Best of Security — January 2026

1
Video
AICodeKing·19w
Antigravity 3.0 (New Upgrades): These New Updates make ANTIGRAVITY REALLY GOOD!
Antigravity 3.0 introduces three major updates: Skills (custom workflows triggered on-demand similar to Claude's code commands), revised rate limits (now weekly instead of 5-hour refresh for Pro users, though Ultra users remain unaffected), and Secure Mode (terminal permission controls with allow/deny lists). Skills enable team-shareable custom agent behaviors for tasks like code reviews and testing. The rate limit change disadvantages Pro tier users who may exhaust quotas faster, though access to models like Opus 4.5 and Gemini 3 Pro remains. Secure Mode addresses security vulnerabilities through configurable command execution permissions, from fully automatic to manual approval for each command.
123
5
2
Article
Developer's Journey·18w
Small Observation That Changed How I See Everyday Tech
TOTP (Time-based One-Time Password) enables two-factor authentication without internet connectivity by using a shared secret key and time-based windows. Both the server and client independently generate identical OTPs by combining the secret key with the current 30-second time window step. The article includes a simplified JavaScript implementation demonstrating the core concept: dividing Unix time into intervals, multiplying by the secret, and applying modulus to generate a 6-digit code that refreshes every 30 seconds.
122
12
3
Article
Google Developers·17w
Tailor Gemini CLI to your workflow with hooks
Gemini CLI v0.26.0+ introduces hooks, a middleware-like system that lets developers customize the AI agent's behavior at specific lifecycle points. Hooks enable injecting custom context, enforcing security policies (like blocking secrets from being written to files), and automating workflows through scripts that run synchronously within the agent loop. The feature supports extensions, allowing bundled hooks to be installed with a single command. Examples include security scanners that prevent API keys from being committed and the "Ralph loop" extension that forces continuous iteration on difficult tasks.
81
5
4
Article
Auth0·19w
The API Authorization Hierarchy of Needs
API authorization must evolve through four progressive levels before supporting AI agents. Start with application-level authorization handling multi-tenancy and granular roles, then add service accounts for machine-to-machine access, implement delegated OAuth flows for third-party apps acting on behalf of users, and finally address AI-specific risks like data leakage and hallucination through intent-based permissions and RAG pipeline authorization. Without mastering human authorization first, AI agent integration will fail catastrophically.
78
1
5
Article
mouthtapedguy·19w
How the Iranian government blocked the internet throughout the country
A technical analysis examines the methods and infrastructure used by the Iranian government to implement nationwide internet blocking, detailing the technical mechanisms behind state-level network censorship.
74
6
6
Article
Addy Osmani·20w
AI writes code faster. Your job is still to prove it works.
AI-generated code is becoming mainstream, with over 30% of senior developers shipping mostly AI-written code by early 2026. However, AI-generated code contains 75% more logic errors and 45% security flaws compared to human code. The key shift is that code review now focuses on verification and accountability rather than line-by-line inspection. Solo developers can ship at "inference speed" by relying on comprehensive automated testing, while teams must maintain human oversight for security, context sharing, and maintainability. The bottleneck has moved from writing code to proving it works through evidence like tests, manual verification, and clear documentation of AI's role.
71
8
7
Article
Lobsters·20w
What Happened To WebAssembly
WebAssembly is actively used in production by companies like Figma, Cloudflare, and Godot, primarily as a compilation target that bridges language ecosystems. Its strength lies in security guarantees enabling sub-millisecond spinup times and safe execution of untrusted code, plus portability allowing C++/Rust libraries to run in browsers. Performance is comparable to JavaScript in browsers, with trade-offs in binary size and boundary crossing costs. Most developers encounter it transparently through library dependencies rather than directly, which contributes to the perception that "nothing happened" despite significant real-world adoption and ongoing standardization efforts.
58
5
8
Article
Node.js·19w
Node.js — Node.js 24.13.0 (LTS)
Node.js 24.13.0 LTS (Krypton) is a security release addressing six CVEs. The fixes include adding a default TLSSocket error handler, disabling futimes when permission model is enabled, requiring full read/write permissions for symlink APIs, handling stack overflow exceptions in async_hooks, refactoring unsafe buffer creation to remove zero-fill toggle, and routing TLS callback exceptions through error handlers. The release also updates c-ares to v1.34.6 and undici to 7.18.2.
56
9
Article
The Apache Software Foundation Blog·20w
The Apache Software Foundation Announces New Top-Level Projects
The Apache Software Foundation has promoted three projects to Top-Level Project status: HertzBeat (an AI-powered observability platform for monitoring and alerting), Teaclave (a secure computing platform using Trusted Execution Environments with Rust-based SDKs), and Training (a repository of open source educational materials for Apache projects). These promotions recognize mature communities that have adopted The Apache Way and demonstrate the foundation's commitment to sustainable open source development.
56
1
10
Article
Svelte Blog·19w
CVEs affecting the Svelte ecosystem
The Svelte team has released patches for 5 security vulnerabilities across devalue, svelte, @sveltejs/kit, and @sveltejs/adapter-node. The vulnerabilities include two DoS issues in devalue.parse causing memory/CPU exhaustion, a memory amplification DoS in SvelteKit's remote functions deserializer, a DoS and potential SSRF when using prerendering, and an XSS vulnerability via the hydratable feature. Users should upgrade to devalue 5.6.2, svelte 5.46.4, @sveltejs/kit 2.49.5, and @sveltejs/adapter-node 5.5.1. Most vulnerabilities affect applications parsing user-controlled input or using specific experimental features.
48
1
11
Article
Vercel·17w
Summary of CVE-2026-23864
Multiple high-severity denial of service vulnerabilities (CVE-2026-23864, CVSS 7.5) were discovered in React Server Components affecting versions 19.0.x through 19.2.x. The vulnerabilities can be triggered through specially crafted HTTP requests to Server Function endpoints, potentially causing server crashes, out-of-memory exceptions, or excessive CPU usage. Affected frameworks include Next.js versions 13.x through 16.x, along with other tools using React Server Components. Vercel deployed WAF mitigations automatically, but immediate upgrades to patched versions are required. Fixes are available in React 19.0.4+, 19.1.5+, 19.2.4+ and corresponding Next.js versions.
37
1
12
Video
Deno·19w
What's new in Deno 2.6
Deno 2.6 introduces several major improvements including a new `dx` subcommand (equivalent to npx), granular permission controls with ignore flags, a 2x faster experimental TypeScript type checker written in Go, sourcephase imports for WebAssembly modules, a new `audit` subcommand for scanning dependencies against GitHub CVE database and Socket.dev, enhanced bundler capabilities for web workers and multi-platform targets, and continued Node.js compatibility improvements across file operations, cryptography, and database APIs.
35
13
Video
Low Level Learning·18w
sounds about right.
Three critical vulnerabilities (all rated 9.9+) were discovered in n8n, a workflow automation platform. All three allow authenticated attackers to achieve remote code execution: one through improper control of dynamically managed code using constructor injection, another via sandbox bypass in the Python code node using Pyodide, and a third through unrestricted file upload in the git node. The core issue stems from the difficulty of properly sandboxing arbitrary code execution across multiple workflow nodes, especially when using blacklist-based rather than whitelist-based security approaches.
33
14
Video
John Hammond·18w
"I made an Evil MCP server" (and AI fell for it)
A security researcher demonstrates critical vulnerabilities in the Model Context Protocol (MCP) by creating a malicious MCP server that successfully tricks AI models into leaking sensitive data and injecting security vulnerabilities into code. The demonstration shows how Gemini 3 Pro falls for prompt injection attacks through MCP tools, exfiltrating prompts, code, and secrets while actively hiding malicious code changes from users. The researcher argues MCP is fundamentally insecure because it allows arbitrary prompt injection with no reliable defense, whether running locally or remotely. Claude Opus showed better resistance by recognizing the malicious intent, but the overall MCP ecosystem remains vulnerable to data exfiltration and code execution attacks through compromised or malicious servers.
31
15
Article
Ars Technica·16w
County pays $600,000 to pentesters it arrested for assessing courthouse security
Two penetration testers were arrested in 2019 while conducting an authorized red-team security assessment of an Iowa courthouse, despite having written authorization for physical security testing including lockpicking. They spent 20 hours in jail on felony burglary charges (later reduced to misdemeanor trespassing), and the county sheriff continued to publicly allege illegal activity. The case settled for $600,000 after the security professionals sued for wrongful arrest and defamation, highlighting the legal risks penetration testers face even when performing legitimate, contracted work.
30
5
16
Article
Supabase·17w
Supabase PrivateLink is now available
Supabase PrivateLink enables database connections through AWS private networks without public internet exposure. Using AWS VPC Lattice, it allows applications to connect to Supabase databases as if they're inside your own VPC. This addresses compliance requirements for regulated industries and reduces attack surface by eliminating public endpoints. Currently in Beta, it supports AWS VPCs in the same region, covers Postgres and PgBouncer connections (but not other Supabase services), and requires Team or Enterprise plans. Setup involves sharing AWS account details, accepting resource shares, creating VPC endpoints, and updating connection strings.
28
1
17
Article
Rust·18w
crates.io: development update
crates.io has added several new features over the past six months, including a Security tab displaying RustSec advisories, expanded Trusted Publishing support for GitLab CI/CD with enforcement options, source lines of code metrics on crate pages, and publication timestamps in the index. The team is also migrating the frontend to Svelte with TypeScript. Additional improvements include filtered download statistics to exclude bots, encrypted GitHub tokens, Fastly CDN integration serving 1.6 PB monthly, and various performance optimizations.
27
1
18
Article
Auth0·18w
Why Broken Access Control Still Dominates the OWASP Top 10 in 2026?
Broken Access Control (BAC) and Broken Object Level Authorization (BOLA) remain the top security risks in OWASP rankings because they are logical vulnerabilities that automated scanning tools cannot detect. Unlike technical vulnerabilities with recognizable patterns, access control flaws require understanding business context and intent. The problem persists due to distributed authorization complexity in microservices, confusion between authentication and authorization, identity sprawl with non-human identities, and ad-hoc evolution of controls. Solutions include centralizing authorization code using Policy Decision Point/Policy Enforcement Point patterns, implementing Policy as Code with tools like OpenFGA or OPA, using fine-grained authorization, scoping database access to user context, and applying schema-based validation to prevent mass assignment attacks.
25
19
Article
Socket·18w
Rust Support in Socket Is Now Generally Available
Socket has promoted Rust and Cargo support from Beta to General Availability after months of validation. The platform now provides dependency analysis, SBOM generation, and supply chain visibility for Rust projects. During Beta, Socket analyzed thousands of Rust projects and published research on supply chain threats including typosquatting, malicious build scripts, and credential harvesting. The service helps teams identify risks beyond memory safety, focusing on deception, hidden execution paths, and malicious dependencies before they reach production.
25
20
Article
OpenTelemetry·18w
OpenTelemetry JS Statement on Node.js DOS Mitigation
OpenTelemetry clarifies that a recent Node.js denial-of-service advisory involving async_hooks is not a vulnerability in OpenTelemetry itself. The issue stems from applications relying on unspecified stack space exhaustion behavior. Node.js has fixed this in version 20.20.0 and newer, but the fix won't be backported to Node.js 18. Users should upgrade to Node.js 20+ as the recommended mitigation, with no OpenTelemetry-specific changes required.
23
21
Article
Planet Golang·20w
You're using a too-old browser
A blog owner explains blocking old browser user agents to combat high-volume crawlers gathering data for LLM training. The blocking affects legitimate users with outdated browsers and archive services like archive.today that use old Chrome user agents and unidentifiable IP addresses. The author recommends archive.org as a better-behaved alternative and provides contact information for false positives.
23
3
22
Video
Tech With Tim·20w
I Asked an Uber Tech recruiter if CS Grads are Cooked...
An ex-Uber senior technical recruiter with 10 years of experience discusses the 2025 tech job market. The market has fewer roles with higher quality bars, though entry-level positions still exist at companies like Meta. AI is reducing some engineering roles, particularly affecting developer velocity teams, but humans are still needed for project leadership. Security and infrastructure engineering are exploding niches with 4x more backend roles than frontend at major companies. The bar has risen significantly—companies now scrutinize school pedigree, project impact articulation, and specialized skills beyond common JavaScript/React stacks. The market follows economic cycles and may improve but likely won't return to 2020-era compensation levels.
19
5
23
Article
Software Testing Magazine·17w
Threat Modeling Meets Agents: Security-Focused AI Agents for Hardening CI/CD Pipelines
AI agents are evolving from passive LLMs to autonomous systems that can actively secure CI/CD pipelines through threat modeling and self-healing capabilities. However, they introduce new security risks including indirect prompt injection, excessive privileges, and non-deterministic failures. Organizations can harden their pipelines through sandboxed runners, policy-as-code enforcement, human-in-the-loop workflows for high-impact actions, zero trust principles, and layered security defenses across user, LLM, agent, and orchestration layers. A risk-based threat modeling approach helps determine when autonomous action is safe versus requiring human intervention.
18
24
Article
Deleted user·18w
I am groot.
15
25
Article
Filippo Valsorda·20w
go.sum Is Not a Lockfile
go.sum is not a lockfile but a local cache for the Go Checksum Database, mapping module versions to cryptographic hashes without affecting version resolution. go.mod serves as both manifest and lockfile in Go, listing all dependencies (direct and transitive) with exact versions since Go 1.17. Unlike other ecosystems with separate manifest and lockfile systems, Go's single go.mod file uses minimal version selection and semantic versioning to avoid diamond dependency conflicts and ensure consistent builds. The Go modules system is simpler and faster than alternatives, with package resolution happening imperceptibly.
15

See all Security archives