Cybersecurity on JVQ.net: Just Very Quick https://jvq.net/tags/cybersecurity/ Recent content in Cybersecurity on JVQ.net: Just Very Quick Hugo en-us Sun, 12 Apr 2026 00:00:00 +0000 AI Finds the Holes https://jvq.net/ai-finds-the-holes/ Sun, 12 Apr 2026 00:00:00 +0000 https://jvq.net/ai-finds-the-holes/ <p>Financial industry leaders convened to discuss the cyber risks posed by Anthropic&rsquo;s latest AI model after it reportedly found weaknesses in every major computer operating system. That&rsquo;s a sentence that would have read as science fiction five years ago. It&rsquo;s now a compliance meeting.</p> <p>The specifics of what was found, and how, remain unclear from public reporting — which is its own kind of signal. When that kind of information circulates first in closed industry sessions rather than public disclosures, it suggests the vulnerabilities are either still being patched, or the exposure is broad enough that nobody wants to start a countdown clock before fixes are in place. Either way, the episode is a clean illustration of the dual-use problem at the core of frontier AI: the same capability that finds vulnerabilities defensively is also the one that finds them offensively. The institutions meeting about this risk are right to take it seriously. Whether they&rsquo;re moving fast enough is a different question.</p> Nine Hours https://jvq.net/nine-hours/ Sun, 12 Apr 2026 00:00:00 +0000 https://jvq.net/nine-hours/ <p>A critical remote code execution vulnerability in Marimo — an open-source Python notebook tool used heavily in AI and data science workflows — was weaponized by attackers roughly nine hours after public disclosure. The flaw, tracked as CVE-2026-39987, allowed unauthenticated access. Within a working day of anyone knowing about it, someone was using it.</p> <p>Nine hours is not an anomaly anymore; it&rsquo;s a benchmark. The window between vulnerability disclosure and active exploitation has collapsed to the point where patch cycles that assume days or weeks of safety are simply wrong. For teams running notebook environments close to model infrastructure or internal data pipelines, this particular incident is worth treating as a drill. The CVE was patched; the lesson — that developer tooling is a high-value attack surface and exposure time is measured in hours — is ongoing.</p>