The biggest security story today is VS Code token theft, not because one bug landed, but because it exposed how much credential trust has quietly accumulated inside browser-based developer tooling. The rest of the file is a mix of hardware attack surface, embedded chips getting more capable, web PKI inching toward post-quantum migration, and Elixir making its type-system pitch more concrete.

VS Code token theft exposes web IDE trust

A June 3 report said a VS Code webview bug enabled one-click token theft by running malicious JavaScript, simulating keypresses in the editor, installing an extension, and extracting the GitHub OAuth token sent to github.dev. According to BleepingComputer, the stolen token could then be used to query the GitHub API and enumerate private repositories the victim could access.
The exact boundary of the bug is still murky. The strongest reporting ties it to a webview flow centered on github.dev, while a secondary summary says crafted Jupyter notebooks on desktop VS Code may also be in scope. There is also a vendor-doc gap: the research notes did not surface an official Microsoft or GitHub post confirming the issue, affected versions, or a patch. That uncertainty matters, but not in a comforting way. The real takeaway is that web IDEs now combine browser execution, extension installs, and repo credentials in one place, and a single break in that chain has repo-level consequences.

Creative soundbar attack turns accessory into HID

A June 3 security write-up claimed Creative’s Sound Blaster Katana V2X can be attacked over Bluetooth from about 15 meters away, reflashed without pairing or physical access, and modified to impersonate a USB keyboard on the attached PC. According to El Solitario, the researcher also said the same path could turn the soundbar, which includes a mic, into an eavesdropping device.
Creative’s own product page confirms the Katana V2X has Bluetooth 5.0 and BLE control features, and Creative support pages show the Katana line has firmware update infrastructure. What is missing is the part that matters most: an official advisory. The notes say the vendor did not publish one, and the researcher says Creative eventually responded that it did not consider the issue a cybersecurity risk. If that account holds, the awkward lesson is that firmware-updatable peripherals are still treated like appliances until they start typing on your machine.

Let’s Encrypt and post-quantum certificate planning

Let’s Encrypt has not formally announced a full post-quantum certificate redesign, but its own forum now has active roadmap threads on post-quantum cryptography, and its 2026 blog posts show it is already changing core certificate operations with shorter lifetimes, 6-day certs, ARI (ACME Renewal Information), and new hierarchy work. Per the Let’s Encrypt community forum, PQC is now a live planning topic inside the CA community, not just conference material.
The bigger architectural push is coming from Chrome. In a February 2026 security post, Google said Chrome and partners are developing Merkle Tree Certificates, and that there is no immediate plan to add traditional X.509 certificates containing post-quantum cryptography to the Chrome Root Store. Google also pointed to a Phase 2 bootstrapping plan in Q1 2027. That is the important shift: the migration may not be a simple algorithm swap inside today’s certificate stack, but a redesign of the certificate format and tooling around it.

ESP32-S31 packs more networking onto cheap silicon

Espressif has formally unveiled the ESP32-S31 as a dual-core RISC-V SoC with Wi-Fi 6, Bluetooth 5.4, IEEE 802.15.4, Ethernet, and a wide SIMD data path. In Espressif’s own announcement, the company positions the part for edge multimedia and AI or ML workloads, which is a notable amount of connectivity and compute for the ESP32 line.
The timing suggests this is moving quickly from announcement to usable platform. Espressif’s developer portal page is dated March 26, 2026 and tells developers to use the HEAD of the master branch until full support ships, while the technical-documents index shows ESP32-S31 documentation dated May 21, 2026. No price surfaced in the notes, so the “cheap chip” thesis is still inference, not fact. But the feature mix alone pushes more wired-plus-wireless embedded work into a familiar, open-toolchain lane.

Elixir v1.20 advances gradual typing milestone

Elixir’s gradual typing effort hit a clear implementation milestone on January 9, 2026, when the project announced the first release candidate for v1.20 and said it performs type inference of all language constructs. Per the Elixir blog, the team describes the system as sound and gradual, and the roadmap in that post pointed to a final v1.20 release in May 2026.
This is meaningful, but it is not a sudden conversion from dynamic to static typing. Elixir had already introduced gradual set-theoretic types in v1.17 on June 12, 2024, and v1.18 on December 19, 2024, added type checking of function calls. So the news is not that Elixir “became typed” overnight. It is that one of the ecosystem’s biggest objections is being addressed through compiler work that has now reached all language constructs, with more pieces still to come.
The common thread is trust boundaries getting renegotiated, whether the boundary is a web IDE, a Bluetooth accessory, a certificate chain, or a dynamic language compiler.

Sources
- A VS Code notebook bug exposed one-click GitHub token theft, bleepingcomputer.com
- A Bluetooth soundbar can reflash itself into a PC keyboard, elsolitario.org
- Let’s Encrypt is redesigning web certificates for post-quantum crypto, community.letsencrypt.org
- Espressif put Wi-Fi, Ethernet, SIMD, and RISC-V on one cheap chip, espressif.com
- Elixir just crossed into gradual typing, elixir-lang.org
