG/PDF output is now minified by default (use --pretty), a new typst eval CLI command supersedes typst query, and the minimum supported Rust version rises to 1.92.
  2. Homebrew 6.0.2 hardens the install sandbox Homebrew published 6.0.2 on 2026-06-15, a patch release continuing the 6.0.0 sandbox and tap-trust work: the sandbox now denies access to all of $HOME except Homebrew directories, Bubblewrap can auto-install on Linux, and several tap-trust and redirected-tap-trust handling paths were fixed, alongside fixes for sandboxed-home crashes and brew irb/brew dry-run regressions.

Languages and runtimes

  1. Project Valhalla value classes (JEP 401) reach preview, targeting JDK 28 JEP 401, Value Classes and Objects, the central language feature of the long-running Project Valhalla, is set to land as a preview in JDK 28. The Register reported on 2026-06-15 that Oracle engineer Lois Foltan confirmed the change will merge into the OpenJDK mainline early in July 2026; the first-preview pull request adds more than 197,000 lines across 1,816 files. Value classes create objects with no identity, distinguished only by their field values rather than their location in memory, which lets the JVM flatten and inline them for performance instead of forcing heap allocation and pointer indirection. The feature ships as an opt-in preview, not enabled by default, and JEP 401 migrates some existing JDK classes such as Integer to value classes, with more to follow over later releases. JDK 28 is expected in March 2027.

Engineering posts

  1. How memory-safety CVEs differ between Rust and C/C++ In a post dated 2026-06-15, Jakub Beranek (Kobzol) argues that raw CVE counts mislead when comparing Rust and C/C++ memory safety because the two ecosystems apply different reporting standards. Using curlgetenv() as the worked example, he notes that in C/C++ a crash caused by "wrong usage" such as passing NULL is treated as caller error and usually not reported as a library CVE, whereas in Rust, if safe (non-unsafe) code can trigger memory unsafety without misuse, it is a library bug and a reportable CVE. The claim is that Rust's unsafe boundary makes a soundness obligation explicit, so Rust libraries may file more memory-safety CVEs without being less safe.
  2. How TimescaleDB compresses time-series data A write-up walks through TimescaleDB's Hypercore compression: row data in a hypertable chunk is reorganized into columnar batches of up to 1,000 rows, each column compressed with a type-appropriate scheme (delta and delta-of-delta for ordered integers and timestamps, dictionary encoding for low-cardinality text, Gorilla-style encoding for floats), trading per-row update cost for large storage and scan-throughput gains on append-mostly time-series workloads. It surfaced on Hacker News (133 points).
  3. Raymond Chen on an x86 emulator team patching bad code during emulation A 2026-06-15 Old New Thing post recounts an x86-on-ARM emulator team encountering code pathological enough for the emulator's just-in-time translator that they special-cased it and effectively fixed it during emulation rather than translating it faithfully. The post is a short engineering anecdote on emulation and JIT-translation edge cases.

Hacker News

  1. Ask HN: replacing cloud models with a local model for daily coding A 1,053-point Ask HN thread asks whether anyone has replaced Claude or GPT with a locally run model for everyday coding. The consensus in the comments is "not yet for interactive use."