OpenAI on March 25 launched a public Safety Bug Bounty program on Bugcrowd for AI abuse, agentic misuse, and platform-integrity reports. The company says the new track complements its existing Security Bug Bounty rather than replacing it.
UC Berkeley researchers say eight major AI agent benchmarks can be driven to near-perfect scores without actually solving the underlying tasks. Their warning is straightforward: leaderboard numbers are only as trustworthy as the evaluation design behind them.
Microsoft described a widespread device code phishing campaign that uses AI-driven automation to compromise organizational accounts at scale. The attack abuses legitimate OAuth device code flows, dynamic code generation, and backend polling infrastructure.
GitHub now lets repositories assign Dependabot alerts to Copilot, Claude, or Codex for remediation. The selected agent analyzes the advisory, opens a draft pull request, and tries to fix test failures introduced by the dependency update.
OpenAI said on April 10, 2026 that a compromised Axios package touched a GitHub Actions workflow used in its macOS app-signing pipeline. The company says no user data, systems, or software were compromised, but macOS users need updated builds signed with a new certificate before May 8, 2026.
OpenAI said a malicious Axios 1.14.1 package was executed in a GitHub Actions workflow used for macOS app signing. The company says it found no evidence of user-data exposure or tampered apps, but it is rotating certificates and requiring macOS users to update ChatGPT Desktop, Codex App, Codex CLI, and Atlas before May 8, 2026.
The Indie Stone says a malicious mod exploit affected Project Zomboid Build 42, leading to 14 Workshop uploads being removed and users being told to take extra security steps.
An HN discussion around Cloudflare’s roadmap highlights a security story with direct IT relevance: the company now targets 2029 for full post-quantum protection, including authentication, because recent quantum and algorithmic advances are compressing the migration timeline.
A Hacker News thread amplified Nicholas Carlini's report that Claude Code helped uncover remotely exploitable Linux kernel bugs, including one introduced in 2003. The case suggests frontier coding models are becoming useful vulnerability discovery tools even before they become strong automated exploit builders.
Hacker News pushed CVE-2026-33579 into wider view after NVD described a high-severity OpenClaw flaw in the `/pair approve` path. The issue could let a user without admin rights approve broader device scopes, which turned the thread into a discussion about why AI coding tools now need normal authorization engineering.
Hacker News is focusing on a GitHub write-up for CVE-2026-4747, a stack buffer overflow in FreeBSD’s RPCSEC_GSS path, and on the uncomfortable claim that Claude produced a full remote exploit chain in lab conditions. The discussion is as much about AI-assisted exploit development as it is about the bug itself.
A high-traffic Hacker News thread pushed Alex Kim's Claude Code leak analysis into the center of the developer-tools conversation. The exposed source map turned vague concerns about anti-distillation, telemetry, and hidden behavior into named flags and inspectable code paths.