| Twitter (former) | https://x.com/josephzengx |
| Github (For Verification) | https://josz5930.github.io/ |
CVE-2025-24091 - sending Darwin notifications to DoS iPhone
POC: Widget extension VeryEvilNotify š
Blog Post:
https://rambo.codes/posts/2025-04-24-how-a-single-line-of-code-could-brick-your-iphone
The writer exposed a critical vulnerability in Hugging Faceās smolagentsāa lightweight AI agent framework. By leveraging prompt injection to bypass āsafeā module restrictions, attackers can execute arbitrary OS commands, highlighting mounting security risks for autonomous AI systems. - o3-mini summary
This write-up reveals how attackers exploited Go's module proxy caching to maintain persistent malicious code distributionāeven after repository updates. This sophisticated attack remained undetected for years, highlighting a serious supply chain vulnerability.
Takeaways:
ā¢ Proxy caching features can be weaponized
ā¢ Traditional security measures may miss these attacks
ā¢ Urgent need for enhanced package verification
š” Action Items for Dev Teams:
https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
Microsoftās AI red team has tested over 100 generative AI products and uncovered three essential lessons. First, red teaming is the starting point for identifying both security vulnerabilities and potential harms as part of responsible AI risk management. This includes spotting bias, data leakage, or other unintended consequences early in product development Second, human expertise is indispensable for addressing complex AI threats While automated tools can detect issues, they canāt fully capture the nuanced misuse scenarios and policy gaps that experts can identify Third, a defense-in-depth strategy is crucial for safeguarding AI systems Continuous testing, multiple security layers, and adaptive defenses collectively help mitigate risks, as no single measure can eliminate vulnerabilities in ever-evolving models. By combining proactive stress testing, expert analysis, and layered protections, organizations can better navigate the opportunities and challenges presented by generative AI. - LLM Summary
A Cloud Guru terminates "lifetime" course access for reasons of "plan being retired".
Neural Fictitious Self-Play (NFSP) for Imperfect-Information Games
Reinforcement learning "improviser" and supervised learning "planner"
Blog post and explanation: https://ai.gopubby.com/neural-fictitious-self-play-nfsp-for-imperfect-information-games-0a8189770240
Research paper (not recent):
https://arxiv.org/abs/1603.01121v2
Series on "Beyond XSS" including topics such as Cross-site leaks and CSTI
https://aszx87410.github.io/beyond-xss/en/
Very appropriately, it was built using docusaurus, a static site generator 
As a software engineer, you must be familiar with information security. In your work projects, you may have gone through security audits, including static code scanning, vulnerability scanning, or penetration testing. You may have even done more comprehensive red team exercises. Apart from that, you may have heard of OWASP and have a general idea of what OWASP Top 10 includes and what common security vulnerabilities exist.
