Digest · 30 stories · 52 sources
2026-06-19
Updated
Top stories
- Splunk Enterprise unauthenticated file-write flaw CVE-2026-20253 is under active exploitation CVE-2026-20253 (CVSS 9.8) is a missing-authentication flaw on a Splunk Enterprise PostgreSQL sidecar service endpoint that lets an unauthenticated, network-reachable attacker create or truncate arbitrary files, which can chain to denial of service, log-integrity loss, or remote code execution. It affects Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3; versions 9.4 and earlier are not affected. Splunk patched it in 10.0.7 and 10.2.4. Public exploit analysis appeared on 2026-06-13, three days after disclosure, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-18 with a three-day federal remediation deadline.
- Noam Shazeer leaves Google to join OpenAI as AI architecture lead Noam Shazeer announced on 2026-06-18 that he is leaving Google to join OpenAI as Lead for AI Architecture Research. He co-led Google's Gemini models with Jeff Dean and Oriol Vinyals and returned to Google in 2024 in a reported 2.7B USD deal that brought back him and the Character.AI team. He is a co-author of the 2017 "Attention Is All You Need" paper.
- Apple says price increases are unavoidable as the AI-driven memory shortage bites Tim Cook told the Wall Street Journal that Apple will raise product prices to offset rising memory and storage chip costs, saying increases are unavoidable and the situation has become unsustainable. He cited AI data-center demand draining DRAM and NAND supply, and said Apple is willing to use its balance sheet to help secure memory. No timing, magnitude, or affected product lines were given.
- TypeScript 7.0 reaches release candidate with the native Go compiler Microsoft published the TypeScript 7.0 release candidate on 2026-06-18. 7.0 is the compiler rewritten from the bootstrapped TypeScript codebase to Go, and the team reports it is often about 10 times faster than 6.0. Install is npm install -D typescript@rc; a stable release is planned within a month, with stable programmatic APIs arriving in 7.1 several months later. Breaking changes include rootDir defaulting to ./ instead of inference, types defaulting to [] instead of auto-loading @types packages, and removal of target es5 plus the node/node10 module resolution modes.
- MCP Enterprise-Managed Authorization extension reaches stable The Model Context Protocol project marked its Enterprise-Managed Authorization (EMA) extension stable. EMA lets an organization centrally control which MCP servers employees may connect to through the corporate identity provider, replacing per-user, per-server OAuth prompts with a single sign-in governed by IdP policy. The post reports Anthropic implemented EMA in its shared MCP layer across Claude, Claude Code, and Cowork; VS Code added IDE support; and Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase support it, with Slack adding it.
- Anthropic says Fable 5 and Mythos 5 access should return in coming days Anthropic Managing Director of International Chris Ciauri said in Seoul on 2026-06-18 that the company is confident Fable 5 and Mythos 5 will become available again in the coming days. Anthropic disabled both models for all customers on 2026-06-12 after a US export control directive ordered it to block foreign-national access. Anthropic maintains the underlying concern is a misunderstanding. Separately, Wired identified SK Telecom as the Korean telecom at the center of the Mythos dispute.
- Researcher catalogs about 10,000 GitHub repositories distributing Trojan archives A 2026-06-18 write-up describes roughly 10,000 fresh non-fork GitHub repositories that copy a legitimate repo's commit history and contributor profiles, then push periodic "Update README.md" commits pointing at a trojanized zip. The archive URLs scan clean on VirusTotal while the zip itself flags as a Trojan. The author found them by filtering GHArchive events for commit-frequency and README-only patterns and published a detection script. Some repositories persisted for over a year; GitHub does not auto-remove them.
AI
- DeepSeek adds a Vision image-understanding mode to its chat DeepSeek added a Vision mode in beta to its chat interface for image-understanding tasks, alongside its existing expert and flash modes. Reporting frames this as DeepSeek's first user-facing multimodal capability and ties it to the Chinese model price war. DeepSeek has previously shipped open-weight vision models (DeepSeek-VL, VL2, Janus, OCR), but a primary changelog for this chat feature was not published.
- Anthropic Fable 5 and Mythos 5 restoration See the Top stories item. The new signal today is the "coming days" restoration guidance and Wired's identification of SK Telecom in the Mythos dispute. No restoration has occurred yet.
Agentic coding
- Datasette Apps run sandboxed HTML and AI-generated code over a database Simon Willison published Datasette Apps on 2026-06-18: self-contained HTML and JavaScript applications that run in sandboxed iframes on a Datasette instance. They can execute read-only SQL directly and writes through pre-configured stored queries, and the sandbox blocks cookies, localStorage, and external exfiltration. The design explicitly targets accepting AI-generated code while keeping a hard security boundary.
- Enterprise-Managed Authorization for MCP See the Top stories item. EMA stabilizes the IdP-governed, single-sign-in path for MCP server access across Claude, Claude Code, Cowork, and VS Code.
Security
- Splunk Enterprise CVE-2026-20253 under active exploitation See the Top stories item. Unauthenticated arbitrary file write (CVSS 9.8) via a Splunk Enterprise PostgreSQL sidecar endpoint, affecting 10.0.0 to 10.0.6 and 10.2.0 to 10.2.3, patched in 10.0.7 and 10.2.4. CISA KEV addition 2026-06-18 with a three-day federal deadline.
- AMD removes TSME memory encryption from consumer Ryzen CPUs in firmware AGESA 1.2.7.0 firmware disabled Transparent Secure Memory Encryption (TSME) on consumer Ryzen parts while leaving the BIOS toggle visible but inert. The flag DfIsTsmeEnabled is set FALSE for consumer parts and TRUE for PRO and EPYC. TSME encrypts all RAM under firmware control, blocking cold-boot, DRAM-snooping, and module-removal attacks. AMD's first explicit statement says TSME is a feature for PRO CPUs under AMD PRO Technologies, despite AMD engineers having recommended it on consumer parts in 2020 and 2025.
- GitHub repositories distributing Trojan archives See the Top stories item. About 10,000 look-alike repositories serve trojanized archives whose URLs pass VirusTotal while the payload does not.
Outages
- Let's Encrypt production ACME API logs errors after an upstream network event Let's Encrypt's status page recorded an incident on its production ACME API (acme-v02.api.letsencrypt.org) starting 2026-06-18 16:04 UTC. An upstream network event disrupted traffic between two of its datacenters, and some clients received 400 and 500 responses while most requests still succeeded. As of the 2026-06-19 04:45 UTC update the API was operating normally but with reduced redundancy, with Let's Encrypt still working with its upstream ISP to resolve the root cause. The matching HN thread surfaced on 2026-06-19 as renewal errors.
- OpenAI logs FedRAMP and enterprise SSO incidents on 2026-06-18 OpenAI's status history records three 2026-06-18 incidents: ChatGPT failing to load or save (03:55, recovered), SSO login errors for some ChatGPT Enterprise workspaces (11:55, recovered), and degraded performance for FedRAMP workspaces and API orgs (19:41, listed as under investigation). No 2026-06-19 incident was listed at the time of this run.
Developer tools
- Godot 4.7 released as stable The Godot engine team published 4.7 stable on 2026-06-18, a feature release that preserves compatibility with the 4.x line. Headline changes include HDR output on Windows, macOS, iOS, visionOS, and Linux/Wayland, an AreaLight3D node, a redesigned Asset Store, standalone Android export through a GABE companion app, GDScript implementing Java interfaces, a VirtualJoystick node with gyro aiming, and day-one Android XR and Steam Frame support with Vulkan subsampled foveated rendering. The team recommends reviewing the migration guide for breaking changes before upgrading existing projects.
- Practitioner write-up: migrating dotfiles from GNU Stow to chezmoi A 2026-06-18 post details moving a dotfiles setup from GNU Stow's symlink-farm model to chezmoi's templated, source-state model, covering machine-specific templating, secret handling, and the migration mechanics. It is an experience write-up, not a release.
- Emacs 31 daily-driving notes ahead of the 31.1 release A practitioner write-up covers the Emacs 31 changes worth adopting now, centered on the tree-sitter default behavior (treesit-enabled-modes, grammar auto-install) and the editable xref workflow that the 31.0.90 pretest introduced. It complements the pretest announcement tracked on 2026-06-18.
- .gitignore is not the only way to ignore files in Git A reference post walks through Git's ignore mechanisms beyond a tracked .gitignore: the per-repo .git/info/exclude, the global core.excludesFile, and assume-unchanged and skip-worktree for tracked files. It clarifies which mechanism is local-only versus shared.
Languages and runtimes
Linux and kernel
Infrastructure
Engineering posts
- American Express details a cell-based architecture for payment resilience Benjamin Cane describes how American Express runs core payments on independent cells, each holding its own microservices, databases, and infrastructure. Static reference data is replicated to every cell to avoid synchronous lookups; a Global Transaction Router is the only cross-cell path and routes by deterministic data locality. On a mid-transaction cell failure, the system reroutes and restarts in a healthy cell with idempotency keys rather than resuming across boundaries, and critical-path components avoid blocking on logging or config.
- Mark Nottingham on how to define a well-known URI Mark Nottingham, co-author of RFC 8615 and the IANA well-known URI registry expert, published guidance on 2026-06-19 for designing .well-known/ URIs. He argues they fit discovery of facts about a site as a whole, such as access policies, and cautions against using them as URL shorteners or legitimacy signals because that locks deployments into rigid one-to-one site-to-service relationships. The post covers discovery mechanisms, content-metadata tradeoffs, transition planning, and registering new well-known locations through the IANA GitHub process.
Markets and companies
Hacker News
- Ask HN: tools for AI-assisted code review An Ask HN thread collects what practitioners use for AI-assisted code review. It runs alongside a separate "how have you gotten burned by coding agents" thread, giving a paired view of where teams find value and where agent-driven review fails.
- Show HN: Are You in the Weights? A Show HN project lets people probe whether information about them appears to be memorized in large language model weights. The thread debates memorization, training-data provenance, and privacy implications.
- Project Valhalla explainer trends as JEP 401 nears JDK 28 A JVM Weekly explainer of Project Valhalla reached the HN front page at 173 points as JEP 401 (Value Classes and Objects) heads for an opt-in preview in JDK 28. Value objects have no identity, which lets the JVM flatten and inline them. The underlying JEP 401 merge to OpenJDK mainline is tracked in memory/followups.md.
- Ask HN: Is anyone using the A2A protocol? An Ask HN thread asks whether practitioners are actually deploying the Agent2Agent (A2A) protocol for agent interoperability, weighing real adoption against MCP and newer agent-interop standards.