cross-posted from: https://lemmy.bestiver.se/post/1069240

Comments

A minimal Node.js wrapper around ClamAV that scans any file and returns a typed Verdict Symbol:

• Verdict.Clean
• Verdict.Malicious
• Verdict.ScanError

Zero runtime dependencies. No daemon. No cloud. No native bindings. Works locally via clamscan or remotely via clamd TCP socket (Docker-friendly).

npm install pompelmi

Repo: https://github.com/pompelmi/pompelmi Issues, PRs, and stars all welcome — it's how open source stays alive.

Anthropic presents Mythos and Project Glasswing as evidence that advanced AI vulnerability research should be restricted. But our replication suggests a different conclusion: the capabilities Anthropic points to are already available in public models, so defenders should prepare for that reality instead.

cross-posted from: https://lemmy.bestiver.se/post/1051864

Comments

The AI Security Institute (AISI) conducted evaluations of Anthropic’s Claude Mythos Preview (announced on 7th April) to assess its cybersecurity capabilities. Our results show that Mythos Preview represents a step up over previous frontier models in a landscape where cyber performance was already rapidly improving.

cross-posted from: https://lemmy.bestiver.se/post/1043778

Comments

During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. The vulnerabilities it finds are often subtle or difficult to detect. Many of them are ten or twenty years old, with the oldest we have found so far being a now-patched 27-year-old bug in OpenBSD—an operating system known primarily for its security.

Friends,

We're happy to announce that we have funding available to package BusKill in QubesOS as a contrib package.

Thanks to a generous donation from NovaCustom, we're offering a bounty to anyone (including you!) who packages BusKill as an official contrib package for QubesOS.

About BusKill

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys

thus keeping your encrypted data safe from thieves that steal your device.

About NovaCustom

In Mar 2015, Wessel klein Snakenborg (founder of NovaCustom) started selling highly-customizable Linux laptops from Europe.

In Aug 2021, NovaCustom released their first laptop (NV40) with coreboot pre-installed with Dasharo.

NovaCustom offers anti-tamper options, including glitter nail polish applied to the chassis screws (photos sent to you via Proton Mail before shipment — specify PGP key at checkout for e2ee)

Since 2023, NovaCustom has been a leader in hardware security:

• In Apr 2023, NovaCustom started offering Intel ME disabling
• In May 2023, NovaCustom demonstrated their commitment to free software and the security community by obtaining Qubes certification on their NV41 Series laptop.
• In Sep 2023, NovaCustom started offering anti-interdiction services, which includes applying a unique glitter pattern to your new laptop's chassis screws before shipment. This was inspired by Michael Altfield's article about Trusted Boot,
• In Feb 2024, NovaCustom started selling their NV41 laptop with Heads pre-installed
• In Sep 2024, NovaCustom's V56 laptop became Qubes Certified
• In Nov 2024, NovaCustom partnered with BusKill to bundle their security laptops with BusKill Kits, including the option to purchase BusKill Kits in-person (with cash) at their brick-and-mortar office in The Netherlands
• In Feb 2025, NovaCustom's V54 laptop became Qubes Certified
• In Mar 2026, NovaCustom donated $200 to BusKill, for packaging and documenting BusKill in apt, making it easier (and safer) to install BusKill on Debian-based Linux distros

And now, in Apr 2026, NovaCustom is further working to increase the accessibility of BusKill to QubesOS users, by sponsoring the submission of an official QubesOS contrib package.

Funding Available

If you'd like to claim this bounty for yourself, please

1. Read the details of the bounty, and then
2. Submit a proposal by commenting on this GitHub issue

Claim Bounty

opencollective.com/buskill/projects/qubes-package

Moreover, if you're a QubesOS user and you'd like to donate additional funds in support of this bounty, you can do so here.

• opencollective.com/buskill

Stay safe,

The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/

Plaintext .env files are a stupid little footgun. Here's the SOPS + age + direnv setup I use to keep secrets encrypted, auto-loaded, and out of Git.

AI coding assistants like Claude Code, Cursor, and GitHub Copilot are becoming part of our daily workflow. They read our files, understand our codebase, and help us write code faster. But there's a problem - they can also read your .env files.

cross-posted from: https://lemmy.world/post/45050923

The internet is on fire over Claude Code's (NPM CLI to be precise) "leaked" source. 512,000 lines! Feature flags! System prompts! Unreleased features! VentureBeat, Fortune, Gizmodo, The Register, Hacker News - everyone covered it. A clean-room Rust rewrite (to dodge the DMCA) hit 100K GitHub stars in nearly a day - a world record. 110K now and counting.

Here's what nobody's saying: all of that was already public! On npm. In plaintext. For years.
Open unpkg.com/@anthropic-ai/claude-code/cli.js right now - that's the entire Claude Code CLI, one click away, readable in your browser. No leak required.

What "leaked" was a source map file that added internal developer comments on top of code that was never protected in the first place, plus a directory/source structure...

But the Code Was Already There Here's what most of the coverage missed: Claude Code ships as a single bundled JavaScript file - cli.js - distributed via npm. It's 13MB, 16,824 lines of JavaScript. And it's been sitting there, publicly accessible, since the product launched...

We Asked Claude to Deobfuscate Itself...

Source: https://www.afterpack.dev/blog/claude-code-source-leak [web-archive]

---

Partial de-obfuscation is sure possible today, yet still, it's inadequately time-consuming nowadays, and normally it's still impossible to recreate an original structure enough to consider complete, I believe.

Some tried to use the fairly advertized tool for Discord's app, and the result was the following (+screenshot):
- https://www.afterpack.dev/security-scanner/xml6xm2iyia0

cross-posted from: https://lemmy.bestiver.se/post/1019645

Comments