to read (pdf)
- I don't want your PRs anymore
- JitterDropper | OALABS Research
- DomainTools Investigations | DPRK Malware Modularity: Diversity and Functional Specialization
- EXHIB: A Benchmark for Realistic and Diverse Evaluation of Function Similarity in the Wild
- Neobrutalism components - Start making neobrutalism layouts today
- June 19, 2026
-
🔗 HexRaysSA/plugin-repository commits fix duplicated plugin idalib-rust-bindings (#33) rss
fix duplicated plugin idalib-rust-bindings (#33) -
🔗 Hex-Rays Blog IDA 9.4: Apple Dyld Shared Cache workflow improvements rss
Over the years, the Apple ecosystem (iOS, macOS, …) has seen steady gains in security, application load-time, and more. One of the cornerstones enabling those is the "Dyld Shared Cache" (DSC): a highly specific collection of common system libraries, pre-optimized on many fronts and used across applications.

-
🔗 r/reverseengineering Martyx00/VulnFanatic-NG: BinaryNinja plugin for identifying vulnerabilities in decompiled binaries with both programmatic scans and LLM support. rss
submitted by /u/Martypx00
[link] [comments] -
🔗 earendil-works/pi v0.79.8 release
New Features
- Selective provider base entry points - SDK users can pair @earendil-works/pi-ai/base and @earendil-works/pi-agent-core/base with explicit provider registration to keep bundled applications from including unused provider transports. See pi-ai Base Entry Point and pi-agent-core Base Entry Point.
- Mistral prompt caching - Mistral sessions now use provider-side prompt caching with session affinity and cached-token usage/cost accounting. See API Keys and Environment Variables.
- Post-compaction token estimates - Compact results and compaction events now include estimated post-compaction token counts so clients can show the approximate context reduction. See RPC compact and compaction events.
- OpenRouter Fusion alias - openrouter/fusion is available as a built-in OpenRouter model alias. See API Keys.
Added
- Added inherited @earendil-works/pi-ai/base and @earendil-works/pi-agent-core/base entry points for selective provider registration in bundled applications (#5348 by @FredKSchott).
- Added inherited Mistral prompt caching using the pi session ID as prompt_cache_key, including cached-token usage and cost accounting (#5854).
- Added estimated post-compaction token counts to compact results and compaction events (#5877).
- Added the inherited OpenRouter Fusion alias as openrouter/fusion (#5866 by @dannote).
Fixed
- Updated vulnerable runtime dependencies, including undici and the packaged protobufjs transitive dependency.
- Fixed compaction to refuse sessions with no eligible messages instead of producing empty summaries (#4811).
- Fixed successful overflow-triggered auto-compaction to avoid retrying completed assistant responses (#5720).
-
🔗 MetaBrainz Phishing attempts using MetaBrainz messages rss
There have been reports of users receiving phishing messages via the MetaBrainz messaging service.
Remember: MetaBrainz staff will never ask for your password. MetaBrainz staff will never ask you to log in to a third-party site (or 'verify' your username and password in any other way).
Staff are also likely to email you about account issues directly from an @metabrainz account rather than the user-to-user messaging service.
You can go a step further and apply these rules to every website and service… you are now 99% phishing-proof!
Below is an example of a reported phishing message. This is not a message from staff. It is an attempt to compromise a MetaBrainz account by getting a user to enter their username and password into a third-party website.

If you receive phishing attempts (or spot other scams) via MetaBrainz services please leave a comment here. There is also a thread on the community forums discussing the phishing messages.
-
🔗 r/reverseengineering BSim-foundry: pre-built function signatures for zlib, OpenSSL, mbedTLS, SQLite, libcurl and 24 more. headless + GUI + IDA/BN via SightHouse rss
submitted by /u/LisbonNAKA
[link] [comments]
-
- June 18, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-06-18 rss
IDA Plugin Updates on 2026-06-18
New Releases:
- atelier Atelier v0.4.16
- atelier Atelier v0.4.14
- atelier Atelier v0.4.13
- atelier Atelier v0.4.12
- atelier Atelier v0.4.11
- atelier Atelier v0.4.10
- atelier Atelier v0.4.9
- disrobe v0.10.3
- disrobe v0.10.2
Activity:
- atelier
- 88b48395: chore: bump to v0.4.20
- 515396b9: chore: bump to v0.4.19
- 04079e76: fix(install): pick newest wheel, clean stale ones; cache statusline s…
- 5fca8f2c: chore: bump to v0.4.18
- 148f2372: fix(install): make dev kills prod-path MCP servers, spares only .venv…
- 6b59442d: chore: bump to v0.4.17
- f9ccf622: feat(index): show 'N of X commits (rest in background)' in git histor…
- 43269d9a: Merge: linearize grep symbol-span extraction (vscode grep ~240s -> <1s)
- bd87f039: perf(search): linearize grep symbol-span extraction (quadratic -> lin…
- 427b2a69: chore: bump to v0.4.16
- 64998584: fix(init): -no-index on install, 10s lock timeout (was 30s hang)
- 6cd943cb: fix(install): follow redirects for Content-Length; make release target
- 6cb7451d: fix(install): bundle AGENTS.atelier.md; show host error output; 30s i…
- 7ee2f930: chore: bump to v0.4.13
- capa
- disrobe
- a9907897: native: detect obfusheader.h by its strip-surviving pointer-shuffle c…
- e39d29fd: native: detect guardian-rs x86-64 virtualizer by its embedded .vm/.by…
- b8691069: native: detect rust-obfuscator/cryptify by its CRYPTIFY_KEY decrypt s…
- 9ccae3de: skip the mio (0.8/1.x) and yaxpeax-arch (0.2/0.3) transitive duplicat…
- 69983fc9: native: detect obfus.h by its .obfh signature section
- 818c5e3d: shell: detect real Chameleon long-random variable renames (Invoke-Ste…
- fc8cfe9e: cover Protector::BitMono in the chain quality_for match (the chain-fe…
- b887f1d2: dotnet: detect BitMono + tolerate its anti-static-tooling header corr…
- 47fff2fc: jvm: fold skidfuscator xor-seed integer obfuscation back to literals
- c61daac2: native: fold real -O0 ollvm -bcf opaque-predicate-or-real-condition b…
- cde7b2ad: native: lift real -O0 ollvm -sub through stack slots and reduce its x…
- c5c8bdf6: native: make the synthetic packer-detection test buffers valid PE images
- af4fe246: rustfmt the frisk-gauntlet temp-dir join (i committed the race fix wi…
- 191e63df: native: label the Tigress CFF self-authored fixture as not-real-proof…
- 4ce3b000: native: label the self-authored iced ollvm tests as the linear-chain/…
- 4a8cb6ec: native: recover real ollvm-16 flattened LOOPS - resolve a case block'…
- 0c79b882: give each frisk-gauntlet staged corpus its own temp dir (the per-pid …
- 9bb85f99: native: recover REAL ollvm-16 control-flow flattening - generalize th…
- aa7fcd7e: php deob: CFG-restructure pass that recovers yakpro goto-flattened co…
- 32cb2c7b: regenerate the js/jvm/beam chain goldens after the decimal-radix, fin…
- doki-ida
- 17a72dfe: Fixing the sticker and adding crawling asset
- hrtng
- 13f20220: deinline: fix single block mode
- ida-domain
- 1819169c: Fix problems with invalid license for CI tests (#88)
- project
- cb289b8d: added access path shortening
- showcomments
- 5d5ee41c: Add copyright notice
- zenyard-ida-public
- 8edba8e6: Sync with 3c18c5fe1f2ddd30b17f09d629f3362309e4913d
-
🔗 Simon Willison Datasette Apps: Host custom HTML applications inside Datasette rss
Today we launched a new plugin for Datasette, datasette-apps, with this launch announcement post on the Datasette project blog. That post has the what, but I'm going to expand on that a little bit here to provide the why.
The TL;DR
Datasette Apps are self-contained HTML+JavaScript applications that run in a tightly constrained <iframe> sandbox hosted on your Datasette application. They can use JavaScript to run read-only SQL queries against data in Datasette, and can run write queries too if you configure them with some stored queries.
Here's a very simple example and a more complex custom timeline example - the latter looks like this:

Apps are allowed to run JavaScript and render HTML and CSS. They are limited in terms of access - the <iframe sandbox="allow-scripts allow-forms"> they run in prevents them from accessing cookies or localStorage and they also have an injected CSP header (thanks to this research) which prevents them from making HTTP requests to outside hosts, preventing a malicious or buggy app from exfiltrating private data.
Datasette Apps started out as my attempt at building a Claude Artifacts mechanism for Datasette Agent, but I quickly realised that the sandboxed pattern is interesting for way more than just adding custom apps to the interface surface and promoted it to its own top-level concept within the Datasette ecosystem.
They're also a fun way to turn my multi-year experiment in vibe-coded HTML tools into a core feature of my main project!
You can try out Datasette Apps by signing in with GitHub to the agent.datasette.io demo instance.
Why build this?
Since the very first release, Datasette has offered a flexible backend for creating custom HTML apps via its JSON API.
One of my earliest Datasette projects was an internal search engine for documentation when I worked at Eventbrite - it worked by importing documents from different systems into SQLite on a cron and then serving them through a Datasette instance with a custom HTML+JavaScript search interface that directly queried the Datasette API.
I had client-side JavaScript constructing SQL queries, which originally was intended as an engineering joke but turned out to be a really productive way of iterating on the app!
That project, combined with my experience building my HTML tools collection and my experiments with Claude Artifacts, has convinced me that adding a Datasette-style backend to a self-contained HTML frontend is an astonishingly powerful combination.
Imagine how much more useful Claude Artifacts could be if they had access to a persistent relational database. That's what I'm building with Datasette Apps!
Neat ideas in Datasette Apps
Here are a few of the ideas and patterns I've figured out building this which I think have staying power.
<iframe sandbox="allow-scripts" srcdoc="..."> + <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data: blob:;">
This is the magic combination that makes Datasette Apps feasible in the first place. I need to run untrusted HTML and JavaScript on a highly sensitive domain - an authenticated Datasette instance can contain all sorts of private data. The sandbox= attribute lets me run that untrusted code in a way that cannot interact with the parent application - it can't read the DOM, or access cookies, or steal secrets from localStorage. It can however use fetch() and friends to load content (or exfiltrate data) from other domains. But... it turns out if you start an HTML page with a <meta http-equiv="Content-Security-Policy"> header you can set additional policies that lock down access to other domains. I was worried that malicious JavaScript would be able to update or remove that header but it turns out that doesn't work - once set, the CSP policy is immutable for the content of that frame.
Locked down APIs with postMessage() and MessageChannel()
Having locked down those iframes to the point that they couldn't do anything interesting at all, the challenge was to open them back again such that they could run an allow-list of operations, starting with read-only SQL queries against specified databases.
I built the first version of this with postMessage(), which allows a child iframe to send messages to the parent window. I created a simple protocol for requesting that the parent run a SQL query - the parent could then verify it was against an allow-listed database before executing it.
One of the LLM tools, I think it was GPT-5.5, suggested that postMessage() on its own can be exploited if the iframe somehow loads additional code from an untrusted domain. I don't think that applies to Datasette Apps, but I also believe in defense in depth, so I had GPT-5.5 help me port to a MessageChannel() based transport instead.
MessageChannel() has the advantage that if a page navigates to somewhere else the channel closes automatically, removing any chance of executing commands sent from an untrusted external page.
Visible logs, for queries and errors
If you navigate to the timeline demo and search for the string usercontent you'll pull in some search results that embed images from the user-images.githubusercontent.com domain. This domain is not in the CSP allow-list, so it trips an error.
Those errors are captured and transmitted back to the parent frame, where they can be displayed in a useful error log. This is meant to make hacking on apps more productive by surfacing otherwise-invisible problems.
I built an experiment demonstrating that you can even turn this into a one-click-to-allow mechanism for building the CSP allow-list based on what breaks, but I haven't integrated that idea into datasette-apps just yet.
SQL queries are also visibly logged - scroll to the bottom of the timeline page to see that in action.
Stored queries for write operations
I want apps to be able to conditionally write to the database, but this is an even more dangerous proposition than SQL reads!
My solution involves Datasette's stored queries feature, rebranded from "canned queries" and given a major upgrade in the recent Datasette 1.0a31 - work that was directly inspired by Datasette Apps.
Users can create a stored write query that performs an insert or update, then allow-list that specific query for an app to use. Usage from code inside an app looks like this:
const result = await datasette.storedQuery("todos", "add_todo", { title: "Buy milk", due_date: "2026-06-20", priority: "high", completed: false });
I'm only just beginning to explore the possibilities this unlocks myself, but my goal is to support full read-write applications built safely as Datasette Apps.
Copy and paste a prompt to build an app
The Datasette Apps plugin has no dependency on LLMs at all, but these self-contained apps are the perfect shape to be written by a modern LLM.
The create app form includes a copyable prompt at the end. This prompt has everything a model needs to know to build a new app, including the schema of any selected databases.

This means you can click "copy", paste it into ChatGPT or Claude or Gemini, tell it what you need, and there's a good chance the model will spit out the code necessary to build the app.
If you have Datasette Agent installed your AI assistant will also gain tools to both create new apps and edit existing ones, Claude Artifacts style.

Built with so much AI assistance
Datasette Apps started life back in April as datasette-agent-artifacts, a plugin I have since renamed to datasette-agent-edit keeping only its editing tools. I built that as one of the first plugins for Datasette Agent, to help get the plugin hooks into the right shape. That first prototype was mainly built using Claude Opus 4.6 in Claude Code.
When I switched track to Datasette Apps I started with a plan constructed using Codex Desktop and GPT-5.5 xhigh, based on extensive dialog and feeding in both datasette-agent-artifacts and other prototypes I had built.
Most of the work that followed stuck with Codex, but in the few short days that we had access to Claude Fable 5 I had it run a security evaluation of the product (an ability that would get it banned by the US government shortly afterwards) and it found a very real problem.
I was allowing users to allow-list CSP hosts for their apps, but Fable pointed out the following attack:
- A less privileged user with create-app permission creates an app that queries SQLite for all available tables and selects and exfiltrates all of the data to a host they had allow-listed via CSP.
- They then trick an administrator user with access to private data into visiting their app.
- ... and the app can now run queries as that user and steal their private data!
That's clearly unacceptable. I fixed it by restricting the ability to allow-list any domain to a new apps-set-csp permission, which is intended just for trusted staff. Site administrators can also configure Datasette with a list of allowed_csp_origins, which regular users can then select. This means you can do things like allow cdnjs.cloudflare.com and your users will be able to build apps that load extra JavaScript libraries from the cdnjs CDN.
I've reviewed Datasette Apps extremely closely, especially the security-adjacent parts of it. The critical sandbox and CSP configuration are based on multiple AI-assisted prototypes and tests.
It's looking good so far
I'm really pleased with this initial release.
Datasette is growing beyond its origins as an application for serving read-only data into a much richer ecosystem of tools for doing useful things with that data once it has been collected.
Datasette's roots are in data journalism. I've always been interested in the question of what comes next after a journalist gets their hands on a giant dump of data about the world. Datasette supports exploring and publishing it. Datasette Agent adds interrogating it with AI assistance. Now Datasette Apps expands that to building custom interfaces and visualizations to help unlock the stories that are hidden within.
You are only seeing the long-form articles from my blog. Subscribe to /atom/everything/ to get all of my posts, or take a look at my other subscription options.
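The sandbox, CSP and MessageChannel pattern described in the Datasette Apps post above, as an added sketch that is not code from datasette-apps or from the post's author. The message shape (`{id, type, database, sql}`), the function names, the choice to append allow-listed origins to `script-src` only, and the use of full `https://` origins are assumptions made for illustration; read-only enforcement is assumed to happen in the query backend.

```javascript
// Added example (hypothetical names throughout; not datasette-apps code).
// Base policy taken from the post: nothing may be fetched from other hosts.
const BASE_CSP = {
  "default-src": ["'none'"],
  "script-src": ["'unsafe-inline'"],
  "style-src": ["'unsafe-inline'"],
  "img-src": ["data:", "blob:"],
};
// Strict origin syntax: no wildcards, spaces, quotes or ';', so a requested
// origin can never smuggle an extra directive into the policy string.
const ORIGIN_RE = /^https:\/\/[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/;
const MAX_SQL_LENGTH = 10000; // constructed limit for the example

// Build the CSP for one app. Users without the apps-set-csp permission may
// only pick origins from the administrator's allowed_csp_origins list.
function buildCsp(requested, { adminAllowed = [], canSetCsp = false } = {}) {
  const extra = [];
  for (const origin of requested) {
    if (!ORIGIN_RE.test(origin)) throw new Error(`invalid origin: ${origin}`);
    if (!canSetCsp && !adminAllowed.includes(origin)) {
      throw new Error(`origin not allow-listed: ${origin}`);
    }
    if (!extra.includes(origin)) extra.push(origin);
  }
  return Object.entries(BASE_CSP)
    .map(([directive, sources]) => {
      const all = directive === "script-src" ? sources.concat(extra) : sources;
      return `${directive} ${all.join(" ")}`;
    })
    .join("; ");
}

// The <meta> policy must come before any app markup so it governs all of it.
function buildSrcdoc(appHtml, csp) {
  const attr = csp.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<!doctype html><meta http-equiv="Content-Security-Policy" content="${attr}">` + appHtml;
}

// Parent-side check of a message received from the untrusted frame.
function authorizeRequest(msg, allowedDatabases) {
  if (msg === null || typeof msg !== "object") {
    return { ok: false, error: "malformed message" };
  }
  const { id, type, database, sql } = msg;
  if (type !== "query") return { id, ok: false, error: "unsupported operation" };
  if (typeof database !== "string" || !allowedDatabases.includes(database)) {
    return { id, ok: false, error: "database not allow-listed" };
  }
  if (typeof sql !== "string" || sql.length === 0 || sql.length > MAX_SQL_LENGTH) {
    return { id, ok: false, error: "invalid sql" };
  }
  return { id, ok: true, database, sql };
}

// Browser-only wiring: sandboxed frame plus a private MessageChannel.
// runQuery(database, sql) is a hypothetical callback supplied by the host page.
function mountApp(container, appHtml, csp, allowedDatabases, runQuery) {
  const iframe = document.createElement("iframe");
  iframe.setAttribute("sandbox", "allow-scripts"); // no allow-same-origin
  iframe.srcdoc = buildSrcdoc(appHtml, csp);
  const { port1, port2 } = new MessageChannel();
  port1.onmessage = (event) => {
    const decision = authorizeRequest(event.data, allowedDatabases);
    if (!decision.ok) return port1.postMessage(decision);
    Promise.resolve(runQuery(decision.database, decision.sql)).then(
      (rows) => port1.postMessage({ id: decision.id, ok: true, rows }),
      (err) => port1.postMessage({ id: decision.id, ok: false, error: String(err) })
    );
  };
  // The sandboxed frame has an opaque origin, so the target origin must be "*".
  // The port is transferred once; a document the frame later navigates to
  // never receives it.
  iframe.addEventListener(
    "load",
    () => iframe.contentWindow.postMessage({ type: "init" }, "*", [port2]),
    { once: true }
  );
  container.appendChild(iframe);
  return iframe;
}
```

`mountApp` needs a browser DOM; the other three functions are pure and can be unit-tested on their own.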
-
🔗 r/reverseengineering GitHub - Zypherion-Technologies/UnConfuserEx: A ConfuserEx2 deobfuscator with support for anti tamper, compressor, constants, control flow, and resource recovery. rss
submitted by /u/AhmedMinegames
[link] [comments] -
🔗 HexRaysSA/plugin-repository commits sync repo: +1 plugin, +1 release rss
sync repo: +1 plugin, +1 release
## New plugins
- [idasvg](https://github.com/chichou/idasvg) (0.1.0)
-
🔗 earendil-works/pi v0.79.7 release
New Features
- Automatic theme mode - /settings can choose separate light and dark themes and follow terminal color-scheme changes. See Selecting a Theme.
- Self-only updates by default - pi update now updates pi only, with pi update --all for updating pi and packages together. See Install and Manage.
- Extension API helpers - extensions can use CONFIG_DIR_NAME for project config paths and import edit diff helpers for edit-style diffs. See ctx.cwd and SDK Exports.
- Warp inline images - Warp terminals now get inline image rendering through Kitty graphics detection. See Image.
Added
- Added automatic theme mode so /settings can use separate light and dark themes and follow terminal color-scheme changes (#5874).
- Added inherited Warp terminal image capability detection so inline images render through Warp's Kitty graphics support (#5841 by @dodiego).
- Exported CONFIG_DIR_NAME from the coding-agent public API so extensions can resolve project config paths without hardcoding .pi (#5869 by @xl0).
- Exported edit diff helpers (generateDiffString, generateUnifiedPatch, and EditDiffResult) from the public API for extensions that need edit-style diffs (#5756 by @xl0).
Changed
- Changed bare pi update to update only pi, added pi update --all for updating pi and extensions together, and clarified extension update prompts.
- Reserved / in theme names for automatic light/dark theme settings.
- Updated extension docs, examples, runtime help, trust prompts, and config labels to use the configured project config directory instead of hardcoded .pi paths.
Fixed
- Fixed RPC unknown-command errors to include the request id so clients do not hang waiting for a response (#5868).
- Fixed /model autocomplete and model selection searches to match provider/model queries regardless of whether the provider or model token is typed first.
- Fixed the tree navigator to horizontally pan deep entries so the selected item remains readable (#5830).
-
🔗 r/reverseengineering Rustemsoft unveils Opaquer .NET Obfuscator, a powerful new tool for protecting .NET applications from reverse engineering. The release delivers advanced control‑flow scrambling, string encryption, and metadata hiding with all core obfuscation features available free of charge. rss
submitted by /u/Rustemsoft
[link] [comments] -
🔗 r/reverseengineering VAXD update: public v1.00 release is now available rss
submitted by /u/Bicurico
[link] [comments] -
🔗 HexRaysSA/plugin-repository commits Fix/EA-762 cap ida versions (#32) rss
Fix/EA-762 cap ida versions (#32)
* fix(merger): cap idaVersions at latest released IDA (EA-762)
The upstream HCLI index expands open-ended specs like >=9.0 into a concrete list that includes unreleased placeholders (e.g. 10.0), so plugin pages advertised compatibility with non-existent IDA releases.
- cap_ida_versions() trims idaVersions to <= the latest released IDA in both transform paths (sp-aware comparison); prettified ranges follow.
- LATEST_RELEASED_IDA resolves from env, defaulting to a reviewed constant.
- justfile + deploy.yml derive it dynamically from the hcli download catalog (hcli download --list-tags, authed via HCLI_API_KEY in CI); falls back to the default when hcli is unavailable/unauthenticated, so the build never fails.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* revert(EA-762): drop hcli download --list-tags wiring; keep env-overridable cap
plugin-repository is public, so we don't want a Hex-Rays portal API key in CI even as a secret. Remove the hcli-based dynamic derivation from the justfile (latest-ida recipe) and deploy.yml (HCLI_API_KEY + --list-tags). idaVersions are still capped via merge_plugins.py's LATEST_RELEASED_IDA — a reviewed default (9.4) overridable with the LATEST_RELEASED_IDA env var when a new IDA ships. No auth, no secret.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore(EA-762): drop redundant cap comments from justfile and deploy.yml
The override mechanism is documented at LATEST_RELEASED_IDA in merge_plugins.py; these were duplicate notes on now-generic merger invocations.
* feat(EA-762): derive LATEST_RELEASED_IDA from hcli download catalog in CI
Re-introduce the dynamic IDA-version cap: justfile (latest-ida recipe + dynamic merge-plugins) and deploy.yml derive LATEST_RELEASED_IDA from `hcli download --list-tags`, authenticated via the HCLI_API_KEY repo secret. Falls back to merge_plugins.py's reviewed default when hcli is unavailable or unauthenticated, so the build never fails on this. A GitHub Actions secret is encrypted, runtime-only and log-masked (not in the public source); neither sync nor deploy runs on fork pull_request, so there is no fork-PR exfiltration path. Use a dedicated download-scoped portal key.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: fnania <fnania@hex-rays.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
-
🔗 Console.dev newsletter databow rss
Description: CLI to query any ADBC database.
What we like: Run SQL against any ADBC database e.g. DuckDB, BigQuery, Postgres, SQLite. Syntax highlights the query. Output in a table, CSV, JSON, or Apache Arrow. Supports non-interactive queries from the CLI rather than using the TUI.
What we dislike: Requires an ADBC driver to exist, which means you can’t query some popular databases like MySQL, Clickhouse, etc.
-
🔗 Console.dev newsletter Epiq rss
Description: Issue tracker backed by Git.
What we like: Manage issues from a TUI, locally-backed by Git so issues live with the code. Works offline and uses append-only events to avoid conflicts (later events take precedence). Uses worktrees to isolate sync from the main dev workflow. Built in kanban board and a web UI.
What we dislike: The tradeoff is no public web UI for others to view / submit issues.
-
🔗 Ampcode News A Faster Librarian rss
The Librarian is now ~3x faster and 43% cheaper, with the same quality.
It now runs on GPT-5.5 (no reasoning) with websocket mode and an updated system prompt that encourages more parallel exploration. The Librarian fires ~8 tool calls in parallel per turn, up from ~3 with Sonnet, and wraps up a search in ~5 turns instead of ~15.
In our internal eval, about a quarter of that speedup comes from OpenAI's websocket mode and the rest from switching to GPT-5.5 with no reasoning:
| | Sonnet-4.6 (medium) | GPT-5.5 (none) |
|---|---|---|
| Latency (mean) | 237s | 81s (2.9x faster) |
| ↳ gain from websocket | — | ~1.3x |
| ↳ gain from model | — | ~2.2x |
| Quality (F1, mean) | 0.47 | 0.48 |
| Average cost | $1.21 | $0.69 |

Here's a comparison:
How does Kubernetes' HorizontalPodAutoscaler handle missing pod metrics when scaling down — does it assume missing pods are at 100% of their resource requests, or 100% of the target utilization? Cite the function and logic in the source.
Sonnet 4.6 (left) took 2 minutes and cost $1.08, while GPT-5.5 (right) took 40 seconds and cost just $0.47.
-
- June 17, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-06-17 rss
-
🔗 Simon Willison GLM-5.2 is probably the most powerful text-only open weights LLM rss
Chinese AI lab Z.ai released GLM-5.2 to their coding plan subscribers on June 13th, and then yesterday (June 16th) released the full open weights under an MIT license. Similar in size to their previous GLM-5 and GLM-5.1 releases, this is a 753B parameter, 1.51TB monster - with 40 active parameters (Mixture of Experts). GLM-5.2 is a text input only model - Z.ai have a separate vision family most recently represented by GLM-5V-Turbo, but that one isn't open weights. GLM-5.2 has a 1 million token context window, up from GLM-5.1's 200,000.
The buzz around this model is strong.
Artificial Analysis, who run one of the most widely respected independent benchmarks: GLM-5.2 is the new leading open weights model on the Artificial Analysis Intelligence Index.
GLM-5.2 is the leading open weights model on the Intelligence Index v4.1. At 51, it leads MiniMax-M3 (44), DeepSeek V4 Pro (max, 44) and Kimi K2.6 (43)
They did however find it to be quite token-hungry:
GLM-5.2 uses more output tokens per task than other leading open weights models: the model uses 43k output tokens per Intelligence Index task, up from GLM-5.1 (26k) and above MiniMax-M3 (24k), Kimi K2.6 (35k) and DeepSeek V4 Pro (max, 37k)
The model is also now ranked 2nd on the Code Arena WebDev leaderboard, behind only Claude Fable 5. That leaderboard measures "front-end web development tasks, including agentic coding workflows". I'm impressed to see it rank so highly given the lack of image input, which I had incorrectly assumed was a key part of building a truly great frontend coding model.
I've been trying it out via OpenRouter, which has it from 9 different providers, almost all of which are charging $1.40/million for input and $4.40/million for output. For comparison, GPT-5.5 is $5/$30 and Claude Opus 4.5-4.8 is $5/$25.
Excellent pelican, disappointing opossum
GLM-5.1 gave me one of my favorite pelicans and my all time favorite opossum (for the prompt "Generate an SVG of a NORTH VIRGINIA OPOSSUM ON AN E-SCOOTER".) Interestingly, in both of those cases the model chose to return SVG wrapped in an HTML document that added additional animations using CSS.
Let's try GLM-5.2. For "Generate an SVG of a pelican riding a bicycle" I got this:
It's a self-contained fully animated SVG, and the animations aren't broken! Often I'll see eyes falling off or wheels rotating independently of the bicycle but here everything works great. It's a very nice vector illustration of a pelican too. Very impressive.
Sadly, the NORTH VIRGINIA OPOSSUM ON AN E-SCOOTER did not come out nearly as well:
This is such a step down from GLM-5.1! As a reminder, that possum looked like this:

5.2 didn't even try to animate it.
-
🔗 @HexRaysSA@infosec.exchange ⏱️ IDA 9.4 pre-release teasers start now. mastodon
⏱️ IDA 9.4 pre-release teasers start now.
First up: wider processor and platform support.
The upcoming release adds a Qualcomm Hexagon module, MCore and C-SKY V1, complete AArch64 SVE/SME, improved TriCore analysis with proper calling conventions, and expanded RISC-V coverage including Hazard3/RP2350 and new vendor extensions.
👉 https://hex-rays.com/blog/ida-9.4-wider-processor-and-platform-support
-
🔗 gchq/CyberChef v11.2.0 release
See the CHANGELOG and commit messages for details.
-
🔗 r/reverseengineering Reverse engineering "encrypted" kids VTech walkie talkie rss
submitted by /u/sillysillysoftware
[link] [comments]
-
- June 16, 2026
-
🔗 IDA Plugin Updates IDA Plugin Updates on 2026-06-16 rss
IDA Plugin Updates on 2026-06-16
Activity:
-
🔗 earendil-works/pi v0.79.6 release
Fixed
- Fixed HTTP dispatcher configuration to preserve a caller's deliberate fetch override instead of reinstalling the undici global fetch over it.
- Fixed inherited OpenCode Go DeepSeek V4 thinking-off requests to send the provider's thinking: { type: "disabled" } compatibility parameter.
-
🔗 r/reverseengineering wit keeps claims tied to the thing that proves them rss
submitted by /u/zboralski
[link] [comments] -
🔗 r/reverseengineering VAXD - lightweight PE EXE/DLL disassembler and patch-assistance tool for Windows rss
submitted by /u/Bicurico
[link] [comments] -
🔗 earendil-works/pi v0.79.5 release
New Features
- Provider-scoped API key environments - auth.json API key entries can now include env overrides for provider-specific Cloudflare, Azure OpenAI, Google Vertex, Amazon Bedrock, cache retention, and proxy settings without changing the project shell. See Auth File.
- Global HTTP proxy setting - Configure httpProxy once in global settings to apply HTTP_PROXY and HTTPS_PROXY to Pi-managed HTTP clients. See Network.
- Vercel AI Gateway attribution - Vercel AI Gateway requests now include Pi attribution headers by default. See API Keys.
Added
- Added Vercel AI Gateway request attribution headers (http-referer and x-title) for Vercel AI Gateway models (#5798 by @rwachtler).
- Added an xp footer marker when experimental features are enabled.
- Added a global httpProxy setting that applies as HTTP_PROXY and HTTPS_PROXY for Pi-managed HTTP clients (#5790).
- Added auth.json API key env values so provider-specific environment overrides can be scoped to Pi and propagated to inherited provider configuration (#5728).
Changed
- Updated the vendored Markdown parser used by HTML session exports to marked 18.0.5.
Fixed
- Fixed inherited OpenAI Responses streaming to tolerate null message content from OpenAI-compatible servers before tool calls (#5819).
- Fixed inherited OpenCode DeepSeek V4 thinking requests to avoid sending both thinking and reasoning_effort (#5818).
- Fixed device-code login to stop opening the browser automatically.
- Fixed inherited editor Cursor Up handling so non-empty drafts jump to the start of the line before browsing input history (#5789 by @4h9fbZ).
- Fixed inherited Z.AI GLM-5.2 thinking requests to send reasoning_effort with the provider's high/max effort mapping (#5770).
- Fixed successful pi update on Windows to exit naturally instead of calling process.exit(0), avoiding a Node.js/libuv assertion after version-check network requests (#5805).
- Fixed inherited Google and google-vertex Gemini model metadata to map latest aliases to the current models, add Gemini 3.5 Flash for Vertex, correct Gemini 2.5 Flash Vertex cache pricing, and remove shut-down Vertex preview models (#5761).
- Fixed the session selector to stay open and show the all-sessions empty state when both current-folder and all-scope session lists are empty (#5747).
- Fixed inherited Moonshot AI China model metadata to include Kimi K2.7 Code, and omitted unsupported thinking-off payloads for Kimi K2.7 Code models (#5760).
-
🔗 3Blue1Brown (YouTube) 100 random chords, how many intersections? rss
Part of a series of monthly puzzles done in collaboration with MoMath.
-
🔗 r/reverseengineering Reverse Engineering 1988's BattleTech: The Crescent Hawk's Inception (Westwood/Infocom) - Seeking Collaborators rss
submitted by /u/kessen999
-
🔗 Kagi release notes June 16th, 2026 - Search widgets catching up, Assistant starts fresh rss
Bringing search widgets up to speed
We’re starting a broader effort to improve our search widgets! First up: sports scores and dice rolling.
Sports scores now show up in a sidebar next to search results, so you can quickly check upcoming games, live scores, and recent results, just in time for the World Cup.

And we’ve also added dice rolling support for all you gamers out there, in case you ever need to roll a d20, 2d4 + 2, or perhaps even 8d6.

The new Kagi Assistant is here
Over the last few weeks, we’ve been rolling out a new Kagi Assistant experience. Most of you are already using it, and today we’re officially retiring the old assistant.
This is more than a visual refresh: we rebuilt the Assistant experience around a new layout, smoother web and mobile use, and a lot of UX improvements that add up quickly.
And just as importantly, this gives us the foundation we need for the next set of Assistant improvements we’ve been working towards.
Note: there is one notable change - folders have replaced tags. This means each thread can now belong to only one folder. We appreciate this is a downgrade for users who relied on multiple tags per thread, and we don’t want to handwave that away. We made this tradeoff because folders give Assistant a simpler, more predictable organisation model, and because multi-tag usage was relatively low: about 20% of active accounts used tags at all, and approximately 4% had any thread with more than one tag.
Still, for those affected, we understand this change may be frustrating. Thank you for bearing with us as we build towards a stronger Assistant experience!
Kagi Translate update
We've paused free access to Kagi Translate while we sort out running costs, so you'll need to be signed in to use it. If you have an active subscription, Translate still works. Sign in on translate.kagi.com or in the mobile apps. We share more details on this decision in this blog post.
Other improvements and bug fixes
Kagi Search
- Different output formats for Wolfram Alpha results #3183 @mm00
- Incorrect lens default #10796 @maus986
- Wikipedia widget shouldn't show disambiguation pages #10646 @Numerlor
- Chaining from one image to another in image search #10458 @howtaobrowncow
- Unrelated Wikipedia widget results #10655 @kpj
- AI image filter fails on query "porcelain horse toilet" #10318 @Recast
- File-only queries do not create corresponding title and subtitle #10130 @dreifach
- Wikipedia LaTeX images doesn't render #10659 @3top1a
- Lenses don't appear to support queries anymore #10419 @arizvisa
- Wildcard suffix domains don't work in lenses but do in a normal search #10438 @decayingposture
- Trailing wildcard on path-prefixed domain breaks Lens results #10666 @Dannn404
- Quick answer references should link the entire trigger element #10781 @mootari
- Account 2FA UX broken #10760 @gntlrm
- Cloudflare 404 - Kagi Turnstyle (Vivaldi Browser) #10809 @NyraSyn
- Assistant threads were wrongly moved to Temporary #10100 @eltaco
Kagi APIs
- NEW: Extraction now keeps links from the original document, to enable deeper crawling flows.
- NEW: Related searches is now part of the API responses, with more metadata than the v0 version where applicable.
- NEW: Per-key cost tracking is now enabled. You can select a key in the usage page to see the specific key cost attached. (Cost tracking only available from when we deployed, historic data is not present.)
- Fix: Extraction is now faster and more reliable.
- Fix: Personalization rule types are now correctly validated with the doc types.
- Fix: Various other internal improvements for a more stable experience.
Kagi Assistant
- Regression: new assistant scrolls to bottom when inference completes #10648 @spiffytech
- The new Assistant does not let me edit the output from the model. #10670 @Fernold
- Japanese IME: Enter key submits message instead of confirming composition #10707 @n22z9y28vh
- New system prompt causing regressions esp. in no-search mode, and ignores /system_prompt_overwrite #10684 @igakagi
- New assistant doesn't respect prefers-reduced-motion #10711 @magiruuvelvet
- New Kagi Assistant does not remember sidebar on refresh #10727 @emptyjar
- New Assistant: Undo File Type Restrictions #10721 @AzuraFilth
- Assistant converts CSV uploads into markdown #10647 @fxgn
- Specific code snippet returns 403 Forbidden error #10689 @Fusl
- Assistant Not Searching Web or Citing Sources Despite Web Search Toggle Enabled #10657 @cmart
- Kagi Assistant Does Not Reliably Read Larger Documents/Attached Files #10516 @aeiro
- Assistant can't reach github files #10697 @Numerlor
- Assistant does not scroll on output #10742 @emptyjar
- References do not export, Markdown or JSON. #10741 @relaxos_palaiologos
- Images inside Kagi Assistant responses do not appear #10296 @MustafaD
- Assistant sidebar does not stay closed when resizing the window #10762 @emptyjar
- Pressing 'Enter' key should confirm deletion dialog in Kagi Assistant #10793 @kray
- Enter key does not submit message on iPadOS #10708 @n22z9y28vh
- New assistant models from Anthropic, such as Claude Fable 5, refuse to work. #10812 @FranziKay
- New Assistant hides lines, when it clearly has the space #10710 @7aad94e9
- The new UI for Assistant is worse in every measurable way #10720 @mspgrunt
- Settings -> Appearance -> Save : Not working in Orion Private mode #10724 @markkrueg
- Customizable keyboard shortcuts (Assistant/General) #6650 @bert
- Kagi Assistant new UI is too small #6142 @HRA42
- Pasting text that exceeds x characters should automatically attach it as a text file #6739 @Coops
- Dynamic Chat Window Scaling for Widescreen Users #6379 @unruffled5088
Kagi Translate
- Text cannot be copied anymore from Word and text from a PDF has hard returns behind every line #10476 @JaninevdK
- “curled quotes” instead of "straight quotes" #7011 @FranziKay
- Kagi Translate extension wrongly detects certain monitor as 'mobile' #10693 @Roon
Post of the week
This week's featured social media mention:

Featured Kagi tip 💡
Here's a guide on how to make Kagi truly yours with custom CSS. Tweak colors, fonts, and layout, hide elements you don't need, or apply a community theme for a search experience that looks exactly how you want.

-
🔗 Hex-Rays Blog IDA 9.4: Wider Processor and Platform Support rss
-
🔗 HexRaysSA/plugin-repository commits Feat/EA-771 recently added pipeline (#31) rss
Feat/EA-771 recently added pipeline (#31)
* feat(merger): drive Recently Added by catalog-entry date (EA-771)
Stop propagating stale recently_added/recently_updated editorial tags from api-plugins.json into combined.json (they had no date check; 169 plugins carried them regardless of recency). Add dynamic_metadata.added_at sourced from known-repositories.txt '# Discovered on' markers so the UI can drive "Recently added" by when a plugin entered the Hex-Rays catalog rather than when its underlying GitHub repo was created.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci: pass --known-repos to the merge step (EA-771)
The CI build runs merge_plugins.py inline in deploy.yml, not via the justfile. Without --known-repos the merger gets no catalog-entry dates, so every plugin ships with added_at=null and 'Recently added' renders empty. Pass the file so production matches local builds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* refactor(merger): derive added_at from git history, not comment markers
Parsing known-repositories.txt's '# Discovered on' / '# added' comments made that human-written format a load-bearing API. Instead, reconstruct each repo's catalog-entry date from the author date of the commit that first added its line (one git log pass). Dates stay UTC; a shallow-clone guard omits added_at rather than collapsing every repo onto the boundary commit. Coverage improves (seed repos now dated too) with no dependency on comment formatting.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* refactor(merger): derive added_at from the HCLI index history, drop --known-repos
Reconstruct catalog-entry dates from the git history of plugin-repository.json (the HCLI index, already passed via --hcli) instead of known-repositories.txt. The index is the source of truth for what's installable via the plugin manager, so a plugin's added_at is the author date of the commit that first introduced its host.
Removes the --known-repos arg and its justfile/deploy.yml wiring. Semantics: 'recently added' now means 'recently indexed into the manager', so a freshly-packaged but long-existing repo (e.g. diaphora) correctly surfaces. Legacy api-only plugins aren't in the index and get no added_at — they are a frozen, all-old dump that can never be 'recently added', so null is correct and has zero UI impact.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: fnania <fnania@hex-rays.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
-
🔗 @HexRaysSA@infosec.exchange It's not too late to sign-up... mastodon
It's not too late to sign-up...
We're hosting a free virtual workshop/webinar on idalib — IDA as a library. Call IDA's analysis engine directly from your own code, automate workflows without launching the GUI, and integrate IDA into any toolchain you're already running.
👉 https://2dgu4h.share-eu1.hsforms.com/2D4ZYPjdCRFODEGRKtMILwQ
-
🔗 Confessions of a Code Addict Page Tables from First Principles rss
This is the fourth video in our virtual memory series based on the article/ebook I wrote. In the last few videos, we covered what virtual memory is, its size, and the address space layout of a process. In this video, we learn how the kernel stores virtual-to-physical address mappings in the form of a page table, what that looks like, and how the hardware performs an address translation by walking the page table.
But instead of jumping directly to page tables, we derive the design from first principles like real system designers. We start from the problem statement of efficiently storing virtual address mappings and performing lookups efficiently, and from there, we iteratively arrive at the final solution that looks like modern-day page tables. I believe that this way, not only will you understand page tables better, but you will also develop the design chops needed to build solutions in other domains.
In the next video, we will talk about protection bits in virtual pages. Till then, if you haven't read the original article/book, I recommend checking that out. You can also get it in the form of a beautiful PDF for offline reading using the link below.
-
🔗 r/reverseengineering VAXD - lightweight PE EXE/DLL disassembler and patch-assistance tool for Windows rss
submitted by /u/Bicurico
-
🔗 backnotprop/plannotator v0.20.3 release
Follow @plannotator on X for updates
Missed recent releases?

Release | Highlights
---|---
v0.20.2 | Pierre CodeView all-files review, large-PR pipeline and instant-open checkout, unified agent engine selection, Pi programmatic plan mode
v0.20.1 | Pi extension install hotfix (pinned @pierre/diffs after a broken upstream release)
v0.20.0 | Multi-repo workspace reviews, semantic diff overview, UI 2.0 themes and plan look chooser, leaner single-source skill install
v0.19.27 | Kiro CLI integration, Glimpse native window, annotate-last message picker
v0.19.26 | Amp plugin production fixes, Mermaid rendering fix, Settings flicker fix, update notification toast and shimmer
v0.19.24 | Amp integration, configurable data directory, Auto Mode permission option, Pi plan approval fix
v0.19.23 | Droid integration, Windows Pi AI fix, quieter update indicator
v0.19.22 | Safari copy fix in plan viewer, CLAUDE_CONFIG_DIR support for session logs
v0.19.21 | Ask AI in plan review and annotate mode, shared AI runtime, origin-aware provider defaults
v0.19.20 | Interactive goal setup UI, OpenCode submit_plan fixes, browser no-op sentinel handling for Claude agents
v0.19.18 | Edit-based submit_plan for OpenCode, Pi namespace migration, Codex annotate-last fix, OpenCode commands dir fix
What's New in v0.20.3
v0.20.3 is a small patch of two PRs, both focused on the comment popover used in plan review and annotate mode. The first stops in-progress annotation text from being thrown away, and stops the annotation panel from forcing itself open. The second adds a way to find a comment box again after it scrolls out of view. Both came out of community feature requests.
Annotations No Longer Lost When You Click Away
The comment popover used to close on any click outside it, which discarded whatever you had typed but not yet saved. A misplaced click meant retyping the annotation. Now a popover that holds text or an attached image stays open when you click elsewhere, so your in-progress work survives a stray click. Empty popovers still close on an outside click, and Escape and the X button still cancel explicitly, so nothing changes about how you dismiss a box you actually want to discard.
The same release stops annotations from forcing the right annotation panel open. If you had closed the panel, adding a plan annotation or a code-file popout annotation used to reopen it and pull focus away from what you were reading. The panel now stays in whatever state you left it, and you can open it from the header toggle when you want it. The annotation itself is still selected and still shows its highlight, so it is never lost or hidden.
- #919 closing #821 and #888, contributed by @backnotprop
Off-Screen Indicator for an Open Comment
Because an open comment box now persists when you click or scroll away, it became possible to leave one open above or below the visible area and lose track of it. When that happens, a small pill appears pinned to the top or bottom of the viewport with a chevron pointing toward the box and an "Open comment" label. Clicking it scrolls back to the comment. The indicator only appears for a box that has actually left the viewport and disappears as soon as it returns, so it stays out of the way the rest of the time.
- #920, contributed by @backnotprop
Install / Update
macOS / Linux:
curl -fsSL https://plannotator.ai/install.sh | bash
Windows:
irm https://plannotator.ai/install.ps1 | iex
Extra skills (compound, setup-goal, visual-explainer), opt-in:
npx skills add backnotprop/plannotator/apps/skills/extra
Claude Code Plugin: Run /plugin in Claude Code, find plannotator, and click "Update now".
OpenCode: Clear cache and restart:
rm -rf ~/.bun/install/cache/@plannotator
Then in opencode.json:
{ "plugin": ["@plannotator/opencode@latest"] }
Pi: Install or update the extension:
pi install npm:@plannotator/pi-extension
Droid: Install via the plugin marketplace:
droid plugin marketplace add backnotprop/plannotator
droid plugin install plannotator@plannotator
Amp: Install the CLI first, then copy the plugin:
mkdir -p ~/.config/amp/plugins
curl -fsSL https://raw.githubusercontent.com/backnotprop/plannotator/main/apps/amp-plugin/plannotator.ts \
  -o ~/.config/amp/plugins/plannotator.ts
Kiro CLI: The installer auto-detects Kiro and installs skills automatically. After installing the CLI, launch with:
kiro-cli chat --agent plannotator
Upgrading from before v0.20.0? Read the v0.20.0 release notes first; that release changed how skills install.
What's Changed
- Keep annotation panel closed when adding annotations by @backnotprop in #919
- feat(annotate): off-screen indicator for open comment popover by @backnotprop in #920
Community
Both changes in this release answer feature requests from the community. @8bitjoey asked for the annotation input to keep its text instead of closing on an outside click (#821), and @jj-valentine asked for annotations to be saved rather than lost (#888). @SyahrulBhudiF and @gwynnnplaine joined the discussion on #821 that shaped the behavior.
Full Changelog: v0.20.2...v0.20.3
-
🔗 HexRaysSA/plugin-repository commits sync repo: +1 plugin, +3 releases, ~1 changed rss
sync repo: +1 plugin, +3 releases, ~1 changed
## New plugins
- [ida-nativeaot](https://github.com/dump-guy/ida-nativeaot) (1.0.2, 1.0.1, 1.0.0)
## Changes
- [diaphora](https://github.com/joxeankoret/diaphora):
  - 3.4: archive contents changed, download URL changed
-
🔗 Ampcode News Diffs rss
Outsource your coding, but not your understanding of the code.
As agents generate larger quantities of code, it is more important than ever for humans to comprehend the code to ensure its quality.
You can now review any thread's code changes directly in Amp, on desktop or mobile.
While a thread has an active environment, you can scroll through the diff, request changes on specific sections, and stage changes interactively:
Some care and attention has gone into the diffing algorithm, which performs duplicate block detection to make it easier to see what has actually changed. This can significantly reduce cognitive load when reviewing large agent-generated changesets.
Here is an example where Amp (left) makes it easier to see that the only thing that has changed is the removal of the if-branch of the conditional:
Ours
Theirs
If you drive your threads primarily from the terminal, use the command palette (Ctrl-O) to open the diff for your current thread in your browser:
-
