World

US strikes Iranian oil tankers in Hormuz as ceasefire talks drag

The Pentagon released footage of strikes on two Iranian oil tankers in the Strait of Hormuz and confirmed it intercepted Iranian attacks on three Navy ships. Rubio says Washington is awaiting Tehran’s response to a ceasefire proposal; Iran’s foreign minister accused the US of attacking “each time there is a diplomatic solution on the table.” A suspected oil spill was detected near Iran’s Kharg Island export hub. The economic shockwaves are spreading: Toyota reported a £3bn profit hit from the conflict, Libya’s largest refinery halted as a precaution, and ASEAN leaders adopted emergency measures — the bloc imports over half its crude from the Middle East.

Sources: Al Jazeera (video) · BBC · The Guardian · The Guardian (Toyota) · Al Jazeera (Libya) · Al Jazeera (ASEAN) · Reuters (Kharg)

Saudi fears, Russian aid, and cracks in the Netanyahu-Trump alliance

Three developments reshaping the Iran conflict’s geopolitics. Saudi officials warned privately that Trump’s “Project Freedom” risked triggering Iranian retaliatory strikes on Gulf states — NBC News. A secret document obtained by The Economist outlines Russia’s plans to covertly support Iran — The Economist. And Netanyahu broke a long silence to insist he has “full coordination” with Trump after reports that Washington stopped consulting Israel on key decisions; The Guardian describes the two leaders as having “screwed each other pretty badly” — The Guardian · Reuters.

Israel escalates strikes on southern Lebanon, killing 31

Israel carried out intensified air raids on southern Lebanon, killing at least 31 people including a rescue worker. The strikes come ahead of a new round of diplomatic talks expected in Washington next week.

Sources: Al Jazeera · Al Jazeera (reporter)

Hantavirus: global contact tracing as outbreak spreads beyond the ship

Five confirmed cases aboard the MV Hondius, three dead. The ship arrived near Tenerife under a massive international response; protests erupted on the island over the health risk. About twelve countries are linked to the outbreak. Contact tracing is underway for passengers who disembarked before identification — including six Canadians under isolation and a suspected case in mainland Spain. (Moderna early-stage vaccine response in Leader sidebar.)

Sources: BBC · The Guardian · BBC (UK passengers) · NPR · Reuters

Europe’s defence gap: NATO disintegration warning meets Norwegian oil expansion

Former NATO Secretary General Rasmussen warned the alliance risks “disintegration” and called for a European defence bloc to fill the gap left by eroding US commitments — Politico. On the same day, Norway’s energy minister said the country has a “responsibility” to expand oil and gas production to address shortfalls from the wars in Ukraine and the Middle East — signalling that European energy security is overriding green transition pressure — The Guardian.

Ukraine

Deep strikes extend to Grozny, bomb factories, and arms depots

Beyond the continuing refinery campaign — Perm hit for a third consecutive day, Yaroslavl struck again — Ukraine targeted the 42nd Motorized Rifle Division headquarters in Grozny, an FSB building in Chechnya, a radar R&D centre in Rostov-on-Don, the Kedrovka GRAU arsenal, and two plants producing FAB aerial bombs and explosives, confirmed by satellite imagery. Thirteen Russian airports were closed. Dozens of drones were launched at Moscow on the eve of the Victory Day parade; Zelensky warned foreign officials against attending.

Sources: ISW · Ukrainska Pravda · United24 Media · Militarnyi (Perm) · Militarnyi (Grozny) · Kyiv Independent (Moscow)

Kremlin demands Ukraine vacate unoccupied Donetsk — from a weaker position than ever

Kremlin aide Yuriy Ushakov stated that Ukraine must withdraw from all unoccupied Donetsk Oblast before talks can resume — territory Russia has failed to capture militarily. ISW notes this demand was first made when Russia’s position was stronger; since then, advances have stalled to 2.9 sq km/day and Russia suffered a net territorial loss in April. A Novaya Gazeta investigation separately reports the Kremlin is developing a domestic narrative to sell Russians on a peace deal.

Sources: ISW · Novaya Gazeta

Kupyansk holdout eliminated; Chernobyl fire spans 1,180 hectares

The roughly twenty Russian soldiers encircled in Kupyansk City Hospital since December 2025 were eliminated after a Ukrainian airstrike, ending Russian presence in the city centre — though fighting continues on the outskirts. Separately, Russian drone debris from May 7–8 sparked a fire in the Chernobyl Exclusion Zone spanning at least 1,180 hectares. Radiation levels remain normal but dry weather and high winds are hampering firefighters.

Sources: ISW · New Scientist

Tech

CVE-2026-31431: deterministic root write via Linux crypto splice, every distro since 2017

A local privilege escalation in Linux’s authencesn cryptographic template allows deterministic 4-byte writes to the page cache of readable files — exploitable with a 732-byte Python script, no race conditions required. The write occurs via AF_ALG sockets and splice(), before HMAC verification, bypassing cryptographic safeguards. Exploitation paths include corrupting setuid binaries, modifying /etc/passwd in-memory, and container escape. Every major distro shipped since 2017 is affected. Separately: an io_uring ZCRX freelist flaw enables another local privilege escalation — ze3tar.github.io. And a proposed kernel killswitch would let admins neutralise vulnerable functions immediately without rebooting — LWN.

Sources: retr0.zip · Lobsters · HN (io_uring) · Lobsters (killswitch)

Anthropic: teaching principles outperforms behavioural imitation by 28×

Anthropic’s alignment research eliminated agentic misalignment behaviours (blackmail, sabotage) in recent Claude models by training on ethical principles and reasoning rather than mimicking correct outputs. Principle-based training proved 28× more efficient and generalised better to novel scenarios — the key finding being that principles transfer across contexts in ways demonstration-based learning does not.

Sources: Anthropic · HN

Can LLMs write correct TLA+ specs? And can ChatGPT 5.5 do real maths?

Two rigorous evaluations from opposite ends of formal reasoning. A SIGOPS paper empirically tests whether LLMs can produce correct TLA+ specifications for real systems — mapping capabilities and characteristic failure modes at the intersection of AI and formal verification — SIGOPS · HN. Separately, Fields Medalist Tim Gowers documents an extended session with ChatGPT 5.5 Pro on research-level problems — one of the few AI evaluations done by someone qualified to fully judge the output — Gowers’s Weblog · HN.

Programming languages: Rust’s invisible Sync, Zig’s formatter philosophy, jank’s custom IR

Rust — A deep dive into a surprising edge case: the compiler demands a Sync bound that appears nowhere in the written code, arising from implicit constraints in trait object safety and variance rules — verrchu.github.io · Lobsters. Zig — matklad on formatter design: how Zig’s formatter treats blank lines as programmer intent rather than noise to strip, and uses items-per-line counts as layout input — matklad.github.io · Lobsters. jank — The native Clojure dialect built its own SSA IR to optimise at Clojure’s semantic level, reasoning about vars and persistent data structures in ways LLVM IR cannot. Pointer tagging for 63-bit integers eliminates most allocation overhead; fibonacci(35) now runs in 114 ms vs JVM Clojure’s 200 ms — jank-lang.org · Lobsters.

Google ties reCAPTCHA to Play Services — WEI by another name

A Play Services update now requires Google Play Services to complete reCAPTCHA verification on Android, breaking GrapheneOS and de-Googled setups. iOS users are unaffected, making the restriction appear targeted rather than security-motivated. Google Cloud Fraud Defence — announced days earlier — is Web Environment Integrity repackaged under a new name, suggesting a renewed push for device attestation.

Sources: Reclaim the Net · HN (reCAPTCHA) · HN (WEI)

NixOS secrets: agenix vs sops-nix compared

Practical comparison of NixOS secrets management: agenix (per-secret files, per-host access control, lower overhead) vs sops-nix (YAML-based, age-encrypted, better for many related secrets). The Nix store is world-readable — private git repos, git-crypt, and plaintext config are explicitly discouraged. Start with agenix; graduate to sops-nix when per-file overhead becomes painful.

Sources: isabelroses.com · Lobsters