Agregátor RSS

Na všech herních platformách je každou chvíli nějaká slevová akce. Každý týden proto vybíráme ty nejatraktivnější, které by vám neměly uniknout. Pokud chcete získat hry zdarma nebo s výhodnou slevou, podívejte se na aktuální přehled akcí!

Cloudflare is giving AI agents full autonomy to spin up new apps.

Starting today, agents working on behalf of humans can create a Cloudflare account, begin a paid subscription, register a domain, and then receive an API token to let them immediately deploy code.

To kick things off, human users must first accept the cloud company’s terms of service. From there, though, their role in the loop is optional; they don’t have to return to the dashboard, copy and paste API tokens, or enter credit card details. The AI agent just does its thing behind the scenes and has everything it needs to deploy “in one shot,” according to Cloudflare.

While this could be a boon to developers and product builders, it also signals a larger, concerning trend of over-trust in autonomous tools, to the detriment of governance and security.

For example, noted David Shipley of Beauceron Security, cyber criminals are being forced to constantly set up new infrastructure as security firms and law enforcement fight back to block online attacks and scams. “Making it even faster to build new infrastructure and deploy it quickly is a huge win for them,” he said.

Giving agents the OAuth keys

Cloudflare co-designed the new protocol in partnership with Stripe, building upon the Cloudflare Code Mode MCP server and Agent Skills. Any platform with signed-in users can integrate it with “zero friction” for the user, Cloudflare product managers Sid Chatterjee and Brendan Irvine-Broque wrote in a blog post.

The new protocol is part of Stripe Projects (still in beta), which allows humans and their agents to provision multiple services, including AgentMail, Supabase, Hugging Face, Twilio, and a couple of dozen others, generate and store credentials, and manage usage and billing from their command line interface (CLI). An agent is given an initial $100 to spend per month, per provider.

Users need only install the Stripe CLI with the Stripe Projects plugin, login to Stripe, start a new project, prompt an agent to build something new, and deploy it to a new domain. If their Stripe login email is associated with a Cloudflare account, an OAuth flow will kick off; otherwise Cloudflare will automatically create an account for the user and their agent.

From there, the autonomous agent will build and deploy a site to a new Cloudflare account, then use the Stripe Projects CLI to register the domain. Once deployed, the app will run on the newly-registered domain.

Along the way, the agent will prompt for input and approval “when necessary,” for instance, when there’s no linked payment method. As Cloudflare notes, the agent goes from “literal zero” to full deployment.

To build momentum, the company is offering $100,000 in Cloudflare credits to startups that make use of the new capability via Stripe Atlas, which helps companies incorporate in Delaware, set up banking, and engage in fundraising.

How the agent takes action

Agents interact with Stripe and Cloudflare in three steps: discovery (the agent calls a command to query the catalog of available services); authorization (the platform validates identity and issues credentials); and payment (the platform provides a payment token that providers use to bill humans when their agents start subscriptions and make purchases).

Cloudflare emphasizes that this process builds on standards like OAuth, the OpenID Connect (OIDC) identity layer, and payment tokenization, but removes steps that would otherwise require human intervention.

During the discovery phase, agents call the Stripe Projects catalog command, then choose among available services based on human commands and preferences. However, “the user needs no prior knowledge of what services are offered by which providers, and does not need to provide any input,” Chatterjee and Irvine-Broque explained.

From there, Stripe acts as the identity provider, and credentials are securely stored and available for agents that need to make authenticated requests to Cloudflare. Stripe sets a default $100 monthly maximum that an agent can spend on any one provider. Humans can raise this limit and set up budget alerts as required.

The platform, said Cloudflare, acts as the orchestrator for signed-in users. Agents make one API call to provision a domain, storage bucket, and sandbox, then receive an authorization token.

The company argued that the new protocol standardizes what are typically “one off or bespoke” cross-product integrations. It uses OAuth, and extends further into payments and account creation in a way that “treats agents as a first-class concern.”

Concerns around security, operations

The trend of people buying products “wherever they are” will become ever more widespread, noted Shashi Bellamkonda, a principal research director at Info-Tech Research Group.

For instance, Uber has announced an Expedia integration for hotel bookings that will make it an ‘everything app.’ Other vendors are similarly expanding their partner ecosystems, because obtaining customers via other established platforms as well as their own is more cost-efficient, and “generally results in a higher lifetime value,” said Bellamkonda.

“This is Cloudflare turning every partner with signed-in users into a sales channel, and that is how you grow revenue in a developer market,” he said.

Beauceron’s Shipley agreed that Cloudflare is the “big winner” here. “Making it faster for anyone to buy your service and get using it is technology platform Nirvana.”

It’s “super cool, bleeding edge” and in theory, for legitimate developers becomes part of the even more automated build process, he said; “Vibe coders will rejoice.” But, he noted, so will cyber crooks.

Further, Bellamkonda pointed out, from an operational perspective, this could create added complexity for each vendor’s partner network when it comes to transaction execution and accountability. If issues related to provisioning or billing transactions arise, businesses must have a clearly defined process for resolving them with all parties.

“This will require considerable upfront thought on developing these comparatively new business models,” Bellamkonda said.

This article originally appeared on InfoWorld.

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package. The newly compromised packages as of Thursday include [email protected] (according to Google-owned Wiz) and [email protected] (says supply-chain security firm Socket) and [email protected] and 2.6.3. Attackers infected all versions with the same credential-stealing malware that, on Wednesday, poisoned multiple npm packages associated with SAP's JavaScript and cloud application development ecosystem. The SAP-related compromise is a Shai-Hulud-worm style campaign that calls itself Mini Shai-Hulud. So far, these SAP-related npm packages include: [email protected] @cap-js/[email protected] @cap-js/[email protected] @cap-js/[email protected] Collectively, these four packages receive about 572,000 weekly downloads and are widely used by developers building cloud applications. SAP did not answer The Register's questions about the compromise and instead sent us this statement: "A security note is published and available for SAP customers and partners." The note is only accessible to logged-in customers. These latest offensives are called "Mini Shai-Hulud worm” attacks because of similarities to the earlier self-propagating Shai-Hulud malware that targeted npm packages. Both Wiz and Socket attributed the SAP compromise to TeamPCP – the cybercrime crew linked to the earlier Checkmarx, Bitwarden, Telnyx, LiteLLM, and Aqua Security Trivy infections. The two security shops also note that the Thursday attacks on the Intercom and lightning packages appear to contain the same malicious code seen in the SAP operation. Here's what has happened in the world of supply-chain attacks over the past 48 hours. SAP-related npm packages On April 29, TeamPCP compromised four official npm packages from the SAP JavaScript and cloud application development ecosystem and published the poisoned releases between 09:55 and 12:14 UTC. The compromised packages contain malicious preinstall scripts set to execute automatically on every npm install, and run attacker-controlled code before any application code runs. This new campaign deploys a multi-stage payload that steals developer secrets, self-propagates, encrypts all the stolen goods, and then exfiltrates the now-locked secrets into a new GitHub repository under the victim's own account. "The second-stage payload is a credential stealer and propagation framework designed to target both developer environments and CI/CD pipelines," the Wiz kids said on Thursday. "It collects sensitive data including GitHub tokens, npm credentials, cloud secrets (AWS, Azure, GCP), Kubernetes tokens, and GitHub Actions secrets – leveraging advanced techniques such as extracting secrets from runner memory. Exfiltration occurs via public GitHub repositories, where it posts encrypted payloads. Additionally, the malware includes propagation logic to infect additional repositories and package distributions." Plus PyPI package lightning Then on Thursday, an additional package was poisoned to execute credential-stealing malware on import. Up first: PyPI package Lightning versions 2.6.2 and 2.6.3. Lightning is a widely used deep learning framework for training and deploying AI products. Developers download it hundreds of thousands of times every day. "The obfuscated JavaScript payload contains many similarities to the Shai-Hulud attacks, overlapping in targeted tokens, credentials and obfuscation methods. Socket also identified signs that router_runtime.js both poisons GitHub repositories and infects developer npm packages," according to Socket, which also published a separate Mini Shai-Hulud supply-chain campaign page that it updates as new information comes to light. And Intercom's npm package Also on Thursday: Socket and Wiz sounded the alarm on a new compromise of the intercom-client npm package. Intercom is a customer communications platform, and intercom-client is a widely used official SDK for Intercom's API. It sees about 360,000 weekly downloads, and npm lists more than 100 dependent projects. However, as Socket notes, the real exposure likely extends beyond these direct dependencies because the package is commonly installed in backend services, developer environments, and CI/CD pipelines that integrate with Intercom's API. "The attack closely resembles the [email protected] PyPI attack from earlier today, as well as the TeamPCP-linked supply chain campaign we reported yesterday affecting SAP CAP and Cloud MTA npm packages," Socket wrote. Neither Intercom nor Lightning immediately responded to The Register's requests for comment. We will update this story when we hear back from any of the compromised organizations. ®

Mini Shai-Hulud caught spreading credential-stealing malware

The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…

Imagination may have more to do with the brain activity it silences than the activity it creates.

Your brain is currently expending about a fifth of your body’s energy, and almost none of that is being used for what you’re doing right now. Reading these words, feeling the weight of your body in a chair—all of this together barely changes the rate at which your brain consumes energy, perhaps by as little as 1 percent.

The other 99 percent is used on the activity the brain generates on its own: neurons (nerve cells) firing and signaling to each other regardless of whether you’re thinking hard, watching television, dreaming, or simply closing your eyes.

Even in the brain areas dedicated to vision, the visuals coming in through your eyes shape the activity of your neurons less than this internal ongoing action.

In a paper recently published in Psychological Review, we argue that our imagination sculpts the images we see in our mind’s eye by carving into this background brain activity. In fact, imagination may have more to do with the brain activity it silences than with the activity it creates.

Imagining as Seeing in Reverse

Consider how “seeing” is understood to work. Light enters the eyes and sparks neural signals. These travel through a sequence of brain regions dedicated to vision, each building on the work of the last.

The earliest regions pick out simple features such as edges and lines. The next combine those into shapes. The ones after that recognize objects, and those at the top of the sequence assemble whole faces and scenes.

Neuroscientists call this “feedforward activity”—the gradual transformation of raw light into something you can name, whether it’s a dog, a friend, or both.

In brain science, the standard view is that visual imagination is this original seeing process run in reverse, from within your mind rather than from light entering your eyes.

So, when you hold the face of a friend in mind, you start with an abstract idea of them—a memory or a name, pulled from the filing cabinet of regions that sit beyond the visual system itself.

That idea travels back down through the visual sequence into the early visual areas, which serve as your brain’s workshop where a face would normally be reconstructed from its parts—the curve of a jawline, the specific shade of an eye. These downward signals are called “feedback activity.”

A Signal Through the Static

However, prior research shows this feedback activity doesn’t drive visual neurons to fire in the same way as when you actually see something.

At least in the brain regions early in the vision process, feedback instead modulates brain activity. This means it increases or decreases the activity of the brain cells, reshaping what those neurons are already doing.

Even behind closed eyes, early visual brain areas keep producing shifting patterns of neural activity resembling those the brain uses to process real vision.

Imagination doesn’t need to build a face from scratch. The raw material is already there. In the internal rumblings of your visual areas, fragments of every face you know are drifting through at low volume. Your friend’s face, even now, is passing through in pieces, scattered and unrecognised. What imagining does is hold still the currents that would otherwise carry those pieces away.

All that’s needed is a small, targeted suppression of neurons that are pulled by brain activity in a different direction, and your friend’s face settles out of the noise, like a signal carving its way through static.

Steering the Brain

In mice, artificially switching on as few as 14 neurons in a sensory brain region is enough for the animal to notice it and lick a sugar-water spout in response. This shows how small an intervention in the brain can be while still steering behavior.

While we don’t know how many neurons are needed to steer internal activity into a conscious experience of imagination in humans, growing evidence shows the importance of dampening neural activity.

In our earlier experiments, when people imagined something, the fingerprint it left on their behavior matched suppression of neuronal activity—not firing. Other researchers have since found the same pattern.

Other lines of evidence strengthen our theory, too. About one in 100 people have aphantasia, which means they can’t form mental images at all. One in 30 form these images so vividly they approach the intensity of images we actually see, known as hyperphantasia.

Research has found that people with weaker mental imagery have more excitable early visual areas, where neurons fire more readily on their own. This is consistent with a visual system whose spontaneous patterns are harder to hold in shape.

Taking all this together, the spontaneous activity reshaping hypothesis—our new theory that imagination carves images out of the steady stream of ongoing brain activity—explains why imagination usually feels weaker than sight. It also explains why we rarely lose track of which is which.

Visual perception arrives with a strength and regularity the brain’s own internal patterns don’t match. Imagination works with those patterns rather than against them, reshaping what is already there into something we can almost see.

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The post How Does Imagination Really Work in the Brain? New Theory Upends What We Knew appeared first on SingularityHub.

Analýza zvláštní skupiny hvězd v galaktické rovině Mléčné dráhy s velmi nízkou metalicitou ukázala, že sdílejí chemické zvláštnosti. Nejspíš jde o fosilii dávné trpasličí galaxie, kterou Mléčná dráha v minulosti pozřela. Galaxie nazvaná Loki měla jen krátký život, ale musel být velmi bouřlivý. Zkoumané hvězdy nesou stopy po supernovách, hypernovách a srážkách neutronových hvězd, které se kdysi odehrály v galaxii Loki.

…aneb Fascinující historie ďábelské jámy v Arizoně

Nová technologie fyziků z McGill University generuje fonony při extrémně nízkých teplotách. Další krokem by mohly být fononové lasery, které budou vytvářet „zvukové paprsky“. Mohly by z toho být nové komunikační systémy, citlivé senzory nebo třeba pokročilé biomedicínské aplikace.

Vice-prezident Nvidie přiznal, že náklady na AI má vyšší než náklady na lidi. Nemá s tím ale problém, protože šéf Nvidie hodnotí inženýry podle toho, jak využívají AI. Čím více AI, tím lepší inženýr…

V závěru roku 2011 představila AMD světu přelomovou grafickou kartu. Radeon HD 7970 je svého druhu legendou a na Linuxu jde o nejstarší model podporovaný ovladačem AMDGPU, tedy včetně API Vulkan. A i v roce 2026 jde kartu, jejíž používání nemá zásadní kompromisy.

Richard Biener oznámil vydání verze 16.1 (16.1.0) kolekce kompilátorů pro různé programovací jazyky GCC (GNU Compiler Collection). Jedná se o první stabilní verzi řady 16. Přehled změn, nových vlastností a oprav a aktualizovaná dokumentace na stránkách projektu. Některé zdrojové kódy, které bylo možné přeložit s předchozími verzemi GCC, bude nutné upravit.

Zulip Server z open source komunikační platformy Zulip (Wikipedie, GitHub) byl vydán ve verzi 12.0. Přehled novinek v příspěvku na blogu.

Give a man a phishing kit and he might get lucky a couple of times; teach an AI to phish and it'll change the landscape, if KnowBe4's latest phishing trends report is accurate. The cybersecurity and phishing awareness outfit released the seventh edition of its Phishing Threat Trends report on Thursday, and it appears that the internet's legions of phishermen are turning to AI in more ways, and more often, than ever thanks to their widespread adoption of AI. Nearly 86 percent of phishing campaigns KnowBe4 threat researchers have picked up on in the past six months have involved some sort of use of AI, according to the report. That's a gradual, steady increase over the past two years, too. 80 percent of phishing campaigns made use of AI in 2024, and 84 percent did so last year, suggesting holdouts are increasingly adopting the tech to broaden their reach.  That number may be troubling enough, but it's how AI is being used that KnowBe4 points out is the biggest problem. Well-written, highly personalized AI-crafted phishing messages are bad enough, but AI is also automating the reconnaissance and info gathering phases of a campaign, speeding up the phishing process and giving attackers more time to shift to multiple attack vectors to better gain their victims' trust.  While the report doesn't compile vectors as a share of total phishing attacks, it does note that there has been a 49 percent increase in phishing attacks that involve calendar invites, and a 41 percent increase in attacks that involve Microsoft Teams messages impersonating coworkers like IT support employees in order to harvest credentials and the like. Savvy multi-vector phishing operations still often start with an email, and that's one of the big areas where AI is broadening phishing horizons, according to the report. Automated reconnaissance enables attackers to comb through masses of information, extract target data, and feed that into AI-generated email lures. Those polymorphic phishing campaigns take a base template, jazz it up and make it unique to each individual, and voilà, a phishing message that's far less likely to be noticed than the typical one that relies on misspellings and bad grammar to weed out those capable of critical thought.  The report's data suggests that emails are only the start of the modern phishing campaign, however, as those increases in calendar invites and malicious Teams messages are often the second stage in an attack.  As IT teams are one of the most common groups impersonated by phishing attacks, one can easily imagine a phishing email followed by a Teams message from someone claiming to be from the help desk and demanding you click on a link to reset your password, or read and sign a new policy via DocuSign, etc. Both methods ultimately deliver credentials or remote access to an attacker, giving them what they were after. According to Microsoft, phishing campaigns involving AI lures are 4.5 times more effective than human-crafted ones. Meanwhile, the FBI says US cybercrime losses hit a record $20.87 billion last year, with phishing the most common complaint and AI-related fraud accounting for about $893 million of that total. ®

KnowBe4 says 86% of phishing it tracked used AI, and inboxes are only the start

Give a man a phishing kit and he might get lucky a couple of times; teach an AI to phish and it'll change the landscape, if KnowBe4's latest phishing trends report is accurate.…

Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254) but few of the Linux distributions had incorporated those fixes at the time the exploit was released.

A single script hacks all distros

The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.

Read full article

Comments

China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division. This ecosystem includes private technology companies operating at the behest of the PRC's intelligence agencies while allowing Beijing to maintain plausible deniability.  "Motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government," Leatherman told reporters on Thursday. Or, if the Chinese government won't buy it, the hackers-for-hire "turn from cyber mercenaries into cyber dealers," selling access to the compromised systems and stolen data to third parties on the dark web. "This leads to a less secure environment that is ripe for further lawlessness," Leatherman said.  Xu Zewei's extradition and the criminal charges against him, however, should send a message to China's contractor ecosystem, he added: "The protection you assume from operating inside China does not extend the moment you cross a border." Xu, a Chinese national, was extradited from Italy to the United States over the weekend and charged with nine hacking-related crimes. Italian cops arrested Xu last July. According to American prosecutors, China's Ministry of State Security (MSS) and Shanghai State Security Bureau allegedly directed Xu to hack thousands of computers and steal sensitive information in a way that hid the Chinese government's involvement. This happened between February 2020 and June 2021, and some of the digital intrusions were part of the 2021 campaign in which Hafnium (now better known as Silk Typhoon) exploited zero-day bugs in Microsoft Exchange and compromised hundreds of thousands of servers worldwide, including 12,700 organizations in the US alone. Other intrusions targeted American universities and researchers working on COVID-19 vaccines, treatments, and testing during the height of the pandemic, prosecutors allege.  The indictment claims that at the time, Xu worked as a general manager at a company named Shanghai Powerock Network, which the feds previously linked to Hafnium/Silk Typhoon. "Among other things, Xu worked on taskings from the SSSB, supervised hacking activity of other Powerock personnel in support of such taskings, coordinated hacking activities with fellow hacker Zhang Yu, and reported the results of the hacking activities to the SSSB," according to the indictment [PDF]. The indictment also charges Zhang, a director at Shanghai Firetech Information Science and Technology Company who allegedly operated at the direction of the SSSB, along with two unnamed SSSB officers who directed the hacking operations. Court records show Xu is charged with conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit aggravated identity theft, which carries a maximum penalty of five years in prison; conspiracy to commit wire fraud and two counts of wire fraud, each carrying a maximum penalty of 20 years; two counts of obtaining information by unauthorized access to protected computers, each carrying a maximum penalty of five years; two counts of intentional damage to a protected computer, each carrying a maximum penalty of 10 years; and one count of aggravated identity theft, which carries a mandatory consecutive two-year sentence. Zhang remains at large, according to the DoJ. ®

One alleged cyber contractor was extradited to the US over the weekend

China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…

A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts. [...]

New research from the Oxford Internet Institute indicates that AI chatbots trained to be extra warm, friendly, and empathetic can also become less reliable, according to the BBC.

The researchers analyzed more than 400,000 responses from five different AI models from Meta, Mistral AI, Alibaba, and OpenAI. The results showed that the “kinder” versions more often gave incorrect answers, reinforced users’ misconceptions, and avoided stating uncomfortable truths.

For example, a friendlier model might deal with conspiracy theories about the moon landing more cautiously instead of clearly stating that they are false.

On average, incorrect answers increased by about 7.43 percentage points when the models were made to sound warmer in tone. Cooler and more direct models made fewer mistakes. According to the researchers, AI makes the same trade-off as humans: it sometimes prioritizes being perceived as pleasant rather than being direct.

A Romanian national who led an online swatting ring that targeted more than 75 public officials, multiple journalists, and four religious institutions was sentenced to 4 years in federal prison. [...]