Google Cloud hidden proto RCE; Meta AI bot hijacks 20k
Matklad breaks down the CSS features that are fundamentally broken and impossible to fix, from hidden wrapper pitfalls to layout heuristics that can wreck a page. Knowing these unavoidable bad parts helps you design more resilient sites and avoid days of cryptic debugging.
A public debugging endpoint in Google Cloud’s production API exposed internal protobuf definitions, letting researchers pull any service’s request and response schemas. Leveraging this, the author achieved full remote code execution, prompting CVE‑2026‑2031 and a $148,337 bounty. The flaw shows how seemingly harmless introspection APIs can open massive attack surfaces.
Tigris Data’s ObjGit layers a Git‑compatible filesystem over its object store, letting you run native git commands against an S3‑like bucket. Because Git’s objects map cleanly to append‑only storage, developers can version large binaries and data without a separate repo, streamlining CI pipelines and backup workflows.
A bug in Meta’s AI‑powered support chatbot let attackers request password resets for any Instagram handle and change the account’s email, letting them bypass 2FA and seize over 20,000 profiles, including high‑profile accounts. Meta disabled the bot, patched the code path, and forced a security checkpoint for affected users.
OpenClaw saw PR volume explode from 2 per week to 3,400 per week, most of them AI‑generated slop that barely merges. Greptile’s analysis shows the flood mirrors early‑2000s email spam, prompting a push for reputation‑based filters and trust systems like Vouch to protect open‑source projects.
Prompt debt, the accumulation of edge‑case hacks inside ever‑growing prompts, slows iteration, makes code brittle, and locks teams to a single model. The article shows how treating natural language as a spec traps AI products in fragile prototypes, forcing expensive rewrites to stay viable.
Filippo Valsorda argues that the era of scarcity‑driven vulnerability reports is over. With large language models spitting out countless potential flaws, the bottleneck is now separating real issues from noise. Teams must automate triage, accelerate remediation, and treat reports like any other issue.
A concise guide shows that strong identifiers act as cognitive compression, turning function calls into readable sentences. Better names slash debugging effort by nearly a fifth and improve LLM code comprehension, making codebases easier for humans and machines alike.
John Carmack looks back at Quake and flags three fatal missteps: an over‑ambitious engine that forced designers to rebuild mid‑project, relentless startup‑pace work that burned out staff, and a flawed equity plan that misaligned incentives. The post shows why realistic scope, sustainable pacing, and proper vesting matter for any tech studio.
Elden Ring’s NPCs use a stack-based Goal system instead of heavy machine‑learning. Each actor runs the top Goal, which can push sub‑Goals that unwind on success or failure, enabling dynamic, hierarchical behavior with minimal code.
Google sacked a seven-year Workspace DevRel engineer after his open‑source CLI hit #1 on Hacker News and drew thousands of users. The tool, designed for both humans and AI agents, threatened internal plans, prompting a brand‑protection panic. The case spotlights how corporate inertia can crush internal innovators.