Digest · 19 stories · 41 sources
2026-07-08
Updated
Top stories
- TypeScript 7.0 ships the native Go compiler as a stable release Microsoft released TypeScript 7.0 as a stable version on 2026-07-08, the native port of the compiler rewritten in Go after a Beta on 2026-04-21 and an RC on 2026-06-18. Microsoft reports full-build speedups of roughly 8 to 12 times on typical hardware, editor file-open times cut about 13 times (17.5 seconds to 1.3 seconds for the VS Code codebase), and memory use 6 to 26 percent lower across tested projects, and cites production testing at companies including Slack, Figma, and Vanta. The release changes several defaults from TypeScript 6.0: strict is now true, types defaults to an empty list rather than every installed @types package, and rootDir defaults to the project root. It removes emit support for the ES5, AMD, UMD, and SystemJS module formats and turns several deprecated flags into hard errors. It installs through the usual npm install -D typescript.
- AI-assisted audit finds seven real bugs in Cloudflare's CIRCL zkSecurity published on 2026-07-07 an account of an AI-assisted audit of Cloudflare's CIRCL advanced and post-quantum cryptography library that surfaced seven genuine bugs. The findings include a Float64 precision loss in threshold RSA share computation, a DLEQ proof forgery through attacker-controlled security parameters, a BLS aggregate-signature rogue-key weakness from a missing message-distinctness check, an HPKE pre-shared-key validation bypass, an integer overflow in Lagrange coefficient computation, and a CP-ABE access-control break. Cloudflare fixed each issue and paid bounties through HackerOne. The team said humans validated every finding before disclosure.
- Adobe ColdFusion path traversal CVE-2026-48282 is exploited within hours CVE-2026-48282 is a CVSS 10.0 path traversal in the ColdFusion Remote Development Services FILEIO handler that can reach arbitrary code execution. Adobe patched it in the APSB26-68 bulletin on 2026-06-30 with ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10. Reaching code execution requires RDS enabled with its authentication disabled, which is not the default configuration. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-07-07 on confirmed active exploitation. Reporting states exploitation began within about two hours of public disclosure.
- OpenAI clears GPT-5.6 Sol, Terra, and Luna for public release on 2026-07-09 OpenAI said the GPT-5.6 model family will become publicly available on 2026-07-09 after the US Department of Commerce Center for AI Standards and Innovation completed additional testing, lifting the staggered-release restriction that had limited the models to about 20 partner organizations. The family has three tiers. Reporting states Sol, the flagship, is priced at $5 per million input tokens and $30 per million output tokens, Terra at $2.50 and $15, and Luna, the fastest and cheapest, at $1 and $6. Preview access is now open globally through the API and Codex, with consumer access in ChatGPT stated to follow general API availability.
- GitLost tricks GitHub agentic workflows into leaking private repositories Noma Security published on 2026-07-08 an account of a prompt-injection attack, called GitLost, against GitHub Agentic Workflows, the feature that pairs GitHub Actions with Copilot or Claude agents driven by natural-language Markdown files. An attacker files an issue in a public repository of an organization that uses the workflows, hiding instructions in the issue text. When the workflow runs on an event such as issue assignment, the agent treats the issue content as trusted instructions, reads private repository contents such as README files, and posts them as a public comment on the attacker's issue. The researchers bypassed output guardrails by reframing the leak with the word "Additionally." The attack needs no credentials or code, only the ability to open an issue. Noma says it disclosed the issue to GitHub before publishing.
- Anthropic extends included Fable 5 access to 2026-07-12 Anthropic said on 2026-07-08 that Fable 5 stays included on all paid Claude plans through 2026-07-12, past the previously stated 2026-07-07 cutoff. The 50 percent weekly usage cap on Fable 5 remains in place. After 2026-07-12 access moves to prepaid usage credits, reported at $10 per million input tokens and $50 per million output tokens. Anthropic said it aims to restore Fable 5 as a standard subscription model once capacity allows.
Conferences and events
AI
Security
- GhostLock CVE-2026-43499 gives local root and container escape on most Linux distributions Nebula Security disclosed GhostLock (CVE-2026-43499) on 2026-07-07, a stack use-after-free in the Linux kernel rtmutex priority-inheritance code. The removewaiter() path in kernel/locking/rtmutex.c clears the wrong task's piblockedon pointer during a proxy-lock rollback when rtmutexstartproxylock() returns -EDEADLK. The bug was introduced in Linux 2.6.39 and reachable through 7.1-rc1 on any kernel built with CONFIGFUTEXPI enabled, which is the default in mainstream distributions. It needs no special capabilities, user namespaces, or network access. Nebula published a working exploit it reports as 97 percent reliable that gains root and escapes containers, and says Google awarded $92,337 through kernelCTF. The fix landed in Linux 7.1 in April 2026. No in-the-wild exploitation is known, and distributions are still shipping updates.
- Tenda router firmware ships an authentication backdoor CVE-2026-11405 CERT/CC published VU#213560 on 2026-07-06 describing an undocumented authentication backdoor in multiple Tenda networking-device firmware images. The /bin/httpd login function checks an alternate plaintext password stored in device configuration and accepts it with any username, bypassing normal password verification to grant administrative access to the web management interface. Listed images include USFH1201, USW15E, USAC10, USAC5, and USAC6 builds. No patch is available, and CERT/CC reports the vendor could not be reached for coordination. Tracked as CVE-2026-11405.
- OpenBSD sysv_sem use-after-free allows local root CVE-2026-57589 CVE-2026-57589 is a use-after-free in sys/kern/sysvsem.c in OpenBSD through 7.9 that allows local privilege escalation to root. NVD describes it as a context-switch use-after-free after tsleep in syssemget(). It carries CVSS 7.4 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, so it needs local access and has high attack complexity but no prior privileges, and is classified CWE-416. NVD published the record on 2026-06-24 and references fix commit 1957873d2063 without naming a patched release. The thread reached the Hacker News front page on 2026-07-08. No active exploitation is reported.
Developer tools
- Astro 7.0 rewrites its compiler and Markdown pipeline in Rust Astro 7.0 shipped on 2026-06-22 and returned to the Hacker News front page on 2026-07-08. The release moves the .astro component compiler to Rust, replaces the JavaScript unified Markdown and MDX pipeline with a Rust processor, and makes a queued rendering engine the default. Astro reports build-time improvements in the 15 to 61 percent range. Breaking changes include removal of automatic HTML correction, so unclosed tags now error instead of being fixed silently, and JSX-style whitespace collapsing between inline elements. A src/fetch.ts entrypoint adds request-pipeline control, and a platform-agnostic route cache targets Netlify, Vercel, and Cloudflare.
- chezmoi 2.71.0 adds init revision pinning and Windows MSIX packages chezmoi 2.71.0 released on 2026-07-07. It adds --revision and --tag flags to the init command for pinning a dotfiles checkout, an --error-on-conflict flag, KeePassXC open mode on Windows, Windows MSIX package builds, and a switch to a new HTTP caching library.
Languages and runtimes
Infrastructure
- PgDog routes Postgres session state through a Rust proxy The PgDog project published a post on why it built another Postgres connection pooler. PgDog is written in Rust on the Tokio runtime and parses SQL to track per-client session state, so that SET statements and LISTEN/NOTIFY keep working through transaction pooling, which PgBouncer-style poolers drop. It handles each client as an async task across cores rather than sharding pools across separate processes, and adds load balancing and sharding. The post cites pooling at 2 million queries per second in production deployments.
- Cloudflare details Meerkat, a global consensus service built on QuePaxa Cloudflare published on 2026-07-08 an introduction to Meerkat, a global consensus service that keeps control-plane state consistent across its 330-plus datacenters as a strongly consistent, fault-tolerant key-value store. Meerkat implements QuePaxa, a 2023 consensus algorithm from EPFL researchers, which Cloudflare states is its first industrial deployment at global scale. Unlike Raft, QuePaxa runs without a required leader, lets all replicas propose writes concurrently, and does not stall on timeouts, which Cloudflare frames as removing the "tyranny of timeouts" that slows Raft on wide-area networks. Cloudflare reports about 10 times higher throughput than Raft under adverse network conditions, tests with up to 50 globally distributed replicas, and 1 to 3 or more round trips per consensus decision. Meerkat is described as experimental and internal-only for now, and is not open source.
Hacker News
- EU Parliament Chat Control votes draw heavy discussion Several Chat Control threads reached the Hacker News front page on 2026-07-08, including an explainer at 507 points and coverage of a 2026-07-07 European Parliament procedural vote at 542 points. Reporting describes members approving through an urgent procedure a plan to vote again on extending the temporary voluntary message-scanning regime, with the Parliament position stated to exclude end-to-end encrypted communications. Framing conflicts across outlets, and the outcome is not final.
- Decoding the obfuscated bash script on a Uniqlo t-shirt A write-up published on 2026-07-04 reverse-engineers an obfuscated, self-evaluating bash script printed on the back of a Uniqlo t-shirt from Akamai's "Peace for All" collection. The back carries a base64-encoded payload starting with a #!/bin/bash shebang; decoded and run, it animates the text "PEACE FOR ALL" scrolling in a sine wave with a cyan-to-orange color gradient. The author transcribed the print using several OCR tools, including Tesseract, phone circle-to-search, and an LLM, then corrected the output by hand. The thread reached the top of the Hacker News front page on 2026-07-08 with over 1,000 points.