Saturday, 21 March 2026
OpenCode launches as open-source AI coding agent, Trivy supply chain attack exposes CI/CD pipelines, and Super Micro co-founder charged in $2.5B chip smuggling plot
Today's Lead
OpenCode
OpenCode: Open Source AI Coding Agent
OpenCode is an open-source AI coding agent that works across terminals, IDEs, and desktop applications, supporting multiple LLMs including Claude, GPT, and Gemini. Emphasizing privacy-first operation with no storage of user code or context data, the platform has already reached over 120,000 GitHub stars and 5 million monthly users. It offers free and enterprise tiers with features including LSP integration, multi-session support, and shareable sessions.
Also today
StepSecurity
Trivy Compromised a Second Time — Malicious v0.69.4 Release
Trivy, one of the most widely used open-source vulnerability scanners, suffered its second supply chain attack in three weeks on March 19. Attackers published malicious v0.69.4 binaries containing credential-stealing code targeting three repositories including the main Trivy tool and related GitHub Actions. The injected code harvested SSH keys and cloud credentials from process environment variables and GitHub Actions Runner memory, exfiltrating them to a C2 domain. Thousands of CI/CD pipelines were exposed, requiring immediate credential rotation across affected organizations.
Hacker News
Super Micro Shares Plunge 25% After Co-Founder Charged in $2.5B AI Chip Smuggling Plot
Super Micro Computer (SMCI) stock crashed 25% following charges against co-founder Wally Lau in connection with a $2.5 billion operation to smuggle AI chips to China in violation of U.S. export controls. The development compounds the company's prior controversies, including a 2024 accounting restatement scandal and months of delisting threats. The case highlights ongoing efforts by foreign actors to illicitly acquire advanced semiconductors despite tightening U.S. sanctions.
Hacker News
H&R Block Tax Software Installs TLS Root Certificate with Bundled Private Key
H&R Block Business 2025 installs a hidden root certificate authority called 'WK ATX ServerHost 2024' (valid until 2049) with its private key embedded in a DLL file. Anyone with network access and knowledge of the key can intercept and decrypt encrypted TLS traffic from the application. The certificate doesn't identify itself as H&R Block and persists after uninstalling the software. Researchers published a test to verify the vulnerability and H&R Block acknowledged awareness but has not released a fix.
Windows Insider Blog
Microsoft Commits to Improving Windows 11 Quality
Microsoft's Windows leadership outlined a three-pillar strategy to address growing user frustration with Windows 11: improving performance through reduced resource usage and faster file operations, strengthening reliability via better driver handling and update experiences, and improving 'craft' through better personalization and more thoughtful AI integration. Immediate changes include flexible taskbar repositioning, reduced Copilot integration, enhanced Windows Update controls, and a redesigned Feedback Hub — with broader improvements planned throughout 2026.
OpenUI
Rewriting a Rust WASM Parser in TypeScript Made It 2–4x Faster
OpenUI rewrote their Rust WebAssembly parser in TypeScript and achieved 2.2–4.6x performance improvements. The team discovered the bottleneck wasn't computation but the 'WASM boundary tax' — the overhead of copying strings between heaps and serializing/deserializing results between JavaScript and WASM. A naive TypeScript implementation with incremental caching outperformed all WASM approaches, demonstrating that algorithmic improvements and reducing interop complexity can matter more than language-level optimizations.
Linuxiac
Germany Mandates ODF for Public Administration
Germany has mandated the Open Document Format (ODF) across its public administration systems as part of a broader sovereign digital infrastructure initiative. The policy aims to reduce dependency on proprietary software, ensure long-term document accessibility across government agencies, and align with European efforts toward technological independence. ODF support will be required across all federal systems.
Vercel Blog
Vercel Chat SDK: Deploy AI Agents Across Slack, Teams, Discord, and More
Vercel released Chat SDK, a TypeScript library for deploying AI agents across Slack, Microsoft Teams, Google Chat, Discord, Telegram, GitHub, Linear, and WhatsApp from a single codebase. The SDK abstracts platform API differences and handles formatting, streaming, context translation, and state management automatically — letting agents integrate into the platforms where users already work, without platform-specific rewrites per deployment target.
Vercel Blog
Build Knowledge Agents Without Embeddings Using a Filesystem and Bash
Vercel proposes replacing vector databases and embedding pipelines with a filesystem-based approach for knowledge agents: the agent uses grep, find, and cat inside isolated sandboxes to retrieve information. This approach is more transparent, easier to debug, and significantly cheaper — Vercel reports reducing their own sales call summarization agent cost from $1.00 to $0.25 per call. It leverages LLMs' existing proficiency with filesystems, eliminating the need for chunking pipelines, embedding models, and retrieval tuning.
GitHub / ghostty-org
Ghostling: A Full-Featured Terminal Emulator in a Single C File
Ghostling is a minimal terminal emulator built entirely in a single C file using the libghostty C API and Raylib. The project serves as a proof-of-concept for embedding terminal emulation in applications, supporting text reflow, 24-bit color, Unicode, keyboard modifiers, mouse tracking, and scroll wheels. It comes from the creators of Ghostty and prioritizes demonstrating the power of libghostty's embeddable API over production-readiness.