Friday, May 15
An AI Just Found an 18-Year-Old Hole in the Internet's Front Door

A critical RCE vulnerability (CVSS 9.2) has been sitting in NGINX's rewrite module since 2008, and it took an AI to find it. Depthfirst's automated security system onboarded the NGINX source code, clicked go, and surfaced a heap-based buffer overflow affecting every version through 1.30.0 plus NGINX Plus R32–R36. The vulnerable config pattern covers WordPress permalinks, PHP front controllers, and API gateways. Basically the production web. F5 has patched. A proof-of-concept exploit is already live on GitHub. And here's the truly uncomfortable detail: NGINX's celebrated multi-process architecture, where crashed workers respawn with identical heap layouts, gives attackers unlimited retries.
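As an added example (not from the article, F5 or Depthfirst), here is a defender-side check that turns the "unlimited retries" observation into a detection: the nginx master logs each worker crash, so a burst of worker exits on memory-fault signals within a short window is the footprint to alert on. The log line format is nginx's own; the thresholds are assumptions and the sample log is constructed.

```python
import re
from collections import deque
from datetime import datetime

# nginx's master process logs a worker crash as (format from ngx_process_cycle.c):
#   2026/05/15 10:00:01 [alert] 1234#0: worker process 5678 exited on signal 11 (core dumped)
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
MEMORY_FAULT_SIGNALS = {6, 7, 11}  # SIGABRT, SIGBUS, SIGSEGV: typical of heap corruption

def parse_crashes(lines):
    """Yield (timestamp, pid, signal) for each worker crash on a memory-fault signal."""
    for line in lines:
        m = CRASH_RE.match(line)
        if m and int(m.group("sig")) in MEMORY_FAULT_SIGNALS:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            yield ts, int(m.group("pid")), int(m.group("sig"))

def crash_bursts(lines, threshold=3, window_s=60):
    """Return the timestamps at which `threshold` crashes fell within `window_s` seconds.
    One crash may be an ordinary bug; a run of crash-respawn-crash cycles is the
    pattern a retry-until-it-lands overflow attempt leaves in the error log.
    Threshold and window are assumed defaults; tune them to the site's baseline."""
    recent = deque()
    alerts = []
    for ts, _pid, _sig in parse_crashes(lines):
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()  # one alert per burst
    return alerts

# Constructed sample error log (not a real capture): one isolated crash, then a burst.
SAMPLE_LOG = """\
2026/05/15 09:00:00 [alert] 1200#0: worker process 1301 exited on signal 11 (core dumped)
2026/05/15 09:00:00 [notice] 1200#0: start worker process 1305
2026/05/15 09:30:10 [alert] 1200#0: worker process 1305 exited on signal 11 (core dumped)
2026/05/15 09:30:10 [notice] 1200#0: start worker process 1310
2026/05/15 09:30:12 [alert] 1200#0: worker process 1310 exited on signal 11 (core dumped)
2026/05/15 09:30:15 [alert] 1200#0: worker process 1311 exited on signal 6 (core dumped)
2026/05/15 09:30:20 [alert] 1200#0: worker process 1312 exited on signal 11 (core dumped)
2026/05/15 09:31:00 [notice] 1200#0: signal 1 (SIGHUP) received, reconfiguring
""".splitlines()

if __name__ == "__main__":
    for ts in crash_bursts(SAMPLE_LOG):
        print(f"{ts}: repeated worker crashes; review requests hitting rewrite-heavy locations")
```

Pair the alert with a version check against the affected range (open-source through 1.30.0, NGINX Plus R32 to R36) so the first burst on an unpatched host is treated as an incident, not a stability ticket.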
AI Rewrites the Security Playbook on Both Sides
The average critical software vulnerability historically sat undiscovered for about five years. Five years. Patch cycles, disclosure norms, team structures, hiring plans, even the economics of bug bounties. The entire security apparatus evolved around that leisurely pace. AI just hit fast-forward on the whole system.
- AI-assisted vulnerability discovery is compressing that five-year window into days and weeks
- Offensive and defensive capabilities are accelerating together, but the infrastructure between them hasn't caught up
- The old model assumed skilled attackers were scarce. That assumption is evaporating.
- Supply chains remain the softest target, because your dependencies have dependencies, and the attack surface is everyone else's code
What's striking about this moment is the sheer density of it all. The comfortable assumption that you'd have breathing room between incidents didn't age well.
Power Plays and Plot Twists Shaping AI Today
Anthropic is in advanced talks to buy Stainless for $300M+. Stainless builds the SDKs that OpenAI, Google, Meta, Groq, and others depend on daily, with millions of weekly downloads. Separately, Anthropic is targeting a $900B valuation, more than double February's $380B.
The U.S. cleared about ten Chinese firms to buy H200 chips, but Beijing told buyers to pause. Chips must transit U.S. territory first, and China fears tampering. Jensen Huang joined Trump's delegation to Beijing today. Nobody's budging.
Final approval hearing for the largest AI copyright settlement ever. Anthropic reportedly downloaded 7 million book copies; roughly 500,000 titles are in the class. Authors can expect at least $3,000 per title. The precedent here will echo for years.
SpaceX placed a $60 billion buyout option on the AI coding tool, pre-empting Cursor's planned $2B fundraise. Whatever you thought the ceiling was for AI developer tools, multiply by thirty. The valuation conversation just changed permanently.
The two companies are in talks to build orbital data centers for AI compute. Google's Project Suncatcher targets prototype satellites by 2027. SpaceX is pitching space as the cheapest long-term option, ahead of its planned $1.75T IPO later this year. Yes, trillion.
Notion launched a developer platform for building and connecting AI agents across its workspace. Over one million custom agents built since February. Launch partners include Claude Code, Cursor, and Codex. The note-taking app keeps drifting toward something much bigger.
92% of undergrads use AI tools. 59% worry it's eroding their critical thinking. A viral essay argues higher education is producing graduates who can generate outputs without developing genuine understanding. The comments sections are predictably on fire.
Samsung's Android XR smart glasses leaked ahead of the event: Ray-Ban-style frames, $379-$499, codename "Jinju." Treasury Secretary Bessent teased a "step-function jump" in upcoming LLM releases from both Google and OpenAI. Monday could be interesting.
Favorite Featured Stories

Researchers found tens of thousands of exposed OpenClaw agent instances and over a million compromised API tokens. The e...

Your browser introduces itself to every server it contacts. The introduction contains six identity claims. One is accura...

A peer-reviewed study of 3,500 workers found that AI collaboration improved output quality while cutting intrinsic motiv...

MCP and A2A are becoming the communication layer for autonomous software. MCP assumes the thing on the other end is a to...