Monday, 20 April 2026
Vercel confirms breach via third-party AI tool, Notion quietly leaks editor emails for years, and Claude Desktop silently installs browser extensions
Today's Lead
BleepingComputer
Vercel Confirms Breach as Hackers Claim to Be Selling Stolen Data
Cloud platform Vercel confirmed a security breach that began with a compromised employee Google account at the third-party AI tool Context.ai, which attackers used to reach Vercel's internal systems. For a limited subset of customers the incident exposed unencrypted environment variables, API credentials including NPM and GitHub tokens, and employee data. Threat actors claiming affiliation with ShinyHunters demanded a $2 million ransom (actual ShinyHunters members disputed that affiliation), while Vercel engaged incident response experts, notified law enforcement, and advised customers to rotate secrets and enable encryption for sensitive variables. The company confirmed that Next.js and other open-source projects hosted on the platform remain secure.
Also today
Hacker News
Notion Privacy Vulnerability: Email Addresses of Page Editors Publicly Exposed
Notion publicly leaks the email addresses and profile information of all users who have edited public pages, making this data accessible to anyone via public endpoints. The vulnerability has existed for 4–5 years and was first reported in 2022, yet remains unfixed despite Notion's acknowledgment that it exposes personally identifiable information. This means users publishing legitimate public pages unknowingly expose their contributors' identities and email addresses, enabling potential doxing or targeted harassment. A Notion representative stated they are exploring fixes but claimed it is not a quick change, drawing criticism for the years-long delay in addressing a significant privacy issue.
Read →
That Privacy Guy
Claude Desktop Installs Undocumented Browser Extensions Across Chromium Browsers
Claude Desktop automatically installed three pre-authorized Chrome extensions into seven Chromium-based browsers — Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium — without user awareness and without any mention in Anthropic's documentation. The extensions establish a native messaging bridge between the browser and the desktop app, giving it browser automation capabilities including opening tabs, accessing authenticated sessions, extracting webpage data, and automating form interactions. Nothing in Anthropic's public documentation describes this installation; the same documentation states that Chrome integration does not yet support Brave, Arc, or other Chromium-based browsers, which contradicts what is actually installed. This contrasts with Claude Code's separately documented native messaging implementation and raises questions about Anthropic's transparency regarding browser integration capabilities.
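Native messaging hosts are registered through per-browser JSON manifests on disk, so an installation like the one described above can be audited directly rather than taken on trust from vendor documentation. The script below is an added example, not code from the article or from Anthropic: it walks the per-user manifest directories of several Chromium-based browsers (the Chrome and Chromium paths are the documented locations; the Edge and Brave paths are assumptions made for this example), parses each host manifest, records which binary the browser would spawn and which extension IDs may talk to it, and marks any host not on an allowlist as unexpected. The `com.example.bridge` manifest written to a temporary directory by `demo()` is constructed sample data with placeholder name, path and extension ID.

```python
import json
import os
import tempfile
from pathlib import Path

# Per-user native messaging host manifest directories. The Chrome and
# Chromium entries are the documented locations; the Edge and Brave
# entries are assumptions made for this example.
USER_HOST_DIRS = [
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "~/Library/Application Support/Chromium/NativeMessagingHosts",
    "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "~/.config/google-chrome/NativeMessagingHosts",
    "~/.config/chromium/NativeMessagingHosts",
]

# Fields Chrome requires in a native messaging host manifest.
REQUIRED_FIELDS = ("name", "description", "path", "type", "allowed_origins")
ORIGIN_PREFIX = "chrome-extension://"


def parse_host_manifest(manifest_path):
    """Parse one host manifest and return what an auditor cares about:
    which binary the browser will spawn and which extension IDs may reach it."""
    data = json.loads(Path(manifest_path).read_text(encoding="utf-8"))
    problems = [f"missing field {k!r}" for k in REQUIRED_FIELDS if k not in data]
    if data.get("type") != "stdio":          # stdio is the only transport Chrome supports
        problems.append(f"unsupported type {data.get('type')!r}")
    origins = data.get("allowed_origins", [])
    extension_ids = [
        o[len(ORIGIN_PREFIX):].rstrip("/") for o in origins if o.startswith(ORIGIN_PREFIX)
    ]
    host_path = data.get("path", "")
    if not os.path.isabs(host_path):         # must be absolute on macOS and Linux
        problems.append("host path is not absolute")
    return {
        "manifest": str(manifest_path),
        "name": data.get("name"),
        "host_path": host_path,
        "host_exists": os.path.exists(host_path),   # False means a stale registration
        "extension_ids": extension_ids,
        "problems": problems,
    }


def audit_native_messaging(dirs=USER_HOST_DIRS, known_hosts=frozenset()):
    """Collect every host manifest under the given directories. A host whose
    name is not in known_hosts is marked unexpected; review its host_path and
    extension_ids before deciding whether it belongs on the machine."""
    findings = []
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for manifest in sorted(base.glob("*.json")):
            try:
                entry = parse_host_manifest(manifest)
            except (OSError, ValueError) as exc:  # json.JSONDecodeError is a ValueError
                entry = {"manifest": str(manifest), "name": None, "host_path": "",
                         "host_exists": False, "extension_ids": [],
                         "problems": [f"unreadable: {exc}"]}
            entry["unexpected"] = entry["name"] not in known_hosts
            findings.append(entry)
    return findings


# Constructed sample: a manifest shaped like the ones Chromium browsers load.
# The host name, path and extension ID are placeholders, not real identifiers.
SAMPLE_MANIFEST = {
    "name": "com.example.bridge",
    "description": "example native messaging bridge",
    "path": "/usr/local/bin/example-bridge",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}


def demo():
    """Write the constructed manifest into a temporary directory and audit it,
    so the script can be exercised without touching a real browser profile."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.bridge.json").write_text(json.dumps(SAMPLE_MANIFEST))
        return audit_native_messaging([tmp], known_hosts=frozenset())


if __name__ == "__main__":
    for entry in audit_native_messaging():
        print(entry)
```

Running the script without arguments prints every host registered for the current user; pass the names you expect (for instance a password manager's bridge) as `known_hosts` to reduce the output to the unexpected ones. On Windows the manifests are located through registry keys rather than directories, and the `path` field there may be relative to the manifest, so the absolute-path check above applies to macOS and Linux only.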
Read →
War on the Rocks
The Bromine Chokepoint: How Middle East Instability Could Halt Memory Chip Production
Israel has emerged as a critical single point of failure in global memory chip production due to its dominance in bromine supply — the essential chemical used to etch transistor structures in virtually every DRAM and NAND flash chip produced worldwide. South Korea's chip manufacturers source 97.5% of their bromine imports from Israel's ICL Group facility near the Dead Sea, which operates at the lowest cost of any global producer. With memory suppliers holding only 2–3 weeks of inventory and ongoing Middle East tensions including Iranian ballistic missile strikes near Israeli infrastructure, even a temporary disruption could create severe global shortages affecting everything from consumer electronics to military systems. The vulnerability highlights a critical supply chain concentration risk where geopolitical instability in one region can cascade throughout the semiconductor industry.
Read →
The Verge
The Creative Software Industry Has Declared War on Adobe
Adobe faces mounting competition from a diverse ecosystem of free and perpetual-licence rivals, including Blender, DaVinci Resolve, the now-free Affinity Suite (after Canva's acquisition), Krita, and Inkscape. The shift is driven by subscription fatigue as users resist Adobe's recurring fees, by the commoditisation of AI features across tools, and by the reality that most users do not need Adobe's advanced capabilities. Schools' growing adoption of free alternatives threatens to erode Adobe's traditional advantage in the educational pipeline. The trend suggests a structural change in the creative software market rather than a cyclical dip, as open-source and low-cost alternatives reach professional-grade quality across the full Adobe workflow.
Read →
SWI swissinfo.ch
Swiss Authorities Move to Reduce Dependency on Microsoft
Swiss authorities are pursuing a long-term strategy to reduce their reliance on Microsoft by exploring open-source software alternatives, prompted by data security concerns over US government access under the Cloud Act. A feasibility study examined whether replacement with open-source solutions is possible, with Switzerland looking to Germany's model where independent alternatives have been successfully developed. The German state of Schleswig-Holstein has already transitioned its administration to open-source platforms, serving as a template for Switzerland's efforts, though the transition will occur gradually and faces internal resistance. The move reflects a broader European push for digital sovereignty as geopolitical uncertainty heightens concerns about reliance on US technology infrastructure.
Read →
Simon Willison
Headless Everything: The Next Wave of API-First Services for AI Agents
Services are increasingly becoming headless — API-first architectures without graphical interfaces — because AI agents interact more efficiently with APIs than GUI-based applications. Personal AIs provide better user experiences by interfacing directly with headless services, which are faster and more reliable than bot-controlled mouse navigation of traditional UIs. This shift is redefining how software wins in the market: API availability is becoming the crucial deciding factor between competing products, as Salesforce's announcement of Salesforce Headless 360 illustrates. The trend threatens traditional per-seat SaaS pricing models and echoes the early 2010s API economy, with the key difference that agents — not developers — are the primary consumers.
Read →
GitHub
TRELLIS.2 Image-to-3D Model Now Runs Natively on Apple Silicon
Microsoft's TRELLIS.2 four-billion-parameter image-to-3D model has been ported to Apple Silicon by replacing all CUDA dependencies with pure-PyTorch implementations, including a custom gather-scatter approach for sparse 3D convolution and a Python-based mesh extraction replacing CUDA hashmap operations. The project required changes across nine files to eliminate dependencies on flash_attn, nvdiffrast, and custom sparse convolution kernels that previously prevented the model from running outside CUDA environments. On Apple's M4 Pro with 24 GB of unified memory, the port generates meshes with over 400,000 vertices from a single photo in approximately 3.5 minutes — roughly 10× slower than an H100 GPU but fully offline with no cloud dependency. The work demonstrates that complex 3D generative AI workloads can run end-to-end on consumer Apple Silicon hardware.
Read →
neugierig.org
Theseus: A Static Windows Emulator That Translates .exe Files to C or Rust
Theseus is a Windows/x86 emulator that uses static binary translation rather than traditional runtime interpretation or JIT compilation — it translates entire .exe files into C or Rust source code ahead of time, which is then compiled by standard optimising compilers into native machine code. This approach gives developers native debugging, stack traces, and profiling tooling for free, while the compiler can aggressively optimise translated code and in some cases compute entire sequences at compile time. The technique is particularly useful for running old Windows games and productivity software without a Windows installation, and sidesteps many compatibility and performance challenges of dynamic emulation. The name references the Ship of Theseus, since the original program is entirely replaced instruction by instruction.
Read →
bernat.tech
Defense in Depth: A Practical Guide to Python Supply Chain Security
This practical guide advocates a layered approach to Python supply chain security, combining multiple controls so that when one fails the others catch it. Key techniques include pinning all dependencies with cryptographic hashes using uv lock or uv pip compile --generate-hashes (pip enforces the pins at install time in hash-checking mode, which it switches on as soon as any requirement carries a --hash), scanning for known CVEs with pip-audit in CI, and adopting Trusted Publishing with OIDC to replace long-lived API tokens with short-lived credentials and have Sigstore attestations generated automatically on release. Additional safeguards include linting with Ruff's security-focused rules, generating a Software Bill of Materials (SBOM) with CycloneDX so that a newly disclosed vulnerability can be matched quickly against what is deployed, and holding new releases for 7 days before ingestion on internal mirrors so the community acts as an early warning system. The guide is explicit that no single control is sufficient and that the goal is defence-in-depth rather than a silver bullet.
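Two of the layers above, hash pinning and the ingestion delay, can be checked mechanically. The script below is an added example, not code from the guide or from the uv, pip or PyPI projects. It parses a hash-pinned requirements file of the kind uv pip compile --generate-hashes emits and reports every requirement that is not an exact version with at least one hash (the condition under which pip's hash-checking mode rejects the whole file); verifies a downloaded artifact against the pinned digests; and applies the 7-day delay to release metadata shaped like the "releases" object of PyPI's JSON API, skipping yanked releases. The project name, wheel bytes, digest and timestamps are constructed sample data.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# One pinned requirement with hash pins, as written by
# `uv pip compile --generate-hashes` or pip-compile:
#   example-pkg==1.2.3 \
#       --hash=sha256:<hex>
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s;\\]+)")
HASH_RE = re.compile(r"--hash=(?P<alg>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def normalise(name):
    """PEP 503 project-name normalisation: runs of -, _ and . become -, lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(requirements_text):
    """Return (pins, problems). pins maps a normalised project name to its
    version and the set of (algorithm, hex digest) pairs; problems lists every
    requirement that is not an exact version with at least one hash, since
    pip's hash-checking mode refuses to install from such a file."""
    joined = requirements_text.replace("\\\n", " ")   # join backslash continuations
    pins, problems = {}, []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # blanks and options such as --index-url
            continue
        m = PIN_RE.match(line)
        if not m:
            problems.append(f"not pinned to an exact version: {line}")
            continue
        hashes = {(h.group("alg"), h.group("digest").lower()) for h in HASH_RE.finditer(line)}
        name = normalise(m.group("name"))
        if not hashes:
            problems.append(f"{name}=={m.group('version')} has no --hash")
            continue
        pins[name] = {"version": m.group("version"), "hashes": hashes}
    return pins, problems


def artifact_matches_pin(artifact_bytes, pin):
    """True if the downloaded wheel or sdist matches any digest recorded for the pin."""
    return any(
        hashlib.new(alg, artifact_bytes).hexdigest() == digest
        for alg, digest in pin["hashes"]
    )


def releases_cleared(releases, now, min_age=timedelta(days=7)):
    """Quarantine filter for an internal mirror: return the versions whose files
    have all been on the index for at least min_age and that are not yanked.
    `releases` has the shape of the "releases" object returned by
    https://pypi.org/pypi/<project>/json."""
    cleared = []
    for version, files in releases.items():
        if not files or any(f.get("yanked", False) for f in files):
            continue
        uploaded = [
            datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
            for f in files
        ]
        if now - max(uploaded) >= min_age:      # the newest file decides the age
            cleared.append(version)
    return cleared


# Constructed sample data (not a real project, release or digest).
SAMPLE_WHEEL = b"PK\x03\x04 constructed wheel bytes for example-pkg 1.2.3"
SAMPLE_REQUIREMENTS = (
    "# generated by uv pip compile --generate-hashes (constructed sample)\n"
    "--index-url https://mirror.internal.example/simple\n"
    "example-pkg==1.2.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(SAMPLE_WHEEL).hexdigest()}\n"
)
NOW = datetime(2026, 4, 20, tzinfo=timezone.utc)
SAMPLE_RELEASES = {
    "1.2.2": [{"upload_time_iso_8601": "2026-01-05T10:00:00.000000Z", "yanked": True}],
    "1.2.3": [{"upload_time_iso_8601": "2026-03-01T10:00:00.000000Z", "yanked": False}],
    "1.2.4": [{"upload_time_iso_8601": "2026-04-18T09:30:00.000000Z", "yanked": False}],
}

if __name__ == "__main__":
    pins, problems = parse_pins(SAMPLE_REQUIREMENTS)
    print("problems:", problems)
    print("artifact matches pin:", artifact_matches_pin(SAMPLE_WHEEL, pins["example-pkg"]))
    print("tampered artifact matches:", artifact_matches_pin(SAMPLE_WHEEL + b"\x00", pins["example-pkg"]))
    print("cleared for mirror ingestion:", releases_cleared(SAMPLE_RELEASES, NOW))
```

The age check uses the newest file of a release deliberately: a release whose sdist appeared weeks ago but whose wheel for your platform was uploaded yesterday is still a fresh artifact from the mirror's point of view. Hash verification only covers what the lock file lists, so a release that passes the quarantine still has to match a pin before it is installed.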
Read →