Flux
Next.js moves to scheduled security releases
Nouveau

Next.js moves to scheduled security releases

Vercel announced that Next.js is adopting a formal security release program, replacing the ad-hoc patches the framework has shipped until now. Going forward, the team will publish advance notice of security releases on the Next.js blog roughly once a month. Each notice will state the expected release date and the highest anticipated severity of the fixes it covers. The first scheduled release is slated for July 20. It will ship patch releases for Next.js 16.2 and 15.5 and addresses 4 high and 5…

Socket
Mermaid to Unicode box art (grok-mermaid)
Nouveau

Mermaid to Unicode box art (grok-mermaid)

Tool: Mermaid to Unicode box art (grok-mermaid) While exploring the codebase for the newly open-sourced Grok CLI coding agent I came across xai-grok-markdown/src/mermaid.rs, a "self-contained terminal renderer for Mermaid diagrams" written in Rust. I figured it would be fun to try that out in a browser via WebAssembly. Here's the prompt I ran in Claude Code for web (Fable 5), and this is what the resulting tool looks like: Tags: tools, rust, webassembly, mermaid, grok, xai

Simon Willison's Weblog
xai-org/grok-build, now open source
Nouveau

xai-org/grok-build, now open source

xai-org/grok-build, now open source xAI's grok CLI tool faced severe community backlash yesterday when it became apparent that running the command in a directory could upload that entire directory to xAI's Google Cloud buckets. One user reported running it in their home directory and seeing it upload "my SSH keys, my password manager database, my documents, photos, videos, everything". I've not seen an official explanation for why it was doing this, but xAI did respond to the feedback (Musk:…

Simon Willison's Weblog
Don’t Neglect the Operational Groundwork
Nouveau

Don’t Neglect the Operational Groundwork

Autonomous agents are moving faster than the field’s ability to govern them, and catching up requires more than better prompts or bigger sandboxes. At O’Reilly’s recent AI Superstream focused on OpenClaw and the broader ecosystem of locally run and self-hosted AI agents, five speakers, each working at a different layer of the stack, explored patterns […]

O'Reilly Radar — AI/ML
How I tricked Claude into leaking your deepest, darkest secrets
Nouveau

How I tricked Claude into leaking your deepest, darkest secrets

How I tricked Claude into leaking your deepest, darkest secrets I've been impressed by the way the Claude web_fetch tool is designed to avoid data exfiltration attacks. Ayush Paul found a hole in that design. To recap: regular Claude chat is at risk of lethal trifecta attacks, because it has access to private data (in the form of memories of your past interactions) and has a tool for accessing online content which can both read hostile instructions and exfiltrate data through the URLs it…

Simon Willison's Weblog
simonw/pedalican
Récent

simonw/pedalican

simonw/pedalican Clearly I wasn't paying attention when these were first announced back in May, but today I accidentally activated a "pet" in Codex Desktop - a little animated robot, reminiscent of Clippy - and then learned you can create your own. So I did, and now I have a cute little pelican on a bicycle bouncing around my desktop giving me updates on my Codex tasks. Your browser does not support HTML5 video. The most interesting thing about this process was watching how the custom pet was…

Simon Willison's Weblog
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload Récent

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

Socket’s Threat Research Team analyzed 11 malicious NuGet packages published as .NET command-line tools (DotnetTool package type) that present themselves as game utilities, bots, and “panels”. Every package is a first-stage downloader that fetches and executes a second-stage Windows payload named pepesoft.exe from GitHub Releases and Hugging Face paths under the username pepegit666, with dormant BitTorrent fallback code built in. The campaign splits cleanly into two stages: A .NET downloader…

Socket
lobste.rs is now running on SQLite
Récent

lobste.rs is now running on SQLite

lobste.rs is now running on SQLite Community site Lobsters has been planning a migration away from MariaDB since August 2018 - originally targeting PostgreSQL, but last year they decided to investigate SQLite instead. This weekend they completed the migration, and now consider it stable enough that it looks like this is the permanent architecture for the site going forward: SQLite seems to have passed with flying colors: cpu usage is down, memory usage is down, site seems to be snappier at…

Simon Willison's Weblog