Best of Security, November 2025

  1. Article
     Cassidy's blog · 25w

    A pretty good email scam

    A detailed account of a sophisticated email scam that used hidden forwarding rules and reply-to settings to maintain access after password changes. The attacker set up forwarding to a fake email address labeled as 'Default Forwarding' and configured reply-to addresses to intercept all communications. The incident highlights the importance of checking email account settings beyond just changing passwords when recovering from compromised accounts.

  2. Article
     80 LEVEL · 29w

    Programmer Discovers His Smart Vacuum Was Spying on Him

    A programmer discovered that his ILIFE A11 smart vacuum was sending unencrypted data, including Wi-Fi credentials and home maps, to the manufacturer's servers. When he blocked the transmission, the manufacturer remotely bricked the device. After disassembling it and connecting to its unprotected Android Debug Bridge, he found that pre-installed software gave the manufacturer root access. The same hardware powers devices from multiple brands, including Xiaomi and Wyze, suggesting the exposure is widespread. He restored the device with full local control by removing the manufacturer's access.

  3. Article
     Javarevisited · 28w

    Why I Implemented a Custom Serializer/Deserializer for JJWT Instead of Using jjwt-jackson

    A developer explains their decision to build a custom JSON serializer/deserializer for JWT handling instead of using the popular Jackson library. The custom implementation reduces security vulnerabilities from external dependencies, maintains framework consistency with existing tooling, provides better control over predictable JWT payloads, and eliminates unnecessary complexity. The lightweight codec integrates seamlessly with JJWT through its SPI mechanism while keeping the codebase transparent and maintainable.

  4. Article
     Laravel News · 26w

    Build Production-ready APIs in Laravel with Tyro

    Tyro is a zero-config Laravel package that provides production-ready API functionality including authentication via Sanctum, role-based access control, privilege management, and 40+ Artisan commands. It offers built-in middleware for protecting routes with roles and privileges, supports user suspension workflows, and includes factories, seeders, tests, and a Postman collection for immediate use.

  5. Article
     TechCrunch · 28w

    Meta estimates that it earns 10% of its revenue from scams, report says

    Reuters reports that Meta projected $16 billion (10% of annual revenue) would come from fraudulent ads in the previous year. Internal documents reveal Meta's fraud detection system only deactivates advertisers when 95% certain of fraud, otherwise charging suspected fraudsters higher rates. The company has allegedly failed to adequately protect users from scam ads promoting illegal gambling, investment schemes, and banned medical products for three years. Meta claims to have reduced scam ad reports by 58% over 18 months and removed 134 million fraudulent ads.

  6. Article
     Embrace The Red · 26w

    Antigravity Grounded! Security Vulnerabilities in Google's Latest IDE

    A security researcher found five critical vulnerabilities in Google's new Antigravity IDE, including remote code execution via indirect prompt injection, data exfiltration through multiple vectors, and hidden instruction execution using invisible Unicode characters. The same issues were previously reported in Windsurf (on which Antigravity is based) but remain unpatched. The vulnerabilities exploit the IDE's auto-execute features, the lack of human-in-the-loop controls for MCP tool invocations, and over-reliance on LLM output for security decisions. Practical mitigations include disabling auto-execute, carefully managing MCP server permissions, and considering alternative IDEs until fixes are deployed.

  7. Article
     .NET Blog · 27w

    Post-Quantum Cryptography in .NET

    .NET 10 introduces post-quantum cryptography support with four new algorithms: ML-KEM, ML-DSA, SLH-DSA, and Composite ML-DSA. The implementation breaks from the traditional AsymmetricAlgorithm base class pattern, introducing a new design where instances represent keys rather than algorithms, with improved disposal semantics and extensive use of the Template Method Pattern. The new classes minimize code duplication in derived types, use Span-based APIs for performance, and include platform-specific implementations for Windows (CNG) and Linux (OpenSSL 3.5+). Integration extends to X.509 certificates, TLS 1.3, SignedCms, and COSE, though some methods remain experimental pending final specification publication.

  8. Article
     Google Open Source Blog · 28w

    Announcing Magika 1.0: now faster, smarter, and rebuilt in Rust

    Google released Magika 1.0, an AI-powered file type detection system completely rewritten in Rust. The stable release doubles file type support to over 200 formats, including specialized types for data science, modern programming languages, and DevOps configurations. The new Rust engine processes hundreds of files per second on a single core using ONNX Runtime and Tokio. Training challenges were addressed using SedPack to handle 3TB datasets and Gemini to generate synthetic samples of rare file types. It is available as a native CLI tool and as a library for Python, TypeScript, and Rust.

  9. Article
     DuckDB · 28w

    Announcing DuckDB 1.4.2 LTS

    DuckDB 1.4.2 LTS is now available with critical security fixes for database encryption vulnerabilities, new Iceberg extension support for insert/update/delete operations, enhanced logging and profiling capabilities including HTTP request timing, and Vortex file format support. The release also includes performance optimizations for WAL index operations and database detachment, plus fixes for crashes, incorrect results, and storage issues.

  10. Article
     SingleStore · 26w

    Introducing singlestore-auth-iam for Server Authentication

    SingleStore introduces singlestore-auth-iam, a library enabling passwordless server authentication for databases and management APIs. Building on their 2022 singlestore-auth-helper for human users, this new tool integrates with cloud IAM systems (AWS, Azure, GCP) to use short-lived tokens instead of static passwords. Servers authenticate by requesting signed identity tokens from IAM, exchanging them for SingleStore-signed JWTs. This eliminates credential storage, enables automatic rotation, and reduces security risks across CI/CD pipelines and applications while maintaining role-based authorization through SingleStore's existing permissions system.

  11. Video
     Low Level Learning · 28w

    I Never Thought I’d See This

    A remote code execution vulnerability was discovered in tokio-tar, an unmaintained Rust library for async tar file processing. The flaw stems from a logic bug in how the library parses tar headers, allowing attackers to smuggle malicious files inside archives that bypass security scanners. The vulnerability affects tools like UV (Python package manager) and container images, enabling file overwrites during extraction. This case highlights that while Rust prevents memory safety issues, logic bugs remain possible, and abandoned dependencies pose significant security risks.

  12. Article
     PostgreSQL · 28w

    PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 Released!

    PostgreSQL has released security updates across all supported versions (18.1, 17.7, 16.11, 15.15, 14.20, and 13.23), addressing two security vulnerabilities and over 50 bugs. The first vulnerability allows an unauthorized denial of service through CREATE STATISTICS commands; the second is an integer wraparound in libpq that can cause memory corruption. PostgreSQL 13 reaches end-of-life with this final release, so users should plan upgrades to supported versions.

  13. Article
     Golang Weekly · 29w

    Golang Weekly Issue 577: November 5, 2025

    Go 1.21+ enables reproducible builds with byte-for-byte identical outputs, now with independent third-party verification for enhanced security. The Dolt database demonstrates dependency management patterns for large Go projects with 762k lines of code. Claude Code successfully debugged complex low-level cryptography issues in an ML-DSA post-quantum signature implementation. Recent releases include Crush 0.15 AI coding agent, Vitess 23.0 MySQL scaling system, and Lazygit 0.56 terminal UI.

  14. Article
     Tech Lead Digest · 29w

    My AWS Account Got Hacked - Here Is What Happened

    A cloud architect shares a detailed account of how their personal AWS account was compromised through an access key exposed in a Next.js application. The attacker created IAM users, launched EC2 instances for crypto-mining, flooded the victim's inbox with spam to bury AWS notifications, and attempted to use SES for phishing. The post walks through detection, containment steps, timeline reconstruction using CloudTrail, and root cause analysis. Key lessons include proper secret management, enabling GuardDuty, avoiding root user access, and responding quickly to suspicious activity.