« All posts

» Summary

July 2026

July 2026
live

Zero-click backdoor (CVSS 9.8) hits millions of budget Android phones; WordPress SQLi and 78 AI tool data leaks follow

Security dominated the month's headlines, beginning with Operation Silent Rescue, an attack chain that leaves millions of budget Android phones running on Unisoc T606/T616 chipsets—including Motorola Moto G04s, G24, G34, and E24—wide open to zero-click remote compromise. Rated CVSS 9.8, the chain pairs an unpatchable BootROM flaw (CVE-2022-38694) with a modem RCE triggered over rogue LTE signals, requiring no user interaction and gaining deep access through pre-installed system apps.

WordPress administrators were also put on alert after researchers detailed two pre-auth SQL injection vulnerabilities (CVE-2026-63030 and CVE-2026-60137) in the REST batch endpoint. A desynchronization in the parallel arrays tracking sub-request validation and dispatch allows attackers to redirect handlers and inject SQL by nesting batch requests—a reminder that even mature core systems can harbor severe, exploitable logic bugs.

The risk extends to the AI supply chain. A source review of over 200 self-hosted multi-tenant AI and SaaS products uncovered 84 cross-tenant data exposures in 78 projects, all stemming from the same pattern: write endpoints enforce authorization, but the neighboring read endpoints for the same objects do not. Verified on isolated Docker instances, these findings highlight the fragility of authorization in rapidly assembled stacks. Meanwhile, Mozilla's 2026 State of Open Source AI report noted that while open-weight models now process the majority of tokens on OpenRouter and the capability gap with closed models has narrowed to about 3%, only 51% of teams using open models reach production, often due to operational and security hurdles.

On the practical engineering front, teams pushing AI into infrastructure shared hard-won lessons. Porting Google's Gemma-4 family to AWS Inferentia2 ran into three architectural mismatches—cross-layer KV-sharing, mixed query/KV head counts under GQA, and interleaved attention windows—that the vendor's stack couldn't express; the fix bypassed static graph builders and traced the Hugging Face forward pass directly. Bun's massive codebase rewrite saw 535,000 lines moved from Zig to Rust using Anthropic's Fable model steered by a 600-line porting guide, solving memory safety issues without stalling the 22-million-download project. Similarly, FreeCAD's 2.2-million-line WebAssembly port was completed in days with the help of the same Fable agent, overcoming block-synchronous calls for Qt and emulating threading to bring a full parametric CAD suite to the browser.

Delving into application layers, the React 19 Server Component boundary got a thorough inspection: it's not a type system but a Flight serializer that accepts Date, Set, Map, Promise, typed arrays, and even Error objects (which arrive empty), while rejecting RegExp, URL, WeakMap, and class instances based on prototype checks—a set of rules every full-stack dev needs to internalize to avoid silent failures. The underexplored WebAuthn PRF extension demonstrated how a single passkey ceremony can both authenticate and derive an AES-256 encryption key, enabling master-passwordless E2EE apps like pknotes through a clean HKDF key hierarchy.

Finally, a cause-of-the-month style investigation into vanishing AI agent memory broke down a single symptom—a written lesson disappears on next read—into four distinct root causes: key mismatches, lossy compaction, concurrency races with last-write-wins, and another trace-only application layer failure. It's a succinct reminder that debugging agentic systems demands tracing the full lifecycle, not just the API call logs.

» Statistics

Posts
1827
Reads
6
Avg. score
7.7

» Most read

  1. Cloudflare Improves Smart Tiered Cache for Public Cloud Regions37.5
  2. As LLMs Write More Code, Compiler Focus Shifts to Verification27.8
  3. How Bun rewrote 535K lines from Zig to Rust with 64 AI agents19.1
  4. Rewritten Google Play Scraper for Modern Node: Typed Results and Validation07.9
  5. SigLIP 2 Text Embedding Server on CPU with Rust and ONNX07.3
  6. Scenario Tests for Distributed Systems Using AI07.0
  7. Pre-Auth SQL Injection in WordPress Core via Batch API Desync09.0
  8. Celly Brings 100% Conformant CEL to Native C#/.NET08.3
  9. Three Open Memory Leaks in Next.js: Identify Which One You're Facing07.9
  10. TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years08.3

» Top scored

  1. Unisoc T606/T616 Backdoors Enable Zero-Click Root on Budget Androids09.6
  2. Porting Gemma-4 (2B/4B/12B) to AWS Inferentia2: A Field Report09.3
  3. What Actually Crosses the React Server Component Boundary09.3
  4. How Bun rewrote 535K lines from Zig to Rust with 64 AI agents19.1
  5. Beyond login: encrypting data with passkeys and WebAuthn PRF09.1
  6. FreeCAD Ported to the Browser: 2.2M Lines of CAD via WASM09.1
  7. Pre-Auth SQL Injection in WordPress Core via Batch API Desync09.0
  8. Mozilla Report: Open-Source AI Wins Tokens, Lags in Production09.0
  9. The four hidden causes behind an AI agent's vanishing memory writes09.0
  10. Source review of 200 self-hosted AI tools finds 78 leak tenant data09.0

» Sources

Dev.to1173Hacker News — Front Page106Hashnode #895Hashnode #952Hashnode #1536Artificial Intelligence Reddit32Hashnode #1026Hashnode #1319Hashnode #1717Hashnode #1215Hashnode #1614Backend Development Reddit13Sentry Blog13Frontend Development Reddit12Hashnode #112Hashnode #1412Hashnode #1111Hashnode #311Hashnode #1811Programming Languages Reddit11Database Reddit9Cyber Security Reddit8İşletim Sistemi Reddit8Hashnode #207Netflix TechBlog7Airbnb Tech Blog6Cloudflare Blog6Github Engineering6Hashnode #26The Go Blog6AWS Architecture Blog6Hashnode #76Hashnode #55Martin Fowler5The Rust Programming Language Blog4ByteByteGo Newsletter4Slack Engineering4Trendyol Tech3Hashnode #43Pragmatic Engineer3Insider Engineering2Hashnode #192Midas Engineering1Hepsiburada Tech1Hashnode #61Continuous Delivery1Onat Mercan's Blog1Stripe Engineering1Sahibinden Technology1