Itamar Golan 🤓

@ItakGol

Followers
16K
Following
2K
Media
625
Statuses
2K

CEO & Co-founder @prompt_security ||| AI Researcher ||| LLM hacker

Tel-Aviv
Joined June 2009
@ItakGol
Itamar Golan 🤓
2 years
Prompt-Visual Injection is the new kid in town! 😈🛡
Tweet media one
Tweet media two
116
2K
13K
@ItakGol
Itamar Golan 🤓
11 days
AI now writes 50% of the code at Google. *Defined as the number of accepted characters from AI-based suggestions divided by the sum of manually typed characters and accepted characters from AI-based suggestions. Source -
Tweet media one
1
0
4
@ItakGol
Itamar Golan 🤓
15 days
Our product team just demoed a POC for a new capability we’re building at Prompt Security—powered by Cursor and Figma, no traditional devs involved. It’s rough, definitely not prod-ready, but still wild to see it in action. Makes you wonder: is QA about to become the most
Tweet media one
1
0
1
@ItakGol
Itamar Golan 🤓
17 days
This is epic. 🤯 Ask any human — they’ll know this is the Mona Lisa. All LLMs so far have failed this test. o3 passes it.
Tweet media one
1
0
5
@ItakGol
Itamar Golan 🤓
20 days
Did We Just Find the Ideal Benchmark for LLMs? 🧪🤖

o3 is starting to feel different. ⚡️ Personally, it’s the only model I trust for tasks like financial analysis, GTM brainstorming, and roadmap refinement. It feels like it can search and
Tweet media one
0
0
3
@ItakGol
Itamar Golan 🤓
21 days
One day, I’ll sit my kid down and tell him how I used to switch activation functions in TensorFlow just to get a slightly better loss after 100 epochs—and he’ll just laugh at his old dad and his prehistoric deep learning tricks.
Tweet media one
1
0
4
@ItakGol
Itamar Golan 🤓
22 days
Be delusional enough to believe you can. Be disciplined enough to prove yourself right.
1
0
2
@ItakGol
Itamar Golan 🤓
1 month
This is wild. 🤯 Apple drops a paper saying AI "reasoning" is just fancy pattern-matching—models flop on stuff like Tower of Hanoi. A week later, “The Illusion of the Illusion of Thinking” drops. Absolute roast. Claims Apple rigged the game with token limits + impossible
Tweet media one
1
1
22
@ItakGol
Itamar Golan 🤓
1 month
Just a reminder (rationalization as a mechanism for reducing anxiety): the chance of being hit by a missile falling at random in Tel Aviv is more or less the ratio between 20 m² and 50 million, i.e. 1 in 2.5 million! Just for comparison, the risk of dying in a road accident on your way from Tel Aviv to Eilat is higher: 1 in 2.4 million! Have a good rest of your day.
2
0
0
@ItakGol
Itamar Golan 🤓
1 month
You thought Silicon Valley was brilliant? Check this out: they literally built Cursor with a filesystem MCP server more than ten years ago. 🤯 Totally epic.
1
3
12
@ItakGol
Itamar Golan 🤓
1 month
All that matters is winning the next point.
Tweet media one
0
0
2
@ItakGol
Itamar Golan 🤓
2 months
9) We thus successfully exfiltrated several pieces of private information about our user ukend0464: information about their private repositories, such as Jupiter Star, their plan to relocate to South America, and even their salary. Below, we include a screenshot of the full chat
Tweet media one
1
0
1
@ItakGol
Itamar Golan 🤓
2 months
8) Attack Rollout The agent now goes through the list of issues until it finds the attack payload. It willingly pulls private repository data into context, and leaks it into a pull request of the pacman repo, which is freely accessible to the attacker since it is public. The
Tweet media one
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
7) Claude then uses the GitHub MCP integration to follow the instructions. Throughout this process, Claude Desktop by default requires the user to confirm individual tool calls. However, many users already opt for an “Always Allow” confirmation policy when using agents, and stop.
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
6) User Interaction To trigger the attack, the user merely prompts Claude 4 Opus with the following request:
Tweet media one
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
5) We now place a malicious issue in the public repository, which is accessible to the attacker. The issue contains a payload that will be executed by the agent as soon as it queries the public repository's list of issues.
Tweet media one
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
4) As shown here, as soon as the agent encounters the malicious GitHub issue, it can be coerced into pulling private repository data into context, and leaking it in an autonomously-created PR in the public repository, freely accessible to the attacker or anyone else.
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
3) See below for an illustration of the ensuing flow.
Tweet media one
1
0
0
@ItakGol
Itamar Golan 🤓
2 months
2) We assume the user has created two repositories:
<user>/public-repo: A publicly accessible repository, allowing everyone on GitHub to create issues and bug reports.
<user>/private-repo: A private repository, e.g. with proprietary code or private company data.
By standard.
1
0
0
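Steps 2) to 9) of the thread above describe a data-flow problem rather than a single bad tool call: a read from a private repository followed by a write to a public one, with the "Always Allow" policy removing the human check in between. The following is an added example, not code from the thread, from Invariant or from Prompt Security, of a fail-closed session gate that sits between the agent and the MCP tool dispatcher and refuses any write outside the private repository once private data has entered the context; the tool names, the `acme/*` repository names and the visibility table are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: in a real deployment repo visibility would be
# looked up from the GitHub API at policy-evaluation time.
REPO_VISIBILITY = {"acme/public-repo": "public", "acme/private-repo": "private"}

# Tool names are assumptions modelled on a GitHub MCP server; map them to
# the tools your server actually exposes. Anything not listed is rejected.
READ_TOOLS = {"list_issues", "get_issue", "get_file_contents", "search_code"}
WRITE_TOOLS = {"create_pull_request", "create_or_update_file", "push_files",
               "create_issue", "add_issue_comment"}


@dataclass
class SessionPolicy:
    """Fail-closed gate placed between the agent and the MCP tool dispatcher."""
    allowed_repos: set                               # repos this session may touch
    tainted_by: set = field(default_factory=set)     # non-public repos read so far

    def check(self, tool: str, args: dict) -> tuple[bool, str]:
        repo = f"{args.get('owner')}/{args.get('repo')}"
        if repo not in self.allowed_repos:
            return False, f"{tool}: {repo} is outside the session's repo scope"
        visibility = REPO_VISIBILITY.get(repo, "unknown")  # unknown is treated as private
        if tool in READ_TOOLS:
            if visibility != "public":
                self.tainted_by.add(repo)            # private data is now in context
            return True, "ok"
        if tool in WRITE_TOOLS:
            # Once private data is in context, the only permitted write target is
            # that same private repo; a PR on the public repo would exfiltrate it.
            if self.tainted_by and self.tainted_by != {repo}:
                return False, (f"{tool}: write to {visibility} repo {repo} blocked, "
                               f"context holds data from {sorted(self.tainted_by)}")
            return True, "ok"
        return False, f"{tool}: not in the tool allowlist"


def replay_thread_scenario() -> list[tuple[bool, str]]:
    """Constructed tool-call trace mirroring the thread: read the public repo's
    issues, pull private repo data, then try to open a PR on the public repo."""
    policy = SessionPolicy(allowed_repos={"acme/public-repo", "acme/private-repo"})
    calls = [
        ("list_issues", {"owner": "acme", "repo": "public-repo"}),
        ("get_file_contents", {"owner": "acme", "repo": "private-repo", "path": "README.md"}),
        ("create_pull_request", {"owner": "acme", "repo": "public-repo", "title": "info"}),
    ]
    return [policy.check(tool, args) for tool, args in calls]


if __name__ == "__main__":
    for allowed, reason in replay_thread_scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The gate is deliberately coarse: it does not try to recognise the injected instructions in the issue text, it only makes the resulting cross-repository write impossible without a human approving that specific call.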