Complete static archive of GigaTap articles about VPN, privacy, OPSEC, and security.
- Android VPN leaks can still happen below the app layer - Mullvad says an Android 16 bug can let apps send certain QUIC traffic outside the VPN tunnel, even with Android’s strongest VPN blocking settings enabled.
- Android’s AI shift creates a new app trust boundary - Google’s I/O 2026 Android AI updates are more than model news. AppFunctions, on-device inference, and hybrid routing change how apps expose tools, data, an
- Anthropic-Cybersecurity-Skills: useful, but verify first - mukul975/Anthropic-Cybersecurity-Skills packages 754 security skills for AI agents. Treat it as structured material to inspect, not proof of safe automatio
- Apple’s 26.6 betas are a compatibility warning - Apple has released 26.6 betas across iOS, macOS, watchOS, visionOS, tvOS, and iPadOS. The notice is short, but the testing window matters for apps with sec
- AWS CIRT update: know the help boundary before an incident - AWS updated its CIRT guidance with clearer engagement paths, TTC threat intelligence, and tooling. The useful work is checking support, logs, and DFIR gaps
- C/C++ checks fail when API contracts are missed - Trail of Bits’ challenge walkthrough shows how static buffers and unchecked Windows registry queries can turn reasonable-looking validation into exploitabl
- Chrome Dev Advances: Signal, Not Security Verdict - Chrome's Dev channel moved to a new desktop build. The announcement is brief, but it offers an early operational signal for teams tracking browser changes.
- Copilot Usage Metrics Move Beyond Active User Counts - GitHub's new Copilot usage cohorts help organizations distinguish basic activity from deeper agent workflow adoption.
- Encrypted Messaging Got a Win. Check the Fine Print - EFF’s latest note highlights progress for end-to-end encrypted messaging. The real question is where the protection starts, where it stops, and what users
- Evidential Survivability: Ethereum’s Verification Bet - OCP frames Ethereum as durable verification infrastructure for AI-era systems. The useful test is what evidence survives when tools, vendors, and runtimes
- Exploitability Is Becoming the AppSec Filter - Snyk’s Continuous Offensive Security pitch points to a real shift: teams need fewer abstract findings and better proof of what can actually be exploited.
- Florida Sues OpenAI: A Test of AI Accountability - Florida’s lawsuit against OpenAI is less about a single incident and more about whether AI companies can be held accountable for foreseeable harms.
- Kazuar shows why old backdoors become harder to kill - Microsoft describes Kazuar as a Russian-linked espionage malware family that has evolved from a backdoor into a modular P2P botnet ecosystem.
- Kotlin’s next bet is trustable tooling for AI-era development - KotlinConf’26 showed JetBrains pushing Kotlin beyond syntax: unified tooling, machine-readable docs, LSP support, Android build gains, and agent-ready IDE
- Model flexibility is how teams prevent AI lock-in - Zapier’s model-flexibility argument is really about operations: keep AI workflows replaceable before quality, privacy, or provider changes make switching p
- Monero GUI 0.18.5.0: small fixes, real wallet edges - Monero GUI 0.18.5.0 is a recommended maintenance release with fixes around URI parsing, QR handling, offline transactions, and Windows P2Pool paths. Verify
- Mythos raises the cost of slow software supply chains - Chainguard’s Mythos guidance is best read as an operational warning: faster exploit development makes opaque dependencies, slow patching, and weak build pr
- Netlogon CVE: patch domain controllers first - CVE-2026-41089 is a critical Windows Netlogon flaw tied to a warning of active exploitation. The urgent check is domain-controller patch status.
- Old IE flaw enters KEV: check the legacy surface - CISA lists CVE-2010-0249 as known exploited. The useful lesson is not nostalgia; it is finding any Internet Explorer dependency still alive in production.
- Operational Risks After Spain's Govt Employee Doxing - Spanish police arrest doxer; operational impact highlights privacy risk and checks for government staff and security teams.
- Python Infrastructure Needs More Than Goodwill - HRT’s Visionary PSF sponsorship highlights a larger reality: Python’s critical infrastructure depends on sustained funding from organizations that run on it.
- Rust 1.96.0: the update checks that matter - Rust 1.96.0 adds new range APIs, stricter WebAssembly linking, and fixes for third-party registry users. The main work is testing the right paths.
- SANS ISC Stormcast: Treat the Advisory as a Triage Trigger - A June 1 SANS ISC Stormcast item is enough to review, not enough to assume exposure. Check the source, confirm CVEs, and map only verified risk to assets.
- SANS ISC Stormcast: Treat the Signal Before the Alarm - A SANS ISC Stormcast item is a useful security advisory signal, but the feed stub does not name a CVE, exploit status, or patch. Verify before acting.