Archestra faced a deluge of AI-generated low-quality contributions: 253 bot comments on a single bounty issue, 27 untested PRs for one feature request. Their solution combines contributor onboarding verification with Git's --author flag to create a barrier that distinguishes AI-assisted human contributions from pure bot spam.
#security
Google's Threat Intelligence Group detected the first confirmed AI-authored zero-day exploit in the wild—a Python script bypassing two-factor authentication in a popular open-source web admin tool, intercepted before criminals could launch a mass exploitation campaign.
Models like Claude Opus 4.5 and GPT-5.5 can now automatically solve medium and many hard CTF challenges, making leaderboards measure token budgets rather than security skill. A detailed analysis argues the open CTF format is effectively dead.
Researchers from Calif teamed with Anthropic's Mythos Preview to develop the first public macOS kernel memory corruption exploit bypassing Apple M5's Memory Integrity Enforcement — in just five days. Apple spent five years building what they broke in a week.
On May 11, 2026, an attacker chained three GitHub Actions vulnerabilities to publish 84 malicious versions across 42 @tanstack/* npm packages. Developers who installed affected versions must immediately rotate all credentials.
Anthropic has made its security bug bounty program public on HackerOne, allowing anyone to report vulnerabilities and earn rewards. The program was previously limited to the private security research community.
A new Linux kernel vulnerability called Dirtyfrag was publicly disclosed without patches or CVEs, allowing unprivileged users to gain root on all major distributions via chained kernel flaws.
Security firm Cyera has disclosed "Bleeding Llama," a critical unauthenticated memory leak vulnerability in Ollama that could expose conversation data, API keys, and other sensitive information to remote attackers.
Anthropic launched the Claude Security public beta for Enterprise customers, offering Opus 4.7-powered codebase scanning that auto-generates targeted patch suggestions, exports findings to CSV or Markdown, and integrates with Slack and Jira.
A North Korean-linked supply chain attack on the Axios npm library compromised OpenAI's macOS code-signing workflow, exposing certificates for ChatGPT Desktop, Codex, and Atlas. Users must update before May 8 or face app lockout.
What caught HN was not the Dune joke. Versions 2.6.2 and 2.6.3 of the lightning package were reported to execute credential-stealing code on import, turning a routine training dependency into an exfiltration path.
HN did not treat CVE-2026-3854 as just another bug bounty post. What jolted readers was that a normal authenticated git push could be turned into backend code execution, pushing the conversation from exploit technique to platform trust.