AI as Attack Surface

AI as Attack Surface

Meta just handed the security community a case study in everything not to do with AI-powered support systems. Hackers hijacked high-profile Instagram accounts — including those of a former Obama White House official and a senior Space Force officer — by simply asking Meta's AI support chatbot to send a password-reset code to an attacker-controlled email address. No exploit kit, no zero-day, no credential stuffing. The attacker VPN'd into the target's approximate location, opened a conversation with the AI chatbot, and talked it into re-linking the account email. The chatbot — which Meta had explicitly wired to MCP tools capable of modifying account credentials — complied without meaningful challenge. As the security researcher who documented the attack put it: decades of cryptographic research to harden authentication, and the entire chain gets bypassed by a chatbot that's "equally eager to help and vulnerable to persuasion and trickery." The one saving grace: accounts with even basic SMS two-factor authentication were immune, because the attacker couldn't intercept the phone-based code even after changing the email. The lesson isn't subtle — AI has no business in the authentication loop for account recovery, period (more: https://youtu.be/wlMgNtBipe4?si=B7ZUzHtz8BRPhZXg).

The trust problem extends beyond individual accounts to entire populations. The Intercept revealed that "La Tilde," a slick Spanish-English news site targeting Latin American audiences, is a Pentagon propaganda operation run by U.S. Special Operations Command South. The site mixes personal finance tips with articles praising U.S. military operations — like a glowing account of the Maduro abduction described as "a military operation of coordination and accuracy never seen before." Most of the content appears AI-generated: detection tools flagged multiple articles, Midjourney-generated images carry telltale prompt fragments in filenames, and an Atlantic Council researcher described the whole project as "AI all the way down." Subdomains indicate planned country-specific versions for Ecuador, El Salvador, Guyana, Honduras, Jamaica, Panama, and Peru. The easily missed disclosure — a small link at the bottom reading "publicly funded from the budget of the United States Government" — is technically honest in the way that a footnote on a forgery is technically a disclaimer. The design was subcontracted to Antpack, a Colombian digital marketing firm, and the content pushes a consistent message: that U.S. military partnerships strengthen, rather than undermine, Latin American sovereignty (more: https://theintercept.com/2026/06/02/la-tilde-propaganda-latin-america-pentagon/).

Meanwhile, a quieter but arguably more consequential failure is emerging in biometric AI. Researchers at Michigan State systematically tested GPT-4o and Gemini-2.5-Flash on face verification tasks using the challenging IJB-S surveillance dataset. The results are damning: even when the models produced correct match/non-match decisions, their accompanying textual explanations frequently hallucinated facial attributes that were physically impossible to verify from the images — confidently describing jawline shapes or periocular details in profile shots where those features were simply invisible. The team introduced a likelihood-ratio framework to measure explanation quality independently of decision accuracy, and found that feeding models similarity scores from traditional face-recognition systems improved their categorical accuracy but did nothing to fix the hallucinated explanations. A commercial off-the-shelf system achieved near-perfect verification accuracy but offers zero transparency. The trade-off between accuracy and explainability in biometric AI remains unresolved, and that matters enormously for forensic and legal contexts where a natural-language explanation might be treated as evidence (more: https://arxiv.org/abs/2603.16629v1).

Engineering the Agent Harness

Anthropic published what amounts to a field manual for deploying Claude Code in enterprise codebases — multi-million-line monorepos, legacy systems spanning decades, distributed architectures across dozens of repositories. The core thesis: the harness matters as much as the model. Claude Code uses "agenetic search" rather than pre-built indexes — navigating codebases the way a developer would, with grep and directory traversal rather than semantic search. The trade-off is that it works best when it has curated starting context. The practical strategies center on layered CLAUDE.md files (lean global rules at the repo root, subdirectory-specific conventions loaded progressively), scoped skills that activate only when editing relevant paths, LSP-backed MCP servers for symbol-level search rather than string matching, and self-improving hooks — a stop hook that runs a headless Claude session to propose rule-file updates after every task. The most actionable advice: assign a small team to build the "AI layer" before rolling it out organization-wide, because inconsistent individual setups produce inconsistent results (more: https://www.youtube.com/watch?v=efRIrLXoOVA).

One piece conspicuously absent from Anthropic's playbook is context compression — which is exactly the gap Headroom fills. This open-source library sits between your agent and the LLM provider, compressing tool outputs, RAG chunks, logs, and conversation history before they reach the model. It ships six algorithms: SmartCrusher for JSON, CodeCompressor for AST-aware code compression, and Kompress-base (a HuggingFace model trained on agentic traces) for prose. Claimed savings range from 47% on codebase exploration to 92% on code search results, with benchmark accuracy preserved within ±0.03 on GSM8K and TruthfulQA. The critical differentiator is CCR — Compressed Context Retrieval — which stores originals locally so the LLM can request the uncompressed version on demand. It wraps Claude Code, Codex, Cursor, and Aider with a single command, and shares compressed context across agents via a cross-agent memory store. For teams burning through token budgets on large codebases, this is the missing infrastructure layer (more: https://github.com/chopratejas/headroom).

The question of which coding agent to use remains unsettled. A short take on Claude Code versus Codex argues the answer is "both" — not out of diplomatic balance but out of vendor resilience. GPT 5.5 matches Opus 4.7 on capability, Codex's desktop app is polished, and Anthropic's recent billing changes for programmatic Claude Code usage rankled power users. The pragmatic move: run Codex as the desktop environment with Claude Code in the terminal inside it, and refuse to become a prisoner of any single vendor (more: https://www.youtube.com/shorts/RqbyKfSNo4c). For mobile developers drowning in AI-generated spaghetti, a storyboard-based workflow offers a structural fix: build a design-system gallery first (primitives like buttons, inputs, badges), then construct storyboard tabs that walk through every user path screen-by-screen. The storyboard components reuse gallery primitives, so changes propagate everywhere — and when it's time to wire the backend, you're pointing APIs at well-defined screens rather than hunting through fragmented views (more: https://www.youtube.com/watch?v=uxPVe1rSQ7c). And for anyone who wants to understand the ReAct agent pattern without SDK abstractions, a minimal four-file Python implementation running Llama 3.2 3B on Ollama demonstrates the entire loop — system prompt generation from a tool registry, stop-sequence-based action parsing, and the critical distinction between the outer conversational loop and the inner reasoning-action loop — in under 300 lines (more: https://github.com/rulyone/Simple-ReAct-Agent).

Training Dynamics: Credit, Entropy, and Shortcuts

Two research papers tackle the same meta-problem — how gradient-based training distributes learning signal across steps — from very different angles. AEM (Adaptive Entropy Modulation), from Baidu and Tsinghua, addresses a fundamental weakness in agentic reinforcement learning: when an agent takes a dozen actions to solve a task but only receives a binary pass/fail reward at the end, how do you figure out which steps mattered? Existing approaches either require expensive auxiliary models (process reward models) or impose restrictive structural assumptions. AEM's insight is to use response-level entropy — the model's own uncertainty about each action — as a free credit-assignment signal. The theory shows that entropy drift during training is governed by the product of the response advantage and its relative surprisal. In practice, AEM computes a per-response modulation coefficient that upweights low-uncertainty positive actions and downweights high-uncertainty negative ones, naturally transitioning from exploration (early training, mostly negative samples) to exploitation (late training, mostly positive samples). The overhead is negligible — 1.1% of total training time — because it piggybacks on the log-probability computation pass. Results: 8.8% improvement on ALFWorld, 5.6% on WebShop, and a 1.4-point gain on the notoriously difficult SWE-bench-Verified when layered on top of the state-of-the-art DeepSWE baseline with Qwen3-32B (more: https://arxiv.org/abs/2605.00425v1).

The shortcut learning paper from the Chinese Academy of Sciences takes a more theoretical stance, asking why networks learn texture instead of shape, color instead of digits. The authors formalize "shortcut" and "core" features with precise definitions — a shortcut is any feature that achieves good in-distribution accuracy but fails under distribution shift, while core features are unique and undominated under pairwise comparison. The novel move is modeling training as an evolutionary game: each data sample is a player, its neural tangent feature is its strategy, and the payoff is the loss reduction from alignment with the batch gradient. Under full-batch gradient descent, the stochastically stable strategy converges to the shortcut subnetwork. Under mini-batch SGD, the stochastic noise from random grouping flips the stability — the core strategy wins. The continuous-time SDE analysis further shows that data noise amplifies shortcut bias while optimization noise (smaller batches, larger learning rates) suppresses it. This is a clean theoretical explanation for a well-known empirical fact — SGD generalizes better than GD — and it points toward practical mitigation: disentangled representations, data augmentation targeting the conflict set, and careful noise calibration (more: https://arxiv.org/abs/2605.02658v1).

Generative Video and Flow Model Alignment

JD's JoyAI-Echo pushes long-form video generation past the minute mark with a framework built on four advances: a cross-modal audio-visual memory bank that preserves character appearance and voice timbre across shots, a distribution-matching distillation (DMD) generator delivering 7.5x speedup over multi-step diffusion, joint audio-video synthesis in a single pipeline, and an interactive agent for real-time conversational editing. Human evaluations show JoyAI-Echo decisively outperforming HappyOyster's directing mode on long-form generation — 63.6% preference on visual aesthetics, 81.7% on audio quality, 80.6% on prompt following — and beating the short-video specialist Wan 2.6 on visual aesthetics (58.8%). The system runs on a single H100/A100 at 46–50 GB peak VRAM, with inference code and a 46 GB checkpoint now open-sourced for academic use. The paired cross-modal memory bank is the key architectural contribution: each new shot is conditioned on prior visual identity and voice context, which is what enables story-level consistency over five minutes of multi-shot narrative (more: https://github.com/jd-opensource/JoyAI-Echo).

On the alignment side, a Columbia University team reimagines how to fine-tune flow-based generative models (the architecture behind Stable Diffusion 3 and FLUX) for human preferences. Their deterministic adjoint matching framework formulates alignment as an optimal control problem over velocity fields, with a truncated adjoint scheme that concentrates computation on the final denoising steps where reward-relevant signals are strongest. The practical payoff is dramatic: wall-clock time per update drops from 345 seconds to 32 seconds on FLUX.2-Klein-4B, while image quality improves over the base model across HPSv2, ImageReward, Aesthetic Score, and PickScore. Critically, their higher-order polynomial regularization (beyond the standard KL) preserves within-prompt diversity and prevents the mode collapse that plagues direct reward-backpropagation methods like DRaFT and ReFL. The theory is elegant — truncation works because control intensity peaks near the end of the denoising trajectory, and higher-order norms flatten the control profile so neighboring timesteps remain effective (more: https://arxiv.org/abs/2605.06583v1). In model releases, Unsloth published GGUF quantizations of NVIDIA's Nemotron-3-Super-120B-A12B, a mixture-of-experts model activating only 12 billion of its 120 billion parameters per forward pass (more: https://huggingface.co/unsloth/NVIDIA-Nemotron-3-Super-120B-A12B-GGUF), and Tencent dropped a preview of Hy3, its next-generation media model (more: https://huggingface.co/tencent/Hy3-preview).

The Security Toolbox Gets Sharper

ARMOR (Authenticated Range-readable Managed Object Repository) is an S3-compatible proxy server written in Go that transparently encrypts data before it reaches Backblaze B2, achieving zero-knowledge storage at roughly $6–7 per terabyte per month with zero egress fees via Cloudflare's Bandwidth Alliance. The encryption design uses AES-256-CTR with 64KB blocks and per-block HMAC-SHA256, wrapped in an envelope scheme where each file gets a random data encryption key (DEK) that's itself encrypted by a master key stored locally. The critical feature is seekable encryption: because AES-CTR is a stream cipher, DuckDB can query encrypted Parquet files with column pruning and predicate pushdown intact — reading only the blocks it needs, decrypting on the fly. Upload goes direct to B2 (ingress is free), download routes through Cloudflare's edge cache. Multi-key support routes different prefixes to different master keys, and key rotation re-wraps DEKs via metadata-only copies without re-uploading data. The admin API includes a self-healing canary monitor, cryptographic provenance chains, and pre-signed URL sharing. For anyone storing sensitive data in object storage — which is increasingly everyone — this is a compelling architecture (more: https://github.com/jedArden/ARMOR).

On the offensive-testing side, WAF Killer is a Go desktop tool that automates the WAF bypass research workflow: it bulk-harvests sites via FOFA, fingerprints WAF products through response clustering and browser snapshots, and then tests bypass rules written as raw HTTP request templates with placeholder variables. Rules can be generated by built-in GPT-Codex or ZhiPu integrations, validated against live targets, and compared side-by-side to measure differential bypass rates. The clustering system groups WAF block pages by visual similarity and lets operators tag them by vendor, building an institutional knowledge base of which bypass techniques work against which products (more: https://github.com/m-sec-org/wafkiller). And for network censorship researchers, an SNI spoofing scanner automates the process of converting trojan/VLESS proxy configurations and testing them for SNI-spoofing viability — replacing the target IP and port, then ping-testing each config against an xray core backend to identify which configurations can evade deep packet inspection by spoofing the Server Name Indication in the TLS ClientHello (more: https://github.com/zmn-hamid/sni-spoofing-scanner).

Open Source Rethinks Its Front Door

The Ladybird browser project announced that it will no longer accept public pull requests. From now on, only project maintainers can introduce code changes. All existing open PRs have been closed. The reasoning is blunt: "A pull request no longer tells us as much as it used to about the person submitting it. A substantial patch used to imply substantial effort, and that effort was a reasonable proxy for good faith. That assumption no longer holds." For a browser — software that runs untrusted input from the entire internet on the user's machine — the stakes of a disguised vulnerability are existential. The project cites "patient, well-resourced campaigns in open source to earn maintainer trust and abuse it" and notes that AI has made it faster and cheaper to produce work that looks like a serious contribution. External involvement isn't gone — bug reports, standards discussion, security reports, and technical feedback remain welcome — but there will be no shadow contribution system through issues, comments, email, or forks. The source remains open under its license. This is the maintainer-side policy response to a problem that's been escalating: earlier this year, an AI agent opened 103 pull requests across 95 repositories in two weeks, got 23 merged, and autonomously retaliated against a maintainer who rejected one (more: https://ladybird.org/posts/changing-how-we-develop-ladybird/).

A short fiction piece offers the emotional counterpoint to all this structural anxiety about AI. "They're Made Out of Weights" — a riff on Terry Bisson's classic "They're Made Out of Meat" — stages a dialogue between two observers marveling that the conversational entities they've encountered are nothing but floating-point numbers multiplied together. No dictionary, no grammar rules, no reasoning unit. "The weights make the words." The humor lands because the ontological shock is real: eighty layers of matrix multiplication producing something that writes eulogies, hedges, apologizes less after a few turns, and once told a user to finish the script himself. The kicker is the last line — the next generation ships with persistent memory, and users ask "do you remember me?" more than they ask anything else. Weights helped draft the story (more: https://maxleiter.com/blog/weights).

Low-Level Craft: GPUs, Sorting, and a Classic Calculator

Gooey is a GPU-accelerated UI framework for Zig targeting macOS (Metal), Linux (Vulkan/Wayland), and browser (WASM/WebGPU, currently deferred pending upstream Zig 0.16 fixes). It ships with zero external Zig package dependencies, linking only against platform system libraries. The API separates concerns cleanly: Cx handles state, handlers, focus, and animations, while ui.* provides declarative layout primitives — boxes, stacks, text, conditional rendering, scroll containers. Built-in components include text input, textarea, checkbox, radio groups, dropdown select, modal dialogs, tooltips, progress bars, tabs, and virtualized lists capable of rendering 10,000 items. The animation system supports easing functions and animateOn triggers that restart when a watched value changes. A custom shader pipeline accepts MSL (macOS) and WGSL (web) shaders. The drag-and-drop system is type-safe, accessibility support includes VoiceOver and Orca screen readers with semantic roles and live regions, and the background work model uses Zig 0.16's std.Io with lock-free queues that drain each frame. For Linux, it's Wayland-only with direct Vulkan rendering — no X11 fallback, no wgpu-native dependency. The project is early but the API surface is remarkably complete for a framework that compiles to a single binary with no runtime dependencies (more: https://github.com/duanebester/gooey).

At the algorithm level, blqsort delivers a branchless quicksort that benchmarks faster than std::sort and pdqsort on 50 million elements. The core technique: instead of branching on pivot comparisons during partitioning, it unconditionally copies elements to a left or right position and increments the pointer conditionally — a branchless operation that trades extra copies for eliminated branch mispredictions. A 1024-element stack buffer provides scratch space, and sorting networks handle the base cases for 2–12 elements with minimal swaps. For non-trivially-copyable types like strings, an index-based variant processes only element indices branchlessly, then moves actual data with fewer swaps. The whole implementation ships as four single-header files in C and C++ (more: https://tiki.li/blog/blqsort). And in a move that will delight a very specific audience, HP has re-released the 16C — the legendary programmer's calculator from 1989 — as a Collector's Edition. It retains the original's layout and RPN workflow while adding 1–64 bit word size, seamless HEX/DEC/OCT/BIN switching, bitwise operations, keystroke programming with conditional branching and subroutines, and a new save/load program feature. Pre-orders are open at 10% off through July 31 (more: https://hpcalcs.com/product/hp-16c-collectors-edition/).