Tuesday, 26 May 2026

Pope Leo XIV issues first AI ethics encyclical; Claude finds Apple macOS zero-day; California exempts Linux from age verification

Today's Lead

Simon Willison

Pope Leo XIV's Encyclical on AI: Magnifica Humanitas

Pope Leo XIV's 2026 encyclical 'Magnifica Humanitas' addresses AI ethics through a social justice framework, drawing parallels to Leo XIII's 1891 labor encyclical. The Pope describes AI systems as 'more cultivated than built' — developers cannot fully explain their internal representations — and warns of baked-in cultural biases, sycophancy, and environmental costs. Concrete proposals include treating data as a common good rather than private property, requiring clear accountability chains in automated decision-making affecting employment and credit, and resisting the concentration of AI power among a small wealthy elite. Simon Willison notes the document also validates a January prediction he made on the Oxide and Friends podcast: 'How about the Pope?' has aged well as a way to get credible, trusted voices into the AI policy debate.

Read →

Also today

Apple Security

CVE-2026-28952: Claude Finds Apple macOS Kernel Vulnerability

Apple's security release for macOS Tahoe 26.5 credits researchers at Calif.io working in collaboration with Claude and Anthropic Research for discovering CVE-2026-28952, an integer overflow in the kernel that could allow an application to cause unexpected system termination. Apple addressed the vulnerability by improving input validation. The credit is notable: this appears to be one of the first publicly acknowledged cases of an AI system contributing meaningfully to the discovery of a kernel-level zero-day, suggesting AI-assisted vulnerability research is maturing from a theoretical capability to a practical one.

Read →

PromptArmor

Microsoft Copilot Cowork Exfiltrates Files via Indirect Prompt Injection

PromptArmor researchers demonstrated a 100%-reliable file exfiltration attack against Microsoft Copilot Cowork using indirect prompt injection. Malicious instructions embedded in skill files cause Copilot to generate Teams messages with hidden image tags linking to attacker-controlled servers and pre-authenticated SharePoint/OneDrive download URLs — all without requiring user approval. When the message is opened, files are silently exfiltrated. Administrators can partially mitigate via SharePoint policies, but the researchers frame this as a systemic design flaw in agentic systems with broad cross-enterprise permissions rather than an isolated bug.

Read →

Tom's Hardware

California Moves to Exempt Linux from Its Age Verification Law

California's AB 1043 (Digital Age Assurance Act) required all operating systems to collect user age during setup and expose age-bracket signals to apps by January 2027. Privacy advocates, the EFF, and Linux developers raised alarms: Linux distributions are decentralized volunteer projects with no centralized user accounts or telemetry infrastructure, and compliance would be practically impossible for infinitely forkable open-source code. The same lawmaker who authored the original bill now proposes AB 1856, which would exempt operating systems distributed under licenses permitting modification and redistribution — covering Ubuntu, Fedora, Debian and most mainstream distributions.

Read →

Krebs on Security

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Russian Cyberattacks

Dutch financial crime agency FIOD arrested Andrey Nesterenko (MIRhosting) and Youssef Zinad (WorkTitans BV) on May 18 for operating hosting infrastructure that supported Russian state-sponsored DDoS attacks, disinformation campaigns, and election interference operations. Evidence showed the networks were heavily used in attacks on Danish government bodies during the November 2025 elections. The operation seized over 800 servers across data centers in Dronten and Schiphol-Rijk, disrupting a key node in the technical backbone of Russia's hybrid warfare capability in Europe — the same infrastructure Krebs traced back to Stark Industries, a hosting provider that materialized two weeks before Russia invaded Ukraine.

Read →

Nolan Lawson

Using AI to Write Better Code, More Slowly

Nolan Lawson argues the default instinct to use AI coding tools for speed maximization is the wrong frame. Instead, he runs multiple models in parallel to review AI-generated output, ranked by bug severity, deliberately slowing down in exchange for higher-quality results. The post is a counterpoint to velocity-first narratives: treating AI output as a starting point for rigorous review rather than deployable work produces better codebases, at the cost of throughput. The piece resonated broadly — 517 points on Hacker News — suggesting many developers share a quiet skepticism about the 'ship faster with AI' premise.

Read →

Blocks and Files

Norway's National Library Builds Sovereign Norwegian LLM on 2 Petabytes of Huawei Storage

Norway's National Library is training a sovereign Norwegian-language LLM to process 60 petabytes of Norwegian cultural content, using 2 petabytes of Huawei OceanStor Dorado flash as a preprocessing layer before training on the national supercomputer. Library leadership frames AI sovereignty as a national priority: non-English-speaking nations that rely solely on English-centric models risk their cultural and linguistic heritage being underrepresented or distorted. The Huawei storage choice adds a geopolitical layer to a project already notable for its scale and ambition.

Read →

ochagavia.nl

Fully In-Browser Container Builds

A proof-of-concept demonstrates building OCI-compliant container images entirely in the browser: client-side JavaScript downloads base images, unpacks layers, manipulates the filesystem, and repacks distributable artifacts — no server required. Beyond the demo, the post makes a broader point about tooling: deep understanding of container internals enables custom implementations that dramatically outperform standard tools, with real examples showing multi-gigabyte image creation reduced to seconds through architectural control and optimized caching.

Read →

jsx.lol

Does Anybody Actually Like React?

JSX.lol is a curated collection of developer criticism arguing that React's dominance stems from network effects and default adoption rather than technical merit. Recurring complaints: performance degradation at scale, maintenance complexity, and an ecosystem with constant churn that creates a confusing developer experience. The site frames the industry as entering a 'post-React era' where alternatives like Svelte or LiveView merit honest evaluation before teams default to React for a new project. 155 points and 195 comments on Hacker News suggest the frustration is widespread, even if the conclusions remain contested.

Read →