Kelford Press

Rust rewrites of established developer tooling fill much of this week's GitHub trending board. oxc, a collection of high-performance JavaScript tools written in Rust, sits at roughly 21k stars; uutils/coreutils, a cross-platform Rust rewrite of the GNU coreutils, holds around 23k. Two agent and workflow projects join them: github/spec-kit, a toolkit for spec-driven development, near 110k stars, and openai/codex, a lightweight coding agent that runs in your terminal, at about 89k. Rust reimplementations of JS and Unix tooling are trending next to agent-assisted workflows.

Vercel has made the skills.sh API generally available, giving developers programmatic access to its open directory of more than 600,000 agent skills from the open-source ecosystem. The API supports searching for skills, retrieving detailed information on a given skill, and reading its automated security audit, aimed at developers and agents that install skills inside Vercel projects. Authentication uses Vercel's OIDC tokens — short-lived credentials scoped to a team and project and rotated automatically, removing long-lived secrets, with a rate limit of 600 requests per minute per team and project. The release moves skill discovery and supply-chain vetting out of the CLI and into a queryable endpoint agents can call directly.

The Trump administration and OpenAI are in discussions about a possible US government equity stake in the company, CNBC reported and TechCrunch aggregated. Neither the size nor structure of any stake has been set, and no terms have been decided; reporting says talks have run for more than a year, since CEO Sam Altman first raised the idea in 2025. Some equity could reportedly seed a "Public Wealth Fund," an OpenAI April policy proposal to route AI gains to citizens. Aboard Air Force One, Trump said "pieces could be given to the American public". A direct state ownership position in a leading AI lab would set a governance and conflict-of-interest precedent for federal AI oversight.

OpenAI added Lockdown Mode, an opt-in ChatGPT setting that blocks the data-exfiltration stage of prompt-injection attacks by limiting outbound network requests. With it on, web browsing is capped to cached content and Agent Mode, Deep Research, in-response images, live connectors, and file downloads are turned off, cutting the channels injected instructions could use to ship stolen data offsite. The feature is free across all personal accounts and self-serve Business accounts. OpenAI cautions it isn't for everyone and that ChatGPT can still be prompt-injected through cached pages or uploaded files. How much capability will sensitive-data users trade for a partial defense?

Google will pay SpaceX 920 million dollars a month to rent AI compute, according to SpaceX's amended S-1 filed with the SEC on June 5 ahead of its planned Nasdaq IPO. The deal covers roughly 110,000 NVIDIA GPUs plus CPUs and memory, runs October 2026 through June 2029 — about 32 months and 32 billion dollars total — with a 90-day exit for either side after December 31, 2026. Google called it "bridge capacity" for surging Gemini Enterprise demand; SpaceX did not name the site, though the capacity sits in data centers it absorbed from xAI. Routing a direct AI rival's overflow through Elon Musk's hardware marks how acute compute scarcity has become.

Pro-Iran hackers abused Meta's AI support assistant to hijack high-value Instagram accounts, briefly defacing the Obama White House and U.S. Space Force senior-enlisted-leader handles with pro-Iranian imagery. Brian Krebs reports a Telegram video showed the method: connect via VPN near the target's hometown, request a password reset, then tell the AI chat to link a new email — which it sent a one-time reset code to. Attackers claimed names worth over $500,000 and said the trick failed against MFA-protected accounts. Meta's Andy Stone said the issue was resolved via an emergency weekend patch, with no back-end breach. Wiring conversational AI into account-recovery flows makes it a social-engineering target once it can take privileged action.

JetBrains released Mellum2, a 12B-parameter Mixture-of-Experts (MoE) model trained on natural language and code, under the Apache 2.0 license. The model routes each token through 8 of 64 experts, activating 2.5B parameters per pass, and supports a 131,072-token context via layer-selective YaRN extension. Successor to JetBrains' 4B code-completion model, Mellum2 broadens scope to routing, RAG, sub-agents, and private deployment, shipping in six checkpoints (Base, Instruct, Thinking, and SFT/pretrain variants). JetBrains claims more than 2x faster inference than similarly sized open models; on the Base checkpoint it trails Qwen2.5-7B on HumanEval (41.5 vs 55.5) while tracking it on GSM8K and MMLU. Whether a sparse "focal" model wins adoption over denser coding LLMs remains open.

Cloudflare has acquired VoidZero, Evan You's company behind the Vite build tool, Vitest test runner, Rust-based Rolldown bundler, and Oxc toolchain. You and his team join Cloudflare's Emerging Technology and Incubation group and keep leading the projects, which the post says stay MIT-licensed, vendor-agnostic, and community-driven, with apps built on Vite still running anywhere. Cloudflare is also committing $1 million to a Vite ecosystem fund for outside maintainers, administered by the Vite core team. The post names no acquisition price; the open question is whether a vendor owning the toolchain millions of projects depend on stays neutral once Workers deployment is wired in natively.

Cisco confirmed that CVE-2026-20245 (CVSS 7.8), a command-injection flaw in the CLI of Cisco Catalyst SD-WAN Manager, is being actively exploited as a zero-day to run arbitrary commands as root. The bug stems from insufficient validation of user-supplied input and affects all deployment types — On-Prem, SD-WAN Cloud-Pro, Cisco-managed cloud, and FedRAMP. Exploitation requires netadmin privileges, which attackers can obtain by first chaining CVE-2026-20182 or CVE-2026-20127. Mandiant reported the flaw, and Cisco has observed cases where attackers pushed configuration changes to edge devices. No patch exists yet; until one ships, Cisco advises upgrading to the CVE-2026-20182 fix and reviewing `/var/log/scripts.log` for suspicious uploads.

Productivity-software maker ClickUp is cutting hundreds of staff and replacing them with "thousands of AI agents," the nine-year-old startup confirmed in reporting on 25 May 2026. The framing — staff replaced numerically by autonomous agents — is one of the first cases of a venture-funded software company stating the substitution publicly, rather than couching the layoff as restructuring or efficiency. The operational details (which agents, run on what stack, integrated into which workflows) are not in the company's external communication; the framing alone is the news event. Expect the playbook to be copied.

Pope Leo XIV's encyclical *Magnifica Humanitas*, surfaced in widespread reporting on 25 May 2026, treats artificial intelligence less as a doctrinal subject than as a lens — the document is primarily about concentrated power, eroded democracy, and the influence of a small tech elite over how the world is shaped, according to early analysis. The papal text invokes AI throughout, but the church's substantive critique is of the political-economic conditions in which AI is developed, not of the technology itself. The framing matters because Catholic social teaching has historically reshaped labour and inequality debates well beyond the church's congregation.

The Dutch financial-crimes agency FIOD seized "more than 800 servers" on 18 May 2026 and arrested two suspects — Youssef Zinad, 57, of Amsterdam, and Andrey Nesterenko, 39, of The Hague — charging them under sanctions law with making economic resources available to EU-sanctioned entities. The infrastructure allegedly hosted Russia-backed operations including DDoS staging, anonymisation proxies, and disinformation campaigns; among the cited deployments was targeting of Danish government bodies during the country's 13–19 November 2025 municipal elections. The use of sanctions law rather than computer-crime statutes is the substantive novelty — it makes the hosters, not just the attackers, directly prosecutable in the EU.

NVIDIA released the Nemotron-Labs Diffusion family on 23 May 2026 — diffusion-based language models at 3B, 8B and 14B parameter scales, plus an 8B vision-language variant. The text models ship under the commercially-friendly NVIDIA Nemotron Open Model Licence with weights on Hugging Face. The 8B text model achieves 1.2% higher average accuracy than Qwen3 8B on the team's evaluation suite, while generating roughly 4x faster than the autoregressive baseline on NVIDIA B200 hardware — about 865 tokens/sec on the speedbench dataset in self-speculation mode. The model fills 32-token blocks via iterative denoising and supports three modes: pure autoregressive, FastDiffuser, and a self-speculative path that drafts bidirectionally and verifies causally.

A paper posted to arXiv on 25 May 2026 (cs.LG, 2605.22984) argues that test-time training — the technique of adapting model parameters during inference, increasingly used for few-shot adaptation — can undermine the safety guardrails installed during post-training. The authors describe TTT as "an emerging paradigm" that improves task performance, but say its parameter mutations can weaken refusal behaviours that standard alignment evaluations were measured against. The full quantitative breakdown is in the paper; the implication for deployed systems is direct: any post-deployment adaptation may invalidate prior safety-evaluation certifications, and the same speedup the engineering community is pursuing for personalisation is the mechanism by which guardrails can be silently bypassed.

Authors caught publishing unverified LLM output — hallucinated references and visible model chatter being the giveaway — face a 12-month ban and a requirement that future submissions clear peer review first.

OpenAI is collapsing its three flagship product surfaces under a single product team led by co-founder Greg Brockman, framed in an internal memo as a consolidation toward "the agentic future".

In a formal submission to the Department for Science, Innovation and Technology, Mozilla argues that restricting young users' access to VPNs would undermine — not advance — the regulator's online-safety goals.

An MIT-area paper proposes using a demonstration-conditioned model as its own teacher — drawing fresh attention this week as a middle path between supervised fine-tuning and reinforcement learning for foundation-model adaptation.

Anyone in Malta who completes a University of Malta AI literacy course will get a year of free ChatGPT Plus, under a new partnership with OpenAI — the first national deal of its kind.