Saturday, 16 May 2026

Cerebras closes a $60B IPO serving OpenAI's trillion-parameter models, Google Project Zero drops a Pixel 10 zero-click exploit, and Bun's Rust rewrite is found to allow undefined behavior in safe code

Today's Lead

Latent Space

Cerebras' $60B IPO: Slowly, then All at Once

Cerebras priced its IPO at $280/share, reaching a $60 billion market valuation, widely read as validation of the hardware company's long-standing bet on specialized AI infrastructure. The company says it serves trillion-parameter models, including internal OpenAI workloads (specifically OpenAI 5.4 and 5.5), and is positioning itself to capitalize on the market's shift from training toward inference economics. CFO Bob Komin pushed back on the 'small models only' narrative, asserting that there is no architectural limit on the size of model served. Cerebras' trajectory mirrors the broader AI hardware repricing, from 'can this architecture survive?' to 'is this the differentiated serving stack the inference economy now needs?', driven by rising inference demand, compute scarcity, and the widening gap between GPU-default infrastructure and specialized alternatives. The IPO reflects investor confidence, but specific figures on cost per token, latency, and deployment scope remain sparse, and independent verification is still pending.

Read →

Also today

Google Project Zero

A 0-Click Exploit Chain for the Pixel 10

Google Project Zero researchers disclosed a zero-click exploit chain for the Pixel 10 that combines an updated exploit for the Dolby audio decoder with a critical VPU driver vulnerability yielding arbitrary kernel memory access. The VPU driver flaw does not properly validate the size of a requested memory mapping, so an attacker can map physical memory into their own userland process; with arbitrary physical read/write in hand, escalation to root follows, and none of it requires user interaction. Google's Android team patched the vulnerability within 71 days and rated it 'High' severity, an improvement on the era when driver bugs sat unpatched for months. The disclosure is a reminder that driver attack surfaces, often written by third-party chip vendors with less security scrutiny than core OS code, remain fertile ground for zero-click chains on fully patched flagship hardware. The practical check for anyone auditing such a driver: an mmap handler must bound both the mapping length and the caller-controlled offset against the backing buffer, with the arithmetic guarded against wrap.
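As an added illustration of the bug class described above (this is not Project Zero's code and not the actual Pixel 10 VPU bug, whose specifics the summary does not give), here is a user-space model of the size validation an mmap handler performs: a weak check that compares only the requested length against the backing buffer, beside a strict check that also accounts for the caller-controlled page offset and guards every arithmetic step against wrap. The mmap_req struct, the buffer size, and the page-frame numbers are hypothetical values chosen for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical model of the fields an mmap handler reads from the
 * kernel's vm_area_struct for the caller's request. */
struct mmap_req {
    unsigned long vm_start;  /* user VA where the mapping begins */
    unsigned long vm_end;    /* user VA where it ends (exclusive) */
    unsigned long vm_pgoff;  /* caller-controlled offset into the buffer, in pages */
};

/* Buggy validation: compares only the mapping length against the buffer
 * and ignores vm_pgoff, so the caller can slide the window past the end. */
bool mmap_check_weak(const struct mmap_req *r, size_t buf_size)
{
    unsigned long len = r->vm_end - r->vm_start;
    return len <= buf_size;
}

/* Hardened validation: whole pages only, offset accounted for, and every
 * step guarded so a huge vm_pgoff cannot wrap the comparison. */
bool mmap_check_strict(const struct mmap_req *r, size_t buf_size)
{
    unsigned long len, off;

    if (r->vm_end <= r->vm_start)
        return false;                       /* empty or inverted range */
    len = r->vm_end - r->vm_start;
    if (len & (PAGE_SIZE - 1))
        return false;                       /* mappings are whole pages */
    if (r->vm_pgoff > (ULONG_MAX >> PAGE_SHIFT))
        return false;                       /* pgoff << PAGE_SHIFT would overflow */
    off = r->vm_pgoff << PAGE_SHIFT;
    if (off >= buf_size)
        return false;                       /* window starts outside the buffer */
    return len <= buf_size - off;           /* subtraction cannot underflow here */
}

/* The last physical page frame a request touches, given the buffer's first
 * frame: what a driver would effectively hand to remap_pfn_range(). Shows
 * where a weakly checked request actually lands. */
unsigned long last_pfn_mapped(unsigned long buf_pfn, const struct mmap_req *r)
{
    unsigned long pages = (r->vm_end - r->vm_start) >> PAGE_SHIFT;
    return buf_pfn + r->vm_pgoff + pages - 1;
}

int main(void)
{
    size_t buf_size = 4 * PAGE_SIZE;                          /* 16 KiB device buffer */
    unsigned long buf_pfn = 0x80000;                          /* hypothetical first frame */
    struct mmap_req legit  = { 0x10000, 0x12000, 0 };         /* 2 pages at offset 0 */
    struct mmap_req attack = { 0x10000, 0x11000, 0x100000 };  /* 1 page, 4 GiB into the buffer */

    printf("legit : weak=%d strict=%d\n",
           mmap_check_weak(&legit, buf_size), mmap_check_strict(&legit, buf_size));
    printf("attack: weak=%d strict=%d last_pfn=0x%lx (buffer ends at 0x%lx)\n",
           mmap_check_weak(&attack, buf_size), mmap_check_strict(&attack, buf_size),
           last_pfn_mapped(buf_pfn, &attack),
           buf_pfn + (buf_size >> PAGE_SHIFT) - 1);
    return 0;
}
```

The weak check accepts the one-page request because 4096 is less than the 16 KiB buffer, even though the offset puts the mapped frame 4 GiB past it; that is the shape of "map physical memory into userland". The strict check rejects it at the offset test, and rejects a maximal vm_pgoff before the shift can wrap.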

Read →

GitHub / oven-sh/bun

Bun Rust Rewrite: Codebase Fails Basic Miri Checks, Allows UB in Safe Rust

A GitHub issue reports that Bun's ongoing Rust rewrite contains undefined behavior that Miri, Rust's interpreter for detecting UB, flags: a dangling-reference pattern in which a Box is dropped while a reference to its contents remains live, and a call to core::slice::from_raw_parts() on memory whose provenance is invalid because the original allocation has already been freed. These are exactly the bug classes Rust's ownership model is designed to rule out, yet they appear behind functions with safe signatures, because an unsafe block inside a safe function asserts to the compiler that the invariants hold, and the compiler cannot check that assertion. The issue submitter argues this reflects 'vibe coding' with AI-assisted generation without the depth of Rust expertise needed to uphold the safety invariants. The report joins a broader pattern of high-profile projects discovering that Rust's type system catches only what the programmer presents to the compiler: misuse of unsafe blocks and faulty lifetime reasoning still produce UB that compiles cleanly, may appear to work under normal execution, and surfaces only by chance at runtime or under a checker such as Miri. Running cargo miri test in CI is the cheap way to catch this class before it ships.
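The two patterns named in the issue, reconstructed as an added example (this is not Bun's code; the function and type names are invented for illustration): two functions with safe signatures whose bodies are unsound in exactly those ways, beside sound alternatives that either leak the allocation honestly or tie the raw-parts view to its owner so the borrow checker enforces the lifetime.

```rust
//! Unsound "safe" functions of the kind Miri flags, next to sound versions.
//! `cargo run` executes only the sound paths; `cargo miri run` also executes
//! the unsound ones so that Miri reports them.
use std::slice;

/// UNSOUND. The signature promises a valid 'static slice, but the bytes live
/// in `data`, which is dropped before the slice is built. `ptr` keeps the old
/// address with no valid provenance, and from_raw_parts on it is UB.
pub fn view_after_free(data: Vec<u8>) -> &'static [u8] {
    let ptr = data.as_ptr();
    let len = data.len();
    drop(data); // allocation freed here
    // No SAFETY comment can justify this: the memory is no longer allocated.
    unsafe { slice::from_raw_parts(ptr, len) }
}

/// UNSOUND. A pointer derived from a reference into a Box outlives the Box;
/// the read is a use-after-free that the borrow checker never saw.
pub fn read_after_box_drop() -> u64 {
    let b = Box::new(0x4141_4141_u64);
    let p: *const u64 = &*b;
    drop(b); // `p` is dangling from here on
    unsafe { *p }
}

/// SOUND. The only honest way to hand out &'static is to never free the buffer.
pub fn view_leaked(data: Vec<u8>) -> &'static [u8] {
    Box::leak(data.into_boxed_slice())
}

/// SOUND. A raw-parts view that carries its owner, so the pointer's provenance
/// stays valid exactly as long as the view does. Moving the Vec into the
/// struct does not move its heap buffer, so `ptr` taken beforehand is correct.
pub struct OwnedView {
    ptr: *const u8,
    len: usize,
    _owner: Vec<u8>,
}

impl OwnedView {
    pub fn new(data: Vec<u8>) -> Self {
        let ptr = data.as_ptr();
        let len = data.len();
        OwnedView { ptr, len, _owner: data }
    }

    /// The returned lifetime is bound to &self, so the borrow checker stops
    /// the slice from outliving the owner that keeps the allocation alive.
    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: `ptr`/`len` describe `_owner`'s buffer, which lives as long
        // as `self` does and is never mutated or reallocated.
        unsafe { slice::from_raw_parts(self.ptr, self.len) }
    }
}

pub fn sum(bytes: &[u8]) -> u64 {
    bytes.iter().map(|&b| u64::from(b)).sum()
}

fn main() {
    let view = OwnedView::new(vec![1, 2, 3, 4]);
    println!("owned view sum = {}", sum(view.as_slice()));
    println!("leaked view len = {}", view_leaked(vec![9, 8, 7]).len());

    if cfg!(miri) {
        // Under Miri these abort with dangling-pointer / use-after-free errors.
        println!("{}", sum(view_after_free(vec![5, 6])));
        println!("{:#x}", read_after_box_drop());
    }
}
```

Both unsound functions compile without a single warning; rustc trusts the unsafe blocks. The point of OwnedView is that the unsafe call is still there, but its precondition (the allocation is live) is now enforced structurally by ownership rather than by the author's memory of how long the buffer lasts.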

Read →

MacDailyNews

DOJ Demands Apple and Google Unmask Over 100,000 Users of Car-Tinkering App

The U.S. Department of Justice issued subpoenas to Apple, Google, Amazon, and Walmart demanding personal information on over 100,000 users of EZ Lynk's Auto Agent app, alleging the software helps diesel vehicle owners bypass emissions controls. Apple and Google are reportedly challenging the requests as unconstitutionally overbroad; legal experts note the government does not need to identify individual users to investigate the company's alleged 'defeat device' operation. The scale is unprecedented, roughly ten times larger than any previous digital data demand in regulatory enforcement. The case illustrates a troubling pattern: app stores and platforms used as mass-surveillance instruments, with the burden of resisting overbroad government demands falling on private companies rather than on individuals, who cannot know their data is being sought.

Read →

Reclaim the Net

London Police Deploy Facial Recognition at Protest for First Time

London's Metropolitan Police deployed live facial recognition technology at a political protest for the first time on May 15, 2026, scanning attendees at a rally in Camden. The deployment created a digital record of protest participation without parliamentary authorization and drew immediate condemnation from civil liberties groups. Previous Metropolitan Police facial recognition pilots scanned over 470,000 faces and returned a reported 99.96% false positive rate, meaning nearly every match the system produced was wrong and thousands of innocent people were incorrectly flagged. The expansion to protest surveillance crosses a qualitative line: using mass biometric scanning to document who attends a lawful political assembly is categorically different from deploying the technology in commercial districts, and it sets a precedent that rights groups warn will chill free assembly.

Read →

Zulip Blog

Announcing the Zulip Foundation

Zulip is transitioning to an independent nonprofit foundation structure after founder Tim Abbott and several senior team members joined Anthropic. Kandra Labs, the company that has commercially supported Zulip's development, is being donated to the newly established Zulip Foundation, with Kim Vandiver stepping in as Interim President. The 12-person development team continues without disruption. The foundation structure enables grant funding and ensures long-term sustainability independent of the commercial entity's fate — a model increasingly common among open-source projects that outlive their founding companies. The move also signals that key infrastructure projects can survive principal departures when organizational structure is planned in advance rather than handled reactively.

Read →

kevinpatel.xyz

'No Way to Prevent This,' Says Only Package Manager Where This Regularly Happens

This satirical piece — modeled on The Onion's gun violence headline formula — critiques the npm ecosystem's recurring supply chain vulnerabilities by contrasting npm's repeated breaches with the stronger architectural safeguards in Go and Rust package ecosystems. The argument: while the JavaScript community treats supply chain compromises as inevitable cost-of-doing-business incidents, other ecosystems demonstrate that robust verification systems, module mirroring, sandboxing, and reduced reliance on arbitrary third-party dependencies can systematically reduce the attack surface. The piece landed 303 points on Hacker News because it names what practitioners already know — that the design choices embedded in npm's architecture make these attacks structurally more likely — in a format too sharp to ignore.

Read →

GitHub Blog

Building a General-Purpose Accessibility Agent — and What We Learned

GitHub's experimental accessibility agent has reviewed 3,535 pull requests with a 68% resolution rate, catching and auto-remediating WCAG violations before they reach production. A key architectural finding: a monolithic agent was replaced by two sandboxed sub-agents — a passive reviewer and an active implementer — communicating only through structured templates, which improved accuracy, traceability, and token efficiency. A critical insight for teams adopting LLMs for accessibility: models trained on decades of inaccessible code are strongly biased toward producing accessibility antipatterns, so a curated corpus of manually audited and remediated issues becomes the most valuable training signal. The agent deliberately refuses to generate code for high-risk patterns (drag and drop, rich text editors, data grids) that require human specialist judgment — a design choice that prevents false confidence more than it limits capability.

Read →

Erlang.org

Erlang/OTP 29.0

Erlang/OTP 29.0 ships with its most significant security upgrade in years: post-quantum cryptography support with x25519mlkem768 as the default SSH key exchange algorithm, and a 'secure by default' posture that disables SSH shell/exec and SFTP services unless explicitly enabled. Language additions include native records and multi-valued comprehensions, while the io_ansi module provides terminal styling primitives. Binary matching and map comprehension performance both improve meaningfully. The post-quantum default is the headline: OTP 29 ships PQC-ready SSH out of the box with no configuration required, positioning Erlang systems, including large-scale telecom and financial infrastructure, ahead of the cryptographic transition curve before post-quantum standards become mandatory guidance. Two caveats for operators: x25519mlkem768 is a hybrid of X25519 and ML-KEM-768, so the exchange is no weaker than classical X25519 even if the lattice scheme is broken, and SSH negotiates the key exchange per connection, so a peer that lacks the hybrid method still falls back to whatever classical algorithms remain in the offered list; the default only helps when both ends support it.

Read →

laurent.le-brun.eu

A History of IDEs at Google

A Google engineer documents the decade-long arc from fragmented editor choices to Cider V, Google's standardized web-based IDE now used for 80% of main codebase development. The journey started with a 2011 leadership belief that standardization wasn't worthwhile — a costly assumption that produced repeated integrations across incompatible platforms. Around 2013, the team built a powerful backend indexing the entire monorepo for intelligent features. By 2020, they pivoted to VSCode as the frontend while maintaining the custom backend, combining VSCode's maturity with Google-scale integrations. Standardization unlocked compounding returns: once 80% of development happens in one environment, investments in tooling — including ~100 internal extensions and AI-powered features — apply at scale. The post makes a case that IDE standardization, often resisted as an ergonomic imposition, is an infrastructure investment with returns that only become visible years later.

Read →