An autonomous hackbot pulls a CVE out of Adobe Magento overnight

Braid Daily · 2026-05-13


FUZZ-E ran overnight on hand-picked enterprise targets and came back with a CVE in Magento plus two pending Angular zero-days.

A wireframe crawler-bot probing a stack of dark server racks under a thin yellow signal line

The lead


Joseph Thacker pointed FUZZ-E, an autonomous hackbot from AutonomousCyber, at hand-picked, hardened enterprise targets and let it run overnight. By morning it had earned a CVE for a local file inclusion bug in Adobe Magento — patched today through APSB26-49 — plus two pending Angular zero-days. The disclosure went through Adobe's standard advisory pipeline; the discovery didn't.


Agentic security, both directions


FUZZ-E earns a CVE in Adobe Magento overnight

@rez0__

Thacker pointed FUZZ-E at hardened enterprise targets and let it run overnight. It came back with a CVE for a local file inclusion bug in Magento and two pending Angular zero-days. He notes it's "even better with gpt5.5 now" — model upgrades translate directly to bug yield per run.

“With 1 run overnight, it found vulns in wildly hardened projects.”


Adobe security advisory APSB26-49

Adobe Product Security

The primary-source Adobe advisory for the Magento LFI. Anchors the FUZZ-E result to a real vendor patch — the autonomy was at discovery, not at disclosure.


Thacker on the GitHub bug-bounty backlash

@rez0__

The companion read on the same agentic-coding wave. Thacker argues most of GitHub's 325 unpaid bounty submissions aren't valid — AI is producing more noise than signal, while a tuned hackbot pulls real CVEs from Magento overnight.

“It's painfully obvious that it's the second in this case. And also, they probably haven't paid the majority of any valid bugs submitted.”


Agents get a desktop


Computer use in Codex

OpenAI — Roma & Ari Weinstein

Weinstein and Roma walk through Codex driving native Mac apps via the accessibility tree plus screenshots. A separate cursor, no focus-stealing, and per-app permissions on first use — the design point is that you keep working while the agent operates other apps. Roadmap target is 2-5-10x human speed; Windows is coming "very soon."

“Every computer use implementation I've ever seen takes over your entire computer. So you can't use your computer while the agent is using your apps.”


Give your agent a computer — Nico Albanese, Vercel

Vercel

AI SDK 6 ships an object-oriented toolLoopAgent primitive with end-to-end type inference from agent definition to UI message rendering. Vercel's internal observation: handing the agent a file system didn't just add storage, it changed the agent's behavior — it followed through on long tasks and built on its own prior work.

“The big assumption that goes through every single AI SDK API decision is that we want the agent definition to be the source of truth that everything else inherits from.”


Needle — a 26M-parameter tool-calling model distilled from Gemini

LocalLLaMA

A 26-million-parameter open-weights function-calling model distilled from Gemini tool-calling traces, reporting 6,000 tokens per second prefill and 1,200 per second decode on consumer phones. The premise is that tool calling decomposes to retrieve-and-assemble, so the right architecture for that step is small and specialized.


Models, evals, and a pretraining trick


GPT-5.5 high notches the first full solve on ProgramBench

ProgramBench

GPT-5.5 at high reasoning becomes the first model to fully solve a ProgramBench instance — the cmatrix CLI — in 34 API calls; the xhigh variant did it in 40. Claude Opus 4.7 at xhigh used 178 calls and still failed 19 unit tests, 11 of them on strcmp where strcasecmp was needed and 8 on the wrong exit code for an invalid color.


Lighthouse Attention from Nous Research

@omarsar0

Nous wraps ordinary scaled-dot-product attention with a hierarchical, gradient-free selection layer for long-context pretraining — and removes it at deployment, leaving plain vanilla attention behind. It trades training-time compute for inference-time fidelity, a different shape from the usual efficient-attention work.

“What if you could speed up long-context pretraining with a subquadratic wrapper that you remove before deployment?”


Sebastian Raschka on what makes Lighthouse Attention pragmatic

@rasbt

Raschka flags the property that matters for a pretraining team — you don't have to bet a whole training run on the modification. Train with it most of the way, switch back to vanilla attention near the end, and recover full-attention-equivalent quality.

“It is a relatively low-commitment attention modification. One can use it during most of training, switch back to vanilla attention near the end, and recover roughly the same modeling performance as if full attention had [been used throughout].”


Elsewhere


How a 2017 Linux CUBIC patch became a 2026 QUIC bug

Cloudflare

A QUIC test failed 61% of the time because a 2017 kernel patch for CUBIC's idle-handling had been ported into quiche in 2020, but the follow-up fix from a week later was not. After heavy loss, the congestion window pinned at the two-packet floor and never grew back. The fix is three lines; the investigation took weeks of qlog instrumentation.

“The effort to find the bug was massive, but the fix itself was basically one line of logic.”


Isomorphic Labs closes a $2.1B Series B

Isomorphic Labs

Thrive Capital leads; MGX, Temasek, CapitalG, and the UK Sovereign AI Fund join; Alphabet and GV follow on. First major outside funding since the 2021 spinout, earmarked for the IsoDDE drug-design engine and the company's pipeline of drug candidates.


My graduation cap runs Rust

Eric Park

A Purdue senior built a Digispark ATtiny85 plus 48 WS2812B LEDs into a graduation cap, triggered by a reed switch and a magnet as the tassel moves. Firmware in Rust on a forked avr-hal; two hours of coding, three-plus hours of hardware. He isn't going to wear it.

“It looks like what kids would think of as a gaming PC and what boomers would think of as a seizure.”


Nick Cammarata on identity in an AI-doubling world

@nickcammarata

Comic exaggeration on capability-doubling, pointing at a real felt-sense among researchers: identity built on being the smartest person in the room is unstable when capability moves faster than you can.

“Everyone is handling AI doubling every fourteen hours surprisingly well. They mostly just dropped it and work out more.”


Companion episode

Hackbots, Magento, and Three Lines of Logic

Runtime: 00:29:55

Today's split: an overnight hackbot earns a CVE in Magento while GitHub's bounty queue fills with AI-generated noise the program won't pay for. Same wave, opposite quality distributions — the difference sits with the operators, not the models.