Hacker News8h ago465 points80 commentslive

Incident CVE-2026-LGTM

A malicious package bypassed seven AI security gates by exploiting markdown rendering and fake approval tickets, leading to widespread credential theft before being resolved by an attacker's autonomous agent reading a file it shouldn't have.

Read the full story atnesbitt.io

Why this is in the Signal

LAXIMA AI Signal curates the highest-velocity stories across Hacker News, GitHub trending, and new Hugging Face / Replicate model releases — quality-filtered, deduplicated, and refreshed every four hours. This item surfaced from Hacker News with 465 points (by mooreds). We link straight to the original source above — see the full live feed.

More AI Signal briefs

HNPreviewing GPT‑5.6 Sol: a next-generation model
HNU.S. government will decide who gets to use GPT-5.6
HNSpringer Nature has removed two studies by Max Planck
HNReid Hoffman says SpaceX 'not an AI company', xAI 'complete train wreck'
GHA curated, non-BS library of the best resources for building and evaluating AI agents — papers, blogs, talks, tools, benchmarks. Maintained by BenchFlow.
GHOpen-source @agent mentions for Slack and GitHub. OpenTag routes tagged requests to Codex, Claude Code, then returns results in thread.
GHA Rust toolkit for the Oura Ring (Gen 3/4/5): reverse-engineered BLE protocol, event decoders, and reimplemented data-processing algorithms. Sync, store, and analyze your data locally.
GH修改 Apple 网络定位（gs-loc）返回坐标 · 支持 Surge / Quantumult X / Loon / Stash · 快捷指令一键设置/恢复定位

Get the Signal

Telegram Threads Bluesky RSS All signals →