Nx Console version 18.95.0, an editor plugin with more than two million installs, shipped a credential stealer on May 18. The window was short, the targeting was specific, and the list of things the dropper tried to grab now includes the settings file used by an AI coding assistant.
CVE-2026-44338 is a missing authentication default in an open-source orchestration framework called PraisonAI, not a remote-code-execution bug in anything you have heard of. The speed at which an internet-scale scanner arrived on its doorstep, less than four hours after the GitHub advisory went live, is what should hold attention.
CVE-2026-42897 lets a crafted email run JavaScript inside Outlook Web Access on every supported on-prem version. Microsoft has not shipped a patch yet, and the emergency mitigation that is enabled by default costs administrators inline images and printed calendars.
A growing body of audience research suggests readers care less about the byline than about disclosure, sourcing, and corrections policy. Researchers say the findings should be read carefully.
DeepSeek V4 Pro, Kimi K2.6, GLM-5.1, and MiniMax M2.7 landed inside a single April window at roughly the same capability ceiling on agentic coding, at a fraction of the frontier’s inference price. The interesting question is not which model wins. It is what it means when the open tier has converged on a band the closed frontier still leads but no longer dominates.
OpenAI stopped reporting SWE-bench Verified in February. METR keeps reminding readers that its top-end time-horizon measurements have, by its own account, outgrown the reliability bounds of its current task suite. The interesting question is no longer which frontier model leads. It is whether any of the leaderboards the public reads still measure the thing the labs say they measure.
Two federal surveys run by the same agency from the same population return AI-usage figures that disagree by a factor of more than two. The discrepancy is not a contradiction. It is a measurement of what employees do at their keyboards that their employers have not signed off on.
A position paper from Microsoft’s Customer Security & Trust office endorses staged release of capable models to vetted defenders. The reasoning is sound. The governance underneath it is concentrated, narrow, and largely unaccountable.