Tuesday, 16 June 2026
A fake LinkedIn recruiter hid a backdoor in a code review; a security researcher nearly owned the FIFA World Cup broadcast; Anthropic launches a $150M nonprofit fellowship
Today's Lead
Roman Imankulov (roman.pt)
A Backdoor in a LinkedIn Job Offer
Roman Imankulov received a suspicious LinkedIn message from a recruiter posing as a crypto startup employee, offering him code to review on GitHub. The repository contained malicious code hidden in test files that would execute arbitrary commands when npm install was run, using a fake profile and falsely attributed commits to legitimate developers. Rather than cloning the repo directly, he cautiously examined it using a throwaway VPS and AI agent, demonstrating how even security-conscious developers can be targeted by sophisticated social engineering attacks.
Also today
Bob Da Hacker
I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
A security researcher discovered critical client-side authorization vulnerabilities in FIFA's systems while registering as a football agent. By exploiting these flaws, they gained unauthorized access to live World Cup 2026 streaming controls, broadcast management systems, and sensitive operational data including RTMP stream keys for all camera feeds. The researcher demonstrated that an attacker could have compromised the entire World Cup broadcast globally across all TV networks. The vulnerability was patched overnight after escalation through MediaKind, CISA, and FBI contacts, with FIFA implementing server-side authorization checks without formally acknowledging the report.
Read →Anthropic
Anthropic is launching Claude Corps, a national fellowship program that will train 1,000 early-career professionals in AI skills and place them at nonprofits across America for one-year positions. Fellows receive $85,000 annual salary plus benefits and participate in weekly training while working full-time at host organizations. The program involves a partnership with CodePath and Social Finance, with at least 400 nonprofits set to participate across sectors like food security, veteran support, and environmental work. Anthropic is investing $150 million initially, with applications open through July 17, 2026 for the first cohort of 100 fellows starting in October.
Read →Richard Osgood (richardosgood.com)
Banned Book Library in a Wi-Fi Smart Light Bulb
Rick Osgood describes an ingenious hardware hacking project that repurposes WiFi-enabled smart LED bulbs into 'digital dead drops' for distributing banned and censored books. By flashing custom firmware onto IoTorero bulbs with ESP32C3 chips, he created devices that broadcast open WiFi networks allowing nearby users to anonymously access hosted ebooks. The project involved extensive reverse engineering, firmware dumping, creative storage partitioning to maximize the 4MB capacity, and building a custom web interface with a captive portal, administrative controls, and OTA update functionality.
Read →Iroh blog (b5)
Iroh has released version 1.0, a stable networking library that enables devices to connect using cryptographic keys instead of IP addresses, providing secure direct connections regardless of location or network conditions. The platform has achieved significant scale with over 200 million endpoints created in the last 30 days alone. Version 1.0 now officially supports multiple languages including Python, Node.js, Swift, and Kotlin, and guarantees wire protocol and API stability across minor versions. The system incorporates advanced features like QUIC multipath connections, NAT traversal, and custom transport support including Bluetooth Low-Energy and Tor integration.
Read →Typst
Typst 0.15 Contains Multitudes
Typst 0.15 represents the project's largest update, introducing variable fonts for parametric typefaces, MathML support for accessible mathematical expressions, and a generalized bundle export system for creating multiple output files. The release also adds support for multiple bibliographies with automatic citation assignment, dual PDF standards compliance (PDF/A-2a and PDF/UA-1), and enhanced diagnostic messages to help with layout issues.
Read →The Old New Thing (Raymond Chen)
The Time the x86 Emulator Team Found Code So Bad They Fixed It During Emulation
Raymond Chen recounts how a compiler optimization backfired catastrophically, unrolling a simple stack memory initialization loop into 65,536 individual write instructions that consumed 256KB of code instead of a tight loop. The x86 emulator team encountered this egregiously inefficient code during binary translation and decided to add special detection logic to replace the horrible function with its equivalent loop at the emulation layer. This anecdote demonstrates how optimization heuristics can produce the opposite of their intended effect and showcases the pragmatic problem-solving of systems engineers dealing with legacy code.
Read →Kobzol
How Memory Safety CVEs Differ Between Rust and C/C++
Memory safety CVEs are reported and classified very differently in Rust versus C/C++. In C/C++, bugs from incorrect API usage aren't typically reported as CVEs because unsafe behavior is so easy to trigger accidentally. In Rust, however, any memory bug that occurs in a safe (non-unsafe) function is considered a library bug because Rust's type system provides clear guarantees about what's safe. This fundamental architectural difference means Rust CVEs focus strictly on soundness holes in safe APIs, while C/C++ CVEs focus on actual misuse in real-world code.
Read →Will Larson (lethain.com)
Revised Rules of Engineering Leadership
Engineering leadership is evolving with five core principles in the AI era: individual engineers can now drive complex migrations that once required whole teams, development infrastructure and testing remain critical even as code generation becomes cheaper, routine processes should be automated to free humans for edge cases, durable teams with domain expertise are essential for maintaining context, and organizations must make rapid decisions to capitalize on the increased execution pace. The author illustrates these principles through concrete examples from Imprint, including a 20–30x improvement in deployment frequency and full-company adoption of AI coding tools within two months.
Read →LeadDev (Michael Hill)
The 8 Software Engineering Metrics AI Broke
AI tools have compromised eight traditional software engineering metrics—from deployment frequency to lines of code—by making output artificially cheap while masking real engineering practices. When code generation is trivial, volume-based metrics now measure the tool's capability rather than engineer quality, making accountability and actual productivity assessment increasingly difficult. The article argues that only three metrics remain reliable: time to recover, business outcomes, and escaped defect rate—metrics that reflect genuine engineering health beyond superficial activity measures.
Read →