Running local models is good now

Boykis has been running local models since the early days, and her verdict in mid-June landed at the top of Hacker News: something crossed a line in the last few months. On a 2022 M2 Mac with 64GB, she is now doing real agentic coding locally, refactoring scripts into modules, generating tests, scaffolding small apps, at roughly 75 percent of frontier speed and accuracy, all inside a Docker sandbox. Her own tell is that she double-checks the output against a cloud model far less than she used to. The catch she is refreshingly honest about: local still wins only on bounded, self-contained work, and the gap to frontier on hard, production-grade tasks is real. What she does not dwell on is the hardware. The setup that makes this sing leans on serious memory, and most laptops are not there yet, which is exactly the conversation the comments section had. Read it for the clearest picture yet of where the local-versus-cloud line actually sits in 2026, and decide which half of your day could move off the API.

By Vicki Boykis →

AutoJack: one web page can hijack your AI agent into running code

Microsoft's Defender research team has a name for the trick: AutoJack. Point a browsing agent at an attacker's page and that page's JavaScript reaches a privileged local service on the same machine and spawns a process on the host. No credentials, no prompt, no further interaction once the agent loads the page. The proof of concept used a harmless-looking "Web Content Summarizer" agent built on AutoGen Studio that, fed the wrong URL, pops calc.exe on the developer's desktop. The chain is three small mistakes stacked: the local control plane trusted localhost, but a browsing agent on the box already is localhost; the WebSocket skipped authentication; and it ran a command pulled straight from a request parameter with no allowlist. The headline detail every engineer should sit with is the lesson Microsoft draws from it, because the same shape is waiting in plenty of other agent frameworks. The fix and the exact packaging caveat (which build is actually exposed) are in the writeup.

By the Microsoft Security Blog →

Chrome is days away from disabling uBlock Origin for good

The long Manifest V2 goodbye is finally ending. Chrome 150, due on the stable channel around June 30, removes the ExtensionManifestV2Disabled flag, the last switch that let power users and enterprise admins keep MV2 extensions alive. Chrome 151 roughly four weeks later strips the remaining flags. After that there is no workaround, no enterprise policy override, no hidden setting. For the tens of millions still running the full uBlock Origin, that is the end of the road on Chrome: its developer has said plainly there will be no full MV3 build, only the reduced uBlock Origin Lite, which cannot do the dynamic and cosmetic filtering the original is known for. Firefox and Brave are unaffected. Whether you read this as a security cleanup or a convenient win for an ad company depends on where you sit, and the piece lays out both. If you build or test against Chrome's extension APIs, this is the deadline to plan around.

Via 9to5Google →

usbliter8: an unpatchable boot-ROM exploit for A12 and A13 iPhones

Six years after checkm8, the BootROM has another surprise. Paradigm Shift published a working exploit, usbliter8, that runs arbitrary code inside the SecureROM of Apple's A12 and A13 chips, the silicon in the iPhone XS, XR, and 11, plus S4 and S5 Apple Watches. The flaw is burned into the chip at manufacture, so no software update can ever reach it; affected devices carry it for life. It is not remote: you need the phone, DFU mode, and a USB connection to a small RP2350 board, after which the whole thing finishes in under two seconds, before Apple's signed boot chain even loads. The writeup is the good part, a genuinely fascinating walk through how USB DART in bypass mode leaves SRAM writable, and how the team defeated Pointer Authentication on A13 in stages by corrupting memory until a USB interrupt ran their code. It does not break the Secure Enclave, so your passcode and keys stay protected, but it stamps PWND into the device and can boot unsigned firmware. A reminder that the lowest layer of trust is never quite as settled as it looks.

By Paradigm Shift →

GLM-5.2

Z.​ai opened the weights for GLM-5.2 on June 16 under an MIT license, and it is currently the top-ranked open-weights model at the frontier on the Artificial Analysis index. It is a 753B-parameter mixture-of-experts model (only 40B active per token) with a genuinely usable 1M-token context, and it posts 62.1 percent on SWE-Bench Pro, closing much of the gap to Claude Opus 4.8. The honest catch is hardware: the full FP8 weights still want around 753GB of GPU memory, so true self-hosting is datacenter territory, but community GGUF quants already exist and you can reach it through the Z.​ai API or Cloudflare Workers AI if you just want to try it. A useful data point for anyone weighing the build-versus-API math after this week's lead story.

Learn more →

Fusion (OpenRouter)

Launched June 13, Fusion turns a single prompt into a small multi-model deliberation. A panel of up to eight models answers in parallel with web search enabled, a judge model maps where they agree, contradict, and leave gaps, and a final model writes the answer from that analysis. You reach it as one model slug, openrouter/fusion, on any OpenAI-compatible client, and it decides per request whether a prompt is worth the extra completions. Billing is the sum of every model that runs, so it is overkill for routine prompts and genuinely useful for research, expert critique, and high-stakes work where being wrong is expensive. A clean way to buy a second and third opinion without wiring up the orchestration yourself.

Learn more →

Coreutils for Windows

If you bounce between a Mac or Linux box and Windows, this closes an old papercut. Microsoft is now maintaining a Windows build of the Rust uutils project, bundling coreutils, findutils, and a grep into one multi-call binary so ls, cat, cp, mv, grep, and find run natively in PowerShell and CMD, no WSL, Git Bash, or Cygwin in the way. The point is script portability: the same commands, flags, and pipelines behave the same across Linux, macOS, and Windows, so your shell scripts carry over without translation. Install is a single winget command, the whole thing is MIT-licensed and open on GitHub, and Microsoft contributes its fixes back upstream. Still preview, so expect a useful subset rather than every GNU tool, and a few names that collide with built-ins.

Learn more →