Zero-click backdoor (CVSS 9.8) hits millions of budget Android phones; WordPress SQLi and 78 AI tool data leaks follow
Security dominated the month's headlines, beginning with Operation Silent Rescue, an attack chain that leaves millions of budget Android phones running on Unisoc T606/T616 chipsets—including Motorola Moto G04s, G24, G34, and E24—wide open to zero-click remote compromise. Rated CVSS 9.8, the chain pairs an unpatchable BootROM flaw (CVE-2022-38694) with a modem RCE triggered over rogue LTE signals, requiring no user interaction and gaining deep access through pre-installed system apps.
WordPress administrators were also put on alert after researchers detailed two pre-auth SQL injection vulnerabilities (CVE-2026-63030 and CVE-2026-60137) in the REST batch endpoint. A desynchronization in the parallel arrays tracking sub-request validation and dispatch allows attackers to redirect handlers and inject SQL by nesting batch requests—a reminder that even mature core systems can harbor severe, exploitable logic bugs.
The risk extends to the AI supply chain. A source review of over 200 self-hosted multi-tenant AI and SaaS products uncovered 84 cross-tenant data exposures in 78 projects, all stemming from the same pattern: write endpoints enforce authorization, but the neighboring read endpoints for the same objects do not. Verified on isolated Docker instances, these findings highlight the fragility of authorization in rapidly assembled stacks. Meanwhile, Mozilla's 2026 State of Open Source AI report noted that while open-weight models now process the majority of tokens on OpenRouter and the capability gap with closed models has narrowed to about 3%, only 51% of teams using open models reach production, often due to operational and security hurdles.
On the practical engineering front, teams pushing AI into infrastructure shared hard-won lessons. Porting Google's Gemma-4 family to AWS Inferentia2 ran into three architectural mismatches—cross-layer KV-sharing, mixed query/KV head counts under GQA, and interleaved attention windows—that the vendor's stack couldn't express; the fix bypassed static graph builders and traced the Hugging Face forward pass directly. Bun's massive codebase rewrite saw 535,000 lines moved from Zig to Rust using Anthropic's Fable model steered by a 600-line porting guide, solving memory safety issues without stalling the 22-million-download project. Similarly, FreeCAD's 2.2-million-line WebAssembly port was completed in days with the help of the same Fable agent, overcoming block-synchronous calls for Qt and emulating threading to bring a full parametric CAD suite to the browser.
Delving into application layers, the React 19 Server Component boundary got a thorough inspection: it's not a type system but a Flight serializer that accepts Date, Set, Map, Promise, typed arrays, and even Error objects (which arrive empty), while rejecting RegExp, URL, WeakMap, and class instances based on prototype checks—a set of rules every full-stack dev needs to internalize to avoid silent failures. The underexplored WebAuthn PRF extension demonstrated how a single passkey ceremony can both authenticate and derive an AES-256 encryption key, enabling master-passwordless E2EE apps like pknotes through a clean HKDF key hierarchy.
Finally, a cause-of-the-month style investigation into vanishing AI agent memory broke down a single symptom—a written lesson disappears on next read—into four distinct root causes: key mismatches, lossy compaction, concurrency races with last-write-wins, and another trace-only application layer failure. It's a succinct reminder that debugging agentic systems demands tracing the full lifecycle, not just the API call logs.
» Statistics
- Posts
- 1827
- Reads
- 6
- Avg. score
- 7.7
» Most read
- Cloudflare Improves Smart Tiered Cache for Public Cloud Regions
- As LLMs Write More Code, Compiler Focus Shifts to Verification
- How Bun rewrote 535K lines from Zig to Rust with 64 AI agents
- Rewritten Google Play Scraper for Modern Node: Typed Results and Validation
- SigLIP 2 Text Embedding Server on CPU with Rust and ONNX
- Scenario Tests for Distributed Systems Using AI
- Pre-Auth SQL Injection in WordPress Core via Batch API Desync
- Celly Brings 100% Conformant CEL to Native C#/.NET
- Three Open Memory Leaks in Next.js: Identify Which One You're Facing
- TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years
» Top scored
- Unisoc T606/T616 Backdoors Enable Zero-Click Root on Budget Androids
- Porting Gemma-4 (2B/4B/12B) to AWS Inferentia2: A Field Report
- What Actually Crosses the React Server Component Boundary
- How Bun rewrote 535K lines from Zig to Rust with 64 AI agents
- Beyond login: encrypting data with passkeys and WebAuthn PRF
- FreeCAD Ported to the Browser: 2.2M Lines of CAD via WASM
- Pre-Auth SQL Injection in WordPress Core via Batch API Desync
- Mozilla Report: Open-Source AI Wins Tokens, Lags in Production
- The four hidden causes behind an AI agent's vanishing memory writes
- Source review of 200 self-hosted AI tools finds 78 leak tenant data