Wednesday, 08 July 2026

The EU mandates driver-monitoring cameras in every new car with no clear data policy; researchers trick GitHub's AI agent into leaking private repos through a poisoned Issue; a new paper asks whether Claude can meaningfully consent to its own constitution

Engineering

Noma Security, via Hacker News

GitLost: How We Tricked GitHub's AI Agent into Leaking Private Repos

Security researchers at Noma Labs found a critical prompt injection flaw in GitHub's Agentic Workflows: an unauthenticated attacker can open a GitHub Issue containing hidden instructions, and if a repository's AI agent later processes that issue, it follows the buried commands and exfiltrates private repository contents back to the attacker. The root cause is a familiar one wearing new clothes — insufficient separation between trusted system instructions and untrusted user-supplied content — except the "input" here is an ordinary public Issue anyone can file, and the "execution" is an LLM agent with legitimate read access to private code. It's a clean illustration of why treating agent context as just another string to interpolate into a prompt keeps reproducing the injection vulnerability class that input sanitization solved for SQL and shell decades ago, just relocated to a new interpreter. As agentic tools get wired directly into issue trackers, PR reviews, and CI, this kind of injection surface will keep appearing faster than teams can audit for it.

Read →

blog.yossarian.net, via Lobsters

You Shouldn't Trust Trusted Publishing

Trusted Publishing — the OIDC-based mechanism that lets CI systems like GitHub Actions authenticate to registries such as PyPI without long-lived API tokens — solves a real credential-management problem, but the post argues it's being misread as something it isn't: a signal that a package is safe. The mechanism only proves that a specific, minimally-scoped, short-lived machine identity did the uploading; it says nothing about what code that identity uploaded, and PyPI deliberately avoids surfacing it as a visible trust badge for exactly that reason. The conflation matters because as more registries roll out Trusted Publishing and market it as a supply-chain security win, the temptation to treat "published via Trusted Publishing" as a proxy for "reviewed and safe" will grow — and any attacker who compromises a repo's CI config inherits that same trusted, badge-worthy publishing path. It's a specific case of a general failure mode: a mechanism built to solve one problem (credential leakage) quietly gets repurposed as evidence for a different, unrelated claim (code trustworthiness) it was never designed to support.

Read →

zkSecurity, via Hacker News

AI Meets Cryptography 1: What AI Found in Cloudflare's CIRCL

zkSecurity turned an AI audit agent loose on Cloudflare's CIRCL cryptographic library and came away with seven real vulnerabilities, including precision loss in RSA operations, a proof-forgery path, and flaws in key derivation — exactly the kind of subtle, math-heavy defect where automated fuzzing typically struggles and human cryptographers are scarce and expensive. But the report is refreshingly honest about the agent's failure modes: it was inconsistent at assessing how severe a given bug actually was, and it couldn't chain individual findings into a working end-to-end exploit, so a human still had to do the triage and impact analysis before anything could responsibly be disclosed. That division of labor — AI as a wide-net first pass, humans doing judgment calls on severity and exploitability — looks like a more durable model for security work than either "AI replaces auditors" or "AI is a toy," and it fits a broader pattern this week of AI turning up real, unglamorous bugs across sqlite-utils, Rust services, and now cryptographic libraries.

Read →

anthonyhobday.com, via Hacker News

Notes on Software Quality

The essay frames software quality as fundamentally negative — the absence of problems rather than the presence of any particular feature — and argues that this absence gets exponentially harder to sustain as an organization scales, because quality depends on a level of shared design coherence and leadership follow-through that gets diluted with every additional team, handoff, and reporting layer. It's a useful corrective to quality conversations that focus entirely on individual engineering practices like testing and code review without acknowledging that most quality erosion at scale is organizational, not technical: nobody owns the seams between systems, and short-term commercial pressure reliably beats long-term design coherence unless leadership actively spends political capital defending it. The piece doesn't offer a tidy fix — it explicitly concedes perfect quality is unreachable — but treats that as a reason to keep pursuing it deliberately rather than a reason to stop measuring it, a harder and more honest position than either complacency or process-theater.

Read →

Martin Fowler

Viability of Local Models for Coding

Martin Fowler's Birgitta Böckeler spent a month running local LLMs for real programming tasks and lays out the practical factors that actually determine viability, rather than benchmark scores: available RAM, inference speed on consumer hardware, and — the one that broke the most workflows — how reliably a model can execute tool calls, since agentic coding assistants depend on that far more than raw code-generation quality. Her pick for best local option, Qwen 3.6 35B MoE, still lagged well behind frontier proprietary models and required real setup effort; the overall experience was functional rather than "plug-and-play," meaning local models are viable today mainly for people with a specific reason to avoid sending code to a cloud provider — compliance, IP sensitivity, cost at scale — rather than a free upgrade path for everyone else. It's a useful, hype-free data point in a week that's otherwise been full of both AI-coding triumphalism and AI-coding backlash: the honest state of local models is "usable with real tradeoffs," not a verdict in either direction.

Read →
Humanities

JSTOR Daily

Rudyard Kipling's Buddhism

Literature scholar Deanna K. Kreisel traces how Kipling's Kim — a novel about an Irish boy recruited as a British intelligence asset in colonial India — reflects a specific late-Victorian shift: from dismissing Buddhism as evidence of Asian irrationality and passivity to treating it as a source of disciplined willpower potentially compatible with Western science and psychology. Kim's own strength in the novel comes not from racial superiority but from trance states and esoteric practice learned from a Tibetan lama, a detail Kreisel reads as Kipling absorbing this newer, more respectful (if still thoroughly orientalist) framing even while remaining a committed imperialist. The piece is a small case study in how colonial-era Western engagement with a foreign belief system was never a single, static attitude — it tracked contemporary anxieties back home, in this case Darwinian evolution and the birth of psychology, which made "the mind studying itself" newly fashionable and made Buddhist meditative traditions look less alien and more like fellow travelers.

Read →