cuppa

brewed 03:14 AM
← May 07

Friday

may08

2026

May 09 →

the brief

Agents leveled up on multiple fronts: OpenAI pushed GPT‑Realtime‑2 for live voice reasoning and expanded trusted access to GPT‑5.5‑Cyber, while Google released Gemini 3.1 Flash‑Lite for high‑volume workflows. AWS’s Bedrock AgentCore added payments and Cursor shipped recursive orchestration, as DeepSeek’s new Metal engine hit local inference. Ship fast, but patch faster—Next.js/RSC advisories and a universal Linux LPE demand immediate upgrades.

the poursit · sip · 13 items

alerts

(03)
  • vercel/news· feedMay 7, 01:00 PM

    Next.js ships critical security patches

    A coordinated May release fixes 13 advisories across DoS, middleware/proxy bypass, SSRF, cache poisoning, XSS, and an RSC CVE—teams should upgrade immediately.

    Next.js May 2026 security release — Summary We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as . CVE-2026-23870 Patched versions are available for both React and Next.js, and all should upgrade immediately.affected users The release addresses the follow...

    signal 9hype 1security_releasenextjsreactsource ↗
  • @CloudflareDevMay 7, 07:16 PM

    Cloudflare warns on Next.js, RSC vulns

    Multiple vulnerabilities in React Server Components and Next.js were disclosed; Cloudflare WAF mitigates the DoS vectors, but affected apps still need urgent updates.

    Multiple security vulnerabilities affecting React Server Components and Next.js have been disclosed. We strongly recommend updating your applications immediately. Cloudflare WAF managed rules already mitigate the disclosed denial-of-service vulnerabilities, and we are

    signal 9hype 2security_vulnerabilitynext_jsreact_server_componentssource ↗
  • hn/frontpage· feedMay 7, 07:21 PM

    Dirtyfrag Linux local root disclosed

    A new universal Linux privilege‑escalation technique landed on oss‑security; admins should prioritize distro patches and hardening for multi‑tenant and shared hosts.

    Dirtyfrag: Universal Linux LPE — Article URL: https://www.openwall.com/lists/oss-security/2026/05/07/8 Comments URL: https://news.ycombinator.com/item?id=48053623 Points: 454 # Comments: 198

    signal 9hype 1security_vulnerabilitylinux_kernelprivilege_escalationsource ↗

pulse

(08)
  • @OpenAIMay 7, 05:19 PM

    OpenAI launches GPT Realtime 2 API

    OpenAI’s newest voice model brings GPT‑5‑class reasoning to streaming conversations, enabling agents that can listen, think, and act in real time via the API.

    Introducing GPT-Realtime-2 in the API: our most intelligent voice model yet, bringing GPT-5-class reasoning to voice agents. Voice agents are now real-time collaborators that can listen, reason, and solve complex problems as conversations unfold. Now available in the API pic.x.com/2DY1LU2vO8

  • openai/blog· feedMay 7, 01:00 PM

    OpenAI expands Trusted Access for Cyber

    Verified defenders get GPT‑5.5 and GPT‑5.5‑Cyber to accelerate vulnerability research and protect critical infrastructure, extending gated access that balances capability with safety controls.

    Scaling Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber — OpenAI expands Trusted Access for Cyber with GPT-5.5 and GPT-5.5-Cyber, helping verified defenders accelerate vulnerability research and protect critical infrastructure.

    signal 8hype 1model_releasesecuritycyber_defensesource ↗
  • @GoogleAIStudioMay 7, 06:21 PM

    Gemini 3.1 Flash-Lite debuts

    Google’s most cost‑efficient Gemini targets high‑volume agentic tasks, translation, and simple data processing—useful for scaling low‑latency, low‑cost automations.

    gemini 3.1 flash-lite is here it's our most cost-efficient model, optimized for high-volume agentic tasks, translation, and simple data processing pic.x.com/QhaTNoLcgu

    signal 7hype 2model_releasegoogle_geminicost_efficiencysource ↗
  • @cursor_aiMay 7, 04:58 PM

    Cursor ships recursive agent orchestrator

    The new /orchestrate skill spawns agents via the Cursor SDK; internally it cut token use 20%, improved evals, and reduced backend cold‑start times by 80%.

    Introducing /orchestrate, a skill that recursively spawns agents to tackle your most ambitious tasks with the Cursor SDK. We’ve used it to: - Autoresearch our internal skills, cutting token use by 20% while improving evals - Cut cold start times on our internal backend by 80% pic.x.com/8Hm8S9J5pg

    signal 7hype 2agent_frameworksdkproduct_featuresource ↗
  • aws/whatsnew· feedMay 7, 12:00 PM

    Bedrock AgentCore adds payments preview

    AWS now lets agents autonomously pay for APIs, MCP servers, web content, and other agents—built with Coinbase and Stripe—handling wallet auth and transactions end‑to‑end.

    Agents that transact: Amazon Bedrock AgentCore now includes Payments (preview) — Today, Amazon Bedrock AgentCore announces the preview of AgentCore payments, enabling AI agents to autonomously access and pay for APIs, MCP servers, web content, and other agents. Built in partnership with Coinbase and Stripe, AgentCore payments is the first managed payment capabilities purpose-built for autonomous agents, handling the full payment lifecycle from wallet authentication through transaction executi...

  • hn/frontpage· feedMay 7, 03:40 PM

    DeepSeek 4 Flash Metal engine

    Antirez’s ds4 brings a local inference engine optimized for Apple Metal, pushing faster on‑device generation for Mac users with an open‑source stack.

    DeepSeek 4 Flash local inference engine for Metal — Article URL: https://github.com/antirez/ds4 Comments URL: https://news.ycombinator.com/item?id=48050751 Points: 307 # Comments: 89

    signal 9hype 1github_repoinference_enginemetalsource ↗
  • @ElevenLabsMay 7, 02:00 PM

    ElevenLabs cuts speech and agent pricing

    Self‑serve developers get up to 55% lower TTS, 45% lower STT, and 20% lower Agents costs with pay‑as‑you‑go—useful for tightening voice app unit economics.

    We’ve cut ElevenAPI and ElevenAgents pricing for self-serve developers. From today, prices are lower and you can pay as you go: - Text to Speech is now up to 55% lower cost - Speech to Text is now up to 45% lower cost - Agents is now up to 20% lower cost Performance, quality, pic.x.com/yCJnz9mObP

  • @gdbMay 8, 02:56 AM

    GPT-5.5-Cyber enters limited preview

    OpenAI is granting vetted defenders access to a specialized GPT‑5.5 variant focused on securing critical infrastructure, signaling tighter alignment of frontier models with cyber defense.

    GPT-5.5-Cyber is now in limited preview for defenders for securing critical infrastructure. It's a very capable model. x.com/fouadmatin/sta…

    signal 7hype 3model_releaseopenaisecuritysource ↗

findings

(01)
  • @AnthropicAIMay 7, 05:08 PM

    Translating Claude activations to text

    Anthropic’s Natural Language Autoencoders map internal activations to human‑readable text, advancing interpretability and offering a new window into model “thoughts.”

    New Anthropic research: Natural Language Autoencoders. Models like Claude talk in words but think in numbers. The numbers—called activations—encode Claude’s thoughts, but not in a language we can read. Here, we train Claude to translate its activations into human-readable text. pic.x.com/pMLsxM2VAO

    signal 8hype 1interpretabilityresearchpapersource ↗

voices

(01)