
Optical device uses humidity to unlock hidden information and offers new option for data storage

Engineers at the University of California San Diego have developed an optical device that reveals hidden images and changes colors in response to different levels of humidity. The technology, published in Light: Science & Applications, could lead to the development of new anti-counterfeiting labels, secure data storage, interactive displays, and environmental sensors.

The device works by displaying different images depending on moisture levels in the air. Under normal conditions or low humidity levels, one image (UC San Diego Triton logo) is visible. When humidity increases, a second image (UC San Diego library logo) emerges and conceals the first. This transition can be triggered even when a person breathes on the device. It happens in a fraction of a second and can be repeated many times.

“You can imagine using this as a built-in security feature with the environment acting like a key that unlocks different pieces of information,” said study first author Asad Nauman, an electrical and computer engineering postdoctoral researcher at UC San Diego. “One example would be something like a credit card security tag, where you can blow on it and reveal a hidden code. Another application would be an environmental sensor that changes color as the humidity changes.”

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Anthropic appears to be preparing for the public rollout of “Mythos,” which was announced in April as a restricted model that poses major security risks to private and public software.

On April 7, Anthropic announced Mythos in early preview and called it a new frontier model with strikingly advanced capabilities in computer security tasks.

Anthropic said the Mythos model shows major improvements in code reasoning and autonomy, far above its current flagship model, Opus 4.7.

Google accidentally exposed details of unfixed Chromium flaw

Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device.

The flaw was reported by security researcher Lyra Rebane and acknowledged as valid in December 2022, according to the thread on the Chromium Issue Tracker.

An attacker could exploit the problem to create a malicious webpage with a Service Worker, such as a download task, that never terminates. Rebane says that this could allow an attacker to execute JavaScript code on the visitors’ devices.

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released security updates for a “highly critical” security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.

The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is used in Drupal Core to validate queries and ensure they are sanitized against SQL injection attacks.

“A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases,” it said. “This can lead to information disclosure, and in some cases privilege escalation, remote code execution, or other attacks.”

Microsoft shares mitigation for YellowKey Windows zero-day

Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.

The security flaw was disclosed last week by an anonymous security researcher known as ‘Nightmare Eclipse,’ who described it as a backdoor and published a proof-of-concept (PoC) exploit.

Nightmare Eclipse said that exploiting this zero-day involves placing specially crafted ‘FsTx’ files on a USB drive or EFI partition, rebooting into WinRE, and then triggering a shell with unrestricted access to the BitLocker-protected storage volume by holding down the CTRL key.

Exploit released for new PinTheft Arch Linux root escalation flaw

A recently patched Linux privilege escalation vulnerability now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems.

The vulnerability, named PinTheft by the V12 security team and still waiting to be assigned a CVE ID for easier tracking, exists in the Linux kernel’s RDS (Reliable Datagram Sockets) and was patched earlier this month.

“PinTheft is a Linux local privilege escalation exploit for an RDS zerocopy double-free that can be turned into a page-cache overwrite through io_uring fixed buffers,” V12 said in a Tuesday advisory.
