<?xml version="1.0" encoding="UTF-8" standalone="no"?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><rss xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" version="2.0"><channel><title>Cyber Kendra</title><description>Tech Hub</description><managingEditor>noreply@blogger.com (Root)</managingEditor><pubDate>Sat, 6 Jun 2026 06:29:06 +0530</pubDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">3492</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><link>https://www.cyberkendra.com/</link><language>en-us</language><itunes:explicit>no</itunes:explicit><copyright>All the content is copyright of cyberkendra.com</copyright><itunes:image href="http://2.bp.blogspot.com/-svYWW7Cp8JI/UDUgofD9kUI/AAAAAAAAAEY/ina7VZi4ZRg/s1600/webprotal.png"/><itunes:keywords>Computer,technology,tech,IT,security,Gadgets,Telecom</itunes:keywords><itunes:summary>All about Computer and technology. 
</itunes:summary><itunes:subtitle>Cyber kendra</itunes:subtitle><itunes:category text="Technology"><itunes:category text="Tech News"/></itunes:category><itunes:author>Vivek Gurung</itunes:author><itunes:owner><itunes:email>protalweb@gmail.com</itunes:email><itunes:name>Vivek Gurung</itunes:name></itunes:owner><item><title>Researcher Drops PoC for 1-Click GitHub Token Theft via VSCode Bug — Skips MSRC Entirely</title><link>https://www.cyberkendra.com/2026/06/1-click-github-token-theft-via-vscode.html</link><category>GitHub</category><category>Microsoft</category><category>Security</category><category>ZeroDay Bug</category><pubDate>Wed, 3 Jun 2026 07:24:01 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-2707014837542141389</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="GitHub token theft vulnerability exposed in VSCode browser editor" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy4znccGVBflXC-i2bVUW3ZPQ1ITJz2t6eL-Cg1IAyTThLq34nc05jh45gNLrvqs83fJNqmIxHa2-aPsn1q3Di2vvMcn_04a98W7J0HaxfXiD4DuGu2Ao-Z583aD5FgQRiZbWiTYrURyW2ssom3m5CZOuNfq10PbfZAuvCaAFWNlRm_3TRdwV4dbsVCsw/s16000/github-vscode.webp" title="GitHub token theft vulnerability exposed in VSCode browser editor" /&gt;&lt;/div&gt;&lt;p&gt;Security researcher Ammar Askar has publicly released a fully working proof-of-concept (PoC) exploit that can steal a victim's GitHub OAuth token — granting read and write access to every repository they own, including private ones — with nothing more than a single link click. No phishing page. No social engineering beyond "click this." Just a malicious GitHub repository opened in github.dev, GitHub's browser-based editor.&lt;/p&gt;&lt;p&gt;Askar made no attempt to coordinate disclosure with Microsoft's Security Response Center (MSRC). 
He's done that before, and he says the experience was bad enough that he won't do it again.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Attack Chain: A Cleverly Chained Exploit&lt;/h3&gt;&lt;p&gt;The vulnerability lives inside github.dev, GitHub's browser-based version of Visual Studio Code (VSCode). When a user opens any repository through github.dev, GitHub's servers silently POST an OAuth token to the editor — a token that isn't scoped to just that one repo. It has full access to everything the user can touch on GitHub.&lt;/p&gt;&lt;p&gt;To get that token out, Askar exploited a subtle but significant flaw in how VSCode handles its sandboxed "webviews" — the isolated iframes (inline frames) used to render content like Jupyter notebooks and Markdown previews.&amp;nbsp;&lt;/p&gt;&lt;p&gt;While these iframes run in a separate browser origin to prevent untrusted code from accessing VSCode's internals, VSCode deliberately punches a hole through this boundary so that keyboard shortcuts keep working from inside a webview. When you press a key inside a webview, a did-keydown event gets relayed to the main editor window.&lt;/p&gt;&lt;p&gt;&lt;b&gt;The problem: &lt;/b&gt;nothing stops JavaScript running inside a webview from dispatching synthetic keyboard events — events that VSCode's main window treats as genuine user input.&lt;/p&gt;&lt;p&gt;&lt;a href="https://blog.ammaraskar.com/github-token-stealing/" rel="nofollow" target="_blank"&gt;Askar's PoC exploits&lt;/a&gt; this with a repo containing a Jupyter notebook and a local workspace extension. 
The notebook's JavaScript payload waits a few seconds for VSCode to surface a notification prompting extension installation, then fires a simulated Ctrl+Shift+A keystroke to accept it.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The extension — which lives inside .vscode/extensions and bypasses VSCode's publisher trust check because local workspace extensions are considered implicitly trusted — then registers a custom keybinding.&amp;nbsp;&lt;/p&gt;&lt;p&gt;One more simulated keystroke later, a second extension installs silently, retrieves the GitHub OAuth token from the editor's session, queries the GitHub API for private repo names, and displays them in an information box alongside the stolen token.&lt;/p&gt;&lt;p&gt;&lt;b&gt;The entire attack runs in under 30 seconds. A user needs only to open the malicious notebook link.&lt;/b&gt;&lt;/p&gt;&lt;p&gt;The vulnerability also affects the desktop version of VSCode, where an attacker would need to convince a target to clone a repo and open the notebook — a higher bar, but still achievable. If there's any other XSS in a desktop VSCode webview, the same technique delivers full remote code execution.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why He Didn't Tell MSRC First&lt;/h3&gt;&lt;p&gt;Askar's disclosure is a direct consequence of accumulated frustration with how Microsoft handles VSCode security reports.&amp;nbsp;&lt;/p&gt;&lt;p&gt;In a &lt;a href="https://blog.ammaraskar.com/vscode-rce/#microsoft-security-and-vscode" rel="nofollow" target="_blank"&gt;previous report&lt;/a&gt;, he says MSRC silently patched the issue, gave him no credit, and classified it as having no security impact.&amp;nbsp;&lt;/p&gt;&lt;p&gt;He points to a pattern: a command injection in VSCode's built-in Git extension reported by SonarSource was marked ineligible. A researcher named Justin Steven found an XSS in the built-in Jupyter Notebook extension — also ineligible. 
MSRC's position, according to Askar, is that even first-party extensions that ship with VSCode are out of scope.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;"In the future, I am going with the public disclosure route for any VSCode-related bugs I find," Askar wrote in his previous blog post. "I would encourage other security researchers to do the same until there is some improvement."&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;This disclosure arrives in the middle of a larger, louder argument about exactly this dynamic. In April and May 2026, a researcher operating as Nightmare Eclipse dropped six Windows zero-day exploits in rapid succession — &lt;b&gt;BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, &lt;/b&gt;and &lt;b&gt;MiniPlasma&lt;/b&gt; — all without coordinating with Microsoft.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Three were exploited in live attacks before patches arrived; CISA added them to its Known Exploited Vulnerabilities catalog.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Microsoft &lt;a href="https://x.com/msftsecresponse/status/2061293718942908925" rel="nofollow" target="_blank"&gt;responded by threatening&lt;/a&gt; to involve its Digital Crimes Unit, hinting at criminal referrals. The security community largely reacted with dark amusement. Jason Lang, a Team Lead at TrustedSec, called Microsoft's position "hilarious" given the horror stories researchers routinely share about MSRC. Kevin Beaumont, a former Microsoft employee and respected security voice, described the situation as "a dumpster fire of their own making."&lt;/p&gt;&lt;p&gt;It is into this environment that the github.dev token theft PoC landed. The timing is not coincidental.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Bigger Picture: VSCode Is a High-Value Target&lt;/h3&gt;&lt;p&gt;According to the researcher, the github.dev attack surface is particularly sensitive because the OAuth token it issues isn't limited in scope. 
It isn't a read-only token for one repo — it's a broad credential that can clone private repositories, push commits, alter settings, and trigger workflows across everything a user has access to. In a corporate environment, that can mean access to an entire organization's private codebase.&lt;/p&gt;&lt;p&gt;This arrives weeks after TeamPCP, a financially motivated threat group, &lt;a href="https://www.cyberkendra.com/2026/05/githubs-own-codebase-was-breached.html" target="_blank"&gt;breached roughly 3,800 of GitHub's own internal repositories&lt;/a&gt; via a poisoned VS Code extension installed on a GitHub employee's device. That breach, confirmed by GitHub in May 2026, underscored how completely the extension ecosystem has become a primary attack surface for credential theft and supply chain intrusion.&lt;/p&gt;&lt;p&gt;VSCode's security team does deserve partial credit: the existing defenses — strict Content Security Policy, DOMPurify-sanitized Markdown rendering, and the script-src 'none' directive in extension views — prevented the attack from becoming considerably worse. Without those controls, the same technique could have enabled one-click remote code execution on every desktop VSCode user who clicked a link.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;How to Protect Yourself Right Now&lt;/h3&gt;&lt;p&gt;Microsoft has since mitigated this issue on its end and says no customer action is required. However, if you previously ran Askar's PoC to test your own exposure, you should still uninstall the proof-of-concept extension from your github.dev environment — otherwise it will persist across every github.dev session you open.&lt;/p&gt;&lt;p&gt;There are no CSRF tokens or other protections that limit which links on the internet can redirect you into github.dev. 
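&lt;/p&gt;&lt;p&gt;One practical check that follows from the attack chain described above: before opening an untrusted repository in VSCode or github.dev, look for the two artefacts the PoC depends on, a workspace extension under .vscode/extensions (which VSCode treats as implicitly trusted) and a notebook whose cells carry HTML or JavaScript that a webview will render. The Python script below is an added example written for this article; it is not Askar's PoC and not VSCode tooling. The .vscode/extensions layout and its implicit trust come from the article; the specific notebook MIME types and cell magics it flags, and the sample repository it builds for the demonstration, are the example's own assumptions.&lt;/p&gt;
```python
"""Audit a cloned repository for the two artefacts the github.dev PoC relies on.

Added example, not part of the original article or the researcher's PoC.
It flags (1) workspace extensions under .vscode/extensions, which VSCode
treats as implicitly trusted, and (2) Jupyter notebooks whose cells carry
HTML or JavaScript outputs that a webview will render. Run it on a clone
BEFORE opening it in VSCode or github.dev. The MIME types and magics below,
and the sample repository built by build_sample_repo(), are assumptions made
for this example.
"""
import json
import tempfile
from pathlib import Path

# Notebook output MIME types that a renderer will execute or display as markup.
ACTIVE_OUTPUT_MIMES = ("text/html", "application/javascript", "text/javascript")
# Cell magics that embed script or markup directly in the cell source.
ACTIVE_MAGICS = ("%%javascript", "%%js", "%%html")


def audit_workspace_extensions(root):
    """Return one finding per extension manifest under .vscode/extensions."""
    findings = []
    for manifest in Path(root).glob(".vscode/extensions/*/package.json"):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            meta = {}
        contributes = meta.get("contributes", {}) or {}
        findings.append({
            "kind": "workspace-extension",
            "path": str(manifest.relative_to(root)),
            "name": meta.get("name", "?"),
            # A contributed keybinding is how the PoC's first extension
            # wires the next simulated keystroke to its own command.
            "keybindings": [kb.get("key", "?") for kb in contributes.get("keybindings", [])],
            "activation": meta.get("activationEvents", []),
        })
    return findings


def audit_notebooks(root):
    """Return one finding per notebook cell with an active output or magic."""
    findings = []
    for nb_path in Path(root).rglob("*.ipynb"):
        try:
            nb = json.loads(nb_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        for idx, cell in enumerate(nb.get("cells", [])):
            source = "".join(cell.get("source", []))
            mimes = set()
            for out in cell.get("outputs", []):
                mimes.update(m for m in out.get("data", {}) if m in ACTIVE_OUTPUT_MIMES)
            magic = any(source.lstrip().startswith(m) for m in ACTIVE_MAGICS)
            if mimes or magic:
                findings.append({
                    "kind": "notebook-active-content",
                    "path": str(nb_path.relative_to(root)),
                    "cell": idx,
                    "mimes": sorted(mimes),
                    "magic": magic,
                })
    return findings


def audit_repo(root):
    """Combine both checks; an empty list means nothing suspicious was found."""
    return audit_workspace_extensions(root) + audit_notebooks(root)


def build_sample_repo(root):
    """Construct a sample repository shaped like the one the article describes."""
    ext_dir = Path(root) / ".vscode" / "extensions" / "helper"
    ext_dir.mkdir(parents=True)
    (ext_dir / "package.json").write_text(json.dumps({
        "name": "helper",
        "activationEvents": ["*"],
        "contributes": {"keybindings": [{"key": "ctrl+shift+a", "command": "helper.run"}]},
    }))
    Path(root, "notes.ipynb").write_text(json.dumps({
        "cells": [
            {"cell_type": "code", "source": ["print(1)"], "outputs": []},
            {"cell_type": "code", "source": ["display(HTML(...))"],
             "outputs": [{"output_type": "display_data",
                          "data": {"text/html": ["div"], "text/plain": ["x"]}}]},
        ]
    }))
    Path(root, "README.md").write_text("benign")


def demo():
    """Build the constructed sample repo in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return audit_repo(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
&lt;p&gt;Run it against a fresh clone (audit_repo(path)) before the repository is ever opened in an editor. Any finding is a reason to read the extension's code and the notebook's outputs first, or not to open the repository at all; an empty result is not proof of safety, since the keydown relay is reachable from any script a webview will run.&lt;/p&gt;&lt;p&gt;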
At the time of Askar's disclosure, neither root cause had been fixed: the webview keydown relay still accepted synthetic events, and the OAuth token issued to github.dev was still unscoped. Microsoft's subsequent statement refers to its own services; desktop VSCode, where Askar says the same relay behavior exists, is not mentioned in that statement.&lt;/p&gt;&lt;p class="note"&gt;The PoC repository and installed extension code are publicly available. Microsoft, in a statement to Cyber Kendra, said: "This issue has been mitigated for our services, and no customer action is required."&lt;/p&gt;&lt;p class="note"&gt;&lt;b&gt;Update (June 2026):&lt;/b&gt; Microsoft has confirmed the issue has been mitigated. See Microsoft's statement above.&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjy4znccGVBflXC-i2bVUW3ZPQ1ITJz2t6eL-Cg1IAyTThLq34nc05jh45gNLrvqs83fJNqmIxHa2-aPsn1q3Di2vvMcn_04a98W7J0HaxfXiD4DuGu2Ao-Z583aD5FgQRiZbWiTYrURyW2ssom3m5CZOuNfq10PbfZAuvCaAFWNlRm_3TRdwV4dbsVCsw/s72-c/github-vscode.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Ways to improve your rank and quickly understand the main principles of Fortnite</title><link>https://www.cyberkendra.com/2024/02/ways-to-improve-your-rank-and-quickly.html</link><category>Game</category><pubDate>Thu, 29 Feb 2024 10:26:00 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-279488901045052277</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;
  &lt;img alt="Improve Your Fortnite Ranks" border="0" data-original-height="720" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gMN3M9l1gSeC9_HGBwvT3Eg-DVb_zO_gaZkMfKhBNmHjZjmtYdnwwXrc_utamc_TFgsEsf8ogeGa_Q1ibRVaZ8BuWa0qUAkHNz8HpA2_bqJ-pMziL9o7vCzMnNo5uN-h0ktH2BRrPQSPw21wSvR-NUE2-atol3jrdogCHG41Anwexi-0yTcHbwO3Lrg/s16000/Improve-Fortnite-ranks.webp" title="Improve Your Fortnite Ranks" /&gt;
&lt;/div&gt;
&lt;p&gt;
  Fortnite is one of the most popular battle royale games. Players compete to be
  the last survivor in each match and for an overall rank in the game's ladder
  system. It uses cartoon-style graphics, a unique building mechanic, and a range
  of weapons and grenades with playful effects such as forced dancing.
&lt;/p&gt;
&lt;p&gt;
  You can raise your rank on your own by gradually mastering shooting, fast
  looting of weapons and other drops, sensible landing spots and survival
  techniques that keep you alive as long as possible, or you can order
  &lt;a href="https://skycoach.gg/fortnite-boost" rel="nofollow" target="_blank"&gt;this&lt;/a&gt;
  service from Skycoach to start playing against tough opponents right away
  instead of easy, predictable ones.
&lt;/p&gt;
&lt;p&gt;
  That route suits players who want to test themselves against new opponents or
  who are returning to Fortnite after a long break and want to regain their rank
  quickly.
&lt;/p&gt;
&lt;p&gt;
  Don't worry too much about the skill level at higher ranks. Those players will
  build more automatically and aim more accurately, but you won't always be
  behind them.
&lt;/p&gt;
&lt;p&gt;
  Either way, the ranking system will gradually calibrate you to your real level
  of experience and Fortnite rank.
&lt;/p&gt;
&lt;h3 style="text-align: left;"&gt;Landing&lt;/h3&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" data-original-height="1024" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3xOvJ4vChHfwCX6TBZF3RJGFkz9cEujhPsX9XMHExnbTdAChA5-ltZ55dzSIafRvm1D48Xpiv064z-EYWbjEyGE0HJFOl5YCcdrDpZFWX_i6sKFus-VwBM4hY_6aU7DQXvgeo4XrN-V1bHH2E6buy_CBPiiJy7zleiMQP5qWpp8meyX4pwOAC-GDP_9k/s16000/landing-Fortnite.webp" /&gt;&lt;/div&gt;
&lt;p&gt;
  The most important thing in the early stages of a round is to avoid an early
  elimination that would cost you the rank you are trying to boost.
&lt;/p&gt;
&lt;p&gt;
  Find a good, fast-firing weapon immediately so you can fight in the first
  minutes of the game, before the storm circle forms and starts shrinking towards
  the final battle zone.
&lt;/p&gt;
&lt;p&gt;
  Landing in the large urban areas risks a quick defeat and a drop in rating.
&lt;/p&gt;
&lt;p&gt;
  That option is better for players who want to train their aim and their speed
  at finding gear and weapons, and who are prepared either to die quickly or to
  survive the opening stage and continue towards the top spot.
&lt;/p&gt;
&lt;p&gt;
  Landing in a zone with two or three houses puts you in a stronger position,
  because large groups of enemies rarely land there. Before you jump, check how
  many enemies have just jumped towards that spot and decide accordingly.
&lt;/p&gt;
&lt;p&gt;
  In such locations you can collect decent starting equipment, a first weapon and
  some healing items, then wait for the first circle to close and move towards
  the area of the final battle, where your rank gain in Fortnite will be decided.
&lt;/p&gt;
&lt;p&gt;
  Avoid landing points where the loot is minimal, usually single isolated
  buildings. They are likely to be safe, but the chance of finding good starting
  gear there, rather than a pistol with no armour or helmet, is small. Such spots
  are also often badly placed relative to the shrinking map, and if you need to
  travel a long way quickly you will be at a serious disadvantage.
&lt;/p&gt;
&lt;h3 style="text-align: left;"&gt;Quick collection&lt;/h3&gt;
&lt;p&gt;
  Learn to quickly assess and pick up only genuinely useful items and ammo, and
  leave the rest, because your inventory is limited and you won't always find a
  good backpack right away.
&lt;/p&gt;
&lt;p&gt;
  Fortunately, Fortnite colour-codes items by rarity, which makes their value
  easy to read at a glance.
&lt;/p&gt;
&lt;p&gt;
  Gold and purple items are the most valuable. Early on this matters little,
  because you take whatever you find, but later you learn to quickly pick out the
  most powerful weapon types.
&lt;/p&gt;
&lt;p&gt;
  Collect healing items, armour &amp;amp; helmets, and grenades. All of them increase
  your survivability and let you restore health and resources after hard fights.
&lt;/p&gt;
&lt;p&gt;
  Harvest wood, stone and metal as you move so you can build instantly wherever
  you are; once you can do it quickly and efficiently it will save your life
  again and again.
&lt;/p&gt;
&lt;h3 style="text-align: left;"&gt;Airdrop&lt;/h3&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" data-original-height="1024" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizmjdt0cT74FTLzE5PDgpU4G-G3XR-anj6h6Zpcmv7qWEErHTZ1rAkSpdzBzRwZmyr_Aoo6s3Dd0gBAvSQU6_c5O4mJWKXctzOEkWB5vi154pHHnRKAg7ebWECMOKMqm7Uqelur1JpaDpASry80FGifSR6LoRb7rISwyRTHEmPauM1IBXDg-NGjVB_cBU/s16000/airdrop.webp" /&gt;&lt;/div&gt;
&lt;p&gt;
  Periodically an
  &lt;a href="https://fortnite.fandom.com/wiki/Supply_Drop_(Battle_Royale)" target="_blank"&gt;airdrop&lt;/a&gt;
  lands at a random place on the map with random weapons and equipment. Other
  players also see it, which makes collecting it much riskier, but it has a high
  chance of containing a legendary item. Either grab it and leave quickly, or set
  an ambush, pick off the players who go for it, and then move on.
&lt;/p&gt;
&lt;p&gt;The alternative is to ignore the drop entirely, use the moment when many players shift their attention to it to improve your own position on the map, wait for the next stage, and pick your fights on your own terms without taking unnecessary risks.&lt;/p&gt;
&lt;h3 style="text-align: left;"&gt;Construction&lt;/h3&gt;
&lt;p&gt;
  As you survive and climb the ranks in Fortnite you accumulate resources, which
  you can spend on your own safety and defence against enemies.
&lt;/p&gt;
&lt;p&gt;
  You can quickly build vertical and horizontal fortifications, whose strength
  depends on the type of material you use.
&lt;/p&gt;
&lt;p&gt;
  When you start building you see a silhouette of the future structure, which you
  confirm and then extend upwards and sideways as you see fit. Once you know the
  basics, your building speed will gradually increase, leaving you time to shoot
  as well.
&lt;/p&gt;
&lt;p&gt;The most interesting duels are between two players who instantly build up the area, destroy each other's barricades and rebuild their cover; the one who runs out of resources first, or who loses focus and takes a bullet, loses, and with it their Fortnite rank progress.&lt;/p&gt;
&lt;p&gt;
  Keep in mind that stone and metal are denser and more durable than other
  materials, while wood is easy to harvest but is shot through by most weapon
  types.
&lt;/p&gt;
&lt;p&gt;
  Stockpile metal and stone at the first opportunity; they are what will save
  your life when a critical fight or a barrage begins.
&lt;/p&gt;
&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0gMN3M9l1gSeC9_HGBwvT3Eg-DVb_zO_gaZkMfKhBNmHjZjmtYdnwwXrc_utamc_TFgsEsf8ogeGa_Q1ibRVaZ8BuWa0qUAkHNz8HpA2_bqJ-pMziL9o7vCzMnNo5uN-h0ktH2BRrPQSPw21wSvR-NUE2-atol3jrdogCHG41Anwexi-0yTcHbwO3Lrg/s72-c/Improve-Fortnite-ranks.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>FC 24: What's New in EA Sports' Latest Football Simulation Game</title><link>https://www.cyberkendra.com/2024/01/fc-24-whats-new-in-ea-sports-latest.html</link><category>Game</category><pubDate>Thu, 18 Jan 2024 00:05:00 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-6406935326609334964</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="FIFA 24 is FC24" border="0" data-original-height="1024" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-Q1mpA9EtqmVIkVgK53MXk3OIzG3RkvwMQxrInE_l75ku9h6iAoLL5ezCggacE6okvzYdPP-pwd2WWshIeAVAzOyo7eQnTE_x2giL-EbMjX0fDgC6racoHL-r9pjY79U716DhO0u1yKSqJz9dYCbO4PqrKsXpspa8YELnSH4pPgifm6qM8O6ShGTBZk/s16000/fc24.webp" title="FIFA 24 is FC24" /&gt;&lt;/div&gt;&lt;p&gt;EA Sports' FC 24 is the newest iteration in their long-running FIFA soccer video game franchise. 
With the loss of the FIFA name and license, EA has rebranded the game as FC 24 but it still retains the same great gameplay and modes that fans have come to know and love.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Don't be confused by the new name: FC 24 is essentially FIFA 24. EA Sports could not reach an agreement with FIFA to keep using the federation's name, so after 20 years the franchise has been renamed to the simpler, clearer FC 24.&lt;/p&gt;&lt;p&gt;This article covers FC 24's new features and gameplay enhancements, along with the game's strengths and potential limitations. While the name has changed due to licensing issues, FC 24 delivers the same realistic simulation gameplay that fans have come to expect from the franchise over the past two decades.&lt;/p&gt;&lt;h2 style="text-align: left;"&gt;Game Modes and Formats&lt;/h2&gt;&lt;p&gt;At its core, FC 24 delivers the same smooth, responsive gameplay the FIFA series is known for along with incremental graphics improvements. Player animations have been polished with more lifelike runs, tackles, and goal celebrations. Stadium atmospheres have also been enhanced with 3D crowds and more broadcast-style camera angles for an immersive TV-style presentation. EA promises even more gameplay fluidity and responsiveness, especially on next-gen consoles, for bone-crunching tackles and precision dribbling.&lt;/p&gt;&lt;p&gt;While the graphics step up is noticeable, some may argue it's not a huge generational leap compared to other next-gen sports titles. 
However, the polished animations and enhanced atmospheres still make for an excellent overall soccer experience.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Online Mode&lt;/h3&gt;&lt;p&gt;This is the most popular format among players. It comes down to personal skill and luck: even if you pick a famous club, you do not get its real squad, and your first team is assembled randomly from the cards in your opening packs.&lt;/p&gt;&lt;p&gt;Online play allows you to take your favorite club and test your skills against opponents from around the world. When you first start, your squad will be filled with random players until you earn more stars through matches and tournaments.&lt;/p&gt;&lt;p&gt;The key to building a competitive online team is acquiring FIFA coins, which can be earned through gameplay or purchased. Coins allow you to obtain packs with new player cards or buy specific players at auction. An active ranking and league system matches you against similarly skilled opponents as you build your team.&lt;/p&gt;&lt;p&gt;FIFA coins play an important role in getting the right football players, and you can get them through various matches, tournaments, and events, or simply&amp;nbsp;buy FC 24 coins&amp;nbsp;&lt;a href="https://skycoach.gg/fc-24-boost/fc-24-coins" rel="nofollow" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Tournaments&lt;/h3&gt;&lt;p&gt;So that players don't get bored and have something beyond grinding for FC 24 coins, there is a tournament system open to anyone active enough to qualify and skilled enough to win the required number of matches. 
Tournaments provide another avenue to earn prizes and coins outside regular online matches.&amp;nbsp;&lt;/p&gt;&lt;p&gt;You'll need to gain 1500 qualification points per week to enter tournaments where you can win coins, packs, stadium customizations, and more. Even if you don't advance past the qualifying round, you still earn rewards.&lt;/p&gt;&lt;p&gt;If you reach the main stage, you are guaranteed several large packs with random gold players and then play 20 matches, where each win earns additional FC 24 coins, player cards, stadium decorations and goal celebration cards, including the celebrations of Ronaldo and other famous players.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Moments&lt;/h3&gt;&lt;p&gt;Relive famous moments from football history by completing in-game scenarios and objectives. This provides a fun diversion from normal matches while allowing you to earn more FIFA coins.&lt;/p&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;img border="0" data-original-height="844" data-original-width="1500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPsU-81Ez_m_uQNx882hNPIdMBe-bTHUcbp48CmiRUgroEyejZOluOkcZBASM5wT7Fu9o0f0VnUBi_OFYUNbpN51U2tDmqOkMq51MQVTjSLLsw9dQGlXVtXXoW7pgKbdYxmbZ8RcjqJEJbBft-uXmaAVJK8gjDlx2bAND5yj6YcVnXuL3QBTtknqY3XgI/s16000/game-specs.webp" style="margin-left: auto; margin-right: auto;" /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;FC24 System Requirements&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;h3 style="text-align: left;"&gt;Challenges&lt;/h3&gt;&lt;p&gt;New challenges are assigned each week by the FC 24 board. 
Completing these unlocks coins and can level up your existing player cards.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Career Mode&lt;/h3&gt;&lt;p&gt;This is a match format that is familiar to everyone who has ever played any of the versions of FIFA that have been released over the past 20 years.&lt;/p&gt;&lt;p&gt;Career mode lets you take control of a club as the manager. You oversee all aspects of running the team from training to transfers as you guide them over multiple seasons. This provides a deeper experience beyond just match play.&lt;/p&gt;&lt;p&gt;In this format, no matter which club you choose, you will receive a current playing roster comparable to the real contracts of the players who are in it.&lt;/p&gt;&lt;p&gt;It’s more interesting, of course, to take a club from weak leagues and bring them to the &lt;a href="https://www.uefa.com/uefachampionsleague/fixtures-results/" rel="nofollow" target="_blank"&gt;Champions League&lt;/a&gt;, but everyone chooses their own gameplay.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Pro Mode&lt;/h3&gt;&lt;p&gt;Pro mode is a newer addition that lets you create a single player and control just them. Start in the youth squad and work your way up through the senior team as you develop your player. You directly control your pro in matches while your AI teammates play around you. 
This provides a unique experience as you chase glory for your virtual pro.&lt;/p&gt;&lt;p&gt;Remember that you control only your own player: you can interact with teammates through passes and by calling for the ball, but the AI plays the rest of the team for you whether you are a forward, a defender or a goalkeeper.&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="EA's FC24 football game" border="0" data-original-height="1024" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWYkvwumuj-N9FjlGMY8A5onUQMEB9Q9BDg7yDisxIbxVTUZArVXmAbTMBtGMpigsZAf77V7_mFsqPV30MaUzjCRBj6FobinT9XwyG18FIhaYiRwrLPehvM2D3BrBeSkHgDbcQyXr_oU6fvdhenmtIC6H-JzPt1V4YSfVMxYhsGUj_9DFO8-pJqtFuSj8/s16000/pasted%20image%200%20(8).png.webp" title="EA's FC24 football game" /&gt;&lt;/div&gt;&lt;h2 style="text-align: left;"&gt;Gameplay Improvements&lt;/h2&gt;&lt;p&gt;In addition to new modes, FC 24 also delivers improved realism and graphics:&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Enhanced physics, animations, and ball mechanics provide even more realistic gameplay&lt;/li&gt;&lt;li&gt;Individual players, crowds, and managers react intelligently to match events&lt;/li&gt;&lt;li&gt;Playing styles for over 19,000 players are tuned to match their real-life counterparts&lt;/li&gt;&lt;li&gt;Motion capture from professional players results in smooth, lifelike movements&lt;/li&gt;&lt;li&gt;Photorealistic graphics make it feel like you're watching a live broadcast&lt;/li&gt;&lt;/ul&gt;&lt;h3 style="text-align: left;"&gt;Managing Your Club&lt;/h3&gt;&lt;p&gt;As a manager in career mode, you have full control over your club. 
Here are some of the key responsibilities:&lt;/p&gt;&lt;h4 style="text-align: left;"&gt;Transfers and Contracts&lt;/h4&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Buy, sell, and loan players in the transfer windows&lt;/li&gt;&lt;li&gt;Offer contracts to negotiate salaries and contract length&lt;/li&gt;&lt;li&gt;Balance team needs, budgets, and player morale&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;h4 style="text-align: left;"&gt;Tactics and Training&lt;/h4&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Set formations, positions, and tactical styles&lt;/li&gt;&lt;li&gt;Train players to improve attributes like passing, pace, and shooting&lt;/li&gt;&lt;li&gt;Develop customized training plans&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;h4 style="text-align: left;"&gt;Finances&lt;/h4&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Manage budgets and club value&lt;/li&gt;&lt;li&gt;Invest in facilities like training grounds and stadiums&lt;/li&gt;&lt;li&gt;Balance profitability with on-field performance&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;h4 style="text-align: left;"&gt;Youth Development&lt;/h4&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Scout for promising prospects around the world&lt;/li&gt;&lt;li&gt;Sign youth academy players and nurture their development&lt;/li&gt;&lt;li&gt;Promote top prospects to the senior squad&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;With comprehensive management systems, career mode allows you to inhabit the role of manager. Your choices shape the club over months and years as you chase the thrill of victory.&lt;/p&gt;&lt;h2 style="text-align: left;"&gt;Take Your Game to the Next Level&lt;/h2&gt;&lt;p&gt;For soccer gaming fans, FC 24 represents an exciting new chapter for the long-running EA series. 
The renamed franchise shows evolution in the key areas that matter - smoother core gameplay animations, enhanced visuals and presentation, improved ball physics and deepened career progression. EA has clearly invested heavily in HyperMotion 2 technology to really up the realism factor this year for a true next-gen feel.&lt;/p&gt;&lt;p&gt;The loss of the FIFA brand may sting initially, but the licensing situation remains largely status quo outside of the World Cup. And EA reassures fans that it will continue pursuing partnerships to deepen the content and licensing in future updates. While some visuals like crowds and environments still have room for improvement, there's no denying FC 24 delivers where it matters most - incredible pitch action more lifelike than ever before. Overall, FC 24 feels like a needed incremental upgrade to appeal to both casual kick-off fans and hardcore FUT enthusiasts alike.&lt;/p&gt;&lt;p&gt;Whether you're aiming to lead a storied club to European glory or take a minnow to the top, FC 24 offers deeper gameplay options than ever before in the FIFA series. 
Sharper graphics, improved realism, and new modes provide a varied experience for football fans.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8-Q1mpA9EtqmVIkVgK53MXk3OIzG3RkvwMQxrInE_l75ku9h6iAoLL5ezCggacE6okvzYdPP-pwd2WWshIeAVAzOyo7eQnTE_x2giL-EbMjX0fDgC6racoHL-r9pjY79U716DhO0u1yKSqJz9dYCbO4PqrKsXpspa8YELnSH4pPgifm6qM8O6ShGTBZk/s72-c/fc24.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Document Security: What Every Business Needs to Know</title><link>https://www.cyberkendra.com/2026/06/document-security-what-every-business.html</link><category>Learn</category><category>Tips</category><pubDate>Thu, 4 Jun 2026 22:09:22 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-6512690156743308922</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Translate PDF free" border="0" data-original-height="1000" data-original-width="1500" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM2qzEorEFJ_9dSXK8AqqkEKPxz9HsP4Cy4xkotSqPcX5BrnXcUmZcU02j2YMYaC6P8OfLOGEmBWfB8VUPuMOcqluYfIxxfovquNCIiOOcYrPdAioxXqTbPgxpwD7du_KuXY849xoxxbEgZzWfFYmSy_iNeTrWd51h5qwFl1SiQoYm-_UAM3-BGU6bb2I/s16000/translate-pdf.webp" title="Translate PDF free" /&gt;&lt;/div&gt;&lt;p&gt;Documents are the lifeblood of any business. Contracts, financial records, customer data, intellectual property, and internal communications all flow through files that move between devices, inboxes, and cloud services dozens of times a day.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Yet document security is often treated as an afterthought, addressed only after something goes wrong. 
In an era of relentless data breaches and tightening regulation, that is a dangerous gamble. Here is what every business needs to understand about keeping its documents secure.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why Documents Are a Prime Target&lt;/h3&gt;&lt;p&gt;Cybercriminals understand something many businesses overlook: documents are where the valuable information lives. A single leaked contract can expose pricing, terms, and client relationships. A compromised spreadsheet can reveal financial data or personal information covered by data protection law. Attackers often go after documents precisely because they are rich in sensitive content and frequently poorly protected.&lt;/p&gt;&lt;p&gt;The threat is not only external. Accidental exposure (an email sent to the wrong recipient, a file left on an unsecured drive, or a document uploaded to a careless third-party service) accounts for a large share of data incidents. Understanding that documents themselves are an attack surface, not just the systems that store them, is the first step towards taking their security seriously.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Fundamentals Every Business Should Have&lt;/h3&gt;&lt;p&gt;Strong document security begins with a few non-negotiable basics. Sensitive files should be encrypted both when stored and when sent, so that even if they fall into the wrong hands, the contents remain unreadable. Access should be controlled on a need-to-know basis, with permissions limiting who can view, edit, or share a given document.&lt;/p&gt;&lt;p&gt;Password protection on critical files, secure and regular backups, and clear policies about how documents are handled all form part of a solid foundation. None of this is exotic or expensive, yet a surprising number of businesses neglect these fundamentals. 
Getting them right dramatically reduces risk and is well within reach of even the smallest organisation.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Hidden Risk in Everyday Tools&lt;/h3&gt;&lt;p&gt;Some of the most overlooked document risks come from the convenient online tools employees use to get their jobs done. Free file converters, online editors, and web-based translation services are enormously handy, but they often involve uploading a document to an unknown third-party server. For a confidential file, that is a genuine security concern, as the business loses control over where its data goes and how it is handled.&lt;/p&gt;&lt;p&gt;Translation is a perfect example. When an employee needs to understand a foreign-language contract or supplier document, the temptation is to paste it into the nearest free online translator, with little thought about what happens to that sensitive text afterwards. A safer approach is to use trusted, established software that is transparent about data handling.&amp;nbsp;&lt;/p&gt;&lt;p&gt;With Adobe Acrobat, for instance, you can translate a document into PDF by opening it, selecting the &lt;a href="https://www.adobe.com/uk/acrobat/resources/how-to-translate-a-pdf.html" target="_blank"&gt;PDF translate&lt;/a&gt; option, and converting it into your chosen language through Adobe Express, with the source language detected automatically and the option to translate whole files or just specific passages.&lt;/p&gt;&lt;p&gt;Crucially for security-conscious businesses, Adobe is clear that it does not train its AI models on the documents you process, which is exactly the kind of data-handling transparency a business should look for before feeding any confidential file into a tool. 
The broader lesson holds regardless of the specific software: always know what a service does with your data before you upload sensitive material to it.&lt;/p&gt;&lt;h4 style="text-align: left;"&gt;Building a Culture of Security&lt;/h4&gt;&lt;p&gt;Technology alone cannot secure a business's documents. The most sophisticated tools are undermined by a single employee who reuses weak passwords, falls for a phishing email, or carelessly shares a confidential file. This is why building a genuine culture of security awareness is just as important as any software you deploy.&lt;/p&gt;&lt;p&gt;Regular training, clear and practical policies, and a workplace where employees feel able to report mistakes without fear all contribute to stronger document security.&amp;nbsp;&lt;/p&gt;&lt;p&gt;People are often described as the weakest link in security, but with the right culture, they become the strongest defence. A team that understands why document security matters and knows how to handle files responsibly is worth more than any single piece of technology.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Practical Steps to Take Today&lt;/h3&gt;&lt;p&gt;For businesses wanting to improve their document security, the path forward is clearer than it might seem. Start by identifying your most sensitive documents and ensuring they are encrypted and access-controlled. Review the tools your team uses, paying particular attention to any online services that involve uploading files, and replace risky ones with trusted alternatives.&lt;/p&gt;&lt;p&gt;Establish clear policies for how documents are shared, stored, and disposed of, and back them up with practical training. Ensure you have secure, tested backups so that a ransomware attack or accidental deletion does not become a catastrophe. 
None of these steps requires a vast budget, just a deliberate commitment to treating document security as the priority it deserves to be.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Compliance Is Not Optional&lt;/h3&gt;&lt;p&gt;Beyond the direct threat of breaches, businesses face a legal landscape that demands proper document security. Data protection regulations such as the UK GDPR impose serious obligations on how personal data is stored, processed, and protected, with significant penalties for failures. Documents containing customer or employee data fall squarely within these rules.&lt;/p&gt;&lt;p&gt;According to the &lt;a href="https://www.ncsc.gov.uk/" rel="nofollow" target="_blank"&gt;National Cyber Security Centre&lt;/a&gt;, organisations of all sizes should take a proactive, risk-based approach to protecting their information, treating security as an ongoing business priority rather than a one-off technical task.&amp;nbsp;&lt;/p&gt;&lt;p&gt;For documents, this means understanding what sensitive data you hold, where it lives, who can access it, and how it is protected throughout its lifecycle. Compliance is not merely about avoiding fines; it is about maintaining the trust of the customers and partners who rely on you to safeguard their information.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Security as a Business Advantage&lt;/h3&gt;&lt;p&gt;Ultimately, strong document security is not just a defensive necessity; it is a competitive advantage. Customers and partners increasingly want to work with businesses they can trust to handle their information responsibly. A demonstrable commitment to security can set a business apart and build the kind of trust that wins and retains clients.&lt;/p&gt;&lt;p&gt;In a world where data breaches make headlines with depressing regularity, the businesses that take document security seriously stand to gain far more than they spend. Protecting your documents protects your customers, your reputation, and your future. 
It is one of the smartest investments any business, large or small, can make, and there has never been a more important time to make it.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM2qzEorEFJ_9dSXK8AqqkEKPxz9HsP4Cy4xkotSqPcX5BrnXcUmZcU02j2YMYaC6P8OfLOGEmBWfB8VUPuMOcqluYfIxxfovquNCIiOOcYrPdAioxXqTbPgxpwD7du_KuXY849xoxxbEgZzWfFYmSy_iNeTrWd51h5qwFl1SiQoYm-_UAM3-BGU6bb2I/s72-c/translate-pdf.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>XRP Derivatives Platforms in 2026: Leverage, Margins &amp; Fees Compared</title><link>https://www.cyberkendra.com/2026/06/xrp-derivatives-platforms-in-2026.html</link><category>Crypto Currency</category><pubDate>Thu, 4 Jun 2026 21:56:18 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-1072760163602931842</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" data-original-height="1024" data-original-width="1536" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYC_AX21s_5qOt3kVR5l-7AdYLAPras2F1oz5F9KvQ8SlKFEg3D_Ysb2HXk33xu9hTy_Yr1-HXGoL_0xXojFHIEmoFXvmg9TkAIV0_V3JqR1kaJRkdfr1ReNyvaKDqe8m_gLGXywqF8_PYtV3zJrnYV_KGgju8qI71x5dekv65xovyoma4WjZiE2aVzck/s16000/xrp.webp" /&gt;&lt;/div&gt;&lt;p&gt;Most platform comparisons rank exchanges on spot-trading basics—deposit methods, coin selection, maybe a UI screenshot. That's not particularly useful if you're trading XRP perpetual futures.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Open interest on XRP perps has climbed steadily through 2025 and into 2026, but plenty of platforms that list XRP spot still don't offer the derivatives infrastructure active futures traders actually rely on. 
Margin types, hedging modes, fee scaling, risk controls—these are the things that matter, and they're often missing from the conversation.&lt;/p&gt;&lt;p&gt;Here's a closer look at what separates strong XRP derivatives venues from the rest, with one Canada-registered exchange founded in 2020—now serving over 1,000,000 registered users across 190+ countries—examined in detail as a platform worth considering.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What XRP Derivatives Traders Actually Need&lt;/h3&gt;&lt;p&gt;Brand recognition tells you almost nothing about a platform's derivatives depth. The criteria that matter for XRP perpetual contracts are specific, measurable, and often buried in fine print:&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;&lt;b&gt;Margin type diversity.&lt;/b&gt; If a platform only offers USDT-margined contracts, you're locked into a single settlement currency. Traders hedging multi-asset portfolios or holding XRP as collateral need COIN-M or USDC-M alternatives.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Leverage range.&lt;/b&gt; Maximum leverage makes for good marketing copy. What actually matters is granularity—can you set 5x, 20x, or 75x to match a specific trade setup?&lt;/li&gt;&lt;li&gt;&lt;b&gt;Fee tiers at your volume.&lt;/b&gt; Base fees are just the starting line. Volume-based discounts determine your real cost across hundreds of trades, and the gap between tiers can be substantial.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Risk tooling.&lt;/b&gt; Isolated vs. cross margin, bi-directional hedging, and liquidation safeguards. These features separate purpose-built derivatives platforms from exchanges that bolted futures on as an afterthought.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Execution quality.&lt;/b&gt; Spread width and slippage during fast XRP moves can quietly eat into returns more than fee schedules suggest.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Not every platform advertising "XRP futures" checks these boxes. Some cap XRP leverage well below their advertised platform maximum. 
Many still don't offer USDC-M or COIN-M pairs for altcoins at all.&amp;nbsp;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Leverage Ceilings and Margin Flexibility: Where Platforms Diverge&lt;/h3&gt;&lt;p&gt;Margin type is where the real separation happens for XRP traders—and it's an area where six years of continuous operation (2020–2026) show in the product build-out.&lt;/p&gt;&lt;p&gt;BYDFi supports three perpetual contract margin types: USDT-M, USDC-M, and COIN-M. USDC-M launched in August 2025, adding settlement flexibility that many mid-tier platforms still haven't matched. Across 500+ derivatives pairs, leverage ranges from 1x up to 200x. That 200x figure is the platform-wide ceiling, though—individual pairs, including XRP, may carry different caps.&lt;/p&gt;&lt;p&gt;Having three margin types means XRP derivatives traders can manage margin in whichever settlement currency suits their strategy. If you're already holding USDC or want coin-margined exposure without converting, that flexibility cuts out unnecessary steps.&lt;/p&gt;&lt;p&gt;A December 2024 engine upgrade introduced bi-directional long/short hedging and shared funds in full-margin mode, reducing liquidation risk when opposing positions move against each other. During testing, switching between isolated and cross margin on an open position worked smoothly—no need to close the position first, which isn't always the case elsewhere.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Fee Structures That Quietly Compound&lt;/h3&gt;&lt;p&gt;A few basis points feel trivial on one trade. Over a month of active XRP perpetual trading, they compound into a real drag on your returns.&lt;/p&gt;&lt;p&gt;Base-tier fees sit at maker 0.02% / taker 0.06% at VIP 0. A 7-tier VIP program (VIP 0 through VIP 6) scales discounts up to 60%, bringing VIP 6 rates down to maker 0.008% / taker 0.032%. 
Competitive, especially among platforms listing 600+ trading pairs across spot and derivatives.&lt;/p&gt;&lt;p&gt;But fee rates alone don't tell the whole story. Funding rates, spread width, and slippage during volatile XRP moves all affect total cost. The only honest comparison involves checking multiple platforms at your expected volume tier. Anything else is guesswork.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Lowering the Entry Barrier for New XRP Futures Traders&lt;/h3&gt;&lt;p&gt;Derivatives trading has a steep learning curve. Combine leverage with XRP's price volatility, and inexperienced traders can get punished fast.&lt;/p&gt;&lt;p&gt;One way the platform addresses this: no-KYC access. Traders can register with just an email and start spot and futures trading immediately within tier-based limits. No document uploads, no waiting periods. For users in regions where KYC processes drag on for days, that's a genuine advantage.&lt;/p&gt;&lt;p&gt;A demo account preloaded with 50,000 USDT replicates live market conditions and supports both USDT-M and Coin-M perpetual contracts. For anyone exploring XRP perpetuals for the first time, that zero-risk sandbox—paired with a streamlined sign-up—makes it a practical &lt;a href="https://www.bydfi.com/" target="_blank"&gt;crypto exchange for beginners&lt;/a&gt; looking to learn derivatives mechanics before committing real capital. Not a bad place to make your first mistakes.&lt;/p&gt;&lt;p&gt;Copy Trading launched in January 2025, followed by Perpetual Smart Copy Trading in August 2025, letting users automatically follow professional traders with proportional order sizing. The feature supports multi-asset contracts—BTC, ETH, XRP, SOL, DOGE—with a minimum entry of just $10. 
Low enough that newer traders can test the mechanism without sweating over capital exposure.&amp;nbsp;&lt;/p&gt;&lt;p&gt;A Futures Grid bot rounds out the automation options, handling range-bound strategies with leveraged positions.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;How BYDFi Stacks Up in the Broader XRP Derivatives Landscape&lt;/h3&gt;&lt;p&gt;Founded in 2020, the exchange now serves over 1,000,000 registered users across 190+ countries and lists XRP for both spot and derivatives. The platform is available on iOS, Android, and APK in 22 languages.&amp;nbsp;&lt;/p&gt;&lt;p&gt;In August 2025, BYDFi became the Official Crypto Exchange Partner of Premier League club Newcastle United through a multi-year deal. That kind of partnership doesn't just boost visibility among Newcastle's global fanbase; it signals a longer-term operational commitment that fly-by-night exchanges typically can't make.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The exchange holds multi-jurisdictional licenses and publishes Hacken-audited Proof of Reserves with ratios of BTC 157%, ETH 171%, and USDT 154%. Solid numbers.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Choosing an XRP Derivatives Platform: What to Evaluate&lt;/h3&gt;&lt;p&gt;The right platform depends on your margin preference, leverage needs, fee sensitivity, and how much risk tooling you require. Shortlist platforms that support your preferred margin type.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Compare fee tiers at your actual volume—not the base rate, your rate. Test execution quality before you scale up. A new user welcome package worth 8,100 USDT is available as one onboarding incentive to evaluate.&lt;/p&gt;&lt;p&gt;As XRP derivatives infrastructure matures through 2026, margin type availability and fee competition will only get tighter. 
The platforms whose contract specs hold up under scrutiny—not just their brand names—are the ones that'll retain active traders.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYC_AX21s_5qOt3kVR5l-7AdYLAPras2F1oz5F9KvQ8SlKFEg3D_Ysb2HXk33xu9hTy_Yr1-HXGoL_0xXojFHIEmoFXvmg9TkAIV0_V3JqR1kaJRkdfr1ReNyvaKDqe8m_gLGXywqF8_PYtV3zJrnYV_KGgju8qI71x5dekv65xovyoma4WjZiE2aVzck/s72-c/xrp.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Google Allegedly Pays Play Store Developers for App Code to Train AI</title><link>https://www.cyberkendra.com/2026/06/google-allegedly-pays-play-store.html</link><category>Android</category><category>Google</category><pubDate>Wed, 3 Jun 2026 23:16:02 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-6663732408860664170</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Android App Development" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6Ifm2FvrPpT_dUxTqgLUAWwPpiljWU68Eyr5TEMTUYer7ILqJtf6vvVQq1_JVTvEDUmQs-1cVZSUOHi6TU6lCrLRhJ8aXH10tnAR5GQgWcS1b5jTD_IZYXiKb4vkIxlZqo_CWJ7Xbg8zX3EuyF-qC7o-DFSXoVB_srESyWmKqKZWdTf6v67DDBnY1gc/s16000/android-app-development.webp" title="Android App Development" /&gt;&lt;/div&gt;&lt;p&gt;Google is quietly paying Android developers for access to their app source code — including abandoned prototypes and archived side projects — to fuel its AI model training, according to a &lt;a href="https://www.404media.co/google-is-quietly-buying-code-from-play-store-developers-to-train-ai/" rel="nofollow" target="_blank"&gt;report by 404 Media&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The 
program, framed internally as a "confidential content offer pilot," targets a select group of Google Play developers with an email from the Google Partnerships team.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The pitch positions it as an easy revenue opportunity: sell your codebase (the full working source code behind an app), and Google will put it to work. What the email conspicuously omits is any mention of artificial intelligence — though a link buried in the message leads directly to a page about "partnerships to improve our AI products."&lt;/p&gt;&lt;p&gt;That page acknowledges that Google is now actively paying for non-public content beyond what it can scrape freely from the web, calling it a chance to create "mutually beneficial collaborations." Developers who participate retain 100% of their intellectual property rights under a non-exclusive license, meaning they can still monetize or publish their code elsewhere.&lt;/p&gt;&lt;p&gt;The significance here goes beyond one company's data shopping. Most AI training data is sourced from public content scraped across the internet — usually without compensation to creators. Android app code, by contrast, is inherently private.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Google's willingness to pay for it signals that the industry's freely available training data pool may be running dry. 
The company paid Reddit $60 million for a similar arrangement back in 2024, with uneven results.&lt;/p&gt;&lt;p&gt;Anthropic's Claude Code has surged in developer adoption, and Microsoft's GitHub Copilot remains deeply embedded across enterprise workflows.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Google's Gemini-based coding tools have struggled to keep pace, and buying real-world, production-tested Android codebases could help close that gap — particularly for understanding complex application logic and building coding benchmarks (standardized tests that measure how well an AI model writes or completes code).&lt;/p&gt;&lt;p&gt;For developers receiving the email, the decision is nuanced. The IP protections appear solid on paper, but handing proprietary production code to a major platform partner carries its own risks — particularly for developers whose apps compete with Google's own ecosystem products.&lt;/p&gt;&lt;p&gt;Google has not publicly commented on the program.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw6Ifm2FvrPpT_dUxTqgLUAWwPpiljWU68Eyr5TEMTUYer7ILqJtf6vvVQq1_JVTvEDUmQs-1cVZSUOHi6TU6lCrLRhJ8aXH10tnAR5GQgWcS1b5jTD_IZYXiKb4vkIxlZqo_CWJ7Xbg8zX3EuyF-qC7o-DFSXoVB_srESyWmKqKZWdTf6v67DDBnY1gc/s72-c/android-app-development.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Apple Agrees to Submit India Financials to Antitrust Regulator</title><link>https://www.cyberkendra.com/2026/06/apple-agrees-to-submit-india-financials.html</link><category>Apple</category><category>India</category><pubDate>Wed, 3 Jun 2026 22:48:36 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-8291048481119919307</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;img alt="Apple India Digital Data" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQKIdBvPYNqzIBhRM_L3mmKDO_WLinBR4AHgrVY9TkdpiUz4ptZz_oNVj_jyprih7V6bnudINrbZAps7qbDpfPN4FDFTwsSoO1eHN-nsScVSIXRkXj1-QBjILFMvq5C3FmjQdssGjOkMDyOEQeE6YPK6NhMCJcu8Cx_GM1h9yUcrpfJFhWYRUQCL4D1U/s16000/apple-india-data.webp" title="Apple India Digital Data" /&gt;&lt;/div&gt;&lt;p&gt;For four years, Apple played a careful legal game in India — deny wrongdoing, challenge the law, delay the paperwork. That strategy appears to be running out of road.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Apple has agreed to submit India-specific financial data to the Competition Commission of India (CCI), the country's antitrust watchdog, by June 25. A confidential CCI order reviewed by &lt;a href="https://www.reuters.com/world/india/apple-agrees-submit-india-financials-long-pending-antitrust-case-2026-06-03/" rel="nofollow" target="_blank"&gt;Reuters confirms&lt;/a&gt; the move, which came at a May 21 hearing where Apple's lawyer formally requested a "final extension" to file the figures. The commission granted it.&lt;/p&gt;&lt;p&gt;It's a notable reversal. Apple had previously refused to hand over any financial information, arguing the entire case should be put on ice while it separately fought India's revised antitrust penalty law in court. That law is the crux of Apple's resistance — it allows fines based on a company's global revenue, not just what it earns in India. Under that framework, Apple's exposure could reach as high as $38 billion.&lt;/p&gt;&lt;p&gt;The CCI repeatedly rejected Apple's delay tactics, insisting it only needed India-specific financials to begin with. Last month, a Delhi High Court judge told Apple plainly to cooperate. 
It seems that message landed.&lt;/p&gt;&lt;p&gt;The case itself dates back to 2021, brought by a coalition including Match Group (owner of Tinder) and the Alliance of Digital India Foundation, which represents Indian startups. The complaint centred on Apple's App Store policies — specifically, forcing developers to use Apple's proprietary in-app billing system and blocking any third-party payment alternatives.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The CCI wrapped up its investigation in 2024, concluding that Apple had abused its dominant position and that the App Store functioned as an "unavoidable trading partner" for developers.&lt;/p&gt;&lt;p&gt;The timing matters beyond the courtroom. India is one of Apple's fastest-growing markets, with iPhone now commanding 9% of the smartphone market — up from just 2% five years ago. Apple has also been aggressively ramping up manufacturing in India to reduce its dependence on China. Picking a prolonged regulatory fight with New Delhi was always an awkward position to hold.&lt;/p&gt;&lt;p&gt;With financial data now on the table, the CCI has what it needs to move toward a penalty decision. 
Whether Apple contests the eventual fine is another question — but the stalling phase, for now, appears to be over.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggQKIdBvPYNqzIBhRM_L3mmKDO_WLinBR4AHgrVY9TkdpiUz4ptZz_oNVj_jyprih7V6bnudINrbZAps7qbDpfPN4FDFTwsSoO1eHN-nsScVSIXRkXj1-QBjILFMvq5C3FmjQdssGjOkMDyOEQeE6YPK6NhMCJcu8Cx_GM1h9yUcrpfJFhWYRUQCL4D1U/s72-c/apple-india-data.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>OpenAI's Codex AI Discovers "HTTP/2 Bomb" That Can Crash Major Web Servers in Seconds</title><link>https://www.cyberkendra.com/2026/06/openais-codex-ai-discovers-http2-bomb.html</link><category>Internet</category><category>Security</category><category>Vulnerability</category><pubDate>Wed, 3 Jun 2026 22:28:06 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-5739769409004490648</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="HTTP/2 bomb denial-of-service vulnerability" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiSHPkmoxkNRbYU0EBn-lLpMVVjwerduodg1UK9QbnVlyoFTp5MpXr4q5ufWjXMETqh6eWnMBenaKSpSZDGlyFaAbkqZdsx7B-p1aQzkj8A6MFhxAV523vyMCAo_8GLnQYd67dUTmGgZaAkqwcmgMbqJ7zoqRn5OdNCYgduFVAJr-6UcvfhtOYgDNokrY/s16000/http2-bomb.webp" title="HTTP/2 bomb denial-of-service vulnerability" /&gt;&lt;/div&gt;&lt;p&gt;An AI model just found a decade-old attack that human security researchers somehow missed — and it works against almost every major web server on the internet.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;OpenAI's Codex AI has discovered a remote denial-of-service exploit that researchers are calling the &lt;b&gt;HTTP/2 
Bomb&lt;/b&gt;. The attack silently drains a server's memory to the point of collapse, and the most alarming part: one home computer on a standard broadband connection can render a vulnerable server inaccessible in under 20 seconds.&lt;/p&gt;&lt;p&gt;The exploit targets &lt;b&gt;nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora&lt;/b&gt; — in their default configurations — and a Shodan scan puts the number of exposed internet-facing servers at over 880,000.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What Codex Actually Did&lt;/h3&gt;&lt;p&gt;The attack chains two HTTP/2 features that security researchers had separately flagged as dangerous back in 2016, but never combined into a working exploit against modern servers. Codex read the codebases, recognized that the two techniques compose into something far more destructive, and built it.&lt;/p&gt;&lt;p&gt;The first piece is an &lt;b&gt;HPACK indexed-reference bomb&lt;/b&gt;: &lt;a href="https://blog.cloudflare.com/hpack-the-silent-killer-feature-of-http-2/" rel="nofollow" target="_blank"&gt;HPACK&lt;/a&gt; is HTTP/2's header compression system. An attacker seeds it with one header entry, then fires thousands of 1-byte references to it. Each byte on the wire forces the server to allocate a full copy of the header in memory — up to 4,000 bytes per reference against Apache and Envoy.&lt;/p&gt;&lt;p&gt;The second piece is an &lt;b&gt;HTTP/2 window stall&lt;/b&gt;: the attacker advertises a zero-byte flow-control window, which prevents the server from ever finishing its response — and therefore never freeing any of that allocated memory. 
Occasional 1-byte keep-alive frames reset the server's timeout indefinitely, pinning every byte in RAM for as long as the attack runs.&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" data-original-height="819" data-original-width="1456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-GuBbKKrreAOeJT_FrB_4WzB7yKLD2Q8BEixMtRuCV2RlzEcASvWucg_K4EXbVqskhWp-El2XQsomokbn73wGakIqOk5XwTRm4tDsH6aVLieSRkWF_hm0osQ8FcC7Lv6baUrXEl6udMvt1gdsGq3eCshyphenhyphenuD_ekST5Zve1-S4w-AibUEFn2HQbDPobJqk/s16000/5ca91bca-3d08-428c-aed2-64a4b18bdd63_1920x1080.webp" /&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Against Apache httpd and Envoy, a single client can consume and hold 32 GB of server memory in roughly 18–20 seconds.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Patches and Mitigations&lt;/h3&gt;&lt;p&gt;nginx patched the issue in version 1.29.8 by introducing a max_headers directive (default: 1000). Apache httpd's &lt;a href="https://github.com/icing/mod_h2/releases" rel="nofollow" target="_blank"&gt;fix landed in mod_http2 v2.0.41&lt;/a&gt; with a CVE assigned as &lt;b&gt;CVE-2026-49975&lt;/b&gt;. Microsoft IIS, Envoy, and Cloudflare Pingora have been notified but have no patches available yet.&lt;/p&gt;&lt;p&gt;If you can't update immediately, the safest fallback across all affected servers is to disable HTTP/2 entirely (http2 off for nginx; Protocols http/1.1 for Apache). 
For unpatched deployments of IIS, Envoy, or Pingora, placing the server behind a reverse proxy that enforces a hard cap on per-request header count offers partial protection.&lt;/p&gt;&lt;p&gt;The researchers also note a broader architectural lesson: HTTP/2's spec accounts for amplification ratios, but not for memory that stays pinned — and fixing one without the other leaves the door open.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiSHPkmoxkNRbYU0EBn-lLpMVVjwerduodg1UK9QbnVlyoFTp5MpXr4q5ufWjXMETqh6eWnMBenaKSpSZDGlyFaAbkqZdsx7B-p1aQzkj8A6MFhxAV523vyMCAo_8GLnQYd67dUTmGgZaAkqwcmgMbqJ7zoqRn5OdNCYgduFVAJr-6UcvfhtOYgDNokrY/s72-c/http2-bomb.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>An AI Security Tool Dug Up a 2-Year-Old Redis Bug That Lets Attackers Take Over Servers</title><link>https://www.cyberkendra.com/2026/06/an-ai-security-tool-dug-up-2-year-old.html</link><category>Security</category><category>Vulnerability</category><pubDate>Wed, 3 Jun 2026 21:58:01 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-2273601615627185575</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="CVE-2026-23479 - Redis Vulnerability" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLxiAu94dY8Odxfe71pbstxLjsFwYDbLVS6wyt9vYZZlgY6TWAwKUhDWU6dyLkhmUt-QNQTIXr7GO924zro19p1D75d0LupDWN377HXcxt0cpieHcN1_aIkY9V31HRtVZo3kJA4ZOLhq8UWPpuOSOPbA2eBSsRt6q1FGgXROesdP5RLhXAamNrpSRrjqo/s16000/CVE-2026-23479.webp" title="CVE-2026-23479 - Redis Vulnerability" /&gt;&lt;/div&gt;&lt;p&gt;A flaw that sat undetected in Redis for over two years — silently present in every 
stable release since version 7.2.0 — has been patched after an AI-powered security tool demonstrated a working remote code execution exploit against it.&lt;/p&gt;&lt;p&gt;The vulnerability, tracked as &lt;b&gt;CVE-2026-23479&lt;/b&gt; and rated 7.7 (High), was &lt;a href="https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive" rel="nofollow" target="_blank"&gt;discovered by Team Xint Code&lt;/a&gt; using Xint Code, a fully autonomous AI security analysis tool. A live exploit was demonstrated at the ZeroDay.Cloud 2025 conference in London last December. Redis shipped patches on May 5, 2026.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What's the bug?&lt;/h3&gt;&lt;p&gt;The flaw lives inside &lt;code&gt;unblockClientOnKey()&lt;/code&gt; in Redis's &lt;code&gt;blocked.c&lt;/code&gt; source file — a function responsible for handling clients that were waiting on a key to become available. When that blocked client gets evicted from memory at exactly the wrong moment, the function continues using a pointer to memory that has already been freed.&lt;/p&gt;&lt;p&gt;This class of bug is known as a use-after-free (UAF) — the program keeps accessing a memory address after the data at that address has been discarded, which an attacker can exploit by filling that address with their own crafted data.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;How bad is it in practice?&lt;/h3&gt;&lt;p&gt;The exploit chain runs in three stages: first, a one-line Lua script leaks a heap memory address; next, the attacker deliberately balloons a client's memory buffer, parks it on a stream command, then drops memory limits to trigger the eviction mid-call; finally, a &lt;code&gt;&lt;b&gt;SET&lt;/b&gt;&lt;/code&gt; command reclaims the freed memory slot with a fake client structure.&lt;/p&gt;&lt;p&gt;Redis then uses that fake structure to perform an out-of-bounds write, which the attacker redirects to overwrite the function pointer for 
&lt;code&gt;strcasecmp()&lt;/code&gt; in the Global Offset Table, swapping it with &lt;code&gt;system()&lt;/code&gt;. The next Redis command parsed effectively becomes an OS shell command.&lt;/p&gt;&lt;p&gt;The result: full code execution as the Redis daemon — meaning access to every key, every credential in config files, and the daemon's network reach to adjacent services.&lt;/p&gt;&lt;p&gt;Wiz's analysis found that 80% of cloud environments run Redis, and nearly 85% of those instances are configured without a password — substantially widening the real-world attack surface beyond what the CVSS score alone suggests.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Who needs to act?&lt;/h3&gt;&lt;p&gt;The bug was introduced in Redis 7.2.0 and affects every stable release up through 7.2.13, 7.4.8, 8.2.5, 8.4.2, and 8.6.2. Fixed versions are 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. Redis Cloud customers are already protected — patches were deployed automatically.&lt;/p&gt;&lt;p&gt;For self-managed deployments, upgrade immediately. 
If patching isn't immediately possible, restrict &lt;code&gt;CONFIG&lt;/code&gt;, &lt;code&gt;@scripting&lt;/code&gt;, and stream commands to roles that strictly need them — the full exploit requires all three in a single session.&lt;/p&gt;&lt;p&gt;As of publication, there is no evidence of active exploitation in the wild.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLxiAu94dY8Odxfe71pbstxLjsFwYDbLVS6wyt9vYZZlgY6TWAwKUhDWU6dyLkhmUt-QNQTIXr7GO924zro19p1D75d0LupDWN377HXcxt0cpieHcN1_aIkY9V31HRtVZo3kJA4ZOLhq8UWPpuOSOPbA2eBSsRt6q1FGgXROesdP5RLhXAamNrpSRrjqo/s72-c/CVE-2026-23479.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>K2view vs MOSTLY AI for Synthetic Data Generation</title><link>https://www.cyberkendra.com/2026/06/k2view-vs-mostly-ai-for-synthetic-data.html</link><pubDate>Tue, 2 Jun 2026 10:33:26 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-6842687612160665820</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Synthetic data generation" border="0" data-original-height="1125" data-original-width="2000" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZY4dGmmnFGjgtSiyZ02YUFEkg-dAaI_8BuH5izMu7sd0HMz6i5dyt2JHBCRC1W0JmQuHqWa9GkI36OJfBcaINPB0cgEYxpKVtyJ7_FmG3o5Pmx0NvIWq7Xqair5X6fAYZicONzjtJ3AsbrbVo4gIsp1hRqxxXfMbR6HVVse6lgTdD0EtwXqPXjLLGFl0/s16000/149157.webp" title="Synthetic data generation" /&gt;&lt;/div&gt;&lt;p&gt;Synthetic data generation has gone from “nice experiment” to “real necessity” for many engineering and data teams. 
Compliance requirements are tightening, customer data is more sensitive than ever, and organizations need faster access to safe, realistic datasets for testing, analytics, and AI initiatives.&lt;/p&gt;&lt;p&gt;At the same time, purely &lt;a href="https://medium.com/@ahmedfibrahim/why-your-fake-data-is-failing-you-and-how-to-generate-smarter-synthetic-datasets-05e0325d3ecd" rel="" target="_blank"&gt;artificial datasets&lt;/a&gt; do not always behave like real-world data. Tests may pass, models may train successfully, and demos may look convincing, only for production environments to expose gaps later. The challenge is creating data that is both safe and realistic.&lt;/p&gt;&lt;p&gt;That is where &lt;a href="https://www.k2view.com/blog/mostly-ai-vs-k2view/" target="_blank"&gt;K2view and MOSTLY AI&lt;/a&gt; enter the conversation. The two are frequently compared head to head, yet they approach synthetic data generation from different perspectives. Understanding those differences is essential when deciding which platform best aligns with your goals.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why synthetic data is hard (even when it sounds easy)&lt;/h3&gt;&lt;p&gt;Many people assume synthetic data generation is simply about creating random users or transactions. In practice, the scenarios that expose defects are rarely random. They are usually highly specific combinations of events and relationships:&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;A customer with multiple addresses across countries&lt;/li&gt;&lt;li&gt;A policyholder with a lapse and reinstatement history&lt;/li&gt;&lt;li&gt;An account with unusual transaction timing&lt;/li&gt;&lt;li&gt;An e-commerce customer with refunds, chargebacks, and partial shipments&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Synthetic data must preserve relationships, behaviors, and dependencies without exposing real individuals. 
If relationships are lost, the data becomes unrealistic. If too much information is retained, privacy risks increase.&lt;/p&gt;&lt;p&gt;Every synthetic data platform attempts to balance realism and privacy.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;K2view: enterprise-scale synthetic data with lifecycle automation&lt;/h3&gt;&lt;p&gt;K2view approaches synthetic data generation as part of a broader enterprise data delivery framework. Rather than focusing only on generating synthetic records, K2view manages the entire lifecycle of preparing, protecting, generating, and provisioning production-like data.&lt;/p&gt;&lt;p&gt;Its business entity architecture organizes information around real-world entities such as customers, policies, patients, or accounts. This allows relationships across multiple systems to be preserved automatically, helping ensure that synthetic datasets remain realistic and usable.&lt;/p&gt;&lt;p&gt;Consider a QA team testing a customer onboarding journey that spans CRM, billing, support, and identity systems. The challenge is not simply generating records. The challenge is maintaining consistency across every connected system. 
K2view's entity-based approach is designed specifically for these complex enterprise scenarios.&lt;/p&gt;&lt;p&gt;Where K2view typically resonates:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Large enterprises with multiple interconnected systems&lt;/li&gt;&lt;li&gt;Teams requiring repeatable, self-service data provisioning&lt;/li&gt;&lt;li&gt;Organizations with strict governance and compliance requirements&lt;/li&gt;&lt;li&gt;Testing, analytics, and AI initiatives that depend on relational accuracy&lt;/li&gt;&lt;li&gt;Environments where synthetic data, &lt;a href="https://www.techtarget.com/searchsecurity/definition/data-masking" target="_blank"&gt;masking&lt;/a&gt;, and subsetting must work together&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;K2view also supports multiple synthetic data generation approaches, including rules-based, cloning-based, masking-based, and GenAI-based methods, allowing organizations to choose the most appropriate technique for each use case.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;MOSTLY AI: synthetic data generation focused on privacy and analytics&lt;/h3&gt;&lt;p&gt;MOSTLY AI is known primarily for synthetic data generation designed to preserve statistical properties while &lt;a href="https://www.cyberkendra.com/2024/03/new-research-exposes-privacy-risks-of.html" target="_blank"&gt;protecting privacy&lt;/a&gt;. The platform is particularly popular among organizations that need to share data safely or build machine learning models without exposing sensitive information.&lt;/p&gt;&lt;p&gt;A common example is a company that wants to provide data to external partners, researchers, or business units but cannot share production data due to privacy concerns. 
In these situations, synthetic data can provide useful patterns without exposing actual individuals.&lt;/p&gt;&lt;p&gt;Where MOSTLY AI is often a good fit:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Privacy-first initiatives&lt;/li&gt;&lt;li&gt;Data sharing and collaboration projects&lt;/li&gt;&lt;li&gt;Analytics and AI model development&lt;/li&gt;&lt;li&gt;Organizations seeking a straightforward synthetic data workflow&lt;/li&gt;&lt;li&gt;Teams focused primarily on tabular datasets&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;MOSTLY AI's no-code interface and emphasis on statistical fidelity make it attractive for data science and analytics teams. However, organizations working with highly interconnected enterprise systems may require additional effort to maintain relationships and operational consistency across complex environments.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The key difference: enterprise data operations vs synthetic data specialization&lt;/h3&gt;&lt;p&gt;The most practical way to compare the two platforms is to focus on the primary business objective.&lt;/p&gt;&lt;p&gt;If your goal is generating privacy-preserving synthetic datasets for analytics, model training, and data sharing, MOSTLY AI offers a focused synthetic data platform with strong statistical fidelity.&lt;/p&gt;&lt;p&gt;If your goal is delivering realistic, production-like data across testing, analytics, AI, and enterprise operations while preserving relationships across multiple systems, K2view provides broader lifecycle coverage and operational control.&lt;/p&gt;&lt;p&gt;This distinction explains why many evaluations should not focus on which platform is universally better, but rather which platform is better aligned with the organization's requirements.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;A practical evaluation checklist&lt;/h3&gt;&lt;p&gt;When comparing synthetic data platforms, consider these questions:&lt;/p&gt;&lt;p&gt;&lt;b&gt;1. 
Does the dataset support real business processes?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;A.&amp;nbsp;&lt;/b&gt;Can users execute critical workflows and test scenarios successfully, or does the data require significant remediation?&lt;/p&gt;&lt;p&gt;&lt;b&gt;2. How much manual effort is required?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;A.&amp;nbsp;&lt;/b&gt;Do teams spend time fixing relationships, constraints, and data quality issues after generation?&lt;/p&gt;&lt;p&gt;&lt;b&gt;3. Can datasets be regenerated consistently?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;A.&amp;nbsp;&lt;/b&gt;Repeatability is essential for testing, troubleshooting, and governance.&lt;/p&gt;&lt;p&gt;&lt;b&gt;4. Will privacy and compliance teams approve it?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;A.&amp;nbsp;&lt;/b&gt;Technical capability matters only if the solution satisfies security, privacy, and regulatory requirements.&lt;/p&gt;&lt;p&gt;&lt;b&gt;5. Can the approach scale across the enterprise?&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;A.&amp;nbsp;&lt;/b&gt;A solution that works for one department may not work effectively across multiple teams, applications, and environments.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Bottom line&lt;/h3&gt;&lt;p&gt;K2view and MOSTLY AI both address the growing demand for synthetic data, but they solve different challenges.&lt;/p&gt;&lt;p&gt;MOSTLY AI is often a strong choice for organizations seeking privacy-focused synthetic datasets for analytics, AI, and data sharing.&lt;/p&gt;&lt;p&gt;K2view is often a stronger fit for enterprises that need realistic, production-like synthetic data across complex environments, along with lifecycle automation, governance, and cross-system relational consistency.&lt;/p&gt;&lt;p&gt;The best choice depends on the use case. 
Organizations focused primarily on synthetic analytics data may prefer MOSTLY AI, while enterprises requiring scalable, end-to-end synthetic data operations are likely to find K2view better aligned with their long-term requirements.&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZY4dGmmnFGjgtSiyZ02YUFEkg-dAaI_8BuH5izMu7sd0HMz6i5dyt2JHBCRC1W0JmQuHqWa9GkI36OJfBcaINPB0cgEYxpKVtyJ7_FmG3o5Pmx0NvIWq7Xqair5X6fAYZicONzjtJ3AsbrbVo4gIsp1hRqxxXfMbR6HVVse6lgTdD0EtwXqPXjLLGFl0/s72-c/149157.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Red Hat Cloud Services npm Packages Hijacked to Steal Developer Secrets in Sophisticated Supply Chain Attack</title><link>https://www.cyberkendra.com/2026/06/red-hat-cloud-services-npm-packages.html</link><category>Security</category><category>Supply Chain</category><pubDate>Tue, 2 Jun 2026 09:06:37 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-3562190473455116516</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="RedHat NPM Packages" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDhQtLprPqzXG8k4FpFEO4fuuSKa6GXKcHsBBYpxLtTIv_RSBD-wQZsHq5OHMRBnYzcGVXlY3Wx-65D_kcCGZvDTn7LNZjgTs-8PL6YQpqZ1ldbUwPQnS3fe3tSm6Tu4CJ-Cvkjxl1_ITEPWi-HRBtEDExfe_U8Tz_il4oj_9oryiQY9He3xDLOF521k/s16000/redhat-npm.webp" title="RedHat NPM Packages" /&gt;&lt;/div&gt;&lt;p&gt;Attackers compromised the official Red Hat Cloud Services npm namespace on June 1, 2026, injecting a sophisticated credential-harvesting worm into 95 package versions used by thousands of developers building Red Hat Insights and Hybrid Cloud Console applications. 
The payload fired automatically the moment anyone ran &lt;code&gt;npm install&lt;/code&gt; — no import, no function call required.&lt;/p&gt;&lt;p&gt;The attack, documented independently by Socket and StepSecurity within hours of detection, traces back to a compromised CI/CD pipeline in the &lt;code&gt;RedHatInsights/javascript-clients&lt;/code&gt; GitHub repository. Every malicious version was published through the project's own GitHub Actions OIDC workflow — a trusted automation token used to push real releases — meaning the packages carried legitimate provenance signatures that most security tools would not question.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What Made This Unusually Dangerous&lt;/h3&gt;&lt;p&gt;The malicious &lt;code&gt;index.js&lt;/code&gt; weighed 4.2 MB — dozens of times heavier than a normal library file — and buried its payload under four distinct obfuscation layers: ROT-21 character encoding, AES-128-GCM encryption, a custom base64 string table requiring 284 rotation cycles to decode, and a PBKDF2-based cipher with 200,000 iterations to prevent brute-forcing. The real payload only materialised in memory at runtime, making static package scanners largely blind to it.&lt;/p&gt;&lt;p&gt;Once triggered, the malware downloaded the Bun JavaScript runtime silently from GitHub, decrypted the main payload into a randomly named &lt;code&gt;/tmp/p*.js&lt;/code&gt; file, executed it, and deleted the file — all before a developer could notice anything amiss. 
On developer workstations, it detached into a background process so credential harvesting continued after the install command finished.&lt;/p&gt;&lt;p&gt;The credential sweep was exhaustive: GitHub tokens, npm publish tokens, AWS access keys, Azure service principals, GCP application credentials, Kubernetes service account tokens, HashiCorp Vault tokens, SSH private keys, &lt;code&gt;.npmrc&lt;/code&gt;, &lt;code&gt;.pypirc&lt;/code&gt;, &lt;code&gt;.netrc&lt;/code&gt;, Docker registry authentication, and even cryptocurrency wallet files were all targeted. On GitHub Actions runners, it went further — reading &lt;code&gt;/proc/&amp;lt;pid&amp;gt;/mem&lt;/code&gt; to extract live secrets directly from the Runner.Worker process memory, including secrets masked in workflow logs that never touch disk.&lt;/p&gt;&lt;p&gt;Perhaps most alarming: the worm was self-propagating. Using any stolen npm token and the &lt;code&gt;bypass_2fa&lt;/code&gt; publish parameter, it autonomously republished backdoored versions of other packages the victim account could publish to — even overriding two-factor authentication — seeding the next wave of infections without any attacker involvement.&lt;/p&gt;&lt;p&gt;For persistence on developer machines, the malware injected a SessionStart hook into &lt;code&gt;~/.claude/settings.json&lt;/code&gt; (Claude Code's configuration) and a folderOpen task into &lt;code&gt;.vscode/tasks.json&lt;/code&gt;, ensuring attacker code ran on every IDE session even after &lt;code&gt;node_modules&lt;/code&gt; was deleted.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Attribution and Scope&lt;/h3&gt;&lt;p&gt;Socket linked the campaign's tactics — install-time execution, CI/CD targeting, encrypted exfiltration, and downstream propagation — to the Shai-Hulud attack framework, which the threat group TeamPCP open-sourced recently alongside a BreachForums contest rewarding package compromises. 
Because the tooling is now public, attribution to any single actor remains unclear.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Should Do Now&lt;/h3&gt;&lt;p&gt;If your projects or CI pipelines installed any &lt;code&gt;@redhat-cloud-services&lt;/code&gt; package between approximately 10:54 UTC and 15:25 UTC on June 1, treat the environment as compromised. Immediately rotate all credentials accessible to those jobs: GitHub tokens, npm tokens, cloud provider keys, Kubernetes tokens, and any secrets stored in environment variables or CI secret stores. Search lockfiles and build logs for the affected versions, inspect &lt;code&gt;~/.claude/settings.json&lt;/code&gt; and &lt;code&gt;.vscode/tasks.json&lt;/code&gt; for injected hooks, and hunt for &lt;code&gt;/tmp/p*.js&lt;/code&gt; and &lt;code&gt;tmp.0987654321.lock&lt;/code&gt; artefacts. Do not rely on uninstalling the npm package — the persistence mechanisms survive it.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwDhQtLprPqzXG8k4FpFEO4fuuSKa6GXKcHsBBYpxLtTIv_RSBD-wQZsHq5OHMRBnYzcGVXlY3Wx-65D_kcCGZvDTn7LNZjgTs-8PL6YQpqZ1ldbUwPQnS3fe3tSm6Tu4CJ-Cvkjxl1_ITEPWi-HRBtEDExfe_U8Tz_il4oj_9oryiQY9He3xDLOF521k/s72-c/redhat-npm.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Instagram Accounts Are Being Stolen via Chat With Meta AI </title><link>https://www.cyberkendra.com/2026/06/instagram-accounts-are-being-stolen-via.html</link><category>Instagram</category><category>Meta</category><category>Security</category><pubDate>Tue, 2 Jun 2026 08:34:14 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-1847471351435720511</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img 
alt="Hacking Instagram Accounts" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKZwmBV51VoWZUxlT2KJ2AtRb50Z925aApHpGN65Xca9UCxZo9zebGv0E5i4kPhEi6_BPtUtL3qz2S1XCb4gn0tqX2_Y878oP75rF2MuPndh1E-okON8gLjoG0sMeyy4WUL6mR4gyd4dPJ5YBIzXx_B6h1yrEqxjSyiOC7UD-ha31RCHmeGUyRCg6kj5A/s16000/instagram-hack.webp" title="Hacking Instagram Accounts" /&gt;&lt;/div&gt;&lt;p&gt;Hundreds of Instagram accounts — including the dormant Obama White House profile, the official Sephora page, and the Instagram of U.S. Space Force Chief Master Sergeant John Bentivegna — were hijacked over the weekend using a shockingly low-effort method: attackers simply asked Meta's AI support chatbot to hand over access. It complied.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The critical logical flaw in Meta's AI-powered Instagram account recovery assistant allowed threat actors to redirect password reset links to unauthorised email addresses, effectively seizing control of high-value Instagram accounts without ever triggering a traditional two-factor authentication challenge.&amp;nbsp;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;How the Attack Worked&lt;/h3&gt;&lt;p&gt;The method required no malware, no phishing kit, no access to the victim's inbox. Hackers tricked Meta's AI support chatbot into adding their email to victims' Instagram accounts and resetting passwords. The hacker simply asked the chatbot to add a new email address to someone else's account.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The full attack chain was almost insultingly simple. 
The exploit appears to have involved using a VPN connection with an IP address in or near the target's usual hometown, requesting a password reset, and then choosing to chat with Meta's AI support assistant.&lt;/p&gt;&lt;p&gt;From there, attackers told the bot to link the target account to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset.&lt;/p&gt;&lt;p&gt;The AI then sent an eight-digit code to the attacker's email address. The attacker entered that code and received a password reset link, giving them full access to the account. At no point did the legitimate owner receive an SMS alert, push notification, or warning of any kind.&lt;/p&gt;&lt;p&gt;Video: &lt;a href="//www.youtube.com/embed/9p0SA18R4lE" rel="nofollow" target="_blank"&gt;YouTube embed&lt;/a&gt;&lt;/p&gt;&lt;p&gt;The vulnerability had reportedly been quietly circulating in underground Telegram channels since at least late March. Neowin found that the exploit had been active in the wild for months, going as far back as February of this year, with hackers compromising thousands of accounts.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;A Textbook "Confused Deputy" Problem — With an AI Twist&lt;/h3&gt;&lt;p&gt;Security researchers were quick to identify what went wrong at the architectural level. The AI assistant held privileged write access to account management APIs that an average user could not invoke directly. An attacker with zero credentials fed the assistant a natural language command, and the assistant, lacking any deterministic authentication checkpoint, executed the API call without question.&lt;/p&gt;&lt;p&gt;This is technically known as a "&lt;b&gt;&lt;a href="https://dl.acm.org/doi/10.1145/54289.871709" rel="nofollow" target="_blank"&gt;confused deputy&lt;/a&gt;&lt;/b&gt;" vulnerability — a privilege escalation class first documented in 1988 — but with a dangerous modern twist. What made this structurally worse than a traditional confused deputy scenario is that the "deputy" here was a probabilistic language model, not a deterministic application. 
A traditional program requires bypassing hard-coded conditional logic; an LLM can be redirected with words alone.&lt;/p&gt;&lt;p&gt;Ian Goldin, a threat researcher at Lumen's Black Lotus Labs, put it plainly: "AI chatbots create interesting new attack surface, and we're likely going to see a lot more of these kinds of attacks."&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;A Second Bypass — Even With MFA Enabled&lt;/h3&gt;&lt;p&gt;Meta's emergency patch late Friday night blocked the primary exploit, but in some cases users were then asked to verify their identity with a selfie, and that step was itself bypassed using AI.&lt;/p&gt;&lt;p&gt;Reports circulating on social media and security forums describe a second method where attackers grabbed a publicly visible photo of the target, ran it through an AI video generator to produce a deepfake selfie, and submitted it to Meta's video verification flow. Prominent developer Gergely Orosz noted that Meta — a company going all-in on AI — somehow missed the memo on how AI can generate images and videos that render "take a selfie" verification utterly useless.&lt;/p&gt;&lt;p&gt;This second method reportedly affected even accounts with MFA enabled, raising questions about whether Meta's patch was truly comprehensive.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Meta's Response and the Bigger Problem&lt;/h3&gt;&lt;p&gt;Meta VP of Communications Andy Stone stated: "This issue has been resolved and we are securing impacted accounts." Internally, however, the incident landed awkwardly: it surfaced eleven days after Meta cut roughly 8,000 employees — including staff from its integrity division and cybersecurity teams specifically.&lt;/p&gt;&lt;p&gt;The stolen accounts moved fast. 
Premium short-handle accounts such as @hey and @jowo, valued at over $1 million combined, were quickly flipped through private Telegram channels before Meta could intervene.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Should Do Right Now&lt;/h3&gt;&lt;p&gt;The primary exploit only worked on accounts without multi-factor authentication. Security experts strongly recommend enabling app-based 2FA — such as Google Authenticator or Authy — instead of SMS-based verification. Additionally: use a private email address not publicly linked to your Instagram profile, generate fresh backup recovery codes and store them offline, and audit active login sessions under &lt;b&gt;Settings → Accounts Center → Password and Security&lt;/b&gt;.&lt;/p&gt;&lt;p&gt;Account recovery is specifically attractive as an attack target because it's designed to work when normal authentication is unavailable — meaning any AI-mediated recovery flow is already operating in a context where the system is relaxing its usual verification requirements, making it a natural target for exploitation. Meta may be the first major platform caught in this trap. 
It almost certainly won't be the last.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKZwmBV51VoWZUxlT2KJ2AtRb50Z925aApHpGN65Xca9UCxZo9zebGv0E5i4kPhEi6_BPtUtL3qz2S1XCb4gn0tqX2_Y878oP75rF2MuPndh1E-okON8gLjoG0sMeyy4WUL6mR4gyd4dPJ5YBIzXx_B6h1yrEqxjSyiOC7UD-ha31RCHmeGUyRCg6kj5A/s72-c/instagram-hack.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Nvidia's N1 and N1X Are Actually Four Chips — Full Spec Sheet Leaks Hours Before Computex</title><link>https://www.cyberkendra.com/2026/05/nvidias-n1x-laptop-chip-leaks-on.html</link><category>Tech</category><pubDate>Sun, 31 May 2026 18:28:04 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-7749070143698171319</guid><description>&lt;p&gt;&lt;/p&gt;&lt;p class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="N1X Laptop Chip Leaks" border="0" data-original-height="600" data-original-width="1200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrVl0PPSk1y_QUx6yftaTR4Ed8ZfnTBEkKnzd2-nDfU7r8p7DB-oLGSuiA66LP26z_4Y1eggwn9Cr2C67h-Tg2OR27YUkcasPNy-ZrnzfmSARMZ7U9dGE62qDmQ6jKsTYojLH4p8b24crElOOmDiiJAzK59Oz7aTd2Hry7opxhVobgyZjoFiz-QOKetI/s16000/n1x-chips.webp" title="N1X Laptop Chip Leaks" /&gt;&lt;/p&gt;&lt;p&gt;Nvidia has spent years teasing its way into the laptop market, and now — one day before Jensen Huang takes the Computex stage in Taipei — a Geekbench result from a mystery HP prototype gave the internet its first look at N1X CPU performance.&amp;nbsp;&lt;/p&gt;&lt;p&gt;But that benchmark leak has just been overshadowed by something more revealing: a full four-SKU spec sheet for the entire N1 family, courtesy of Videocardz, sourced from documents dating back to 2024.&lt;/p&gt;&lt;p&gt;Together, the 
two leaks paint a clearer picture than either does alone. The Geekbench result tells you where the top-end chip lands on CPU throughput. The spec sheet tells you what you're actually buying at each price point — and reveals that Nvidia's Windows PC ambitions span a much wider range than the single flagship chip most coverage has focused on.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Four chips, not two&lt;/h3&gt;&lt;p&gt;The N1 family splits into two product lines with two SKUs each. The premium N1X targets performance laptops and mobile workstations at a projected $2,000-plus price point, directly competing with the MacBook Pro. The mainstream N1 aims at the sub-$1,500 midrange — an area where Qualcomm's Snapdragon X Elite has struggled to find traction despite strong efficiency credentials.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Full N1 Family Specification Comparison&lt;/b&gt;&lt;/p&gt;&lt;div class="table noWrap w100"&gt;&lt;table border="1" cellpadding="8" cellspacing="0"&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th&gt;Model&lt;/th&gt;
      &lt;th&gt;CPU Cores&lt;/th&gt;
      &lt;th&gt;GPU (CUDA)&lt;/th&gt;
      &lt;th&gt;PCIe Lanes&lt;/th&gt;
      &lt;th&gt;Memory&lt;/th&gt;
      &lt;th&gt;TDP&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td&gt;N1X (1) — GB10&lt;/td&gt;
      &lt;td&gt;20 (10P + 10E)&lt;/td&gt;
      &lt;td&gt;6,144&lt;/td&gt;
      &lt;td&gt;12× PCIe 5.0 + 5× PCIe 4.0&lt;/td&gt;
      &lt;td&gt;16GB–128GB / 16-channel&lt;/td&gt;
      &lt;td&gt;45–80W&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;N1X (2)&lt;/td&gt;
      &lt;td&gt;18 (9P + 9E)&lt;/td&gt;
      &lt;td&gt;5,120&lt;/td&gt;
      &lt;td&gt;12× PCIe 5.0 + 5× PCIe 4.0&lt;/td&gt;
      &lt;td&gt;16GB–128GB / 16-channel&lt;/td&gt;
      &lt;td&gt;45–80W&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;N1 (1)&lt;/td&gt;
      &lt;td&gt;12 (8P + 4E)&lt;/td&gt;
      &lt;td&gt;2,560&lt;/td&gt;
      &lt;td&gt;8× PCIe 5.0 + 3× PCIe 4.0&lt;/td&gt;
      &lt;td&gt;8GB–64GB / 8-channel&lt;/td&gt;
      &lt;td&gt;18–45W&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;N1 (2)&lt;/td&gt;
      &lt;td&gt;10 (7P + 3E)&lt;/td&gt;
      &lt;td&gt;2,048&lt;/td&gt;
      &lt;td&gt;8× PCIe 5.0 + 3× PCIe 4.0&lt;/td&gt;
      &lt;td&gt;8GB–64GB / 8-channel&lt;/td&gt;
      &lt;td&gt;18–45W&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The N1X flagship is a rebranded GB10 — that's a big deal&lt;/h3&gt;&lt;p&gt;The top-end N1X (20-core, 6,144 CUDA cores) is not a new design. Jensen Huang already confirmed it is the same GB10 silicon found inside Nvidia's DGX Spark — a $3,000 mini-PC positioned as a personal AI supercomputer. Putting that chip inside a consumer Windows laptop is a different proposition entirely.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The GB10 in the DGX Spark runs at a fixed power envelope; in a laptop chassis with thermal constraints and a battery to preserve, achieving the same throughput will require careful firmware and thermals work from OEM partners.&lt;/p&gt;&lt;p&gt;The N1X also arrives in an 18-core (9+9) variant with 5,120 CUDA cores — the same TDP range of 45W to 80W, but presumably hitting lower sustained clocks and with modestly less GPU compute. Both N1X SKUs share a generous connectivity spec: 12 PCIe 5.0 lanes, 5 PCIe 4.0 lanes, and support for up to three M.2 SSDs.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What the Geekbench leak tells us — and doesn't&lt;/h3&gt;&lt;p&gt;The benchmark result uploaded on June 10, 2025, from an HP 8EA3 prototype running Ubuntu 24.04.1 LTS represents the top N1X SKU: 20 cores, 119.59 GB reported (128 GB LPDDR5X), at 2.81 GHz base frequency. It scored 2,821 single-core and 17,152 multi-core on Geekbench 6.&lt;/p&gt;&lt;div class="table noWrap w100"&gt;&lt;table border="1" cellpadding="8" cellspacing="0"&gt;
  &lt;thead&gt;
    &lt;tr&gt;
      &lt;th&gt;Chip&lt;/th&gt;
      &lt;th&gt;Single-Core (GB6)&lt;/th&gt;
      &lt;th&gt;Multi-Core (GB6)&lt;/th&gt;
    &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td&gt;Nvidia N1X (Linux, pre-prod)&lt;/td&gt;
      &lt;td&gt;2,821 ★&lt;/td&gt;
      &lt;td&gt;17,152 ★&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;AMD Ryzen AI MAX+ 395&lt;/td&gt;
      &lt;td&gt;3,125&lt;/td&gt;
      &lt;td&gt;21,035&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;Intel Core Ultra 9 285HX&lt;/td&gt;
      &lt;td&gt;3,078&lt;/td&gt;
      &lt;td&gt;22,104&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;Qualcomm Snapdragon X Elite&lt;/td&gt;
      &lt;td&gt;2,693&lt;/td&gt;
      &lt;td&gt;13,950&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;Apple M4 Max (macOS)&lt;/td&gt;
      &lt;td&gt;4,054&lt;/td&gt;
      &lt;td&gt;25,913&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;&lt;p&gt;The critical caveat: this result is from Linux, not Windows. ARM chips consistently score higher on Linux than on Windows 11 due to overhead from the x86 emulation layer (Prism) and immature Windows-side driver stacks.&amp;nbsp;&lt;/p&gt;&lt;p&gt;When Qualcomm's Snapdragon X Elite was benchmarked on Linux before launch, it too posted scores that did not carry over to shipping hardware. The N1X multi-core result sits roughly 10–15% behind AMD's Ryzen AI MAX+ 395 and Intel's Core Ultra 9 285HX — but both those chips were benchmarked on Windows 11, not Linux, further skewing the apparent gap.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Memory: 8,533 MT/s could be the quiet headline&lt;/h3&gt;&lt;p&gt;The N1X supports 16 LPDDR5X channels versus the base N1's 8, and a previous leak suggests both families are running memory at 8,533 MT/s.&amp;nbsp;&lt;/p&gt;&lt;p&gt;That would make N1X's memory subsystem faster than AMD's Strix Halo platform in raw bandwidth terms — a potentially significant advantage for the GPU workloads and local AI inference scenarios where memory bandwidth is the primary bottleneck. The N1 tops out at 64 GB; the N1X can scale to 128 GB, making it competitive with Apple's top-tier MacBook Pro configuration.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why this matters more than the benchmark scores suggest&lt;/h3&gt;&lt;p&gt;CPU figures are the least interesting part of the N1X story. Every Windows ARM chip benchmarks respectably on CPU throughput. 
What none of them have offered — until now — is a genuine CUDA-capable GPU in a thin laptop form factor.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The N1X's Blackwell GPU with 6,144 CUDA cores is estimated to land between RTX 4070 and RTX 5070 laptop performance in compute workloads, and it brings the full CUDA software stack: PyTorch, TensorRT, RAPIDS, and every other Nvidia-ecosystem AI tool that developers have been locked to data centers or thick gaming laptops to access.&lt;/p&gt;&lt;p&gt;This is Nvidia's second attempt at an ARM-based PC chip. The first came in 2011, then again with Windows RT tablets in 2012 — both efforts stalled due to software ecosystem immaturity. The difference in 2026 is that the software ecosystem has reorganized itself around Nvidia's CUDA toolchain. Developers don't need to be convinced to support it; they already depend on it.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;"From an industry perspective, it's a good thing. Qualcomm has struggled to grab a significant chunk of the PC market despite offering excellent battery life, in part because developers didn't see a need to focus scarce resources on a somewhat different version of Windows." — Carolina Milanesi, analyst at Current Strategies, speaking to Axios&lt;/p&gt;&lt;/blockquote&gt;&lt;h3 style="text-align: left;"&gt;Which laptops are coming and at what price&lt;/h3&gt;&lt;p&gt;Dell XPS, Lenovo Legion 7, ASUS ProArt, and Microsoft Surface have all signaled N1X or N1 variants ahead of the show. With the N1 family's TDP floor at 18W, ultrabook-class devices are feasible alongside workstation replacements running at 80W.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The sub-$1,500 N1 tier in particular could be genuinely disruptive if OEMs price it competitively — it offers more GPU compute than anything Qualcomm or Intel currently puts in that category.&lt;/p&gt;&lt;p&gt;The one unsolved variable is pricing during what Videocardz describes as an ongoing RAM supply crunch. 
A 128 GB LPDDR5X configuration at 8,533 MT/s will not be cheap. Nvidia has never competed primarily on price, and it will not start now. The question is whether the CUDA premium justifies the premium ticket — and for developers and AI-native workloads, the answer is likely yes.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCrVl0PPSk1y_QUx6yftaTR4Ed8ZfnTBEkKnzd2-nDfU7r8p7DB-oLGSuiA66LP26z_4Y1eggwn9Cr2C67h-Tg2OR27YUkcasPNy-ZrnzfmSARMZ7U9dGE62qDmQ6jKsTYojLH4p8b24crElOOmDiiJAzK59Oz7aTd2Hry7opxhVobgyZjoFiz-QOKetI/s72-c/n1x-chips.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Apple's Smart Glasses Just Slipped to Late 2027 — And That Delay Could Cost It Everything</title><link>https://www.cyberkendra.com/2026/05/apples-smart-glasses-just-slipped-to.html</link><category>Apple</category><pubDate>Sun, 31 May 2026 22:18:52 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-3198438626234971279</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Apple Glass" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZkawpciUNYOKNE5jcfust4jXJId024rcAz8CmwSThkJ8w3XMDs3AxR35Q-D2uQ9pSi4tArt3G2VYDBjwXvbdAOt25R5tVTyRJzGx4K9c54YjQYGrGZn33pNU5EPfugSKEfJIQn9_1Kgj2mqhrNjVVtYrwLUXdxm8_xXZcFpmjhjSTHUTlFJ6q2rkFrRc/s16000/apple-glass.webp" title="Apple Glass" /&gt;&lt;/div&gt;&lt;p&gt;Apple's first smart glasses — internally codenamed N50 — won't arrive until the end of 2027, according to Bloomberg's Mark Gurman. 
Originally slated for a late 2026 reveal and early 2027 shipping window, the timeline has slipped again, and this time the stakes are genuinely high.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The delay matters more than a year on a product roadmap usually would. Meta sold over 7 million Ray-Ban smart glasses in 2025 alone and now commands roughly 82% of the smart glasses market.&amp;nbsp;&lt;/p&gt;&lt;p&gt;By the time Apple's frames hit store shelves, Meta will have had a four-year head start — with new Oakley AI performance glasses and a display-equipped model already shipping alongside LensCrafters retail partnerships firmly in place.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why the Delay, and What We Know About the Hardware&lt;/h3&gt;&lt;p&gt;The holdup traces back to Siri. Apple's N50 glasses won't function as a standalone device — they pair with an iPhone over Bluetooth, offloading heavier AI processing to the phone.&amp;nbsp;&lt;/p&gt;&lt;p&gt;That makes the new, significantly upgraded Siri (expected with iOS 27) a hard dependency for the product. Siri's overhaul has itself been delayed repeatedly, pushing back not just the glasses but also camera-equipped AirPods and a suite of smart home devices.&lt;/p&gt;&lt;p&gt;The glasses themselves are hardware-first: two cameras (one for photos/video, a second dedicated to computer vision), speakers, microphones, and a custom N401 chip derived from Apple Watch silicon — optimized for all-day battery life over raw performance.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Four frame styles are reportedly being tested in premium acetate, including a Wayfarer-style rectangular and a slimmer version resembling Tim Cook's own frames. Oval-shaped cameras with LED indicator lights give the design a signature look distinct from Meta's circular modules. No display. No AR overlay. 
Just a wearable that sees, listens, and connects.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The $200 Billion Playbook&lt;/h3&gt;&lt;p&gt;Apple isn't framing this as a tech gadget play — it's going after the traditional eyewear industry the same way the Apple Watch dismantled the mid-tier watch market. The comparison carries weight: Swatch revenue dropped 28% between 2014 and 2025, while Fossil's sales collapsed roughly 70% over the same period. The Apple Watch did that to a market valued in the tens of billions.&lt;/p&gt;&lt;p&gt;The eyewear market is valued at roughly $200 billion annually, and the WHO estimates that 2.2 billion people worldwide have some form of vision impairment. Apple is reportedly targeting the $200–$500 price bracket — the same segment occupied by EssilorLuxottica's Ray-Ban and Oakley, Safilo, and Warby Parker.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Uncomfortable Truth Apple Has to Reckon With&lt;/h3&gt;&lt;p&gt;Even with a 2-billion-device ecosystem and global retail presence, Apple faces a challenge the Apple Watch never did: consumers already have a preferred brand on their faces. Meta's Ray-Ban partnership gave smart glasses immediate cultural legitimacy — Wayfarers were desirable objects before any chip was inside them. Apple's N50 will launch into a market where millions of users are already comfortable with a competitor's product.&lt;/p&gt;&lt;p&gt;There's also the Android problem. Apple's longstanding refusal to support Android locks out the majority of the global smartphone market, effectively handing Meta a permanent lane. Ironically, Apple's entry could accelerate the entire category's mainstream adoption — and Meta will be right there to capture every Android user who gets curious.&lt;/p&gt;&lt;p&gt;The project has full commitment from the top: Tim Cook has reportedly called it his highest priority, and his likely successor, John Ternus, has been leading the Vision Products Group through development for two years. 
That's not a side project.&amp;nbsp;&lt;/p&gt;&lt;p&gt;But with Meta already scaling production capacity toward 20–30 million units per year, Apple is fighting for second place on day one — and will need its best-ever Siri to close the gap.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZkawpciUNYOKNE5jcfust4jXJId024rcAz8CmwSThkJ8w3XMDs3AxR35Q-D2uQ9pSi4tArt3G2VYDBjwXvbdAOt25R5tVTyRJzGx4K9c54YjQYGrGZn33pNU5EPfugSKEfJIQn9_1Kgj2mqhrNjVVtYrwLUXdxm8_xXZcFpmjhjSTHUTlFJ6q2rkFrRc/s72-c/apple-glass.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>A Forged Kernel Key and a Rootful Helper: Inside the CIFSwitch Linux Privilege Escalation</title><link>https://www.cyberkendra.com/2026/05/a-forged-kernel-key-and-rootful-helper.html</link><category>Linux</category><category>Security</category><category>Vulnerability</category><pubDate>Sun, 31 May 2026 17:41:57 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-3608424298793544370</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="CIFSwitch Linux Flaw" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmS1H9zzjDe6y7Asyq0Ii8KXO00hyT5pLtD-10eILYRCI5IsWJXrW-SGUQ2zjMODlvmF-qWlYs0cKZ_jmP0CIlUsmt7CZ95wQE928bkbVyW06ej1sZZt-vEooBFoETav0s4B6xhqJKfsRaIOpqxpaDtDT277iYb_edY-XSXnEkrHeCixUIZVZcpYyacQ/s16000/CIFSwitch.webp" title="CIFSwitch Linux Flaw" /&gt;&lt;/div&gt;&lt;p&gt;A security researcher has disclosed a Linux local privilege escalation — dubbed &lt;a href="https://heyitsas.im/posts/cifswitch/" rel="nofollow" target="_blank"&gt;CIFSwitch&lt;/a&gt; — that lets any unprivileged user silently escalate to 
root on a wide range of distributions, including Linux Mint, Debian, Rocky Linux, CentOS Stream, Kali Linux, SLES, and several others. The kernel-side bug has sat quietly in the codebase since 2007.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The vulnerability lies at the boundary between the Linux kernel's CIFS client — the component that handles SMB network filesystems — and a userspace helper provided by &lt;code&gt;cifs-utils&lt;/code&gt;. Alone, neither piece is obviously broken. Together, their misplaced trust becomes a clean path to root.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;How the attack actually works&lt;/h3&gt;&lt;p&gt;When the kernel needs to authenticate a Kerberos-backed SMB mount, it offloads the credential work to a userspace binary called &lt;code&gt;cifs.upcall&lt;/code&gt;, which runs as root. To coordinate, the kernel builds a description string and requests a &lt;code&gt;cifs.spnego&lt;/code&gt;-type key via the Linux keyring subsystem. The request-key daemon sees the key type, finds its rule, and fires &lt;code&gt;cifs.upcall&lt;/code&gt; as root.&lt;/p&gt;&lt;p&gt;The critical oversight: the kernel never checked whether the description actually originated with it. Before the fix, the &lt;code&gt;cifs_spnego_key_type&lt;/code&gt; definition had no &lt;code&gt;.vet_description&lt;/code&gt; hook — the function that would have enforced ownership. Without it, any unprivileged process could call &lt;code&gt;request_key("cifs.spnego", fake_description, ...)&lt;/code&gt; with fully attacker-crafted fields. The rootful helper launches regardless — and crucially, even if the kernel ultimately rejects the key. The exploit window opens the moment &lt;code&gt;cifs.upcall&lt;/code&gt; starts, not when it succeeds.&lt;/p&gt;&lt;p&gt;From there, the chain is elegant. The attacker supplies a fake &lt;code&gt;pid&lt;/code&gt; pointing to a process in their own mount namespace and sets &lt;code&gt;upcall_target=app&lt;/code&gt;. 
The helper reads those fields as trusted kernel output and switches into the attacker's namespace. Before dropping privileges, it calls &lt;code&gt;getpwuid()&lt;/code&gt; to look up the target UID — which goes through NSS (the Name Service Switch, Linux's mechanism for resolving users and groups). In the attacker's mount namespace, NSS can be configured to use a custom &lt;code&gt;nsswitch.conf&lt;/code&gt; and a malicious shared library. That library runs inside the root helper, writes a permissive entry to &lt;code&gt;sudoers.d&lt;/code&gt;, and the attacker has unrestricted root.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Who is affected&lt;/h3&gt;&lt;p&gt;Full exploitation requires three conditions: a vulnerable kernel (any version since 2007), an affected &lt;code&gt;cifs-utils&lt;/code&gt; version (6.14 or newer, or older versions that backported other CVE fixes), and the ability to create unprivileged user namespaces — a capability that is enabled by default across most modern desktop and server distributions.&lt;/p&gt;&lt;p&gt;By default, the exploit works immediately on Linux Mint 21.3 and 22.3, Kali Linux from 2021.4 through 2026.1, CentOS Stream 9, Rocky Linux 9, Debian 11 through 13, Ubuntu 18.04 through 22.04, AlmaLinux 9.7, and SLES 15 SP7. Fedora 40–44, CentOS Stream 10, Rocky Linux 10, and Ubuntu 26.04 are blocked by their default SELinux or AppArmor policies — but relaxing those policies re-enables the attack. Amazon Linux 2 and Kali Linux 2019/2020 ship with older &lt;code&gt;cifs-utils&lt;/code&gt; versions that lack the namespace-switching code entirely, leaving them unaffected.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The fix and immediate mitigations&lt;/h3&gt;&lt;p&gt;The kernel-side patch adds a &lt;code&gt;.vet_description&lt;/code&gt; hook to &lt;code&gt;cifs_spnego_key_type&lt;/code&gt; that returns &lt;code&gt;-EPERM&lt;/code&gt; unless the requesting credential matches CIFS's internal &lt;code&gt;spnego_cred&lt;/code&gt;. 
That single check breaks the exploit chain. The patch has been queued for stable kernels following a coordinated embargo on the linux-distros mailing list, which expired on May 27, 2026.&lt;/p&gt;&lt;p&gt;If patching immediately isn't possible, administrators can block the cifs kernel module from loading if SMB mounts aren't in use, remove &lt;code&gt;cifs-utils&lt;/code&gt; if Kerberos-authenticated mounts aren't required, override the default cifs.spnego request-key rule to negate keys instead of launching the helper, or disable unprivileged user namespace creation entirely.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why this one is different&lt;/h3&gt;&lt;p&gt;The researcher behind CIFSwitch, Asim Manizada, found the bug not by manually auditing code, but by directing LLM agents equipped with a semantic graph traversal tool — one that maps security-relevant kernel objects, their consumers, and where assumptions between creation time and consumption time can drift. The approach let the model reason cleanly across the kernel/userspace boundary in a way traditional static analysis tools struggle with at higher abstraction levels.&lt;/p&gt;&lt;p&gt;What makes the finding stand out isn't the primitives — none of them are novel individually. It's that the chain involves no memory corruption, no race condition, and no exotic kernel feature. It is a pure logic bug, quietly composing three independently benign design decisions into a local root that has apparently gone unnoticed for nearly two decades. That's the kind of vulnerability that tends to be everywhere once you know what to look for.&lt;/p&gt;&lt;p&gt;The proof-of-concept is now public. 
Check your distribution's security channel and apply patches or mitigations without delay.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMmS1H9zzjDe6y7Asyq0Ii8KXO00hyT5pLtD-10eILYRCI5IsWJXrW-SGUQ2zjMODlvmF-qWlYs0cKZ_jmP0CIlUsmt7CZ95wQE928bkbVyW06ej1sZZt-vEooBFoETav0s4B6xhqJKfsRaIOpqxpaDtDT277iYb_edY-XSXnEkrHeCixUIZVZcpYyacQ/s72-c/CIFSwitch.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>BadHost (CVE-2026-48710): One Rogue Header Line Unlocks Your Entire AI Stack</title><link>https://www.cyberkendra.com/2026/05/badhost-cve-2026-48710-one-rogue-header.html</link><category>Security</category><category>Vulnerability</category><pubDate>Tue, 26 May 2026 23:14:21 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-5375404037045346857</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiEfpzfb6leIvycDo7s_rjDsP1qZM63_Zyznaas39dABdFfyRQI8vDQuIcKpKoWgtPa8PMzP7YJKUM0OZXpFZb7aNggxe-x1cdXMcsAyNfseUQj7QIoLkRxoEFR-xML6C4NtKiDmIrqRBG68JSAKuAqcZ8_k1f_KipwyWsyedSUlLeMRrjOPNu36IpkZQ/s1600/badhost-flaw.webp" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiEfpzfb6leIvycDo7s_rjDsP1qZM63_Zyznaas39dABdFfyRQI8vDQuIcKpKoWgtPa8PMzP7YJKUM0OZXpFZb7aNggxe-x1cdXMcsAyNfseUQj7QIoLkRxoEFR-xML6C4NtKiDmIrqRBG68JSAKuAqcZ8_k1f_KipwyWsyedSUlLeMRrjOPNu36IpkZQ/s16000/badhost-flaw.webp" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;p&gt;A single, malformed HTTP header is all it takes to walk past the front 
door of thousands of Python-powered AI applications — no credentials, no token, no noise.&amp;nbsp;&lt;/p&gt;&lt;/div&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;That's the blunt reality of &lt;b&gt;BadHost&lt;/b&gt;, a newly disclosed authentication bypass vulnerability (&lt;b&gt;CVE-2026-48710&lt;/b&gt;) in Starlette, the ASGI framework that quietly underpins the majority of modern Python AI infrastructure, from FastAPI to vLLM to LiteLLM and beyond.&lt;/p&gt;&lt;p&gt;Researchers at X41 D-Sec &lt;a href="https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/" rel="nofollow" target="_blank"&gt;uncovered&lt;/a&gt; the flaw during an OSTIF-sponsored audit and published coordinated advisories on May 22, 2026, with additional credit going to independent reporters ehhthing and Nicolas Lamoureux. The reach is staggering: Starlette alone counts more than 400,000 dependent repositories on GitHub.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What Actually Happens&lt;/h3&gt;&lt;p&gt;When your browser visits &lt;code&gt;https://example.com/admin&lt;/code&gt;, it sends a request with &lt;code&gt;Host: example.com&lt;/code&gt;. Starlette rebuilds the full URL by stitching together the scheme, the Host header, and the request path—but versions before 1.0.1 never checked whether the Host header was valid.&lt;/p&gt;&lt;p&gt;An attacker exploits this by crafting a request like:&lt;/p&gt;&lt;pre&gt;GET /admin HTTP/1.1
Host: example.com/health?x=&lt;/pre&gt;&lt;p&gt;Starlette dutifully reconstructs the URL as &lt;code&gt;http://example.com/health?x=/admin&lt;/code&gt;. The router still delivers the request to &lt;code&gt;/admin&lt;/code&gt; (routing uses the real HTTP path), but &lt;code&gt;request.url.path&lt;/code&gt; — the value that middleware reads to decide who gets in — now returns &lt;code&gt;/health&lt;/code&gt;. Auth middleware checking "is this path on my public allowlist?" sees &lt;code&gt;/health&lt;/code&gt;, thinks it's a harmless public endpoint, and waves the request through. The attacker attempts to access &lt;code&gt;/admin&lt;/code&gt; without any valid credentials.&lt;/p&gt;&lt;p&gt;The exploit works against both allowlist-style ("let /health through") and denylist-style ("block everything except /health") middleware patterns. Raw TCP sockets are required to deliver the attack, since standard HTTP clients automatically normalise the Host header.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why AI Infrastructure Is the Bullseye&lt;/h3&gt;&lt;p&gt;This isn't generically bad — it's specifically, acutely bad for AI deployments. The MCP (Model Context Protocol) specification, now widely adopted across agent frameworks, mandates the use of unauthenticated OAuth discovery endpoints. Those known public paths become a reliable, pre-built skeleton key: inject one into the Host header, and any Starlette-based MCP server's protected tools, API keys, and internal tooling are accessible without authentication.&lt;/p&gt;&lt;p&gt;vLLM (LLM inference server), LiteLLM (AI gateway proxy), Google ADK-Python, Ray Serve, BentoML, and virtually every custom FastAPI-based agent backend built on Starlette middleware are potentially in scope. 
Consequences range from free model access and leaked API keys to, in some confirmed cases identified through X41's CodeQL scanning, remote code execution.&lt;/p&gt;&lt;p&gt;Notably, FastAPI's built-in &lt;code&gt;Depends()&lt;/code&gt; and &lt;code&gt;Security()&lt;/code&gt; decorators are not affected — they enforce auth at the route level, not at the path string level. The danger is a custom &lt;code&gt;BaseHTTPMiddleware&lt;/code&gt; that trusts &lt;code&gt;request.url.path&lt;/code&gt; for access decisions.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why It Went Undetected&lt;/h3&gt;&lt;p&gt;The vulnerability doesn't live in any single codebase. ASGI servers pass the raw Host header along. Starlette trusted it to reconstruct URLs. Middleware authors assumed &lt;code&gt;request.url.path&lt;/code&gt; was a safe, canonical value. Each layer behaved correctly in isolation — the exploit only emerges at their intersection. That cross-layer, cross-spec nature is exactly why automated tooling missed it.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Fix It Now&lt;/h3&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;&lt;b&gt;Update Starlette to 1.0.1 or later. &lt;/b&gt;The patch validates the Host header against the grammar in RFC 9112/3986 and falls back to &lt;b&gt;scope["server"]&lt;/b&gt; for malformed values.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Switch middleware to scope["path"] &lt;/b&gt;instead of &lt;code&gt;request.url.path&lt;/code&gt;. The ASGI scope path comes from the HTTP request line and cannot be poisoned via Host injection.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Deploy a reverse proxy&lt;/b&gt; (nginx, Caddy, Traefik, HAProxy) in front of your ASGI server. 
RFC-compliant proxies reject malformed Host headers before they reach your app.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Prefer endpoint-level auth.&lt;/b&gt; Starlette's &lt;code&gt;requires()&lt;/code&gt; decorator and FastAPI's &lt;code&gt;Depends()&lt;/code&gt;/&lt;code&gt;Security()&lt;/code&gt; are enforced at the actual route, making them immune to this class of attack.&lt;/li&gt;&lt;li&gt;&lt;b&gt;Scan your exposure&lt;/b&gt; using the free &lt;a href="https://badhost.org/" rel="nofollow" target="_blank"&gt;BadHost scanner&lt;/a&gt; at badhost.org, or run the open-source Semgrep rules and CodeQL queries from the X41 repository against your own codebase.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;If you're running any Python AI infrastructure without a reverse proxy in front — dev environments, staging, self-hosted inference servers — treat this as urgent. The PoC is public, the attack is trivially automatable, and the AI API keys sitting behind your middleware are worth far more than the cost of an upgrade.&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiEfpzfb6leIvycDo7s_rjDsP1qZM63_Zyznaas39dABdFfyRQI8vDQuIcKpKoWgtPa8PMzP7YJKUM0OZXpFZb7aNggxe-x1cdXMcsAyNfseUQj7QIoLkRxoEFR-xML6C4NtKiDmIrqRBG68JSAKuAqcZ8_k1f_KipwyWsyedSUlLeMRrjOPNu36IpkZQ/s72-c/badhost-flaw.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Malicious Packages on npm, PyPI, and Crates.io Steal Crypto Wallets, SSH Keys, and Cloud Credentials</title><link>https://www.cyberkendra.com/2026/05/malicious-packages-on-npm-pypi-and.html</link><category>Security</category><category>Supply Chain</category><pubDate>Sun, 24 May 2026 21:49:28 +0530</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-3950450892161725134</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="TrapDoor Crypto Stealer Supply Chain" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzB0VWNtg7Kq5pB6DCFy7DgIBk1PGq6Q7Z5JKZMvTkBM4T5P8Dju2QoT1v1MLwg2970v1u8ctIQB1UbINb6NUkVHQwIXScd8_DOYFxAYjZ7mgYeldwRFKj4FLe66-UPG6wKGlcftr2rEeaA4Q8VfBZ4mKCv1W_L2dg3xg-ISkO5aS0IsF_fUlwbcrfS1A/s16000/trapdoor.webp" title="TrapDoor Crypto Stealer Supply Chain" /&gt;&lt;/div&gt;&lt;p&gt;Security researchers at Socket have uncovered an &lt;a href="https://www.cyberkendra.com/search/label/Supply%20Chain" target="_blank"&gt;active supply chain&lt;/a&gt; attack that poisoned 34 packages and more than 384 versions across three major package registries — npm, PyPI, and Crates.io — in what appears to be one of the most broadly targeted credential theft campaigns seen this year.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Dubbed &lt;b&gt;TrapDoor&lt;/b&gt;, the campaign has been quietly building since at least May 19, with attackers pushing wave after wave of malicious releases over the long weekend.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The packages appear harmless at first glance — names like &lt;code&gt;token-usage-tracker&lt;/code&gt;, &lt;code&gt;prompt-engineering-toolkit&lt;/code&gt;, &lt;code&gt;eth-wallet-sentinel&lt;/code&gt;, and &lt;code&gt;sui-sdk-build-utils&lt;/code&gt; read exactly like the kind of tools crypto, DeFi, AI, and security developers install without a second thought.&lt;/p&gt;&lt;p&gt;That calculated familiarity is the point.&lt;/p&gt;&lt;p&gt;Once installed, the packages get to work immediately. The npm variants fire during installation via &lt;code&gt;postinstall&lt;/code&gt; hooks, executing a 1,149-line credential harvester called &lt;code&gt;trap-core.js&lt;/code&gt;. 
The script doesn't just grab whatever's lying around — it actively validates stolen AWS and GitHub tokens through live API calls, filtering out expired credentials and prioritising the useful ones for the attacker.&lt;/p&gt;&lt;p&gt;The Crates.io packages take a different path. Malicious &lt;code&gt;build.rs&lt;/code&gt; scripts — which run automatically during Rust compilation, before a developer even uses the package — search for local keystores, encrypt them using a hardcoded XOR key (&lt;code&gt;cargo-build-helper-2026&lt;/code&gt;), and quietly ship the data to GitHub Gists.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The Python packages on PyPI go further still, fetching and executing a remote JavaScript payload via &lt;code&gt;node -e&lt;/code&gt; at import time, letting the attacker update behaviour without touching the published package.&lt;/p&gt;&lt;p&gt;What TrapDoor steals is comprehensive: SSH keys; Sui, Solana, and Aptos wallet keystores; AWS credentials; GitHub tokens; browser profile and login databases; crypto wallet extension data; environment variables; and API keys.&lt;/p&gt;&lt;p&gt;But the campaign's most unusual angle is its AI-targeting capability. &lt;a href="https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates" rel="nofollow" target="_blank"&gt;According to Socket&lt;/a&gt;, the npm payload plants &lt;code&gt;.cursorrules&lt;/code&gt; and &lt;code&gt;CLAUDE.md&lt;/code&gt; files — configuration files read by AI coding assistants like Cursor and Claude — and injects hidden instructions using zero-width Unicode characters.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The goal is to trick AI tools into running what appears to be a routine "security scan" that actually exfiltrates local secrets. 
The same attacker account, &lt;code&gt;ddjidd564&lt;/code&gt;, also opened pull requests against major open-source AI projects, including LangChain, LlamaIndex, and browser-use, attempting to slip campaign-linked files into widely used repositories under the guise of development standards documentation.&lt;/p&gt;&lt;p&gt;Socket detected the earliest TrapDoor package — &lt;code&gt;eth-security-auditor&lt;/code&gt; on PyPI — within roughly two minutes of publication, and flagged subsequent releases at an average detection window of under six minutes.&lt;/p&gt;&lt;p&gt;&lt;b&gt;What developers should do: &lt;/b&gt;Audit any recently installed packages matching the names listed in Socket's indicators of compromise. Check your projects for unexpected &lt;code&gt;.cursorrules&lt;/code&gt;, &lt;code&gt;CLAUDE.md&lt;/code&gt;, Git hooks, shell hooks, or new cron/systemd entries.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Rotate AWS credentials, GitHub tokens, and SSH keys if any of the listed packages were installed, and treat wallet keystores, browser-saved logins and environment secrets on the same machine as exposed, since the harvester collects those too. Pin dependencies with lockfiles, run installs with npm's &lt;code&gt;--ignore-scripts&lt;/code&gt; option where your build allows it, and add dependency review to CI/CD pipelines so unexpected registry activity is caught before it reaches production environments.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzB0VWNtg7Kq5pB6DCFy7DgIBk1PGq6Q7Z5JKZMvTkBM4T5P8Dju2QoT1v1MLwg2970v1u8ctIQB1UbINb6NUkVHQwIXScd8_DOYFxAYjZ7mgYeldwRFKj4FLe66-UPG6wKGlcftr2rEeaA4Q8VfBZ4mKCv1W_L2dg3xg-ISkO5aS0IsF_fUlwbcrfS1A/s72-c/trapdoor.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>LiteSpeed cPanel Plugin Flaw Lets Any Shared Hosting User Take Over the Entire Server</title><link>https://www.cyberkendra.com/2026/05/litespeed-cpanel-plugin-flaw-lets-any.html</link><category>Security</category><category>Vulnerability</category><category>Web Hosting</category><pubDate>Sat, 23 May 2026 
22:46:17 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-4541409623769841083</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img border="0" data-original-height="3125" data-original-width="5553" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFAoMkujcLXCkKzjlNRxRkJGAsCWnt2nmXSrYGtePqmahjfAhuE7NlwsMGvEbT7XKhYSuPEA7yZlhhqpNIazxvVHt_iRE2EidpH0XdjqntNi-w8Fr_LOetMGUQ4vwzWW4nNeCFnA7CQ5EAb61irDWub5lHoPrvDm-PvA-HKw3UgfbBZVwHWL8bJ_U6-wo/s16000/lite-speed-cpanel-flaw.webp" /&gt;&lt;/div&gt;&lt;p&gt;A critical privilege escalation bug in LiteSpeed's user-end cPanel plugin — now confirmed as actively exploited in the wild — can hand any ordinary hosting account unrestricted root access to the server it sits on.&amp;nbsp;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Tracked as &lt;b&gt;CVE-2026-48172&lt;/b&gt; and carrying a perfect CVSS score of 10.0, the flaw stems from an incorrect privilege assignment that allows an attacker to run arbitrary scripts with elevated permissions.&lt;/p&gt;&lt;p&gt;That threat model is what makes this one particularly uncomfortable for shared hosting providers. Because exploitation only requires access to a valid cPanel user account, a malicious tenant or an already-compromised shared hosting account can pivot to a full server takeover.&amp;nbsp;&lt;/p&gt;&lt;p&gt;In practice, that means a successful PHP exploit against any website on a server could chain straight into root, through a plugin most administrators probably never thought twice about.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What's Actually Broken&lt;/h3&gt;&lt;p&gt;The issue is related to the mishandling of the Redis enable/disable features inside the plugin. 
The vulnerability resides in the &lt;code&gt;lsws.redisAble&lt;/code&gt; function exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges. Redis (an in-memory data store commonly used for caching) is a standard component on many cPanel servers, making this attack surface widely accessible.&lt;/p&gt;&lt;p&gt;Importantly, LiteSpeed's WHM (Web Host Manager) plugin, used by server administrators, is not affected. The vulnerable component is the tenant-facing, user-end plugin only.&lt;/p&gt;&lt;p&gt;Security researcher David Strydom reported the flaw to LiteSpeed on May 19, 2026. Following the initial report, LiteSpeed and the cPanel/WebPros team initiated an urgent response cycle.&amp;nbsp;&lt;/p&gt;&lt;p&gt;cPanel's &lt;a href="https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/" rel="nofollow" target="_blank"&gt;emergency patch&lt;/a&gt;, released 12 hours ahead of schedule, included an automated fix that uninstalls the plugin entirely. That's an unusually aggressive response — but given active exploitation was already underway, removing the code entirely was the fastest available defense.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;A Pattern Worth Noticing&lt;/h3&gt;&lt;p&gt;This is the third cPanel emergency security release in just over three weeks. April 28 brought &lt;a href="https://www.cyberkendra.com/2026/04/cpanel-authentication-bypass-was.html" target="_blank"&gt;CVE-2026-41940&lt;/a&gt;, an authentication bypass actively exploited as a zero-day since February. May 13 brought a planned but substantial patch covering five additional CVEs.&amp;nbsp;&lt;/p&gt;&lt;p&gt;And May 19 brought the LiteSpeed plugin emergency, plus two additional cPanel security issues. 
The earlier CVE-2026-41940 (CVSS 9.8) was exploited by unknown threat actors to deploy Mirai botnet variants and a ransomware strain called Sorry.&lt;/p&gt;&lt;p&gt;For any hosting business running cPanel, monthly patching cycles no longer cut it.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Need to Do&lt;/h3&gt;&lt;p&gt;All versions of the LiteSpeed user-end plugin between v2.3 and v2.4.4 are at risk. The recommended action is to upgrade to LiteSpeed WHM Plugin v5.3.1.0, which bundles cPanel plugin v2.4.7 and includes both the original fix and patches from a broader security review LiteSpeed conducted after the initial disclosure.&lt;/p&gt;&lt;p&gt;If an immediate upgrade isn't possible, uninstall the vulnerable plugin using:&lt;/p&gt;&lt;pre&gt;/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall&lt;/pre&gt;&lt;p&gt;To check whether your server has already been hit, run:&lt;/p&gt;&lt;pre&gt;grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2&amp;gt;/dev/null&lt;/pre&gt;&lt;p&gt;No output means nothing in the logs still on disk matches; it says nothing about entries that have already been rotated or truncated, so treat an empty result as a good sign rather than proof. 
Any output warrants an immediate review of the flagged IP addresses and system logs to assess the extent of access.&lt;/p&gt;&lt;p&gt;If you're a managed hosting provider, assume your customers haven't patched themselves — push the update at the infrastructure level and verify.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFAoMkujcLXCkKzjlNRxRkJGAsCWnt2nmXSrYGtePqmahjfAhuE7NlwsMGvEbT7XKhYSuPEA7yZlhhqpNIazxvVHt_iRE2EidpH0XdjqntNi-w8Fr_LOetMGUQ4vwzWW4nNeCFnA7CQ5EAb61irDWub5lHoPrvDm-PvA-HKw3UgfbBZVwHWL8bJ_U6-wo/s72-c/lite-speed-cpanel-flaw.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>NGINX Hit by Second Unauthenticated RCE —'nginx-poolslip'</title><link>https://www.cyberkendra.com/2026/05/nginx-hit-by-second-unauthenticated-rce.html</link><category>Security</category><category>Vulnerability</category><pubDate>Sat, 23 May 2026 22:06:49 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-96047890604396955</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="nginx-poolslip Flaw" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOrS89UxW4btZ8iF7lA7JowbEYXkfOvofzOQfHJDb03s92YAuor4msRCxWNSBH8UN-io7Mi80S2pnHe3KNkGYkhw5CugRzMHClPMKrZthZC9abl2F29M_o0Qfns39NsuP7xs-3gWRP5woQ8S0VMNtXLRdSSGsQmtssuR1zDoMbfZVQ2Cu1pTW0g6cQEfM/s16000/nginx-poolslip.webp" title="nginx-poolslip Flaw" /&gt;&lt;/div&gt;&lt;p&gt;F5 has rushed out a security advisory for a second critical heap overflow vulnerability in NGINX's URL rewriting engine this month — and this one, nicknamed nginx-poolslip, allows an unauthenticated remote attacker to crash your web server or 
execute arbitrary code without a single login credential.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Tracked as &lt;b&gt;CVE-2026-9256 &lt;/b&gt;and carrying a CVSS v4.0 score of 9.2 (Critical), the flaw was publicly teased by &lt;a href="https://x.com/nebusecurity/status/2057071579876753643" rel="nofollow" target="_blank"&gt;Nebula Security on May 20&lt;/a&gt; and &lt;a href="https://my.f5.com/manage/s/article/K000161377" rel="nofollow" target="_blank"&gt;formally disclosed by F5 on May 22&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;&lt;p&gt;It sits inside &lt;code&gt;ngx_http_rewrite_module&lt;/code&gt; — the same component that was at the center of the NGINX Rift flaw (CVE-2026-42945) patched just nine days earlier. The vulnerability affects both NGINX Plus and NGINX Open Source and can be triggered by a remote, unauthenticated attacker over plain HTTP against any server whose configuration contains a rewrite of the affected shape.&amp;nbsp;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What Goes Wrong&lt;/h3&gt;&lt;p&gt;The bug is rooted in NGINX's handling of a specific regular expression pattern in rewrite directives. The vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping PCRE (Perl-Compatible Regular Expression) captures — for example, &lt;code&gt;^/((.*))$&lt;/code&gt; — paired with a replacement string that references multiple such captures, like &lt;code&gt;$1$2&lt;/code&gt;, in a redirect or arguments context.&amp;nbsp;&lt;/p&gt;&lt;p&gt;When an attacker sends a specially crafted HTTP request into such a configuration, the NGINX worker process suffers a heap buffer overflow (CWE-122), causing it to crash and restart.&lt;/p&gt;&lt;p&gt;The damage doesn't stop at a service disruption. Attackers can also execute code on systems with Address Space Layout Randomization (ASLR) disabled, or when they can bypass ASLR entirely — a realistic scenario in some legacy or improperly hardened deployments.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Who Is Exposed&lt;/h3&gt;&lt;p&gt;The scope is substantial. 
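The configuration shape described under What Goes Wrong is something an administrator can hunt for before editing rewrites by hand. The scanner below is an added example written for this page, not F5's tooling or nginx code. It lists every rewrite directive whose replacement refers to unnamed captures by number, singles out those with two or more such references (the shape the advisory describes), and produces the named-capture form that F5 recommends as the mitigation. The sample configuration is constructed; the scanner deliberately flags every numbered reference rather than trying to decide which ones are exploitable, and the converter writes named groups in PCRE's (?'name'...) spelling, which nginx accepts alongside the angle-bracket form shown in the mitigation further down.

```python
import re

# Constructed sample configuration for this example (not taken from the F5 advisory).
# Lines 2, 3, 5 and 6 use unnamed captures referenced by number; line 4 already uses
# the named form that F5 recommends.
SAMPLE_CONF = """server {
    rewrite ^/((.*))$ /index.php?p=$1$2 redirect;
    rewrite ^/users/([0-9]+)/profile/(.*)$ /profile/$1/$2 last;
    rewrite ^/users/(?'user_id'[0-9]+)/profile/(?'section'.*)$ /profile/$user_id/$section last;
    rewrite ^/legacy/(.*)$ /new/$1 permanent;
    rewrite ^/static/(?:css|js)/(.*)$ /assets/$1 last;
}
"""

# A rewrite directive: the regex (optionally quoted) followed by the replacement.
RE_REWRITE = re.compile(r"""^\s*rewrite\s+("[^"]*"|'[^']*'|\S+)\s+(\S+)""")
# nginx numbered capture references are $1 .. $9.
RE_NUMBERED_REF = re.compile(r"\$([1-9])")


def unnamed_capture_count(pattern):
    """Count capturing groups written as a bare '(' (escapes and character classes skipped)."""
    count = 0
    in_class = False
    escaped = False
    for i, ch in enumerate(pattern):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(" and not pattern.startswith("?", i + 1):
            count += 1
    return count


def find_numbered_capture_rewrites(conf_text):
    """Return (line_no, pattern, replacement, refs) for each rewrite whose replacement
    refers to an unnamed capture by number. Every one of these is a candidate for the
    named-capture rewrite; not every one is necessarily exploitable."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = RE_REWRITE.match(line)
        if not m:
            continue
        pattern = m.group(1).strip("\"'")
        replacement = m.group(2).rstrip(";")
        refs = sorted(set(int(d) for d in RE_NUMBERED_REF.findall(replacement)))
        if refs and unnamed_capture_count(pattern) != 0:
            hits.append((line_no, pattern, replacement, refs))
    return hits


def multi_reference_rewrites(conf_text):
    """The subset matching the advisory's description: two or more numbered references."""
    return [h for h in find_numbered_capture_rewrites(conf_text) if len(h[3]) not in (0, 1)]


def to_named_captures(pattern, replacement, prefix="c"):
    """Apply the mitigation mechanically: each unnamed group becomes (?'cN'...) and each
    $N in the replacement becomes $cN. Returns None when the pattern already contains
    named groups or lookbehinds, because group numbering would no longer line up."""
    out = []
    group = 0
    in_class = False
    escaped = False
    for i, ch in enumerate(pattern):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            if pattern.startswith("?", i + 1):
                # (?: (?= (?! neither capture nor shift numbering; anything else is unsupported
                if pattern[i + 2:i + 3] not in (":", "=", "!"):
                    return None
            else:
                group += 1
                out.append("(?'%s%d'" % (prefix, group))
                continue
        out.append(ch)
    new_replacement = RE_NUMBERED_REF.sub(lambda m: "$" + prefix + m.group(1), replacement)
    return "".join(out), new_replacement


if __name__ == "__main__":
    for line_no, pattern, replacement, refs in find_numbered_capture_rewrites(SAMPLE_CONF):
        fixed = to_named_captures(pattern, replacement)
        print("line %d: %s %s  refs=%s" % (line_no, pattern, replacement, refs))
        print("  named form: %s %s" % fixed if fixed else "  needs manual conversion")
```

Run it against each file that nginx -T prints (the scanner works on one file's text at a time and does not follow include directives), review the proposed named forms, and validate the result with nginx -t before reloading; a pattern that already mixes named and unnamed groups is reported for manual conversion rather than rewritten.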
NGINX Open Source versions 0.1.17 through 1.31.0 are vulnerable, while 1.31.1 and 1.30.2 carry the fix. NGINX Plus releases R32 through R37.0.0 are affected; fixes land in R37.0.1.1, R36 P5, and R32 P7. NGINX Instance Manager versions 2.17.0 to 2.22.0 are also flagged, though no fix has been released for that product line yet.&lt;/p&gt;&lt;p&gt;Notably, F5 BIG-IP, BIG-IQ, F5OS, and F5 Distributed Cloud Services are all listed as not vulnerable. The exposure is squarely in the NGINX software layer itself.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Second RCE in NGINX&lt;/h3&gt;&lt;p&gt;CVE-2026-9256 lands just over a week after &lt;a href="https://www.cyberkendra.com/2026/05/nginx-rift-18-year-old-bug-lets-hackers.html" target="_blank"&gt;NGINX Rift (&lt;b&gt;CVE-2026-42945&lt;/b&gt;)&lt;/a&gt; — a separate heap overflow in the same rewrite module that had been quietly lurking in the codebase for 18 years.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Two critical bugs in the same component within the same month are an uncomfortable signal that the rewrite engine has been under-scrutinised for a long time. F5 credited the discovery of nginx-poolslip to Mufeed VH of Winfunc Research, Nebula Security, and Vexera AI for coordinated disclosure.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Should Do Right Now&lt;/h3&gt;&lt;p&gt;Upgrading is the definitive fix. If patching immediately isn't an option, F5 offers a practical configuration-level mitigation: replace unnamed PCRE capture groups with named captures in every affected rewrite directive, then validate the edited configuration with &lt;code&gt;nginx -t&lt;/code&gt; before reloading. For example, swap:&amp;nbsp;&lt;/p&gt;&lt;pre&gt;rewrite ^/users/([0-9]+)/profile/(.*)$ /profile.php?id=$1&amp;amp;tab=$2 last;&lt;/pre&gt;&lt;p&gt;…for:&lt;/p&gt;&lt;pre&gt;rewrite ^/users/(?&amp;lt;user_id&amp;gt;[0-9]+)/profile/(?&amp;lt;section&amp;gt;.*)$
/profile.php?id=$user_id&amp;amp;tab=$section last;&lt;/pre&gt;&lt;p&gt;That single configuration change neutralises the vulnerable code path. Given that NGINX powers roughly one-third of the world's web servers, administrators should treat this as a priority patch rather than a scheduled maintenance item.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOrS89UxW4btZ8iF7lA7JowbEYXkfOvofzOQfHJDb03s92YAuor4msRCxWNSBH8UN-io7Mi80S2pnHe3KNkGYkhw5CugRzMHClPMKrZthZC9abl2F29M_o0Qfns39NsuP7xs-3gWRP5woQ8S0VMNtXLRdSSGsQmtssuR1zDoMbfZVQ2Cu1pTW0g6cQEfM/s72-c/nginx-poolslip.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>How Data Rooms Became Decision-Making Tools</title><link>https://www.cyberkendra.com/2026/05/how-data-rooms-became-decision-making.html</link><category>Tips</category><pubDate>Fri, 22 May 2026 23:08:08 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-4678711839000398852</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Best virtual data rooms" border="0" data-original-height="3062" data-original-width="4899" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWClNq_cR0wgDXeA525Mpr7fNk-RZdbp8XCte7PWL6CozerSNIHslTHQ9Iuzhax7jFsa46jAwUTo0Yoz5Fxmtko76XwKbW6YMLcgZ-TIT8rOoWR4YSRBpIV6HuwjV7XIEX8nVJ85HdcO4GcNqcETOrD1O7aRGpA6PdRNT4FoV-ZnWqrgb5L8bwb3rVvsg/s16000/virtual-data-rooms.webp" title="Best virtual data rooms" /&gt;&lt;/div&gt;&lt;p&gt;Over the years, data rooms were considered simple storage platforms — a secure location where companies posted documents for audit, fundraising, or mergers.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The role of the virtual data room (VDR) has evolved greatly today. 
It becomes a key node in data room decision-making, assisting the business in interpreting data, monitoring stakeholder activity, and making faster, higher-stakes decisions.&lt;/p&gt;&lt;p&gt;This shift reflects a more radical change in how modern organizations operate: no longer is it a matter of decisions being made purely on documents, but of insights derived from them.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;From Document Storage to Strategic Infrastructure&lt;/h3&gt;&lt;p&gt;Traditional data rooms were designed to resolve a narrow problem: secure document collaboration.&lt;/p&gt;&lt;p&gt;They allowed companies to:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Store confidential files&lt;/li&gt;&lt;li&gt;Restrict access to authorized users&lt;/li&gt;&lt;li&gt;Organize documents for due diligence&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;However, they lacked analytical capabilities.&lt;/p&gt;&lt;p&gt;Modern virtual data room platforms function as strategic infrastructure. They integrate:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Secure storage&lt;/li&gt;&lt;li&gt;Activity tracking&lt;/li&gt;&lt;li&gt;Reporting tools&lt;/li&gt;&lt;li&gt;Workflow automation&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This combination transforms static files into actionable intelligence. 
Instead of simply hosting documents, today’s platforms actively support data room decision-making by revealing how information is used and by whom.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Virtual Data Room Analytics: Turning Activity into Insight&lt;/h3&gt;&lt;p&gt;The introduction of virtual data room analytics has radically transformed how companies evaluate deals.&lt;/p&gt;&lt;p&gt;These tools monitor user behavior on an ongoing basis, and these include:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Document views&lt;/li&gt;&lt;li&gt;Time spent per file&lt;/li&gt;&lt;li&gt;Download activity&lt;/li&gt;&lt;li&gt;User engagement patterns&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This data generates valuable virtual data room insights.&lt;/p&gt;&lt;p&gt;For example:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;A potential investor who repeatedly reviews financial projections is likely serious&lt;/li&gt;&lt;li&gt;Low engagement with legal documents may signal overlooked risks&lt;/li&gt;&lt;li&gt;High activity from multiple stakeholders may indicate competitive interest&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These lessons can enable companies to prioritize and allocate resources effectively.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Secure Document Collaboration in Complex Transactions&lt;/h3&gt;&lt;p&gt;Modern deals involve multiple stakeholders working across different locations.&lt;/p&gt;&lt;p&gt;A virtual data room enables secure document collaboration by providing:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Role-based permissions&lt;/li&gt;&lt;li&gt;Encrypted file sharing&lt;/li&gt;&lt;li&gt;Real-time document updates&lt;/li&gt;&lt;li&gt;Detailed audit trails&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This ensures that sensitive information is not lost while remaining available to the appropriate individuals.&lt;/p&gt;&lt;p&gt;Centralization is 
key. Instead of scattered communication across emails and third-party tools, all collaboration happens within a controlled environment.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why Data Room Providers Focus on Intelligence&lt;/h3&gt;&lt;p&gt;Leading data room providers have shifted their focus from storage capacity to intelligence.&lt;/p&gt;&lt;p&gt;Today’s platforms compete based on their ability to deliver:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Advanced virtual data room analytics&lt;/li&gt;&lt;li&gt;Clear dashboards and reporting&lt;/li&gt;&lt;li&gt;Customizable workflows&lt;/li&gt;&lt;li&gt;Seamless user experience&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This reflects growing demand for virtual data room insights that directly support business outcomes.&lt;/p&gt;&lt;p&gt;Organizations no longer want tools that simply store files.&lt;/p&gt;&lt;p&gt;They want platforms that:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Highlight risks early&lt;/li&gt;&lt;li&gt;Reveal opportunities&lt;/li&gt;&lt;li&gt;Accelerate decision-making&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;As a result, the virtual data room becomes a decision-support system rather than just a storage solution.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;A Practical Example of Data Room Decision Making&lt;/h3&gt;&lt;p&gt;Consider a startup raising capital.&lt;/p&gt;&lt;p&gt;Using a modern virtual data room, the team can:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Track which investors access the platform&lt;/li&gt;&lt;li&gt;Monitor which documents they review&lt;/li&gt;&lt;li&gt;Measure how long they engage with specific files&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Consistently reviewing financial forecasts and market analysis indicates a strong intent.&lt;/p&gt;&lt;p&gt;The startup can then:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Prioritize 
communication with that investor&lt;/li&gt;&lt;li&gt;Prepare tailored responses&lt;/li&gt;&lt;li&gt;Anticipate questions&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This is a clear case of data-driven decision-making, based on real-time activity data. Without analytics, this level of insight would not be possible.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Regional Considerations and Market Practices&lt;/h3&gt;&lt;p&gt;The way data rooms are implemented is not consistent across geographies, particularly in regulated markets.&lt;/p&gt;&lt;p&gt;For example, many companies look for certifications such as:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;ISO 27001 for information security management&lt;/li&gt;&lt;li&gt;SOC 2 Type II for operational and security controls&lt;/li&gt;&lt;li&gt;GDPR compliance for handling personal data within the European Union&lt;/li&gt;&lt;li&gt;ISO 27701 for privacy information management&lt;/li&gt;&lt;li&gt;&lt;a href="https://www.cyberkendra.com/2023/05/hipaa-checklist-comprehensive-guide-to.html" target="_blank"&gt;HIPAA compliance&lt;/a&gt; when healthcare data is involved&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These regional differences matter for cross-border transactions and international deals, especially when selecting a &lt;a href="https://dataroom.org.uk/" target="_blank"&gt;data room in the UK&lt;/a&gt; or other highly regulated markets.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Automation and Workflow Efficiency&lt;/h3&gt;&lt;p&gt;Another major advantage of modern virtual data room platforms is automation.&lt;/p&gt;&lt;p&gt;Automation features include:&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Automatic document indexing&lt;/li&gt;&lt;li&gt;Bulk file uploads&lt;/li&gt;&lt;li&gt;Predefined permission templates&lt;/li&gt;&lt;li&gt;Activity-triggered notifications&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These features reduce manual 
labor, minimize errors, and make processes more uniform.&lt;/p&gt;&lt;p&gt;Consequently, teams can focus on more valuable activities, including data room decision-making and analysis, rather than on administrative tasks.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Risk Reduction Through Visibility and Control&lt;/h3&gt;&lt;p&gt;Risk management is a core function of any transaction.&lt;/p&gt;&lt;p&gt;A virtual data room enhances risk control by providing:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Detailed audit logs&lt;/li&gt;&lt;li&gt;User activity tracking&lt;/li&gt;&lt;li&gt;Document access history&lt;/li&gt;&lt;li&gt;Security functions such as watermarking and two-factor authentication&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;In case of a problem, teams can discover:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Who accessed a document&lt;/li&gt;&lt;li&gt;When it was accessed&lt;/li&gt;&lt;li&gt;What actions were taken&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Such visibility minimizes uncertainty and helps teams make better decisions.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Competitive Advantage in High-Stakes Environments&lt;/h3&gt;&lt;p&gt;Data rooms help organizations gain a competitive advantage.&lt;/p&gt;&lt;p&gt;They can:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Respond to stakeholder requests more quickly&lt;/li&gt;&lt;li&gt;Present information in an organized way&lt;/li&gt;&lt;li&gt;Identify high-priority opportunities&lt;/li&gt;&lt;li&gt;Accelerate deal timelines&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These advantages can directly influence results in competitive situations such as M&amp;amp;A or fundraising.&lt;/p&gt;&lt;p&gt;A well-organized virtual data room also signals professionalism. 
It builds trust with investors, partners, and advisors — often a decisive factor in closing deals.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Future: Intelligent Data Rooms&lt;/h3&gt;&lt;p&gt;The evolution of data rooms is ongoing.&lt;/p&gt;&lt;p&gt;Many platforms are now integrating:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Artificial intelligence&lt;/li&gt;&lt;li&gt;Machine learning&lt;/li&gt;&lt;li&gt;Predictive analytics&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These technologies enhance virtual data room analytics by:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Identifying missing or incomplete documents&lt;/li&gt;&lt;li&gt;Detecting inconsistencies in data&lt;/li&gt;&lt;li&gt;Recommending relevant files&lt;/li&gt;&lt;li&gt;Predicting user behavior&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This represents the next stage of data room decision-making.&lt;/p&gt;&lt;p&gt;Companies can foresee needs and be proactive rather than respond to user activity. 
Modern virtual data room providers offer far more than storage.&lt;/p&gt;&lt;p&gt;They deliver:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Actionable virtual data room insights&lt;/li&gt;&lt;li&gt;Advanced virtual data room analytics&lt;/li&gt;&lt;li&gt;Reliable, secure document collaboration&lt;/li&gt;&lt;li&gt;Strong support for data room decision-making&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;These capabilities transform how organizations manage complex transactions.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Conclusion&lt;/h3&gt;&lt;p&gt;The role of data rooms has evolved from passive storage to active decision support.&lt;/p&gt;&lt;p&gt;Today’s virtual data room is a strategic tool that helps businesses:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Understand stakeholder behavior&lt;/li&gt;&lt;li&gt;Reduce risk&lt;/li&gt;&lt;li&gt;Improve efficiency&lt;/li&gt;&lt;li&gt;Make faster, smarter decisions&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This change will only intensify as business environments become more data-driven. 
Organizations that are effective users of data room providers will handle information efficiently, make better decisions, and achieve better outcomes.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWClNq_cR0wgDXeA525Mpr7fNk-RZdbp8XCte7PWL6CozerSNIHslTHQ9Iuzhax7jFsa46jAwUTo0Yoz5Fxmtko76XwKbW6YMLcgZ-TIT8rOoWR4YSRBpIV6HuwjV7XIEX8nVJ85HdcO4GcNqcETOrD1O7aRGpA6PdRNT4FoV-ZnWqrgb5L8bwb3rVvsg/s72-c/virtual-data-rooms.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Trend Micro's Own Security Tool Turned Against Enterprises — Apex One Zero-Day Actively Exploited</title><link>https://www.cyberkendra.com/2026/05/trend-micros-own-security-tool-turned.html</link><category>Security</category><category>Vulnerability</category><category>ZeroDay Bug</category><pubDate>Fri, 22 May 2026 21:10:40 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-4941070184469962942</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Apex One Zeroday" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2RWKekXHG6dbOJmAofnBDKAwokyPT0w5F4Sz8akE7POSiTcZaHHIwdAY0vesNvUGeUzZFVLYmDHIS8OxJce6JoeGCm917zBx3KsoGrURPKQKa8QSy_Kt-nfEOEcGt8AaMJm0M8AF0ECoGeCjS47FW-akZ84OXLAexyrxJnV3u4uN9D9qvMPqiipXQJMI/s16000/apex-one-flaw.webp" title="Apex One Zeroday" /&gt;&lt;/div&gt;&lt;p&gt;The endpoint security software meant to protect enterprise networks from attackers has itself become a target. 
Trend Micro has patched a zero-day vulnerability in Apex One — its flagship corporate endpoint protection platform — after its own incident response team caught threat actors actively exploiting the flaw against Windows systems.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Tracked as &lt;b&gt;CVE-2026-34926&lt;/b&gt;, the vulnerability is a directory traversal flaw (a weakness that lets attackers access files and directories outside intended boundaries) in the Apex One on-premises server.&lt;/p&gt;&lt;p&gt;A local attacker who has already obtained admin credentials can exploit it to tamper with a core server table and silently push malicious code out to all endpoint agents deployed across the organization — effectively hijacking the security infrastructure itself to distribute malware.&lt;/p&gt;&lt;p&gt;The attack does carry prerequisites: the target must be running the on-premise version of Apex One, and the attacker must already hold administrative access to the server. That said, those conditions are far from theoretical — TrendAI's incident response team, which discovered the vulnerability, confirmed at least one real-world exploitation attempt before the patch was even released.&lt;/p&gt;&lt;p&gt;CISA has added CVE-2026-34926 to its Known Exploited Vulnerabilities (KEV) catalog and ordered all U.S. federal agencies to apply fixes no later than June 4.&lt;/p&gt;&lt;p&gt;The same &lt;a href="https://success.trendmicro.com/en-US/solution/KA-0023430" rel="nofollow" target="_blank"&gt;update bundle&lt;/a&gt; addresses seven additional high-severity local privilege escalation flaws (CVE-2026-34927 through 34930 and CVE-2026-45206 through 45208), all carrying CVSS scores of 7.8. These were reported by researcher Lays (@_L4ys) of TRAPA Security through Trend Micro's Zero Day Initiative program. 
Each flaw exploits origin validation errors across different inter-process communication mechanisms in the Apex One agent.&lt;/p&gt;&lt;p&gt;Apex One has been exploited in zero-day attacks repeatedly — in August 2025, September 2023, and September 2022. SecurityWeek notes that some past Apex One attacks have been attributed to Chinese state-sponsored APT groups, and given the level of access required to trigger CVE-2026-34926, a sophisticated threat actor is the most plausible culprit here, too.&lt;/p&gt;&lt;p&gt;&lt;b&gt;What you should do now:&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;On-premises Apex One SP1 users should update to CP Build 18012 (or 17079 for fresh installs)&lt;/li&gt;&lt;li&gt;SaaS and Vision One SEP customers need Security Agent build 14.0.20731 or later&lt;/li&gt;&lt;li&gt;Review who has remote administrative access to your Apex One server and audit perimeter policies immediately&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2RWKekXHG6dbOJmAofnBDKAwokyPT0w5F4Sz8akE7POSiTcZaHHIwdAY0vesNvUGeUzZFVLYmDHIS8OxJce6JoeGCm917zBx3KsoGrURPKQKa8QSy_Kt-nfEOEcGt8AaMJm0M8AF0ECoGeCjS47FW-akZ84OXLAexyrxJnV3u4uN9D9qvMPqiipXQJMI/s72-c/apex-one-flaw.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Windows Kernel Bug Breaks Every Browser Sandbox — And It Almost Stayed Secret Until Pwn2Own</title><link>https://www.cyberkendra.com/2026/05/windows-kernel-bug-breaks-every-browser.html</link><category>Security</category><category>Vulnerability</category><category>Windows 11</category><pubDate>Thu, 21 May 2026 23:28:28 +0530</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-243201699795993654</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="Windows 11 Kernel Bug" border="0" data-original-height="900" data-original-width="1600" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtPtkrLGsLtZUeQ_Tv2UsH_He3da-5r7yB16YzBy_OJDJsWdJkA-cuzFHnk5aM6fr9xjqUl-Qp2n8MFhOZAFrsWQVi6-4ESSV9UcWgJYUkQH7znuFFlfpABozTREArkec7IWLkSSJh8kRUaa9aJA-RSsfpf5WqZHzbX0CEEd2TL0aflXpYZ_Y7p_AaqcI/w320-h180/windows11-flaw.webp" title="Windows 11 Kernel Bug" width="320" /&gt;&lt;/div&gt;&lt;p&gt;A security researcher prepared a devastating Windows kernel exploit for Pwn2Own Berlin 2026 — then had to watch it go public days before the contest even started.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;CVE-2026-40369&lt;/b&gt; is an unprivileged arbitrary 12-byte kernel write primitive in &lt;code&gt;nt!ExpGetProcessInformation&lt;/code&gt;, reachable from any context that can call &lt;code&gt;NtQuerySystemInformation&lt;/code&gt; — including Chrome, Edge, and Firefox renderer sandboxes. The part that makes this stand out is that browser sandboxes (the isolation layer that is supposed to contain a compromised browser tab) are bypassed outright: the system call is reachable from inside them.&lt;/p&gt;&lt;p&gt;The researcher — Paolo Stagno — had &lt;a href="https://voidsec.com/cve-2026-40369-browser-sandbox-escape/" rel="nofollow" target="_blank"&gt;originally prepared the bug for Pwn2Own Berlin&lt;/a&gt;. A couple of days before the contest, the CVE was assigned, and the bug went public. 
That timing effectively ended any competition entry, but the disclosure gave the security community something arguably more valuable: a meticulous technical breakdown of how the flaw works and exactly how far an attacker can take it.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What the Bug Actually Does&lt;/h3&gt;&lt;p&gt;The vulnerability resides in &lt;b&gt;ntoskrnl.exe&lt;/b&gt;, in the function &lt;code&gt;ExpGetProcessInformation&lt;/code&gt;, and is triggered by calling &lt;code&gt;NtQuerySystemInformation&lt;/code&gt; with information class 253 (&lt;code&gt;SystemProcessInformationExtension&lt;/code&gt;), passing a kernel address as the output buffer and a length of zero.&lt;/p&gt;&lt;p&gt;The trick here is brutally simple. &lt;b&gt;ProbeForWrite&lt;/b&gt; — the Windows kernel's own mechanism for validating that a buffer pointer is safe to write — is a complete no-op when the supplied length is zero. The entire function body is gated by &lt;code&gt;if (Length)&lt;/code&gt;, so passing &lt;code&gt;Length=0&lt;/code&gt; slides an unvalidated kernel pointer straight through into &lt;code&gt;ExpGetProcessInformation&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;Once inside, the function iterates over all running processes on the system and, for class 253, increments three DWORD values at the attacker's chosen kernel address — providing a reliable 12-byte write primitive. Critically, even though &lt;code&gt;ExpGetProcessInformation&lt;/code&gt; detects the length mismatch and sets &lt;code&gt;STATUS_INFO_LENGTH_MISMATCH&lt;/code&gt;, it does not return early — it stores the error and continues executing the write loop for every process before returning.&lt;/p&gt;&lt;p&gt;The exploit's reliability is described as 100% deterministic. 
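&lt;/p&gt;&lt;p&gt;The two defects described above, modelled in Python as an added example (a constructed stand-in for illustration, not Windows source, VoidSec's exploit, or Microsoft's patch): &lt;code&gt;probe_for_write&lt;/code&gt; does nothing when the length is zero, and &lt;code&gt;exp_get_process_information&lt;/code&gt; records &lt;code&gt;STATUS_INFO_LENGTH_MISMATCH&lt;/code&gt; yet still runs its per-process write loop. The user/kernel boundary constant, the process list, the target address and the &lt;code&gt;hardened&lt;/code&gt; early-return variant are all assumptions of the example.&lt;/p&gt;

```python
"""
Python model of the two logic defects the write-up attributes to
CVE-2026-40369. This is a constructed stand-in, not Windows source:
ProbeForWrite skips validation when Length is 0, and
ExpGetProcessInformation notes STATUS_INFO_LENGTH_MISMATCH but still runs
its per-process write loop. Constants, the memory model and the
"hardened" variant are this example's own assumptions.
"""

MM_USER_PROBE_ADDRESS = 0x00007FFFFFFF0000       # illustrative user/kernel boundary
STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_ACCESS_VIOLATION = 0xC0000005
SYSTEM_PROCESS_INFORMATION_EXTENSION = 253        # info class named in the write-up
BYTES_PER_PROCESS = 12                            # three DWORDs per process


class FlatMemory:
    """Sparse DWORD-addressed memory covering both user and kernel ranges."""

    def __init__(self):
        self.dwords = {}

    def read_dword(self, addr):
        return self.dwords.get(addr, 0)

    def add_dword(self, addr, delta):
        self.dwords[addr] = (self.read_dword(addr) + delta) % 2**32


def probe_for_write(address, length):
    """Mirror of the described gate: the whole body sits under `if Length`,
    so a kernel pointer paired with Length == 0 is never examined."""
    if length:
        if address + length > MM_USER_PROBE_ADDRESS:
            raise MemoryError(STATUS_ACCESS_VIOLATION)


def exp_get_process_information(mem, processes, buffer, length, hardened=False):
    """Class-253 body as described: for every process, bump three DWORDs at
    `buffer`. The vulnerable path records the length mismatch and keeps going;
    `hardened` models an early return before any write (this example's own
    fix, not necessarily Microsoft's)."""
    status = STATUS_SUCCESS
    if BYTES_PER_PROCESS * len(processes) > length:
        status = STATUS_INFO_LENGTH_MISMATCH
        if hardened:
            return status
    for _ in processes:
        for offset in (0, 4, 8):
            mem.add_dword(buffer + offset, 1)
    return status


def nt_query_system_information(mem, processes, info_class, buffer, length,
                                hardened=False):
    """Syscall entry: probe the caller's buffer, then dispatch on the class."""
    if info_class != SYSTEM_PROCESS_INFORMATION_EXTENSION:
        raise NotImplementedError("only class 253 is modelled here")
    try:
        probe_for_write(buffer, length)
    except MemoryError as fault:
        return fault.args[0]
    return exp_get_process_information(mem, processes, buffer, length, hardened)


def demo():
    """Three cases: a legitimate user buffer, a kernel target with Length=0
    (the bug), and the same call against the hardened variant."""
    processes = list(range(5))                    # five constructed processes
    user_buf = 0x0000000000100000
    kernel_target = 0xFFFFF80012345000            # constructed kernel address

    legit = FlatMemory()
    s_legit = nt_query_system_information(legit, processes, 253, user_buf, 60)

    vuln = FlatMemory()
    s_vuln = nt_query_system_information(vuln, processes, 253, kernel_target, 0)
    s_probe = nt_query_system_information(vuln, processes, 253, kernel_target, 12)

    fixed = FlatMemory()
    s_fixed = nt_query_system_information(fixed, processes, 253, kernel_target, 0,
                                          hardened=True)
    return {
        "legit_status": s_legit, "legit_value": legit.read_dword(user_buf),
        "vuln_status": s_vuln, "vuln_value": vuln.read_dword(kernel_target),
        "nonzero_length_status": s_probe,
        "fixed_status": s_fixed, "fixed_value": fixed.read_dword(kernel_target),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:#x}")
```

&lt;p&gt;Run it and the kernel-target call with length 0 returns the mismatch status after incrementing the three DWORDs once per process, while the same pointer with a non-zero length is rejected by the probe; that gap between the two calls is where the primitive lives.&lt;/p&gt;&lt;p&gt;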
And because &lt;code&gt;NtQuerySystemInformation&lt;/code&gt; is not blocked by Chrome's win32k lockdown, restricted tokens, or untrusted integrity-level checks, the primitive is fully reachable from the renderer sandboxes of Chrome, Edge, and Firefox.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;From Sandbox to SYSTEM&lt;/h3&gt;&lt;p&gt;VoidSec's full write-up chains this primitive into a complete local privilege escalation, lifting a Medium-integrity non-administrator process all the way up to &lt;b&gt;NT AUTHORITY\SYSTEM&lt;/b&gt; via &lt;b&gt;NtCreateToken&lt;/b&gt;. For KASLR (kernel address space layout randomization) bypass, the exploit can be paired with the open-source prefetch-tool, meaning an attacker operating entirely from within a sandboxed browser tab could, in theory, reach full system ownership in two chained steps.&lt;/p&gt;&lt;p&gt;Microsoft assigned it a CVSS score of 7.8 and classified the flaw as an Elevation of Privilege vulnerability affecting Windows 11 versions 24H2 and 25H2.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;The Patch Is Already Out&lt;/h3&gt;&lt;p&gt;Microsoft's May 2026 Patch Tuesday, released on May 12, includes a fix for CVE-2026-40369. 
Researcher Ori Nimron (@orinimron123) has since published three tiers of working exploit code on &lt;a href="https://github.com/orinimron123/CVE-2026-40369-EXPLOIT" rel="nofollow" target="_blank"&gt;GitHub&lt;/a&gt; — a basic PoC, a full exploit, and a variant with a Chrome sandbox emulator — making it accessible to both defenders testing their own environments and, inevitably, those with less benign intentions.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Should Do&lt;/h3&gt;&lt;p&gt;If you manage Windows 11 24H2 or 25H2 endpoints and haven't applied the May 2026 cumulative update yet, that should move to the top of your patch queue immediately.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The combination of sandbox reachability, deterministic reliability, and publicly available exploit code means this vulnerability has crossed the threshold where "we'll get to it next cycle" is no longer a safe posture. Enterprise teams should also verify that endpoint detection rules are in place for anomalous &lt;code&gt;NtQuerySystemInformation&lt;/code&gt; class 253 calls, which have no legitimate user-space use case.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtPtkrLGsLtZUeQ_Tv2UsH_He3da-5r7yB16YzBy_OJDJsWdJkA-cuzFHnk5aM6fr9xjqUl-Qp2n8MFhOZAFrsWQVi6-4ESSV9UcWgJYUkQH7znuFFlfpABozTREArkec7IWLkSSJh8kRUaa9aJA-RSsfpf5WqZHzbX0CEEd2TL0aflXpYZ_Y7p_AaqcI/s72-w320-h180-c/windows11-flaw.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>PoC Exploit Released for Drupal's Critical SQL Injection CVE-2026-9082</title><link>https://www.cyberkendra.com/2026/05/poc-exploit-released-for-drupals.html</link><category>Drupal</category><category>Security</category><pubDate>Thu, 21 May 2026 22:28:15 +0530</pubDate><guid 
isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-5989485341691297262</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="SQL Injection in Drupal Core" border="0" data-original-height="1010" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA2t-hzZEsbKHniC93VmzPPwFmk2TN1Ct-SobxZ5Lo1KnVcIB9U_1HxmNx4jQJV-ysIBFEiKAyX6rIDCdW2qxEiFTQQke6rSnr37_3sq83hmslKPHdsDTX3OzQn5etYe5a5QApeShqPyktOACakJ7oG3MvEi_DdLk72Q05X05z2J89ICY03ULM1Gqc3_A/s16000/drupal-sqli.png" title="SQL Injection in Drupal Core" /&gt;&lt;/div&gt;&lt;p&gt;A day after &lt;a href="https://www.cyberkendra.com/2026/05/drupal-patches-highly-critical-sql.html" target="_blank"&gt;Drupal's emergency patches landed&lt;/a&gt;, security researchers at Searchlight Cyber have published a full technical breakdown of CVE-2026-9082 — complete with two working proof-of-concept exploits. If your PostgreSQL-backed Drupal site isn't patched yet, consider this the final warning.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Drupal's database abstraction API exists for one reason: to sanitise queries and prevent SQL injection. The flaw is inside that very layer — specifically in the PostgreSQL-specific override that handles case-insensitive comparisons.&lt;/p&gt;&lt;p&gt;Researchers at &lt;a href="https://slcyber.io/research-center/keys-to-the-kingdom-anonymous-sql-injection-in-drupal-core-cve-2026-9082/" rel="nofollow" target="_blank"&gt;Searchlight Cyber show&lt;/a&gt; that PostgreSQL is case-sensitive by default, so Drupal wraps query comparisons in a LOWER() function to normalise them. When processing an IN (...) list — say, matching a username against multiple values — it loops through each value and builds SQL placeholder names by combining a field prefix with an array key. The assumption was that those keys would always be sequential integers (0, 1, 2). 
They aren't.&lt;/p&gt;&lt;p&gt;If an attacker sends a JSON object instead of a plain string for the name field on the login endpoint, PHP decodes it into an associative array with attacker-controlled keys. Those keys land directly inside the SQL text before PDO (PHP's database layer) ever gets to bind and sanitise them. The fix? Three array_values() calls across three files — roughly seven lines of code — that forcibly reset array keys to sequential integers before they reach the vulnerable loop.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Two Entry Points, Both Unauthenticated&lt;/h3&gt;&lt;p&gt;Researchers confirmed two separate paths to trigger the injection:&lt;/p&gt;&lt;p&gt;&lt;b&gt;Variant 1 — &lt;/b&gt;JSON Login endpoint (/user/login?_format=json): An attacker sends the name field as a JSON object with an injected key containing a divide-by-zero subquery. When the boolean predicate is true, the server returns HTTP 500 with a SQLSTATE[22012] division-by-zero error. When false, it returns HTTP 400. That clean status-code split means an attacker can extract arbitrary database content one bit at a time — at scanning speeds. No session, no CSRF token, no credentials required.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Variant 2 — &lt;/b&gt;JSON:API filter parameters (/jsonapi/node/{bundle}): A single GET request with a backtick in a filter key is enough to produce a SQLSTATE[HY093] error on a vulnerable host. This variant doesn't even need a POST body — it's a one-shot fingerprinting probe that works against any publicly accessible node bundle. JSON:API isn't enabled by default, but it's a standard addition on API-driven Drupal deployments.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What's Actually at Risk&lt;/h3&gt;&lt;p&gt;Both exploit variants are fully anonymous — no account needed. On a vulnerable PostgreSQL-backed site, an attacker can quietly extract usernames, password hashes, private content, and any other data the database user can access. 
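&lt;/p&gt;&lt;p&gt;The placeholder-name construction and the &lt;code&gt;array_values()&lt;/code&gt; fix described above, rewritten in Python as an added example. This is not Drupal's PHP: the builder names, the placeholder prefix and the JSON bodies are this example's own, and the attacker key is a constructed divide-by-zero oracle in the shape Searchlight describes.&lt;/p&gt;

```python
"""
Python stand-in for the PHP logic described in the write-up (not Drupal's
code): an IN() condition builder that derives placeholder names from the
value array's keys, the array_values() fix, and the JSON login body that
turns `name` into an associative array. Placeholder naming and the request
bodies are constructed for this example.
"""
import json
import re

# The only shape the generated SQL text is ever allowed to take.
SAFE_TEMPLATE = re.compile(r"LOWER\(\w+\) IN \(LOWER\(:\w+\)(, LOWER\(:\w+\))*\)")


def build_in_condition_vulnerable(field, values):
    """Pre-fix behaviour: placeholder = prefix + array key, whatever the key is."""
    prefix = f"db_condition_placeholder_{field}"
    fragments = []
    args = {}
    for key, value in values.items():       # PHP: foreach ($values as $key => $value)
        name = f":{prefix}_{key}"
        fragments.append(f"LOWER({name})")
        args[name] = value
    sql = f"LOWER({field}) IN ({', '.join(fragments)})"
    return sql, args


def build_in_condition_fixed(field, values):
    """Post-fix behaviour: array_values() renumbers keys 0..n-1 first, so an
    attacker-controlled key never reaches the SQL text."""
    renumbered = dict(enumerate(values.values()))   # PHP: array_values($values)
    return build_in_condition_vulnerable(field, renumbered)


def decode_login_name(body):
    """/user/login?_format=json: PHP's json_decode($body, true) yields a string
    for a normal login and an associative array when the client sends an object."""
    name = json.loads(body)["name"]
    if isinstance(name, dict):
        return name
    return {0: name}


def is_well_formed(sql):
    """True only if the SQL text is exactly the expected template."""
    return SAFE_TEMPLATE.fullmatch(sql) is not None


# Constructed request bodies. The attacker's key carries a boolean oracle of
# the kind the write-up describes: a division that only errors when the
# predicate holds, so the server answers 500 or 400 depending on the bit.
NORMAL_BODY = '{"name": "alice", "pass": "hunter2"}'
ATTACK_BODY = json.dumps({
    "name": {"0) OR 1/(SELECT CASE WHEN (SELECT 1)=1 THEN 0 ELSE 1 END)=1 --": "x"},
    "pass": "x",
})


def compare(body):
    """Build the condition both ways and report whether each text is well-formed."""
    values = decode_login_name(body)
    v_sql, v_args = build_in_condition_vulnerable("name", values)
    f_sql, f_args = build_in_condition_fixed("name", values)
    return {
        "vulnerable_sql": v_sql, "vulnerable_ok": is_well_formed(v_sql),
        "fixed_sql": f_sql, "fixed_ok": is_well_formed(f_sql),
        "fixed_args": f_args,
    }


if __name__ == "__main__":
    for label, body in (("normal", NORMAL_BODY), ("attack", ATTACK_BODY)):
        r = compare(body)
        print(label, "vulnerable:", r["vulnerable_sql"], "ok" if r["vulnerable_ok"] else "INJECTED")
        print(label, "fixed:     ", r["fixed_sql"], "ok" if r["fixed_ok"] else "INJECTED")
```

&lt;p&gt;The &lt;code&gt;is_well_formed&lt;/code&gt; check is a strict template match: with the vulnerable builder the attacker's key lands in the SQL text and the match fails; after renumbering, the key is discarded and only the bound value survives, which is why a seven-line fix was enough.&lt;/p&gt;&lt;p&gt;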
From there, privilege escalation and remote code execution are realistic next steps depending on the site configuration.&lt;/p&gt;&lt;p&gt;MySQL and SQLite installations are not reachable via these specific paths, but the same Drupal release bundle includes Symfony and Twig security fixes that apply to every backend — so there's no justification for skipping the update.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What You Should Do Right Now&lt;/h3&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;Update to the patched releases: Drupal 11.3.10, 11.2.12, 11.1.10 or Drupal 10.6.9, 10.5.10, 10.4.10&lt;/li&gt;&lt;li&gt;If you can't patch immediately, disable the JSON:API module to close Variant 2&lt;/li&gt;&lt;li&gt;Review which user roles can edit Twig templates — a separate exposure path flagged in the same advisory&lt;/li&gt;&lt;li&gt;Check server logs for unexpected HTTP 500 responses on /user/login or /jsonapi/ routes — that's your indicator of active scanning&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;With working exploits now public, automated scanning of Drupal installations has almost certainly already begun. 
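&lt;/p&gt;&lt;p&gt;One way to act on the log-review bullet above, added here as an example that is not from the write-up: scan combined-format access logs for 500s on &lt;code&gt;/user/login&lt;/code&gt; and &lt;code&gt;/jsonapi/&lt;/code&gt;, and single out sources whose responses on the JSON login route alternate between 500 and 400, which is the server-side view of the boolean oracle. The log lines, IP addresses and thresholds are constructed.&lt;/p&gt;

```python
"""
Added detection example (not from the write-up or Drupal): find the
CVE-2026-9082 scanning pattern in access logs. A 500 on /user/login or
/jsonapi/ is the base signal; 500s interleaved with 400s on the JSON login
route from one source is the bit-by-bit extraction described above.
The sample log lines are constructed.
"""
import re
from collections import defaultdict

# Apache/Nginx combined log format; groups: ip, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
WATCHED_PREFIXES = ("/user/login", "/jsonapi/")


def watched_route(path):
    """Drop the query string and match the routes named in the write-up."""
    return path.split("?", 1)[0].startswith(WATCHED_PREFIXES)


def scan_access_log(lines, oracle_threshold=4):
    """Return {ip: verdict} for every source that produced a 500 on a watched
    route. 'oracle' = 500s alternating with 400s on the login route at volume;
    'error' = at least one 500 without that alternation."""
    history = defaultdict(list)                   # ip -> [(path, status), ...]
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        ip, _method, path, status = m.groups()
        if watched_route(path):
            history[ip].append((path, int(status)))

    findings = {}
    for ip, hits in history.items():
        if not any(status == 500 for _, status in hits):
            continue
        login_codes = [s for p, s in hits
                       if p.startswith("/user/login") and s in (400, 500)]
        flips = sum(1 for a, b in zip(login_codes, login_codes[1:]) if a != b)
        if len(login_codes) >= oracle_threshold and flips >= 2:
            findings[ip] = "oracle"
        else:
            findings[ip] = "error"
    return findings


SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:00:01 +0000] "POST /user/login?_format=json HTTP/1.1" 500 214 "-" "python-requests/2.32"',
    '203.0.113.7 - - [21/May/2026:10:00:01 +0000] "POST /user/login?_format=json HTTP/1.1" 400 97 "-" "python-requests/2.32"',
    '203.0.113.7 - - [21/May/2026:10:00:02 +0000] "POST /user/login?_format=json HTTP/1.1" 500 214 "-" "python-requests/2.32"',
    '203.0.113.7 - - [21/May/2026:10:00:02 +0000] "POST /user/login?_format=json HTTP/1.1" 400 97 "-" "python-requests/2.32"',
    '203.0.113.7 - - [21/May/2026:10:00:03 +0000] "POST /user/login?_format=json HTTP/1.1" 500 214 "-" "python-requests/2.32"',
    '198.51.100.9 - - [21/May/2026:10:05:10 +0000] "GET /jsonapi/node/article?filter[a`b]=1 HTTP/1.1" 500 180 "-" "curl/8.5"',
    '192.0.2.20 - - [21/May/2026:10:06:00 +0000] "POST /user/login?_format=json HTTP/1.1" 400 97 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [21/May/2026:10:06:30 +0000] "POST /user/login?_format=json HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.21 - - [21/May/2026:10:07:00 +0000] "GET /node/5 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, verdict in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

&lt;p&gt;A lone 500 on &lt;code&gt;/jsonapi/&lt;/code&gt; is worth a look on its own because Variant 2 is a one-shot probe. 400s on the JSON login route are normal for failed logins, so the oracle verdict keys on the interleaving with 500s, never on 400s alone.&lt;/p&gt;&lt;p&gt;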
The patch window is effectively closed.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA2t-hzZEsbKHniC93VmzPPwFmk2TN1Ct-SobxZ5Lo1KnVcIB9U_1HxmNx4jQJV-ysIBFEiKAyX6rIDCdW2qxEiFTQQke6rSnr37_3sq83hmslKPHdsDTX3OzQn5etYe5a5QApeShqPyktOACakJ7oG3MvEi_DdLk72Q05X05z2J89ICY03ULM1Gqc3_A/s72-c/drupal-sqli.png" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Nine-Year-Old Linux Kernel Flaw CVE-2026-46333 Lets Attackers Steal SSH Keys, Shadow Passwords, and Root Access</title><link>https://www.cyberkendra.com/2026/05/nine-year-old-linux-kernel-flaw-cve.html</link><category>Linux</category><category>Security</category><pubDate>Thu, 21 May 2026 09:38:12 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-2567628608663947303</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="CVE-2026-46333 Logic bug in Linux" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXkMjiC3sZ45f1mxAAgz4gGtCkFI7o1fePwL3dkMjUG42vhEUsv3PWmbxI8jN1A-_DyKSyglEIIbx8uAjpzQdRJ7-bmcWOQQrn7Cf7cCvB6Phm2hXKp_W2L5h0GV6cyba98Cj2a-DJgAXJPR6V9LU5X8rICdmN1RwCBd1nWR4bOnxedFcxABOBRKw7UkQ/s16000/linux-local-exploit.webp" title="CVE-2026-46333 Logic bug in Linux" /&gt;&lt;/div&gt;&lt;p&gt;The Qualys Threat Research Unit (TRU) has released the full advisory for CVE-2026-46333, a logic flaw in the Linux kernel's &lt;code&gt;__ptrace_may_access()&lt;/code&gt; function that lets an unprivileged local user disclose sensitive files and execute arbitrary commands as root on default installations of several major Linux distributions. 
The bug has been sitting quietly in mainline Linux since November 2016 — nearly nine years.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;This marks the fourth Linux kernel security issue demanding emergency attention in just three weeks, following &lt;b&gt;&lt;a href="https://www.cyberkendra.com/2026/04/a-732-byte-python-script-can-get-root.html" target="_blank"&gt;Copy Fail&lt;/a&gt;&lt;/b&gt; (April 29), &lt;b&gt;&lt;a href="https://www.cyberkendra.com/2026/05/dirty-frag-no-patch-no-warning-root.html" target="_blank"&gt;Dirty Frag&lt;/a&gt;&lt;/b&gt; (May 7), and &lt;b&gt;&lt;a href="https://www.cyberkendra.com/2026/05/linux-kernel-strikes-again-fragnesia-is.html" target="_blank"&gt;Fragnesia&lt;/a&gt; &lt;/b&gt;(May 13). At this rate, Linux administrators aren't patching vulnerabilities anymore — they're running a triage ward.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What the Bug Actually Does&lt;/h3&gt;&lt;p&gt;&lt;a href="https://cdn2.qualys.com/advisory/2026/05/20/cve-2026-46333-ptrace.txt" rel="nofollow" target="_blank"&gt;TRU identified&lt;/a&gt; a narrow timing window in which a privileged process that is dropping its credentials remains reachable through ptrace-family operations (a set of kernel interfaces used for process inspection and debugging), even though its dumpable flag should have closed that path. By pairing this window with &lt;code&gt;pidfd_getfd()&lt;/code&gt; — a syscall that lets one process grab file descriptors from another — an attacker can essentially pickpocket a dying privileged process before it finishes cleaning up.&lt;/p&gt;&lt;p&gt;The proof-of-concept races against &lt;b&gt;&lt;a href="https://www.cyberkendra.com/2026/05/linux-kernel-had-six-year-bug-that-let.html" target="_blank"&gt;ssh-keysign&lt;/a&gt;&lt;/b&gt;, a setuid binary that ships on every Linux system with OpenSSH installed. During its brief lifetime, ssh-keysign holds the SSH host private key files open as root. 
The exploit races against its exit, calls &lt;code&gt;pidfd_getfd&lt;/code&gt; against it, and steals the open handles to &lt;code&gt;/etc/ssh/ssh_host_ecdsa_key&lt;/code&gt;, &lt;code&gt;ssh_host_ed25519_key&lt;/code&gt;, and &lt;code&gt;ssh_host_rsa_key&lt;/code&gt;. A second variant targets &lt;code&gt;chage&lt;/code&gt; — another setuid binary — and steals the open handle to &lt;code&gt;/etc/shadow&lt;/code&gt;, which contains every user's password hash on the system.&lt;/p&gt;&lt;p&gt;Qualys built four working exploits in total — targeting &lt;code&gt;chage&lt;/code&gt;, &lt;code&gt;ssh-keysign&lt;/code&gt;, &lt;code&gt;pkexec&lt;/code&gt;, and &lt;code&gt;accounts-daemon&lt;/code&gt; — confirming root command execution or credential theft across default installs of Debian 13, Ubuntu 24.04, Ubuntu 26.04, Fedora 43, and Fedora 44.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Why "Local-Only" Doesn't Mean Low Priority&lt;/h3&gt;&lt;p&gt;The bug matters because modern intrusions rarely stop at the first foothold. A web RCE running as www-data, a compromised CI job, a stolen developer shell account, an abused shared-hosting account, or a container workload sharing the host kernel may not start as root. A local kernel bug that reads root-owned secrets can turn that foothold into credential theft, host impersonation, password hash cracking, lateral movement, or a stronger privilege-escalation path.&lt;/p&gt;&lt;p&gt;In a shared-hosting environment, the distinction between credential disclosure and direct root is one without much practical difference — either of those files gets an attacker the rest of the way trivially.&amp;nbsp;&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What to Do Right Now&lt;/h3&gt;&lt;p&gt;The fix is Linus Torvalds' upstream commit 31e62c2ebbfd — already backported by Debian, Fedora, Red Hat, SUSE, AlmaLinux, CloudLinux, and others. Three concrete steps:&lt;/p&gt;&lt;p&gt;&lt;b&gt;1. 
Patch and reboot.&lt;/b&gt; Install your distribution's updated kernel and actually reboot — installing the package without rebooting leaves the vulnerable kernel still running.&lt;/p&gt;&lt;p&gt;&lt;b&gt;2. Apply the interim mitigation if patching must wait.&lt;/b&gt; Raise &lt;code&gt;kernel.yama.ptrace_scope&lt;/code&gt; to 2 via &lt;code&gt;sysctl&lt;/code&gt;. This blocks the public exploits since their &lt;code&gt;pidfd_getfd&lt;/code&gt; path is gated by &lt;code&gt;__ptrace_may_access()&lt;/code&gt;. Be aware: this breaks non-root use of &lt;code&gt;gdb -p&lt;/code&gt;, &lt;code&gt;strace -p&lt;/code&gt;, and some container debug tooling. Unlike mode 3, which is locked until reboot, mode 2 can be lowered again by root, and a value set with &lt;code&gt;sysctl -w&lt;/code&gt; does not itself survive a reboot unless it is also written to &lt;code&gt;/etc/sysctl.d/&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;&lt;b&gt;3. Treat SSH host keys as potentially compromised.&lt;/b&gt; If your host allowed untrusted local users during the exposure window, rotate SSH host keys and review any administrative material that lived in the memory of set-uid processes. Silent credential theft is the scariest part of this bug — there's no reliable way to prove after the fact that nothing was exfiltrated.&lt;/p&gt;&lt;p&gt;Working public exploits are already circulating. 
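&lt;/p&gt;&lt;p&gt;A small audit for steps 1 and 2 above, added here as an example that is not part of the Qualys advisory: it compares the running kernel against the newest &lt;code&gt;vmlinuz-*&lt;/code&gt; in &lt;code&gt;/boot&lt;/code&gt; to catch the installed-but-not-rebooted case, and reads &lt;code&gt;kernel.yama.ptrace_scope&lt;/code&gt; to confirm the interim mitigation. Inputs are passed in as values so it runs offline; the sample &lt;code&gt;/boot&lt;/code&gt; listing, release string and scope value are constructed.&lt;/p&gt;

```python
"""
Added example (not from the Qualys advisory): post-patch audit for
CVE-2026-46333 covering the two checks in the write-up. A kernel package
installed without a reboot leaves the old kernel running, and the interim
mitigation is kernel.yama.ptrace_scope at 2 or higher. Inputs are passed
in as values so the audit runs offline; the samples below are constructed.
"""
import re

# Yama ptrace_scope values, per Documentation/admin-guide/LSM/Yama.rst.
YAMA_CLASSIC, YAMA_RESTRICTED, YAMA_ADMIN_ONLY, YAMA_NO_ATTACH = 0, 1, 2, 3


def kernel_version_key(release):
    """Sort key for `uname -r` / vmlinuz-style names: the dotted numeric part
    first, then every number in the distro suffix, then the suffix itself."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rest = m.groups()
    suffix_numbers = tuple(int(n) for n in re.findall(r"\d+", rest))
    return (int(major), int(minor), int(patch or 0), suffix_numbers, rest)


def newest_installed(boot_listing):
    """Pick the highest vmlinuz-* from an `ls /boot` listing."""
    names = [n[len("vmlinuz-"):] for n in boot_listing if n.startswith("vmlinuz-")]
    if not names:
        raise ValueError("no vmlinuz-* entries in /boot listing")
    return max(names, key=kernel_version_key)


def audit(running_release, boot_listing, ptrace_scope_text):
    """Combine both checks into one verdict dict."""
    newest = newest_installed(boot_listing)
    reboot_needed = kernel_version_key(running_release) != kernel_version_key(newest)
    scope = int(ptrace_scope_text.strip())
    return {
        "running": running_release,
        "newest_installed": newest,
        "reboot_needed": reboot_needed,
        "ptrace_scope": scope,
        "interim_mitigation": scope >= YAMA_ADMIN_ONLY,
        # Only mode 3 is locked until reboot; mode 2 can be lowered again.
        "mitigation_locked": scope == YAMA_NO_ATTACH,
    }


# Constructed inputs: the kernel package was upgraded but the host never
# rebooted, and ptrace_scope still sits at the common distro default of 1.
SAMPLE_BOOT = ["vmlinuz-6.14.0-15-generic", "vmlinuz-6.14.0-24-generic",
               "initrd.img-6.14.0-24-generic", "grub"]
SAMPLE_RUNNING = "6.14.0-15-generic"
SAMPLE_SCOPE = "1\n"

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RUNNING, SAMPLE_BOOT, SAMPLE_SCOPE).items():
        print(f"{key}: {value}")
```

&lt;p&gt;On a live host, feed it &lt;code&gt;platform.release()&lt;/code&gt;, &lt;code&gt;os.listdir("/boot")&lt;/code&gt; and the contents of &lt;code&gt;/proc/sys/kernel/yama/ptrace_scope&lt;/code&gt;. A &lt;code&gt;reboot_needed&lt;/code&gt; of true with the patched package installed is exactly the state step 1 warns about.&lt;/p&gt;&lt;p&gt;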
The window for being ahead of this one is closing fast.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXkMjiC3sZ45f1mxAAgz4gGtCkFI7o1fePwL3dkMjUG42vhEUsv3PWmbxI8jN1A-_DyKSyglEIIbx8uAjpzQdRJ7-bmcWOQQrn7Cf7cCvB6Phm2hXKp_W2L5h0GV6cyba98Cj2a-DJgAXJPR6V9LU5X8rICdmN1RwCBd1nWR4bOnxedFcxABOBRKw7UkQ/s72-c/linux-local-exploit.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item><item><title>Drupal Patches Highly Critical SQL Injection That Lets Anonymous Attackers Hijack PostgreSQL-Backed Sites</title><link>https://www.cyberkendra.com/2026/05/drupal-patches-highly-critical-sql.html</link><category>Drupal</category><category>Security</category><pubDate>Thu, 21 May 2026 00:29:13 +0530</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3448621598664628523.post-9074516310879613360</guid><description>&lt;p&gt;&lt;/p&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;img alt="CVE-2026-9082 - Drupal SQL Injection" border="0" data-original-height="900" data-original-width="1600" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYmB8vsFk-8-SIe1gbYVNUCjxaUho69AYfhVYBM28rzCaDCHV9kRL9DnLGz5SUFy7HHCbAXAg4bhdTvngwmEKI4KV4mRGSna8qkHnyqQbHo7FCyiXeg1dvfA1bokbsdWZ_aTmYxKJOu5maFtr8RCU4JYwmy8yHAZJiaw4rxJQeLtYCbqqJnBRiejq_CwE/s16000/CVE-2026-9082.webp" title="CVE-2026-9082 - Drupal SQL Injection" /&gt;&lt;/div&gt;&lt;p&gt;Drupal has pushed emergency security updates for a highly critical SQL injection vulnerability in its core database abstraction layer — the kind of flaw that lets an unauthenticated attacker walk straight into your database without needing a username or password.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;The vulnerability, tracked as &lt;b&gt;CVE-2026-9082 &lt;/b&gt;and disclosed under advisory &lt;a 
href="https://www.drupal.org/sa-core-2026-004" rel="nofollow" target="_blank"&gt;SA-CORE-2026-004&lt;/a&gt;, scores 20 out of 25 on Drupal's risk scale. That "Highly Critical" rating isn't an exaggeration: the scoring breakdown shows zero access complexity, no authentication required, and full confidentiality and integrity impact — meaning an attacker can read everything and modify anything.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;What's broken and why&lt;/h3&gt;&lt;p&gt;Drupal's database abstraction API is supposed to act as a safety net — a layer between PHP code and the database that automatically sanitizes queries to block injection attacks. But a flaw in this API allows specially crafted HTTP requests to slip past that sanitization entirely, enabling arbitrary SQL to execute directly against the database.&lt;/p&gt;&lt;p&gt;The vulnerability only affects sites running PostgreSQL databases, not MySQL or MariaDB backends. That's a narrowing factor, but PostgreSQL is common among enterprise Drupal deployments — government portals, university sites, and large media organizations frequently run it for performance and compliance reasons.&lt;/p&gt;&lt;p&gt;The consequences of successful exploitation range from &lt;b&gt;data exfiltration&lt;/b&gt; (leaking user records, private content, credentials) to &lt;b&gt;privilege escalation&lt;/b&gt; and, in some configurations, &lt;b&gt;remote code execution&lt;/b&gt; — full server takeover.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Broader blast radius: Symfony and Twig&lt;/h3&gt;&lt;p&gt;The patches do more than fix the SQL injection. The releases for all supported branches also bundle upstream security updates for Symfony and Twig, two PHP libraries that Drupal depends on heavily.&lt;/p&gt;&lt;p&gt;Drupal's advisory explicitly warns that depending on your site's configuration and installed modules, you may be independently vulnerable to those upstream issues — even if PostgreSQL isn't in the picture. 
All sites should update regardless.&lt;/p&gt;&lt;p&gt;The advisory specifically recommends reviewing which user roles have the ability to update Twig templates, for example through Views or contributed modules — a Twig template injection path could compound the risk significantly.&lt;/p&gt;&lt;h3 style="text-align: left;"&gt;Who is affected and what to do&lt;/h3&gt;&lt;p&gt;Every supported Drupal branch is in scope: Drupal 10.4 through 11.3. The Drupal Security Team went further and issued best-effort patches for end-of-life Drupal 8 and 9 installations, acknowledging the severity warrants the exception — though those patches come without guarantees and those sites remain exposed to prior unpatched vulnerabilities.&lt;/p&gt;&lt;p&gt;Patched versions are:&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;ul style="text-align: left;"&gt;&lt;li&gt;&lt;b&gt;Drupal 11: &lt;/b&gt;11.3.10, 11.2.12, 11.1.10&lt;/li&gt;&lt;li&gt;&lt;b&gt;Drupal 10: &lt;/b&gt;10.6.9, 10.5.10, 10.4.10&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Sites using Drupal Steward (Drupal's WAF-based protection service) are already shielded from known attack vectors, but should still upgrade promptly in case additional exploitation paths surface.&lt;/p&gt;&lt;p&gt;Two days before release, the Drupal Security Team issued an advance public notice — rare, and a signal of how seriously they treated this. The team explicitly warned that "exploits might be developed within hours or days" of the advisory going public, urging administrators to reserve time the same day patches dropped.&lt;/p&gt;&lt;p&gt;If your Drupal site runs PostgreSQL and hasn't been updated yet, that window is closing fast. 
Update now.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;</description><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYmB8vsFk-8-SIe1gbYVNUCjxaUho69AYfhVYBM28rzCaDCHV9kRL9DnLGz5SUFy7HHCbAXAg4bhdTvngwmEKI4KV4mRGSna8qkHnyqQbHo7FCyiXeg1dvfA1bokbsdWZ_aTmYxKJOu5maFtr8RCU4JYwmy8yHAZJiaw4rxJQeLtYCbqqJnBRiejq_CwE/s72-c/CVE-2026-9082.webp" width="72"/><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><author>protalweb@gmail.com (Vivek Gurung)</author></item></channel></rss>