Digest · 17 stories · 38 sources
2026-07-02
Updated
Top stories
- SharePoint deserialization RCE CVE-2026-45659 added to CISA KEV CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog on 2026-07-01 (catalog version 2026.07.01, count 1631), confirming active exploitation. The flaw is a CWE-502 deserialization of untrusted data in on-premises SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, CVSS 8.8, network-reachable with low attack complexity and no user interaction. An attacker with Site Member permissions can execute code on the server. Microsoft patched it in the May 2026 Patch Tuesday (KB5002863, KB5002870, KB5002868).
- Anthropic redeploys Fable 5 with a new jailbreak classifier Anthropic began restoring Claude Fable 5 globally on 2026-07-01 after the US lifted the export controls imposed 2026-06-12. The redeployment ships a new safety classifier that Anthropic says blocks the reported jailbreak technique in over 99 percent of cases; the jailbreak, reported by Amazon researchers, had prompted the model to identify and in one case show how to exploit a software vulnerability. Anthropic says it is drafting a cross-industry jailbreak-severity framework with Amazon, Microsoft, Google, and other partners. Mythos 5, the same underlying model with fewer restrictions, is being restored to approved US organizations.
- Google Android developer verification begins blocking unverified app installs Google's Android Developer Verification requirement reaches its first enforcement milestone on 2026-09-30, when certified Android devices in Brazil, Indonesia, Singapore, and Thailand block installation of apps whose developer has not registered a legal identity with Google; wider rollout follows in 2027. The requirement applies to every install path, including sideloaded APKs and third-party stores such as F-Droid. Google states that advanced users can still install unverified apps after a one-time risk acknowledgment, a free account tier lets students and hobbyists distribute to a limited number of devices without a government ID, and installs over Android Debug Bridge for development are unaffected. An F-Droid post on 2026-07-01 (599 points on Hacker News) argues the program is gatekeeping rather than security, on the grounds that the Developer Console terms let Google decide what counts as "malware" without a published standard.
- Cloudflare Monetization Gateway charges for any resource over x402 Cloudflare announced the Monetization Gateway on 2026-07-01, a control plane that lets customers charge for any Cloudflare-protected resource: web pages, datasets, APIs, or MCP tools. Payment verification and enforcement run at the edge to shield origins from payment volume. At launch, payments settle in stablecoins over x402, an open pay-over-HTTP protocol built around the 402 status code where a server answers a request with a price and payment target and the client repeats the request with proof of payment. Customers can price per REST verb or charge variable amounts by task complexity.
- Vite+ enters beta as an MIT-licensed unified JavaScript toolchain VoidZero announced the Vite+ beta on 2026-07-02, a single toolchain that manages the runtime, package manager, and frontend tooling for a web project behind one CLI. It bundles Vite 8 for the dev server and build, Vitest for tests, Rolldown and tsdown for bundling, and Oxlint and Oxfmt for linting and formatting, plus a built-in task runner with monorepo support and caching, exposed through commands such as vp dev, vp check, vp test, vp build, and vp run. VoidZero states it decided to release Vite+ fully open source under the MIT license after initially considering a paid licensing model, and reports over 1,300 public repositories already depending on the package since the alpha. VoidZero was acquired by Cloudflare on 2026-06-04 and is building Void, a Vite-native deployment platform on top of Cloudflare.
- Jujutsu 0.43.0 adds jj run and drops Git-symbol resolution The jj version control system released 0.43.0 on 2026-07-02. The headline feature is jj run, which runs a command over a set of changes, each with its own private working copy, and propagates working-copy edits and conflicts back into the changes, so jj run -- cargo fix behaves as expected. Breaking changes: the deprecated githead() and gitrefs() revset and template functions are removed, Git-like symbols such as refs/heads/main no longer resolve to revisions (use bookmark or tag syntax), the ui.revsets-use-glob-by-default option is removed, and jj bookmark track/untrack no longer accept <kind>:<bookmark>@<remote> patterns. It also adds jj show --reversed, config discovery in /etc/jj, and jj config gc.
ML research
Agentic coding
- Z.ai ships ZCode, an official coding harness for GLM-5.2 Z.ai (Zhipu) released ZCode, its own coding-agent harness for the GLM-5.2 model, for macOS, Windows, and Linux with no manual endpoint configuration. It organizes work as "Goals" with continuous plan, execute, and verify loops, exposes the model's 1M-token context, and can launch and monitor tasks remotely from chat apps including WeChat, Feishu, and Telegram. It is part of the GLM Coding Plan. Capability claims are the vendor's.
- Kimi K2.7 Code reaches general availability in GitHub Copilot GitHub made Moonshot AI's open-weight Kimi K2.7 Code model generally available in Copilot on 2026-07-01, rolling out to Copilot Pro, Pro+, and Max plans with Business and Enterprise to follow in the coming weeks. The model appears in the Copilot model picker across VS Code, Visual Studio, JetBrains, Xcode, Eclipse, the Copilot CLI, the cloud coding agent, github.com, and GitHub Mobile. For Business and Enterprise it is off by default until an administrator enables the Kimi K2.7 Code policy, and usage bills under Copilot usage-based billing at provider list pricing.
- Senior SWE-Bench scores coding agents on senior-level tasks Researchers at Princeton and the University of Wisconsin-Madison with Snorkel AI published Senior SWE-Bench, an open benchmark (dataset snorkel-ai/senior-swe-bench-v2026.06) that evaluates coding agents on 50 tasks across more than 15 repositories in Python, TypeScript, Go, Rust, Elixir, and other stacks. Tasks use natural-language instructions rather than fully specified requirements, bug and performance tasks are drawn from pull requests that required runtime investigation from logs and behavioral reports, and a "taste" score combines correctness tests with code-quality metrics derived from each codebase's own conventions. Reported solve rates are Claude Opus 4.8 at 24.0 percent, Claude Sonnet 5 at 19.4 percent, and GPT-5.5 at 16.0 percent, and the authors state frontier models fail senior-level correctness on more than 75 percent of tasks.
Developer tools
Linux and kernel
Infrastructure
- Prometheus 3.13.0 LTS ships security fixes Prometheus 3.13.0, a Long Term Support release, shipped on 2026-07-01. It bumps sanitize-html to fix a UI cross-site scripting issue (CVE-2026-44990) and, via prometheus/common v0.69.0, stops forwarding credentials (Authorization header, basic auth, bearer token, OAuth2, configured headers) when an HTTP client follows a redirect to a different host, affecting scraping, remote read and write, alerting, and service discovery (CVE-2025-4673, CVE-2023-45289). The API now uses SHA-256 instead of SHA-1 for rule-group pagination tokens, and third-party npm license texts are embedded in the binary at /assets/third-party-licenses.txt.
- Grafana 13.1.0 feature release Grafana 13.1.0 shipped on 2026-07-01 with accessibility work, including colorblind-safe line-style fill patterns and added ARIA states, and alerting improvements such as Mimir Alertmanager auto-sync configuration on the settings page.
Engineering posts
Hacker News
- Monthly hiring threads for July 2026 The recurring monthly Ask HN hiring threads for July 2026 are live, with the "Who is hiring?" thread at 164 points and the "Who wants to be hired?" thread at 108 points at run time.
- Ask HN discussion on becoming a graphics programmer A "What to learn to be a graphics programmer" thread reached the front page (247 points), collecting practitioner recommendations on math, rendering fundamentals, and project paths into graphics work.