Reading List - September 29, 2025
Hacks galore, both MCP and AI data collectors, and more!
Measuring AI "Slop" in Text
By: Whom
AI generated text is everywhere... but can you identify it? How could you be better at it?
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails
By: Idan Dardikman
Think twice before you give an Agent access to your email, a hacker hijacked Postmark's MPC to include a malicious backdoor that silently BCCs every sent email to the attacker’s server.
From MCP to Shell
By: Veria Labs
The blog describes how flaws in MCP (Model Context Protocol) OAuth handling let attackers inject malicious redirect URLs and achieve Remote Code Execution via tools like Claude Code and Gemini CLI. It outlines some defense measures, like URL sanitization, removing shell usage, and stricter URI scheme check to improve users' security postures.
Neon App Shut Down After Breach Exposes Calls, Numbers for AI Training
By: WebProNews
The Neon app, which paid users to record phone calls for AI training (gross), was shut down after a security flaw exposed users’ phone numbers, call recordings, and transcripts.
There is no such thing as a tokenizer-free lunch
By: Catherine Arnett
Catherine argues that calling new “tokenizer-free” language modeling is misleading, since all approaches ultimately discretize input into units (bytes, characters, or subwords) - a defense of traditional static tokenization.
ASML: The Machine that Builds the "Machine God(s)"
By: MBI Deep Dives
This Deep Dive profiles ASML, the Dutch company that builds the ultra-complex photolithography machines essential to modern semiconductor manufacturing. It traces ASML’s evolution, its role as a near-monopoly in chipmaking infrastructure, and the challenges in its supply chain and competitive landscape.
Tweet of the Week
Easily the cutest scathing indictment we've seen!
