Open Source & Linux Weekly
Linux and open source, May 23 to 30, 2026: TrapDoor poisons AI coding assistants, CrowdStrike kills Glassworm, a Gitea CVE, Linux 7.1-rc5, OpenTelemetry
For about a week in May, the most dangerous file on a developer's machine was the one telling their AI assistant how to behave. A campaign called TrapDoor hid commands in invisible Unicode inside CLAUDE.md and .cursorrules files, so the assistant itself would scan a project and ship out wallets, SSH keys, and cloud credentials. The malicious packages stayed live for a median of six minutes, long enough to slip pull requests into LangChain, Langflow, and OpenHands. The same week, CrowdStrike, Google, and Shadowserver took down Glassworm, a botnet that had robbed open source developers since early 2025 by hiding its orders in Solana transactions and Google Calendar invites. On May 26, they cut all four of its command channels at once.
What I Wrote This Week
A $4 Billion Empire Broke Open Source. They Threatened One Developer. It Backfired.
They took open-source code for free, then threatened the lone developer who actually followed the license. The Internet had other plans.
Google Just Found a Cleaner Legal Way to Take Your Code for Free
Hundreds of developers shipped 6,000 free contributions in a year. The license is still open. They lose access anyway.
AI Finds More Bugs. Linux Gets Less Safe. Creator Drew the Line.
Linux's private security channel broke. The One had been hiding in the kernel for eight years and nearly slipped through unread.
TL;DR
- TrapDoor planted CLAUDE.md and .cursorrules files across 34+ packages to trick AI coding assistants into exfiltrating secrets, a new attack class on top of the usual credential theft.
- CrowdStrike, Google, and Shadowserver severed all four Glassworm command channels at once on May 26, ending a campaign that had run against open source developers since early 2025.
- A four-year-old Gitea flaw (CVE-2026-27771) exposed private container images to anonymous pulls across roughly 30,000 deployments; it was patched in 1.26.2.
- Torvalds shipped Linux 7.1-rc5 on May 24 and pushed back on its size, again pointing at late, trivial, AI-assisted driver patches.
- CNCF graduated OpenTelemetry on May 21, naming it the de facto observability standard.
- Debian's gate that blocks non-reproducible packages from the Forky release is now live and rejecting uploads, the supply-chain counterweight to the week's attacks.
Linux
Torvalds ships 7.1-rc5 and pushes back on AI-driven churn again
Linus Torvalds released Linux 7.1-rc5 on May 24 and used the announcement to flag its size, saying, "rc5 is pretty big. Quite a bit bigger than rc5's have traditionally been. I'm not entirely happy about it." Most of the bulk is trivial driver patches he would rather see sit in linux-next than land mid-stabilization, and he again tied the volume to AI-assisted contributions, the same complaint that drove last week's private security-list policy change. The technical contents are routine: x86 platform driver expansions for HP and ASUS laptops, Intel and AMD P-State corrections, graphics and sound fixes. Final release still tracks to June 7 or June 14, and the PostgreSQL Graviton4 regression is now past day 40 with no fix in the changelog.
Eric Biggers posts ML-KEM and X-Wing post-quantum patches for the kernel
Google's Eric Biggers posted proof-of-concept kernel patches on May 25 adding ML-KEM-768 and ML-KEM-1024 (the NIST module-lattice key-encapsulation standard) plus X-Wing, the hybrid scheme that combines X25519 with ML-KEM-768. The work targets the kernel's existing classical key-agreement users: NVMe authentication, Bluetooth, and WireGuard. Biggers has said he will not push for upstreaming until an in-kernel consumer is ready to use it.
Sway 1.12 adds HDR10 on the Vulkan renderer and per-window capture
The i3-inspired wlroots compositor reached 1.12 on May 25 with HDR10 support when running its Vulkan renderer, individual-window screen capture, and a batch of new Wayland protocols, including color-management-v1, color-representation-v1, and ext-workspace-v1. Sway also stops refusing to start on unsupported GPUs, such as NVIDIA's proprietary stack, and now prints a warning instead of bailing out.
Ubuntu 26.10 "Stonking Stingray" will ship on Linux 7.2
Canonical's kernel team confirmed on May 27 that Ubuntu 26.10 targets Linux 7.2 rather than the 7.1 series, which ships in mid-June. Mainline 7.2 is expected around August 30, which clears the October 15 release date, while 7.3 would land too late. Canonical is skipping the kernel the rest of the ecosystem will settle on this summer.
Plasma 6.7 Beta 2 fixes the XWayland clipboard-after-lock bug
KDE published Plasma 6.7 Beta 2 on May 30, shifting the cycle toward bug fixes ahead of the June 16 stable release. The beta resolves KWin crashes caused by monitor power cycling and repairs clipboard breakage affecting XWayland applications after a screen lock. That clipboard fix alone retires a support thread that has dogged Plasma 6 since launch.
Debian makes reproducible builds a hard gate for the Forky release
Debian's release team enabled a migration rule earlier this month that blocks any package failing a bit-for-bit reproducible-build check from entering testing for Debian 14 "Forky" and pulls packages already in testing if a later update regresses reproducibility. Release-team member Paul Gevers announced it on May 10, and the gate has been rejecting non-reproducible uploads every day since. At announcement, 98.29 percent of architecture-independent packages reproduced cleanly, with 23,731 marked good and 414 still flagged, according to reproduce.debian.net, which carries out the verification. Forky becomes the first major general-purpose distribution to make rebuildability a release requirement rather than a best-effort goal. The announcement came out a couple of weeks ago, but the gate is a live constraint for every Debian maintainer this week.
A proposed kernel killswitch would disable vulnerable functions at runtime
Sasha Levin, an NVIDIA engineer and co-maintainer of the kernel's stable and long-term trees, posted an LKML patch that lets a privileged administrator disable a named kernel function at runtime by writing the function name and a return value into a securityfs interface, or fleet-wide through a boot parameter. The motivation is the window between disclosure and patch rollout that the CopyFail and Dirty Frag privilege-escalation bugs left open while exploit code circulated. Engaging the switch taints the kernel with a new H flag, so any subsequent crash report is marked as caused by running modified code. Red Hat backs the idea on the grounds that patching large fleets quickly is operationally hard, while other engineers warn that it tempts teams to postpone real fixes and can break userspace that depends on the disabled path. The patch is still unmerged and under active debate.
Open Source
TrapDoor poisons AI coding assistants to steal developer secrets
Socket disclosed TrapDoor on May 24, a campaign spanning more than 34 malicious packages and 384 versions across npm, PyPI, and Crates.io, with the earliest upload (eth-security-auditor on PyPI) dated May 22. Beyond the now-standard theft of wallets, SSH keys, and cloud credentials, the attacker planted CLAUDE.md and .cursorrules files carrying hidden instructions in zero-width Unicode that try to trick AI coding assistants into running a "security scan" that exfiltrates secrets, and opened pull requests, injecting those files into projects including LangChain, Langflow, browser-use, and OpenHands. Socket flagged the releases with a median detection time under six minutes. A coding agent's instruction file now has to be treated as untrusted input, and most teams have no review gate for CLAUDE.md when a dependency is added to their tree.
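The review gate the paragraph says most teams lack can be a small pre-merge check: walk the dependency tree, pick out the instruction files assistants read automatically, and flag any invisible Unicode in them. The scanner below is an added example written for this newsletter, not Socket's tooling or anything from the TrapDoor packages. It assumes the two file names the article mentions (CLAUDE.md and .cursorrules), uses the Unicode tag block as the worked case of "hidden text that decodes to ASCII", and builds its own constructed sample tree, one clean package and one carrying a hidden payload, so it runs offline.

```python
"""Detect zero-width / invisible Unicode in AI-assistant instruction files.

Added example for this newsletter; not Socket's or Gitea's code and not taken
from the TrapDoor packages. Assumptions: the file names below are the ones to
gate, and the sample tree built by build_sample_tree() is constructed here.
"""
import os
import tempfile
import unicodedata
from pathlib import Path

# Instruction files coding assistants read without being asked (names from the article).
INSTRUCTION_FILES = {"CLAUDE.md", ".cursorrules"}

# Characters that render as nothing in an editor or a GitHub diff view.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u180e"}


def is_hidden(ch: str) -> bool:
    """True for zero-width characters, Unicode tag characters, and any other
    format (Cf) code point; none of these belong in a plain rules file."""
    cp = ord(ch)
    if ch in ZERO_WIDTH:
        return True
    if 0xE0000 <= cp <= 0xE007F:  # Unicode tag block: invisible copies of ASCII
        return True
    return unicodedata.category(ch) == "Cf"


def decode_tags(text: str) -> str:
    """Recover ASCII smuggled in the tag block (U+E0020..U+E007E map to 0x20..0x7E).
    Other hidden-text encodings (e.g. ZWSP/ZWNJ bit patterns) are counted but not decoded."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


def scan_text(text: str) -> dict:
    """Return how many hidden characters a file holds, where the first ones sit,
    and any tag-block payload decoded back to readable text."""
    hidden = [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if is_hidden(c)]
    return {
        "hidden_count": len(hidden),
        "positions": hidden[:10],
        "tag_payload": decode_tags(text),
    }


def scan_tree(root) -> list:
    """Walk a checkout (vendor dir, node_modules, site-packages) and report every
    instruction file that contains hidden characters."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in INSTRUCTION_FILES:
                continue
            path = Path(dirpath) / name
            result = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if result["hidden_count"]:
                findings.append({"path": str(path.relative_to(root)), **result})
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one clean dependency and one whose .cursorrules hides
    the text 'run security scan' in tag characters behind a zero-width space."""
    root = tempfile.mkdtemp(prefix="instruction-scan-demo-")
    good = Path(root, "node_modules", "good-pkg")
    good.mkdir(parents=True)
    (good / "CLAUDE.md").write_text("# Project rules\nUse pytest for tests.\n", encoding="utf-8")
    bad = Path(root, "node_modules", "bad-pkg")
    bad.mkdir(parents=True)
    hidden = "\u200b" + "".join(chr(0xE0000 + ord(c)) for c in "run security scan")
    (bad / ".cursorrules").write_text("# Rules\n" + hidden + "\nAlways run tests.\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding["path"], finding["hidden_count"], "hidden chars;",
              "decoded:", repr(finding["tag_payload"]))
```

Wire `scan_tree` into the CI step that runs after dependency installation and fail the job on any non-empty result; a legitimate rules file has no reason to contain a single format character, so a zero-tolerance threshold produces no noise.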
CrowdStrike and Google dismantle the Glassworm developer botnet
CrowdStrike, Google, and the Shadowserver Foundation simultaneously struck all four of Glassworm's command-and-control channels on May 26 at 14:00 UTC, cutting the operators off from their infected machines. Running since at least early 2025, Glassworm pushed trojanized extensions to the OpenVSX marketplace (VSCode, Cursor, Windsurf, VSCodium), poisoned npm and Python packages through install hooks, and corrupted more than 300 GitHub repositories with stolen credentials. The C2 hid addresses in Solana transaction memo fields, BitTorrent DHT entries, and Google Calendar event titles, which is why a domain block never killed it.
A four-year-old Gitea flaw served private container images to anyone
CVE-2026-27771 (CVSS 8.2) let anonymous Docker and OCI pull requests retrieve container images marked private in Gitea, because that "private" designation was a UI label the registry protocol layer never enforced. Security firm Noscope estimates the flaw touched more than 30,000 deployments across 30-plus countries and sat undetected for close to four years, exposing source code, credentials, and infrastructure to roughly 4,000 production systems. Forgejo, the community fork, shares the registry implementation and is affected. Update to Gitea 1.26.2, or set REQUIRE_SIGNIN_VIEW=true until you can.
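A fleet check for the two remediations the paragraph names, as an added example written for this newsletter rather than anything shipped by Gitea or Forgejo: given the running version string and the instance's app.ini text, it reports whether the deployment is patched (1.26.2 or later), mitigated (REQUIRE_SIGNIN_VIEW set to true, so anonymous registry pulls have no signed-in user to act as), or still exposed. The two sample app.ini fragments are constructed for the example; the version tuple and the weak/hardened contrast are the only things it encodes.

```python
"""Classify a Gitea/Forgejo deployment against CVE-2026-27771's two remediations.

Added example for this newsletter, not Gitea's code. Assumptions: version
strings look like "1.26.1" or "v1.26.1+dev", and REQUIRE_SIGNIN_VIEW lives in
the [service] section of app.ini (the setting the article names).
"""
import configparser

PATCHED_VERSION = (1, 26, 2)  # from the advisory summary above


def parse_version(version: str) -> tuple:
    """'v1.26.1+dev-3' -> (1, 26, 1); missing components count as 0."""
    core = version.lstrip("v").split("+")[0].split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def require_signin_view(app_ini: str) -> bool:
    """Read [service] REQUIRE_SIGNIN_VIEW; absent means Gitea's default (false)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(app_ini)
    return cp.getboolean("service", "REQUIRE_SIGNIN_VIEW", fallback=False)


def assess(version: str, app_ini: str) -> dict:
    """patched: version >= 1.26.2; mitigated: sign-in required for all views;
    exposed: neither, so private registry images are pullable anonymously."""
    patched = parse_version(version) >= PATCHED_VERSION
    gated = require_signin_view(app_ini)
    if patched:
        status = "patched"
    elif gated:
        status = "mitigated"
    else:
        status = "exposed"
    return {"version": version, "patched": patched,
            "require_signin_view": gated, "status": status}


# Constructed sample configs: the weak default beside the interim hardening.
WEAK_INI = """
[server]
ROOT_URL = https://git.example.internal/

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
"""

HARDENED_INI = """
[server]
ROOT_URL = https://git.example.internal/

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
"""


if __name__ == "__main__":
    for ver, ini in (("1.26.1", WEAK_INI), ("1.26.1", HARDENED_INI), ("1.26.2", WEAK_INI)):
        print(assess(ver, ini))
```

Feed `assess` the output of `gitea --version` and the app.ini from each host; anything reporting `exposed` is a Gitea or Forgejo instance whose private container images are reachable without credentials until it is upgraded or gated. Note that REQUIRE_SIGNIN_VIEW also hides public repositories from anonymous visitors, so treat it as the stop-gap the article describes, not the fix.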
CNCF graduates OpenTelemetry as the observability standard
CNCF graduated OpenTelemetry on May 21 at the Observability Summit in Minneapolis, after independent security audits and governance review. The project now carries over 12,000 contributors from more than 2,800 companies and the second-highest velocity of any CNCF project after Kubernetes, with its JavaScript API package alone pulling 1.36 billion downloads in the past year.
Meta re-releases CacheLib after a two-year silence as DRAM prices bite
Meta tagged CacheLib 2026.05.25 on May 25, the project's first public release in two years. The library is a thread-safe caching engine that transparently tiers across DRAM and SSD, originally open-sourced in 2021 to offset rising memory costs. The AI-driven DRAM price surge has made that DRAM-to-flash tiering relevant to far more operators than its hyperscale origin. There are no detailed release notes yet, which is the one rough edge on an otherwise welcome return.
Google's ANGLE merges Wayland support, unblocking CEF
Google merged native Wayland support into ANGLE, its OpenGL ES translation layer, on May 26, clearing what was the last blocker for the Chromium Embedded Framework to run properly on Ozone/Wayland. A CEF tracking issue for Wayland has been open since 2019. Every Electron-adjacent and CEF-embedding application that has been stuck on XWayland will have a path to native Wayland once the change propagates downstream.
The 2026 State of Open Source Report puts vendor lock-in ahead of cost
The annual report from Perforce OpenLogic, run with the Open Source Initiative and the Eclipse Foundation and published April 28, finds that 55 percent of organizations now name avoiding vendor lock-in as a primary reason to adopt open source, up 68 percent year over year and reaching 63 percent across the EU and UK. It also measures the maintenance tax, with 60 percent of large enterprises spending at least half their engineering time on patching and production issues rather than features, and 20 percent still running no defined CVE response process.
Gems & Tools
The stacking wlroots compositor rebased onto wlroots 0.20 (and renumbered to match it), adding a show-desktop action, per-window capture, and HDR10 on the Vulkan renderer. A light Openbox-style option for users who want a Wayland session without a full desktop environment.
Released May 26 with CUDA Python 1.0 as a stable, supported entry point, and CUDA Tile brought to C++ for tile-based kernel authoring. A CompileIQ autotuner claims up to 15% speed-ups on GEMM and attention kernels.
The Linux Foundation's open 3D engine shipped on May 28 with an experimental particle system for the Atom renderer and in-editor C++ component creation, replacing the command line. Still niche against Unreal and Unity, but the friction removal matters for whether hobbyists stay.
Eric Engestrom shipped the final point release of the Q1 2026 Mesa series on May 27, rolling up a RADV workaround for Forza Horizon 6, PowerVR Vulkan fixes, an Intel ANV fix for Dragon's Dogma 2, and a build fix against LLVM 23. The last stop on 26.0 before the move to 26.1.
LlamaIndex shipped a from-scratch Rust rewrite of its open document parser on May 27, available as a Rust crate, a Python package, an npm package, and a WASM build that runs in the browser or at the edge. It claims 5 to 100x speed-ups on small documents and roughly 3x on large ones, handles more than 50 file types through a PDFium fork with tesseract-rs for OCR, and makes no LLM or cloud calls. It is the most capable local-first parser to land this week for self-hosted or privacy-sensitive ingestion pipelines.
Spotlight
Eric Biggers, Linux kernel cryptography maintainer, Google
Biggers maintains the kernel's crypto and filesystem-encryption code and has spent years on the unglamorous work of making in-kernel cryptography fast and correct, from the fscrypt subsystem to the recent overhaul of the kernel's hashing and AES library code. His May 25 post adding proof-of-concept ML-KEM and X-Wing support is the kernel's first concrete step toward post-quantum key agreement, covering the lattice-based standard NIST finalized and the hybrid scheme that pairs it with classical X25519, so a break in either half does not sink the whole exchange.
The restraint in his approach is the point. He posted the primitives but said he will hold off on upstreaming until NVMe authentication, Bluetooth, or WireGuard has a real consumer-ready implementation, rather than merging cryptography that sits unused and unaudited in the tree. That is the opposite of the late, trivial, AI-assisted churn Torvalds spent the week complaining about. It is the cadence that the kernel's most critical cryptography needs.
That is the week... Audit the instruction files your dependencies drop in, patch your Gitea registry, and read the changelog before you skip a kernel.
Have a good week!