Cisco restructures despite record earnings, critical zero-days hit NGINX and BitLocker, and Anthropic targets small business

Depth First Research

NGINX Rift: Unauthenticated RCE via an 18-Year-Old Heap Overflow

Researchers disclosed CVE-2026-42945, a critical remote code execution vulnerability in NGINX that has been present since version 0.6.27 in 2008 and affects all versions through 1.30.0. The flaw is a heap buffer overflow in ngx_http_rewrite_module triggered by an interaction between rewrite and set directives: improper state tracking causes undersized memory allocation during configuration parsing, which an attacker can exploit to achieve unauthenticated RCE. A working proof-of-concept was published, using heap feng shui techniques that take advantage of NGINX's deterministic memory layout across worker processes. The vulnerability's age is particularly significant: NGINX is the most widely deployed web server in the world, and a bug that has existed since 2008 — across the entire modern web's growth phase — means the exposure surface is essentially every NGINX installation running today. The combination of unauthenticated exploitation, a working PoC, and ubiquitous deployment makes this a high-urgency patch for any organization running NGINX. The disclosure joins a pattern this month of long-dormant critical vulnerabilities being surfaced, likely accelerated by AI-assisted code auditing tools that can analyze large codebases at a scale manual review cannot match.

Tom's Hardware

YellowKey: BitLocker Encryption Bypassed With Files on a USB Stick

A zero-day exploit called YellowKey has been published demonstrating that Microsoft BitLocker-protected drives can be unlocked using only specially crafted files placed on a USB stick — no brute-force cryptography required. The exploit suggests the presence of an apparent backdoor in BitLocker's implementation rather than a conventional cryptographic weakness. BitLocker is the primary disk encryption solution shipped with Windows and widely deployed in enterprise environments for endpoint data protection; a bypass that requires only a USB stick and no knowledge of the user's credentials represents a severe threat to physical-access security assumptions. The YellowKey disclosure comes alongside separate Microsoft zero-day releases from an unnamed disgruntled security researcher who has been publishing Windows vulnerabilities on a recurring basis, creating an unusually active period of Windows-specific public exploit disclosure. Organizations relying on BitLocker as their sole layer of disk encryption for sensitive devices should treat this as requiring immediate response — particularly for devices that may be physically accessible to adversaries in unattended environments such as laptops and kiosks.

Anthropic

Anthropic Launches Claude for Small Business

Anthropic launched Claude for Small Business, a package of 15 ready-to-run agentic workflows that integrate Claude directly into common small-business tools including QuickBooks, PayPal, HubSpot, and Google Workspace. The workflows cover finance, operations, sales, marketing, and customer service, and are designed to be deployable without technical staff — a deliberate positioning against the common critique that enterprise AI adoption requires dedicated engineering resources. Anthropic is pairing the product launch with a free AI Fluency course and a Claude SMB Tour across more than 10 cities beginning May 14. The small business push represents Anthropic's most direct move to compete in the segment that has historically been dominated by Microsoft Copilot through the existing Microsoft 365 distribution channel. The product strategy — pre-built workflows rather than raw API access — reflects a broader industry recognition that the bottleneck for most business AI adoption is not model capability but deployment friction; the value proposition is that the integration work is already done. Whether Anthropic can build meaningful distribution reach into the small business segment without the kind of existing software relationships Microsoft has with Office will be the test of this launch's long-term traction.

Wasp

Wasp Abandons Its Custom Language After Five Years and $5M

Wasp, a full-stack web framework, published a candid postmortem on their decision to abandon their custom programming language after five years of development and $5 million in funding. The core value proposition Wasp was built around — giving the framework compile-time understanding of the entire application structure, enabling features like automatic type-safe routing and schema-synced database bindings — turned out to require a custom language syntax less than the founders assumed. TypeScript, with appropriate tooling and conventions, can serve as the medium for the same structural declarations. The custom language created adoption barriers that were genuinely significant: developer concerns about IDE support quality, widespread misperception that Wasp would replace JavaScript entirely, and the Haskell-based compiler positioning that deterred mainstream web developers who associated it with an unfamiliar ecosystem. The switch to TypeScript is presented not as a retreat but as a refinement of the actual product hypothesis — that the value is in whole-app comprehension at the framework level, not in novel syntax. The piece is worth reading not just for the Wasp-specific decisions but as an unusually honest account of how a reasonable technical bet (custom DSL for structured problems) can generate friction that outweighs its benefits when the target audience is not language enthusiasts but working developers who need to ship products.

Jorijn Schrijvershof's blog

Leaving GitHub for Forgejo: Self-Hosting as a Response to AI Training Concerns

A developer documents his migration from GitHub to self-hosted Forgejo, citing Microsoft's opt-out AI training policy as the trigger for a broader reassessment of data ownership. The migration gains external validation from an unexpected source: the Dutch government officially adopted Forgejo for its code.overheid.nl platform in April 2026, citing digital autonomy and open-source governance concerns that closely mirror the author's reasoning. The technical implementation goes beyond a simple host change — the author configured a multi-layered runner setup using KVM virtualization and gVisor containerization for CI workloads, accepting reduced ecosystem compatibility and increased operational complexity in exchange for meaningful isolation of build processes. The Dutch government adoption is the most significant data point in the piece: when a national government's official code platform makes the same migration decision that individual developers are making on sovereignty grounds, it signals that the GitHub/Microsoft AI training concern has moved from niche developer anxiety to mainstream institutional policy. The Forgejo project has benefited from this dynamic; it has been receiving increasing investment from public institutions across Europe as a credible self-hosted alternative that maintains compatibility with GitHub's workflow model.

Pyrefly Blog

Pyrefly v1.0: Meta's Python Type Checker Reaches Production Stability

Pyrefly, Meta's open-source Python type checker, reached v1.0 stable release with a performance profile that significantly outpaces competing tools: full type checking on the PyTorch codebase runs 34% faster than previous versions, and incremental editor updates — the latency a developer experiences on each keypress in an IDE — are up to 125x faster. The project is already deployed as the default type checker for Instagram's Python codebase at Meta, and is in use across major Python projects including PyTorch, NumPy, and Pandas. The v1.0 release includes a 'basic preset' mode designed to lower the adoption barrier for projects without existing type coverage, and automatic configuration migration from mypy and pyright to reduce switching cost. The roadmap items are well-targeted for Python's current usage landscape: tensor shape checking for ML frameworks addresses a real gap in current type systems that matters enormously for PyTorch and JAX code, and AI-assisted coding integration acknowledges that the primary use case for editor-side type checking in 2026 is increasingly feedback to AI code generation rather than direct developer feedback. Pyrefly enters a competitive space alongside pyright (Microsoft) and mypy (the original), but its performance advantage and backing from a large-scale production deployment make it a credible alternative for teams where type-checking latency has been a friction point.

LeadDev

How LLMs Became Walmart's On-Call Engineer

Walmart deployed an LLM-based incident triage system across its 5,000+ store checkout infrastructure, integrating with Model Context Protocol (MCP) to connect the model to real-time telemetry, error logs, and system state from multiple sources simultaneously. The result reduced mean triage time from more than 15 minutes to under 2 minutes — a 7x improvement — while allowing non-technical store support staff to diagnose and resolve checkout system failures without waiting for engineering escalation. The system synthesizes data from sources that previously required an engineer to manually correlate and outputs plain-language diagnostics with suggested remediation steps. The Walmart deployment is notable for what it reveals about where LLMs are genuinely useful in operations: not replacing senior engineers doing novel problem-solving, but compressing the time required for the well-defined, high-frequency, high-stakes pattern-matching tasks that constitute the bulk of operational incident triage. The MCP integration is the technical enabler — it allows the model to pull structured context from live systems rather than relying on static documentation, which is the difference between 'explains what this error code means' and 'tells you that checkout lane 7 in store 4821 has a network partition affecting card terminals.' For engineering organizations evaluating AI in on-call workflows, the Walmart case provides a concrete benchmark: checkout system triage is a narrow, structured, high-volume problem that maps well onto the LLM capability profile, and the results justify the integration complexity.

Cloudflare Blog

Cloudflare Browser Run Migrates to Containers: 4x Capacity, 50% Faster

Cloudflare migrated its Browser Run headless browser platform from shared Browser Isolation infrastructure to dedicated Cloudflare Containers, achieving more than 50% reduction in Quick Action response times and 4x the previous concurrent browser capacity (120 concurrent vs. 30). The migration involved solving a non-obvious real-time state management problem at scale: with thousands of containers each updating their state every 5 seconds, the team outgrew Workers KV's eventual consistency model (30-second minimum cache TTL creates race conditions when assigning browsers to requests) and migrated container state to D1 with batched writes via Queues — achieving P95 write latency of 0.1ms with batches of 100 rows. The architectural detail worth noting is their regional pre-warming pool pattern: Durable Object-backed Container creation places the DO near the user but may spin up the container elsewhere; by maintaining regional pools of pre-warmed pairs, they bound the worst-case latency on both hops. The migration was also motivated by demand growth from AI agent builders who discovered Browser Run as a platform for web interaction, driving usage spikes that the shared-infrastructure architecture couldn't scale to accommodate. The upgrade also unlocked faster browser version iteration — previously requiring coordination across multiple product teams — enabling the launch of WebGL support and WebMCP (Model Context Protocol for the web), the latter positioning Browser Run as infrastructure for AI agents that need to interact with web pages through a browser rather than raw HTTP.

Fortune

AI Data Centers Threaten to Sever Power to 50,000 Lake Tahoe Residents

NV Energy is ending electrical service to approximately 49,000 Lake Tahoe residents by May 2027 as surging electricity demand from AI data centers in Northern Nevada overwhelms the regional grid. Twelve planned data center projects — from Google, Apple, Microsoft, and others — could drive 5,900 megawatts of new demand by 2033, a figure that dwarfs the region's current capacity and forces grid operators to make allocation decisions that pit residential customers against industrial compute loads. Lake Tahoe's isolated grid position compounds the problem: the community lacks a direct high-capacity grid connection, reducing its negotiating leverage when NV Energy reallocates transmission capacity. Utility rates have already increased 11.4% in 2025, and the planned solution — routing power through the new Greenlink West transmission line — is cutting the May 2027 deadline extremely close. The story is an unusually direct illustration of a dynamic that has been building across the US: AI infrastructure investment is consuming electrical capacity at a rate that creates genuine competition with residential and commercial loads, and communities without strong regulatory leverage or alternative grid connections face the sharpest end of that competition. The Lake Tahoe case may be the most visible example so far, but the underlying dynamic — utilities prioritizing large industrial contracts over residential service in capacity-constrained regions — is playing out in multiple markets simultaneously.