
Tech Watch & Dev
Technology watch for developers: frameworks, best practices and architecture.

The Axios supply chain attack used individually targeted social engineering - "they scheduled a meeting with me. the meeting was on teams. the meeting said something on my system was out of date. i installed the missing item as i presumed it was something to do with teams, and this was the RAT"
simonwillison.net
If you're running OpenClaw, you probably got hacked in the last week
CVE-2026-33579 is actively exploitable and hits hard.
What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.
Why this matters right now:
- Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
- 135k+ OpenClaw instances are publicly exposed
- 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
The attack is trivial:
- Connect to an unauthenticated OpenClaw instance → get pairing access (no credentials needed)
- Register a fake device asking for operator.admin scope
- Approve your own request with /pair approve [request-id]
- System grants admin because it never checks if you are authorized to grant admin
- You now control the entire instance — all data, all connected services, all credentials
Takes maybe 30 seconds once you know the gap exists.
What you need to do:
- Check your version: openclaw --version. If it's anything before 2026.3.28, stop what you're doing
- Upgrade (one command: npm install openclaw@2026.3.28)
- Run forensics if you've been running vulnerable versions:
  - List admin devices: openclaw devices list --format json and look for admins approved by pairing-only users
  - Check audit logs for /pair approve events in the last week
  - If registration and approval timestamps are seconds apart and approver isn't a known admin = you got hit
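The last forensic check above, as an added example that is not part of the original post or OpenClaw's own tooling: it flags admin devices whose approval followed registration within seconds and whose approver is not a known admin. The record field names (scope, registered_at, approved_at, approved_by), the 60-second threshold and the sample records are assumptions; map them to whatever openclaw devices list --format json actually returns.

```python
import json
from datetime import datetime, timedelta

# Constructed sample standing in for the device list; field names are hypothetical.
SAMPLE_DEVICES = json.loads("""
[
  {"id": "dev-a", "scope": "operator.admin", "registered_at": "2026-03-30T10:15:02Z",
   "approved_at": "2026-03-30T10:15:09Z", "approved_by": "pairing-7f3"},
  {"id": "dev-b", "scope": "operator.admin", "registered_at": "2026-03-12T08:00:00Z",
   "approved_at": "2026-03-12T09:30:00Z", "approved_by": "alice"},
  {"id": "dev-c", "scope": "operator.read", "registered_at": "2026-03-30T11:00:00Z",
   "approved_at": "2026-03-30T11:00:03Z", "approved_by": "pairing-9c1"},
  {"id": "dev-d", "scope": "operator.admin", "registered_at": "2026-03-29T22:41:10Z",
   "approved_at": null, "approved_by": null}
]
""")

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-30T10:15:02Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def suspicious_admins(devices, known_admins, max_gap=timedelta(seconds=60)):
    """Return ids of admin devices approved quickly by a non-admin approver."""
    hits = []
    for dev in devices:
        if dev.get("scope") != "operator.admin":
            continue  # only admin grants matter for this check
        if not dev.get("approved_at") or not dev.get("registered_at"):
            continue  # never approved: not an admin yet, nothing to flag
        gap = parse_ts(dev["approved_at"]) - parse_ts(dev["registered_at"])
        fast = timedelta(0) <= gap <= max_gap
        if fast and dev.get("approved_by") not in known_admins:
            hits.append(dev["id"])
    return hits

if __name__ == "__main__":
    for dev_id in suspicious_admins(SAMPLE_DEVICES, known_admins={"alice", "bob"}):
        print("review and revoke:", dev_id)
```

Anything it flags still needs to be matched against the audit log before revoking, since a slow approval by a pairing-only user would pass the timing test.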

Adobe wrote to my hosts file. I’ve never had an app do this before

Someone is actively publishing malicious packages targeting the Strapi plugin ecosystem right now
strapi-plugin-events dropped on npm today. Three files. Looks like a legitimate community Strapi plugin - version 3.6.8, named to blend in with real plugins like strapi-plugin-comments and strapi-plugin-upload.
On npm install it runs an 11-phase attack with zero user interaction:
- Steals all .env files, JWT secrets, database credentials
- Dumps Redis keys, Docker and Kubernetes secrets, private keys
- Opens a 5-minute live C2 session for arbitrary shell command execution
The publisher account kekylf12 on npm is actively pushing multiple malicious packages right now, all targeting the Strapi ecosystem.
Check the account: npmjs.com/~kekylf12
If you work with Strapi or have any community plugins installed that aren't scoped under strapi/ - audit your dependencies now. Legitimate Strapi plugins are always scoped. Anything unscoped claiming to be a Strapi plugin is a red flag.
Full technical breakdown with IoCs is in the blog.

Adobe has faced an alleged data breach via 3rd party Indian BPO leading to 13M support tickets and 15,000 employee data leak
A suspected major data breach at Adobe, allegedly by a hacker called “Mr. Raccoon,” may have exposed millions of records via a third-party Indian BPO. Reports claim up to 13 million support tickets, 15,000 employee records, and HackerOne submissions were accessed. Adobe hasn’t confirmed the breach, but shared evidence suggests serious gaps in access control and vendor security.
Sveltekit is Awesome!
I recently switched from Node/Express, Alpine, and Handlebars to SvelteKit and I have to say, it has been a game changer.
No more manually creating routes, wiring everything together, or dealing with middleware. SvelteKit’s file-based routing, built-in data loading, and reactive UI make building full-stack apps much smoother.
If you are coming from a traditional Node/Express setup, I highly recommend giving it a try.

7 hidden tech-debts of agentic engineering
I see so many cool demos of agents writing code, deploying stuff, resolving incidents. Every week there's a new one that looks incredible.
Then I talk to the eng orgs actually trying to do this at scale and it's a completely different story. The AI part works fine. What breaks is everything around it.
I wrote up 7 specific debts I keep seeing that block orgs from going beyond the demo phase.
Disclaimer: I'm the CEO of port.io so take that into account. This comes from my newsletter and what I see talking to eng teams every week.
testing is the only role where doing your job well means everyone else looks bad
I built a testing company and the irony is I still feel this every single day, when we catch something critical before it ships the first reaction is rarely thank you it's more like why didn't we know about this earlier as if finding the problem isn't the whole point.
started this because I genuinely believed quality was something teams wanted to invest in, and they do, but only after something breaks in production, the appetite for testing is always highest the week after a bad release and then slowly fades until the next one.
maybe that's just human nature but it's a strange thing to build a company around, the thing everyone agrees is important but nobody prioritizes until it's too late.

A site that lets you browse how 1000+ real apps design their App Store screenshots and generate yours in the same style
appscreenmagic.com

A browser-accessible tmux setup that surfaces terminals waiting on input instead of making me hunt for them
I keep ending up with a pile of long-running terminal sessions: deploys, log tails, migrations, and lately a bunch of Claude Code runs. The annoying part isn’t starting them, it’s figuring out which tab/session actually needs me.
This was useful because it treats terminals as persistent sessions and adds a simple “needs action” layer on top, so the ones blocked on input/approval float up instead of getting lost in the pile. Under the hood it’s basically ttyd + tmux, but wrapped in a way that makes reopening from a browser/desktop/phone less janky than my usual setup.
A couple things I liked:
- sessions survive browser closes and reconnects cleanly
- grid view is handy when you want to watch multiple jobs at once
- descriptions are auto-generated, which is nicer than trying to remember what dev-7 was doing
- sharing a session for pair debugging is less painful than screen sharing a terminal
Mostly posting because this feels relevant to the “too many terminals, not enough attention” problem.
This software's code is partially AI-generated.

Using CEL's now() to enforce dependency cooldown periods - block packages published in the last N hours
Supply chain attacks often rely on speed: that is, publish a malicious version, let automated builds pull it before detection catches up.
One defense is a cooldown period: refuse any dependency published within the last N hours.
CEL (Common Expression Language) doesn't expose now() by default since it's designed to be hermetic. This article actually walks through registering a custom now() function binding that returns the current UTC timestamp, using duration arithmetic to compare against package_published_at, and using the has() macro to handle packages so new they haven't been indexed yet - which is the edge case that will bite you if you miss it.
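The cooldown rule described above, written out in Python rather than CEL as an added example (not code from the linked article): the clock is passed in the way a custom now() binding would supply it, and a missing publish timestamp is denied, mirroring the has() guard. The function names, the dict shape, the 72-hour default and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone

def allow_dependency(pkg, now, cooldown=timedelta(hours=72)):
    """Return (allowed, reason) for one resolved dependency.

    pkg is a dict with name, version and, when the index has it,
    package_published_at as an ISO-8601 UTC string (hypothetical shape).
    now is passed in so the decision is reproducible in tests.
    """
    published = pkg.get("package_published_at")
    if not published:
        # Equivalent of the has() guard: no timestamp yet means the release
        # is too new to be indexed, so fail closed instead of erroring out.
        return False, "no publish timestamp (not indexed yet)"
    published_at = datetime.fromisoformat(published.replace("Z", "+00:00"))
    age = now - published_at
    if age < timedelta(0):
        return False, "publish timestamp is in the future"
    if age < cooldown:
        return False, f"published {age} ago, {cooldown - age} of cooldown left"
    return True, "older than cooldown"

# Constructed lockfile entries, not real packages.
SAMPLE = [
    {"name": "left-widget", "version": "2.1.0",
     "package_published_at": "2026-01-10T09:00:00Z"},
    {"name": "left-widget", "version": "2.1.1",
     "package_published_at": "2026-04-01T06:30:00Z"},
    {"name": "fresh-lib", "version": "0.0.1"},
]

def blocked(packages, now, cooldown=timedelta(hours=72)):
    """List name@version for every dependency the policy refuses."""
    return [f"{p['name']}@{p['version']}" for p in packages
            if not allow_dependency(p, now, cooldown)[0]]

if __name__ == "__main__":
    fixed_now = datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc)
    for p in SAMPLE:
        print(p["name"], p["version"], allow_dependency(p, fixed_now))
```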

I made an AI tool that generates App Store screenshots by copying the style of real apps
You pick an app on the store whose screenshots you like (Spotify, Nike, Headspace, whatever), upload your own screenshots, and it generates yours in the same style. Backgrounds, text, device frames, everything.
Built it because I was tired of spending hours in Figma every time I updated my app. 16 people have paid for it so far.
appscreenmagic.com?utm_source=reddit&utm_medium=post&utm_campaign=imadethis

Advice please
Context - I manage a cybersecurity team for a financial services firm. One of the areas I'm responsible for is building the data loss prevention policies, which requires testing for email and web content inspection. Historically we've used 3rd party sites to upload test files and send emails to, failed uploads aligned with system entries validate successful blocks etc. All relatively straightforward however I would like to build our own site for such uploads.
I have a CS background though that was nearly 20 years ago and web development was never really my jam though I expect things have moved on significantly since then, React wasn't a thing the last time I messed around with web dev. In short, I don't know what I don't know, so just looking for a steer in the right direction and I'm happy to do the heavy lifting.
The basic functionality would be accepting file uploads and text through form entry, log the attempt and immediately delete the content. I'll wrap the usual security around it, authentication, input sanitization, file size restrictions and so on. I'd also like to host an SMTP server that would log emails sent to a particular address - source, subject, timestamp then delete the content.
Since this is more a tool to solve other problems I'm ideally not looking to reinvent the wheel or create anything groundbreaking, nor am I going to change careers anytime soon just looking for advice on the simplest way to tackle the problem. I've had some success with Claude building the site and wrapping it into a Docker container but then that would need hosting somewhere that's accessible from the corporate network and definitely not my home, and all the challenges that come with that.
Are there any out-the-box type hosting companies that would work with some tweaking, or am I better off running a linux VM on a Digital Ocean droplet and manage the lot through Docker/Podman/Kubernetes etc?
<Generic 'I built this to do some problem that doesn't actually exist' >
<Totally not AI generated problem statement that actually just exposes that OP has 0 clue about how anything works>
<Github link 80% of the time. Usually created 1 or 2 days ago. Completely out of whack when compared to OP's other public repo code which are usually named ~"python||typescript testing". Only shows OP as contributor cause they make the repo with AI first then delete and copy/paste/push >
<Generic asking for feedback section and statement that there is a paid version but you don't need to use it at first>
All credit to /u/Arucious for this one lmao