Everything is pwn'd now
Theo - t3.gg·Tech

TL;DR

AI has collapsed the timeline from vulnerability discovery to exploit, breaking the foundational assumptions of software security and making everything effectively compromised.

Key Points

  • 1. CopyFail is a critical Linux kernel exploit affecting nearly every major distro. It requires only 732 bytes of Python to escalate to root by sliding a memory window to access unauthorized memory; it spawned follow-on exploits CopyFail 2 and Dirty Frag built on the same core flaw.
  • 2. The three foundational truths of software security have all collapsed. Only experts could find exploits (now AI can), the 90-day disclosure window was sufficient (no longer), and going from patch to exploit was hard (AI closes that gap instantly).
  • 3. AI can identify security patches from raw commit diffs in seconds. When the CopyFail fix was handed to Gemini 3.1 Pro, GPT o3 Thinking, and Claude Opus 4.7, all three correctly identified it as a security patch just from the diff, enabling automated exploit bots.
  • 4. Two researchers independently found the same critical Linux vulnerability just 9 hours apart. This unprecedented overlap demonstrates how AI-assisted scanning has made the 90-day embargo model functionally obsolete.
  • 5. 84 TanStack npm packages were compromised via a niche CI caching exploit. The attacker filed a malicious PR that leveraged cached tokens to push to npm without needing direct token access; Socket later found 121 total compromised packages across 84 names.
  • 6. Linux distribution maintainers are not included in kernel security disclosures. Ubuntu, Arch, Red Hat, and others only learn of vulnerabilities when they go public — the same moment as attackers — giving hackers a speed advantage over patching pipelines.
  • 7. A new 'trusted actors' tier between maintainers and the public is urgently needed. This middle layer would verify companies like Microsoft to receive early disclosure, allow staged private branches on platforms like GitHub, and let distribution maintainers ship patches before public announcement.
  • 8. Personal defense now means assuming all systems are already compromised. Recommended steps include offline air-gapped backups (e.g. a second Synology), family education on deepfake voice calls and SIM swaps, safe words to verify identity, and cautious package update hygiene — waiting on dot releases but staying current on OS patches.
