may 23, 2026
4 links from the engineering internet.
laravel-lang supply chain attack: 700+ composer versions poisoned with rce
socket research found github tag manipulation backdooring 700+ laravel-lang composer versions with a php credential stealer. it autoloads via composer and exfiltrates cloud tokens, kubernetes secrets, ssh keys, ci/cd credentials, and .env files without authentication.
drupal sql injection cve-2026-9082 in active exploitation, added to cisa kev
cisa added drupal's unauthenticated postgresql sql injection flaw to its known exploited vulnerabilities catalog. imperva tracked over 15,000 attacks targeting nearly 6,000 sites. federal agencies have until may 27 to patch.
llama.cpp build b9294 adds opencl adreno moe kernel support
rolling build b9294 generalizes mixture-of-experts opencl kernels for adreno gpus on snapdragon and apple m-series. ships prebuilt binaries for 30 platforms including cuda, rocm, vulkan, and metal backends.
opencode v1.15.10 fixes broken production desktop session flows
hotfix restoring the desktop flows for opening projects and starting sessions that regressed in the v1.15.9 ui redesign. opencode is anomalyco's open-source coding agent.