Robot vacuums that clean and mop in a single pass have always carried a serious premium, but this deal turns that long standing assumption completely on its head this week.
That saving buys genuine engineering rather than a stripped back budget alternative, since dual mop pads and PerfectEdge design reach along skirting boards and corners, covering 18% more floor area than standard cleaning.
Advertisement
That extra coverage matters even more once you consider how little hands on effort the AutoWash Dock actually demands, since it empties debris automatically for up to seventy five days before it needs any attention.
The same dock also washes and heat dries the mop pads after every single run, delivering up to four weeks of hands free mopping so results stay fresh rather than dragging dirt through the house.
That fresh start matters even more given the Roomba 505X also brings up to seventy times more suction than older six hundred series models, tackling scattered cereal and muddy pawprints with real confidence.
Advertisement
That confidence extends into navigation too, since PrecisionVision AI recognises cords, shoes, and even pet accidents in real time, steering around them instead of dragging mess through the whole home.
Mapping is handled by ClearView Pro LiDAR, which charts the layout of a home precisely enough to clean efficiently by day or by night, while built in cliff sensors guard against falls near stairs.
Dried on messes get the same attention, since SmartScrub applies extra pressure exactly where stains have set in, breaking down muddy footprints and kitchen splatter without any scrubbing by hand.
Cleaning style stays flexible throughout, since the Roomba Home App lets you vacuum, mop, or combo clean room by room, automatically lifting the mop pads whenever it crosses from hard floor onto carpet.
Advertisement
Advertisement
The one thing worth planning for is space, since the AutoWash Dock needs a dedicated spot near a wall alongside room for its water tank, rather than tucking into a small cupboard.
Anyone tired of manual mopping and frequent bin emptying now has a genuine case for upgrading to the Roomba 505X, and can check our best Vacuum Cleaner guide to see it sit alongside the market’s strongest robot cleaners for exactly this kind of comparison.
The Note Air is one of the best larger-screen colour ereaders, particularly for those who don’t want to be hemmed in by proprietary software systems. It doesn’t bring particularly striking generational improvements, though, and suffers from the same display limitations as other colour E Ink devices of the moment.
Versatile Android OS
Large enough for a good magazine and comic experience
Ambitious laptop aspirations
Not all that affordable
Limited generational improvements
No official water resistance
Limited colour and contrast
Key Features
Advertisement
Review Price:
£499
Colour E Ink screen
Advertisement
A Kaleido 3 screen allows for 4096 rendered shades, with a bit to a contrast hit in the bargain
Keyboard connector
Advertisement
This generation’s biggest change is support for a keyboard add-on, for more laptop-like use
Stylus support
Advertisement
This reader can be bought with a stylus that supports 4096 pressure levels.
Introduction
The Boox Note Air5 C is a large reader from one of the pioneers of the category. It’s colour, it supports a stylus, and it can run Android apps, making it far more versatile than a Kindle Scribe.
This generation is arguably not much of an upgrade over the Boox Note Air 4C, though. It has the same generation of screen, Kaleido 3, it looks familiar and it has the same fundamental skills.
Advertisement
What’s new? The Boox Note Air5 C has a microSD slot and support for a keyboard add-on. Boox mines the versatility of the Android software to let it become a low-key laptop-a-like.
Advertisement
Long-term typing is likely to feel a little cramped, though. For most it’s best thought of as a secondary skill for a top larger-screen colour e-reader.
Design
Metal casing
Plastic display cover
Supports keyboard accessory
The Boox Note Air5 C is a large, very thin E Ink tablet. It’s just 4.6mm thick and, like the previous generations, has a heathy border on one side for your thumb. You can easily rotate the interface, so there’s no worries for left-handers here.
Image Credit (Trusted Reviews)
This feels like a high-end piece of tech too. It’s dense as well as thin, and has a metal outer casing with a fairly sharp sense of style. A bold stripe of orange sits across the back, but it manages to avoid seeming juvenile or overly attention-grabbing.
Advertisement
Advertisement
Image Credit (Trusted Reviews)
There are a couple of design parts missing, though. The Boox Note Air5 C does not have any official water resistance rating, and its top-most screen layer is plastic rather than an etched glass. As such, it’s more likely to pick up display scratches in general use than, say, an iPad.
Changes you can actually see for this generation amount to a pop-out microSD slot and a set of metal pins on the back. These interface with an official keyboard case designed to turn the Boox Note Air5 C into something like a low-distraction laptop replacement.
I have not had a chance to try this out, but it’s demonstrative of how Boox is pushing a little more aggressively at the borders of what these devices might be used for, compared to Amazon’s Kindle Scribe series.
Image Credit (Trusted Reviews)
Screen
Familiar Kaleido 3 panel
Very good sharpness
Lesser contrast than B&W ereaders
Advertisement
The Boox Note Air5 C has a 10.3-inch colour E Ink screen. There is no major hardware change here over the previous generation Air 4C.
They both have Kaleido 3 screens, the current top option for mainstream colour ereaders. Its resolution and perceived sharpness are great. 2480 x 1860 resolution works out at 300ppi, enough for excellent, Kindle Paperwhite-matching text smoothness.
Advertisement
Like all of these colour ereaders, colour resolution is much lower (1240 x 930). But I don’t find this much of an issue.
Image Credit (Trusted Reviews)
There are some points to note, though, especially if you have experience with classic black and white ereaders. The Boox Note Air5 C’s “white” page is darker, more mottled-looking, than that of a monochome model. And that leads to lower contrast, and a greater need to rely on the front light to get a nice white-looking page.
Image Credit (Trusted Reviews)
Advertisement
And as with all these colour E Ink devices, colour saturation is limited. The number of colours it can render is super-limited too, at 4096. This means gradients are going to look crude. Smooth transitions aren’t the forte, although the limited colour pop is far more obvious.
Image Credit (Trusted Reviews)
To be clear: these issues apply to the Boox Note Air5 C’s rivals too. And while there’s an alternative tech called E Ink Gallery 3 with better colour, but there’s a trade-off in the refresh style that has seemingly put most manufacturers off using it.
At the time of the Boox Note Air5 C’s release Kaleido 3 remains the most practical all-round solution for colour E Ink.
This is also a far better screen for PDFs and reading comics and graphic novels than 7-inch and smaller ereaders. While the Boox Note Air5 C isn’t as large as the average comic page, you can comfortably look at a smaller form factor version on this display.
Advertisement
Image Credit (Trusted Reviews)
Advertisement
Stylus support really helps for note-taking too. This is a proper pressure-sensitive stylus, and the tablet screen has a textured surface to make doodling and scrawling feel more natural. There’s minimal lag until you start trying to aggressively sketch in an app that challenges the CPU, although I would recommend a tablet with stylus like the Samsung Galaxy Tab S10 FE or S10 Lite over this for digital art.
The colour and responsiveness benefits of OLED and LCD versus E Ink are just too great in that situation.
Software and Reading
The Boox Note Air5 C runs Android and has full access to Google Play. But a bunch of apps come preloaded and there are some important customisations to the interface.
Alongside the usual navigation soft keys at the bottom of the screen you’ll find two extras. One performs a manual full refresh of the screen, to get rid of any ghosting. The other lets you comprehensively alter the refresh behaviour of the screen, and this can be set per app.
Advertisement
Image Credit (Trusted Reviews)
Boox offers a “store” app that features free, out-of-copyright books. And you are free to use whatever other app you like, including Amazon Kindle, Kobo or the Libby app – among others.
Advertisement
The general reading experience here is excellent, with the main potential issue being the flip side of one of its great strengths. The Boox Note Air5 C is a larger tablet that weighs a good bit more than a Kindle Paperwhite and isn’t the best fit for breezy bedtime reading – for many, anyway.
Image Credit (Trusted Reviews)
Just as I’d take this tablet over a Kindle Paperwhite or Colorsoft any day for graphic novels and PDFs, I’d much rather use a smaller e-reader to read a novel – particularly for bedtime reading.
Unlike most ereaders these days, though, it does have physical page-turn buttons, after a fashion, anyway. The pair that act as volume controls and sit where such buttons usually do on a phone, but not on a tablet, turn into page buttons when in a book.
Image Credit (Trusted Reviews)
Features and performance
Weak processor does the job just fine
Short battery life when used for apps rather than reading
Can run most Android apps
Advertisement
One of the Boox Note Air5 C’s apparent key upgrades is a processor upgrade. This really isn’t worth getting excited about.
Advertisement
The tablet has a Qualcomm Snapdragon 690 processor with 6GB RAM, whereas the Note Air 4C used a Snapdragon 750G at launch, but some batches had a Snapdragon 690 anyway.
I tried the Boox Note Air5 C with benchmarking tool Geekbench 6, and not only did the process take an inordinately long time, the scores were poor too. It’s no great surprise. The Snapdragon 690 was mostly used by affordable phones half a decade ago.
It has enough power for an e-reader – no problem there – but if this were a standard Android tablet I’d be laying into it for its lack of power.
Testing out of the Boox Note Air5 C’s comfort zone shows it’s still a modern and capable processor, though. For example, you can run Fortnite. The frame rate is really too low for comfort, milling around the teens of frames per second with default settings, but it does work.
Advertisement
This is not an all-rounder entertainment device, though. Fast motion, colour content like Fortnite doesn’t look great on the Boox Note Air5 C. And the tablet’s speakers are quieter and much thinner-sounding than more conventional tablets at a similar price.
Advertisement
The Boox Note Air5 C also has a far lower capacity battery than more conventional tablets of this size. It’s a 3700mAh cell, where the 11in Samsung Galaxy Tab A11+ has a 7040mAh battery, for example. It matches its predecessor in this respect.
Lower capacity is used because E Ink screens don’t consume significant energy when simply displaying a page of text. Of course, it also has a somewhat more demanding operating system than a Kindle too – it’s full Android 15.
Advertisement
Boox doesn’t make any grand claims about battery life, but it’s not going to be terrific when used actively, as the product page contends you might. When playing video at high screen brightness, the Boox Note Air5 C lasts only about 3.5 hours – less than you might expect given the fuss made about how energy-efficient E Ink readers can be.
Squirrel Widget
Should you buy it?
Buy if you want a more free-wheeling large colour reader
Advertisement
Android apps, a first-party keyboard add-on and dynamic display control opens you up to far more with this Boox than Kindle or Remarkable devices.
Advertisement
Don’t buy if you want an E Ink PC
Weak general performance, limited colour depth, contrast and responsiveness mean the Boox still shines in its traditional role as a low-glare reading device than a PC-replacement.
Advertisement
Final Thoughts
The Boox Note Air family’s relatively regular upgrades mean there’s not huge amount here for those who already own an older model. But the Boox Note Air5 C see it push further into the ways it differs from the Kindle Scribe Colorsoft.
It’s a less streamlined, more open kind of device that can even be used like a tablet-laptop hybrid thanks to a new optional keyboard case.
This aside, the Note Air 5 C has largely all the same strengths and weakness as the last couple entries in this series. A larger, colour E-Ink display makes this one of the best ereaders in the world for graphic novels, comics and PDFs.
However, that Kaleido 3 screen tech still reigns supreme in this area does mean we’re still left with the same limited colour saturation and lower contrast (versus B&W alternatives) that’s been in place since colour E Ink went mainstream.
Advertisement
Advertisement
How We Test
We test every e-reader we review thoroughly. We use the device over the review period. We’ll always tell you what we find and we never, ever, accept money to review a product.
Tested for over two weeks
Compared against similar devices
FAQs
What’s new in the Boox Note Air5 C?
Compared to its predecessor it is based on a newer version of Android and has POGO pins for an optional keyboard case.
Advertisement
Is the Boox Note Air5 C water resistant?
It has no water resistance rating so should be used carefully around liquids.
In the weeks since the EU Pay Transparency rules came into full effect, how have organisations responded to the change?
In early June, changes were made to how companies in EU member states are required to disseminate employee-relevant information. The EU Pay Transparency Directive is a policy that aims to reduce the gender pay gap, ensure fairer pay structures and create an atmosphere in which professionals and jobseekers can have open conversations about pay and other topics.
Having first been passed in 2023, countries were given three years to align themselves with the new rules and make any necessary changes. A month has gone by now since that final deadline, but what has changed?
Job search platform Mokaru analysed 1,776,876 global job listings posted between April and June, on the career sites of 48,758 employers, across more than 46 applicant tracking systems. What was discovered is that one month after the EU Pay Transparency Directive deadline, only 6.6pc of EU job ads are disclosing salary information. This is compared to nearly 40pc in the US.
Advertisement
Mokaru’s experts said, “If you are job hunting in Europe, you already know the ritual, read the listing, scan for the salary, find nothing, apply anyway and hope the number at the end of four interview rounds does not waste everyone’s time. Our data shows exactly how bad it is and how different it could be.”
With US figures notably higher than the available European data, Mokaru said, “Here is the uncomfortable timing, the EU Pay Transparency Directive, the law that, among other things, gives applicants the right to salary information before the interview, had its implementation deadline on 7 June, 2026. One month later, European employers’ job ads are still overwhelmingly silent.”
Evolving landscapes
Canada and the US are setting the pace as research found that salaries are disclosed in more than one-third of listings. For comparison, the UK trailed behind at 21pc, the Netherlands at 12pc, Ireland at 10pc, France at 9pc and Austria also at 9pc.
Mokaru also found that numbers varied dramatically, even in cases where employers from different regions were utilising the same job promotion platforms. Germany is one such example as on Workday only 2.8pc of employers chose to disclose salary information, compared to more than 40pc of US-based employers.
Advertisement
Sweden lies at the bottom of the list, having the least transparent jobs market, at just 0.4pc, or fewer than one in 200 job listings. Despite the law coming into effect and the European Commission sticking to the timeline, many countries have elected to ‘postpone’ implementation, with Sweden pausing it completely for the time being.
Mokaru said, “To be fair to the directive, it is early days. Four weeks is not enough time to rewrite hiring workflows and in most member states the national law that actually binds employers is not yet in force, the bulk of implementations will land between now and January 2027, with enforcement and sanctions following later.
“The honest conclusion from this data is not that the directive has failed, it is that, one month in, employer behaviour has not yet started to move.”
Rising trends
The research highlighted other patterns and trends that stand out, such as the impact the policy has had so far on remote job listings. What the data uncovered is that remote job listings in the EU are almost twice as likely to disclose salary as on-site listings, at 11.5pc and 6.2pc respectively.
Advertisement
The report said, “Employers hiring remotely compete in an international talent pool, one where US-style transparency is increasingly the norm. Competition is currently doing more for European pay transparency than regulation. In the US, the remote/on-site gap barely exists (39.5pc versus 37.4pc), transparency laws there apply regardless of where the work happens.”
Looking at the data that is specific to Ireland, Mokaru also found that as seniority rises, transparency has a tendency to fall, as junior roles disclose at around 32pc, compared to 11pc of senior roles and 9pc of lead roles.
The report said, “more than four in five Irish job ads keep candidates guessing and the higher the role, the quieter the ad, junior positions disclose pay three times more often than senior ones.”
Ultimately, Mokaru’s experts are of the opinion that the burden of the European information gap falls largely on those who have the least negotiating power, mainly invested candidates who cannot afford to walk away from multiple rounds of interviews when the offer finally lands below their floor.
Advertisement
And “until the directive has teeth”, European candidates should be aware of the factors that best indicate whether the role they are applying for is at a company likely to embrace the change in policy.
So, until then be aware of your rights, look into remote friendly opportunities and research market rates because even if your employer plans to keep you in the dark, the information is likely available elsewhere.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
Chemistry Ventures, the VC firm launched two years ago by Bessemer, Index Ventures and Andreessen Horowitz alums, is raising $500 million for its second fund, according to an SEC filing.
Founded by Mark Goldberg, Ethan Kurzweil and Kristina Shen, Chemistry launched with a $350 million fund, and invests in early-stage startups building developer tools, fintech and infrastructure. Its portfolio companies include Granola, Decagon, Persona, Serval and Nova Intelligence.
Goldberg previously worked at Index Ventures, Kurzweil with Bessemer, and Shen with a16z. The trio launched the firm to combine their experience working at large venture capital firms.
The Wall Street Journal reports that the second fund is already oversubscribed and the fundraise is expected to close soon.
Advertisement
Chemistry did not immediately return a request for comment.
An aerial view of Shasta Dam in California. After a July 4 visit, computer scientist Daphne Koller argued that America’s signature achievement is taking what was scarce and making it abundant: water into power at Shasta, electricity into a grid anyone could plug into, computation into a pocket. AI, she reasons, is the next chapter, “making abundant one of the world’s scarcest resources: powerful reasoning.” (Flickr Photo via Bureau of Reclamation)
America just turned 250. The founders designed self-government for a world of pamphlets and town meetings, and we now run their political architecture on AI.
The birthday question is whether AI bolsters democracy or undercuts it. Serious thinkers have lined up on both sides with substantial arguments.
Here is my scorecard, distilled from five books and seven articles, and then the question neither side asks: which is growing faster, power over AI or access to it?
Start with surveillance.
Yuval Noah Harari argues in Nexus that a democracy is a distributed information network with self-correcting mechanisms: a free press, opposition parties, and courts that catch mistakes and fix them. A dictatorship is a centralized network that suppresses correction. For two centuries, centralization carried a built-in cost, because total surveillance required armies of human informants, and armies are expensive. AI removes the cost. It watches everyone, all the time, for pennies. The evidence is no longer hypothetical. A study in the Quarterly Journal of Economics documented the feedback loop in China: local unrest leads to government purchases of facial-recognition AI, and those purchases suppress subsequent unrest. The authors titled their paper “AI-tocracy.”
The second argument is economic.
Advertisement
Past technologies replaced particular workers, the switchboard operator, the toll collector, while creating jobs for the people who ran the new machines. AI’s ambition targets the entire workforce. Daron Acemoglu and Simon Johnson devoted a book, Power and Progress, to this worry, writing that “the current path of AI is neither good for the economy nor for democracy.” Acemoglu, a 2024 Nobel laureate, sharpened the point in Fortune this February, warning that on the current path of job destruction and rising inequality, “U.S. democracy is not going to survive.”
The third argument targets the machinery of self-government itself.
I sounded this alarm in Harvard Business Review back in 2019, warning that AI was poised to make high-fidelity forgery of video, audio, and documents cheap and automated, with potentially disastrous consequences for democracy. Forgery is ancient. AI industrializes it. Security technologist Bruce Schneier predicts that AI will optimize lobbying and draft “micro-legislation,” tiny provisions that quietly benefit one group, and he observes that the technology mostly makes the powerful more powerful. He and Nathan Sanders began worrying in earnest when an AI-written letter opposing AI regulation ran in the New York Times. Marietje Schaake supplies the institutional capstone in The Tech Coup: unelected companies now perform functions that once belonged to governments.
The prosecution rests. Now comes the defense.
Advertisement
On July 4, computer scientist Daphne Koller marked the country’s 250th birthday, and her own 37th anniversary as an immigrant, with a visit to Shasta Dam. In a reflection posted that day, she argued that America’s signature achievement is taking what was scarce and making it abundant: water into power at Shasta, electricity into a grid anyone could plug into, computation into a pocket. She has done it herself; Coursera, which she co-founded, put an elite education in front of more than 150 million learners. AI, she wrote, is the next chapter, “making abundant one of the world’s scarcest resources: powerful reasoning.” The judgment once reserved for credentialed specialists now belongs to anyone who can frame the right question. Lawyers and doctors bill by the hour. AI answers by the second.
The economic counter comes from Acemoglu’s MIT colleague David Autor, who argues in Noema that AI can extend expertise to workers without elite credentials and thereby rebuild the hollowed-out middle of the labor market. Early evidence points his way. When a Fortune 500 firm gave its customer-support agents an AI assistant, productivity rose 15% on average, and the gains went overwhelmingly to the newest and least skilled workers, who improved in both speed and quality. The study, published in the Quarterly Journal of Economics, found that the most experienced agents gained little. If the pattern holds, AI could compress the very gaps Acemoglu fears it will widen.
Reid Hoffman and Greg Beato’s Superagency states the optimistic case in general form: AI amplifies individual agency so broadly that the real danger lies in democracies ceding its development to less benevolent actors. In Plurality, Taiwan’s first digital minister Audrey Tang and economist Glen Weyl describe a decade of digital tools that found consensus across a polarized public on live legislation, from ride-sharing rules to pandemic policy. A controlled experiment backs them up. Google DeepMind researchers built an AI mediator, tested it on 5,734 Britons deliberating questions like Brexit and immigration, and reported in Science that participants preferred the AI’s group statements to a human mediator’s, rating them clearer and less biased. The groups also ended up less divided. A town hall has never fit a million people. It might now.
I set the two columns side by side and noticed something odd: they never meet. The pessimists are arguing about who controls AI. The optimists are arguing about who gets to use it. Power and access are different questions, and both camps can be right at the same time.
Advertisement
Koller’s dam makes the point physically. Generation is concentrated, a handful of turbines owned by a few. The grid is distributed, and anyone can plug in. One machine does both at once. AI shares that anatomy: anyone can plug into a frontier model for $20 a month, while the frontier weights and the data centers that train them belong to a half-dozen companies.
Gutenberg adds the time dimension. The press broke Rome’s monopoly on scripture, and four centuries later it built Hearst’s empire; access and power traded places on the same machine. Both forces are real. The open question is which one moves faster, and the current fights over open weights, chip exports, and model ownership are fights that will help settle this question.
The founders faced a similar question about concentrated power and answered it by distributing the vote, narrowly at first, and later to nearly everyone. Koller ended her post with an obligation that fits the country’s 250th year: anyone given more than their share owes the work of making sure the next scarce thing does not stay scarce for long. Intelligence is the next scarce thing. Koller’s dam is already built, along with the frontier models and the data centers that train them. The choice in front of us is whether we also build the grid, providing broad, cheap access to AI for all Americans.
A green pipeline is not a governed one, and agentic coding is widening the gap faster than review can close it.
By Shane Warden, Principal Architect, ActiveState
In June 2026, researchers at Novee Security disclosed a class of CI/CD weakness they named Cordyceps. They scanned roughly 30,000 high-impact repositories across the npm, PyPI, crates.io, and Go ecosystems, then flagged 654 and confirmed more than 300 as fully exploitable.
The affected build tooling included projects published by Microsoft,Google, Apache, Cloudflare, and the Python Software Foundation, and the entry requirement for an attacker is a free GitHub account. No org membership, no elevated privileges.
Advertisement
Every one of those pipelines was green. The scanners ran, the checks passed, and the dashboards reported healthy results the entire time the exposure existed. The scanners were never built to see this danger.
The Vulnerability Is in the Composition, Not the File
GitHub Actions workflows are usually triggered by pull_request, which runs in the untrusted context of the fork, without repository secrets and with a read-only token. The trouble starts with pull_request_target and workflow_run, which run in the context of the base repository with access to secrets and a read and write GITHUB_TOKEN.
An attacker can induce both to act on attacker-controlled content from the pull request that triggered them. GitHub Security Lab calls this the pwn request.
Three primitives do the damage. Command injection interpolates attacker-controlled data, a branch name, a title, a comment, straight into a run step, so it lands unescaped inside a shell command and executes. Code injection through actions/github-script evaluates attacker input as JavaScript at runtime.
Advertisement
And cross-workflow privilege escalation lets a low-privilege workflow write untrusted data into an artifact or output, which a second, high-privilege workflow then reads and acts on with the maintainer’s token. Neither workflow is exploitable alone.
The vulnerability exists because of how they connect, which is exactly why the scanners stay green: a SAST or DAST tool pattern-matches a single file, and each file here is valid, well-formed YAML doing exactly what it was told.
“A scanner sees a workflow. An attacker sees a four-step chain to a permanent credential,” explains Warden.
There is no single line to flag, because no single line is wrong.
Advertisement
That is the worst version of a measurement failure, because a red light sends someone to look for a problem and a green light sends everyone home.
Cordyceps passed every check because no single workflow file was wrong, it was the composition that was exploitable.
See how to close that gap by governing what enters your build at the source, not just what passes the scan.
One Pull Request, Persistent Write Access to Shipped Security Content
On Microsoft’s Azure Sentinel repository, Novee showed that a comment on a pull request could run anonymous attacker code on Microsoft’s CI and steal a non-expiring GitHub App key, confirmed by Microsoft’s Security Response Center.
Advertisement
Sentinel is Microsoft’s SIEM, and its Content Hub ships detection rules and automated playbooks directly into customer workspaces.
A stolen key there offers persistent write access to the security content thousands of organizations rely on to detect attacks, quietly weakened and shipped downstream as a trusted update.
Google’s AI Agent Development Kit sample repository is a reference thousands of developers copy when building agents on Google Cloud. A single pull request could execute code in Google’s CI and escalate to roles/owner on the associated Google Cloud project, permanent owner-level access, confirmed by Google.
Apache Doris had a comparable path to credential theft, confirmed and fixed by the Apache Security Team. Three organizations, one composition problem, no line of code that a scanner could point to.
Advertisement
Nobody Decided to Trust That Pull Request
The phrase that should stop an engineering leader is “trust boundary that no one audited.” Someone configured a workflow to treat an outsider’s input as if it came from a maintainer. No human made that call on purpose.
This risk accreted, one reasonable-looking commit at a time, and it increases with AI-generated workflows, where the moment of decision may never be audited at all.
I have put AI tooling into production engineering work and measured what it changed, so I will say plainly that the leverage is real and I am not arguing to slow it down.
But Novee is explicit that agentic coding is the multiplier: AI tools generate CI/CD configuration quickly and reproduce the same insecure patterns, so one mistake compounds across potentially millions of repositories, emitted with confidence and no provenance signal.
Advertisement
The volume of workflow decisions an organization now absorbs has outrun a review process sized for human-speed output.
Our standard security systems aren’t ready for this either. Cordyceps is not a CVE, so it never enters the enumeration model. Furthermore, NIST acknowledged in April 2026 that it can no longer enrich every CVE, with submissions up 263% since 2020. Risks are multiplying.
Fortunately, Novee found no evidence of exploitation in the wild, and the named vendors have hardened or patched. However, this is a proven, exploitable pattern, not one single specific breach, and it is largely unpatched by default across the industry.
The immediate fixes are worth doing now: prefer pull_request over pull_request_target for untrusted contributions, never check out pull request head code inside a privileged workflow, pass event data through a quoted env variable rather than inlining it, default permissions to read-only, pin third-party actions to a commit SHA rather than a moving tag, and gate privileged workflows behind manual approval for first-time contributors.
Advertisement
Do all of that and you have closed today’s problems, but not the class of problems. The next pattern will build from individually correct steps, and it will also pass the scan. AI-driven development is widening this software supply chain governance gap, and it’s accelerating.
The durable control is to govern what your build can trust at the source, so the components and workflows entering your pipeline come from a governed origin with verifiable provenance, built from source rather than trusted on faith.
A hijacked upstream that publishes a poisoned package must meet and fail a check at the point of ingestion. A human owns the trust boundaries. That ownership has to operate at the speed AI is now generating decisions, because manual review at the far end of the pipeline cannot catch up.
Cordyceps did not defeat anyone’s security tools. It walked past them, because every individual piece worked exactly as designed. That is the measurement trap in its purest form: the number stayed green while the thing it was supposed to guarantee stopped being true, if it was ever true at all.
Advertisement
Those pipelines were not exposed because the scanners failed. They were exposed because passing the scan didn’t mean they were governed. For a while, nobody went looking.
Samsung’s smartwatches rarely see meaningful discounts, especially not this close to a fresh release, which makes this particular price drop worth paying attention to.
That saving matters more once you consider what the Watch 8 is actually built to do, starting with Advanced Sleep Coaching that studies your patterns and pushes tailored bedtime guidance every night.
Advertisement
That same attentiveness carries into the day, since a dedicated Running Coach analyses pace and effort in real time and adapts its feedback for specific goals like 5Ks or marathons.
That independence extends further too, since built-in GPS lets workouts be tracked accurately outdoors without needing a phone to tag along, whether that means a quick jog or a longer run.
Between sessions, a personal AI assistant sits right on the wrist, ready to help navigate tasks and daily to-do lists without ever needing to reach for a phone at all.
Advertisement
None of that intelligence comes wrapped in bulk either, since the Watch8 arrives in a thinner, more lightweight design than previous generations while still feeling genuinely sporty on the wrist.
That slimmer build hasn’t come at the cost of stamina, since an improved battery keeps tracking steps, heart rate and notifications reliably across a genuinely full day of active wear.
Each morning builds on that data too, since Energy Score with Galaxy AI turns yesterday’s sleep, activity and heart rate into one simple number worth glancing at before the day even properly begins.
Connectivity stays flexible as well, since the Watch8 pairs seamlessly with Samsung phones while also working with other Android devices through the Galaxy Wearable and Samsung Health apps once both are installed.
Advertisement
Advertisement
If you’ve been circling the Galaxy Watch8 since launch, waiting for Samsung to finally blink on price, this is the markdown that proves patience occasionally pays off, and it might not last.
A single thunderstorm can fry your PC, TV, fridge, router, PlayStation and pretty much anything else you have plugged in. It only takes seconds, but the damage can be quite costly, especially as appliances and tech can catch fire in such situations. In fact, “quite costly” is mildly put, because residential electrical fires caused over $1.2 billion in property losses in the US in 2021. The good news is that a few proactive steps can save you from an expensive repair bill.
Being quick to act when a storm hits and making preemptive investments in your home’s safety are the best ways to help avoid a costly loss. After all, you don’t want to wait until you’re replacing a $1,500 PC and your massive TV, right?
Advertisement
How does lightning actually damage electronics?
Pexels: Саша Алалыкин
In recent years, we’re seeing powerful storms more frequently. Climate change has had a direct impact on both the frequency and intensity of such events, so we’re likely to encounter more extreme weather incidents as time goes on. When lightning storms strike near your home, they can send a massive power surge through your electrical wiring. That surge travels fast, overwhelming the circuits inside your device.
According to the CDC, lightning can also travel through a building’s plumbing and any metal wires embedded in concrete walls or flooring, so the threat is broader than most people realize.
Power surges don’t have to come from a direct strike, either. A nearby strike can induce a voltage spike strong enough to damage sensitive electronics like computers, TVs and gaming consoles.
Advertisement
What should you do to safeguard your devices from lightning strikes?
Alvarez/Getty Images
The instructions from FEMA are pretty clear on what your first line of defense has to be: when you see a bad storm coming, unplug everything. It’s the easiest and most affordable thing you can do.
While taking action during storms is certainly important, it’s equally essential to think ahead and work on prevention. Here are a few things you can do to safeguard your expensive tech before storms hit:
Use surge protectors. You can buy power strips with internal overload protection that you can use for sensitive electronics like computers and entertainment systems.
Plug major appliances directly into wall outlets. Extension cords can overheat, so FEMA’s advice is to plug your fridge, stove, washers and dryers directly into wall outlets.
Whole-home surge protection is an option. Installed into your home’s electric panel, these devices offer downstream protection for all your electronics.
Look into lightning rods or a lightning protection system. If you live in a storm-prone area, you may need to take additional steps to redirect electrical energy safely into the ground.
What to look for when safeguarding your home against lightning storms
Gary Hershorn/Getty Images
Lightning protection isn’t complicated, but it does require a plan. Surge protectors should be one of the first investments you make for your most valuable electronics. A standard power strip just adds extra outlets, but a surge protector diverts the excess voltage away from your devices. The Joule rating indicates how much energy the protector can absorb before it fails. You’ll need a rating of 2,000 joules or higher for your computer. The clamping voltage is the trigger voltage that causes the protector to start diverting power; you want this to be under 400V (the lower, the better).
For larger devices that need to be plugged in around the clock and you can’t just unplug when a storm nears, you could look into an Uninterruptible Power Supply (UPS). The UPS acts as a middleman between the wall outlet and your tech; it contains a battery backup and advanced surge protection circuitry. If the power spikes or goes out completely, the UPS switches to battery power.
Advertisement
Although it may be a bit more pricey, getting a licensed electrician to install a surge protective device into your main electrical panel may be the best route.
Protecting your electronics from lightning is simple: prepare before the storm, not after it. And remember, when you’re home, unplugging your devices remains a reliable and sustainable choice. When you’re away, the financial investments you make in surge protectors may make the difference between losing expensive gadgets and your home being safe.
We’re halfway though 2026, and this year has already delivered some of the best soundbars we’ve seen — or rather, heard. The standout amongst the models we’ve tested is the “phenomenal” Samsung HW-Q990H — one of a select group of 5-star products, thanks to its “powerful, engaging and detailed sound profile”, straightforward setup and strong connectivity options. Another winner was the LG Sound Suite Immersive Suite 7 Pro. If you’re yearning for some “phenomenal rumbling bass”, this is the soundbar for you.
Those are both premium picks, but we also reviewed a couple of brilliant budget options. The Klipsch Flexus Core 100 comes in at a fraction of the price of that Samsung model, and while its soundscape is understandably less expansive, it still impressed us by delivering clear dialogue, strong bass, and a useful, responsive display.
The rather utilitarian-looking Zvox AccuVoice AV855 also stood out from the pack; this bar is especially designed to make dialogue easier to hear. It’s built especially for those with hearing impairments, but will appeal to anyone who’s sick of having to turn on the subtitles on just to understand what’s happening.
Advertisement
Scroll down to see all my picks. Hit the ‘View details’ button for a summary of what we thought about each one, plus a link to our full review.
JP Morgan increased the price target for Apple’s stock to $345, insisting that the RAM-driven hardware cost increases won’t impact long-term revenue gains.
Late in June, Apple finally gave in and raised the price of many products, in the face of the global memory crisis. In the view of JP Morgan, it’s not that big an issue for the company.
In a note to investors seen by AppleInsider on Tuesday, JP Morgan has increased its price target for Apple to $345. This is an increase of $20 from January, when it last raised the stock target price to $325.
The firm acknowledges the hefty price increases are going to be a short-term issue, with investors trying to judge how badly consumers will take the news. But even so, the news isn’t enough to dampen JP Morgan’s spirits.
Advertisement
Elastic pricing
In its reasoning, JP Morgan first says that the historical data for sales volumes covering iPhone, Mac, and iPad show a “limited relationship” to pricing across multiple years. Essentially, consumers are going to buy Apple products anyway, and pricing doesn’t seem to matter too much.
Mac sales are probably the most insulated in JP Morgan’s view, with more price point options and AI-led demand working in its favor.
The iPhone also benefits from limited elasticity on the premium end. Those with larger budgets are less affected by price changes, it seems.
That said, the budget end of iPhone and iPad sales is more significantly affected by price. However, even they are considered “modest revenue headwinds” when combined with premium model sales.
Advertisement
While it will be some time before anyone knows how Apple will weather the memory pricing storm, we will get an early indication from Apple’s Q3 results, released on July 30.
Since the price hikes, AAPL stock has been doing very well for itself. Following the price hike news on June 25, the company’s stock fell to $275.15. It closed on July 6 at $312.66.
Primitive Labs co-founders, from left: CTO Jean Farmer, CEO Rohit Talluri and COO Gabriel Fong. (Primitive Labs Photo)
Rohit Talluri learned the tradition at Amazon: always keep an empty chair in the room to represent the customer — a reminder of the people who will ultimately use whatever gets built.
Now, with AI coding tools creating software faster than ever, Talluri and his co-founders, fellow Amazon veterans Jean Farmer and Gabriel Fong, recognize that the customer can be easily forgotten in the process. So they’re creating a seat at the table for AI agents.
That’s the idea behind Primitive Labs. The startup is building what it calls behavioral intelligence: systems that observe, reason and act as customers would across software platforms and devices, helping product teams learn how people will react to a new feature, design or marketing decision before it ships.
Traditional user research and focus groups can take weeks or months, so teams under pressure to ship quickly are tempted to skip them. Primitive Labs is automating that research with agents that simulate human behavior, aiming to make it a routine step in building software.
“It’s bringing humans back to the center of a world that’s created by AI,” Talluri said. “That is the goal here.”
Advertisement
The mission, according to the startup’s launch post, is to “make human behavior a first-class primitive of software development.” That’s the inspiration for Primitive Labs’ name. The idea is to build products that people will understand, trust and keep using — not the average user, but specific types of users in specific contexts.
Founding team: Talluri, the Primitive Labs CEO, is joined by co-founders Farmer, CTO; and Fong, COO.
Fong and Talluri have worked together since 2020. At AWS in Seattle, Fong held product marketing and enterprise account roles, then led sales and marketing at the cloud consultancy DoiT International.
At Primitive Labs, his role runs broader than sales and marketing, spanning product direction, customer development and operations. Talluri describes him as highly technical and a hands-on contributor to the company’s core product work.
Advertisement
Farmer and Talluri worked together at AWS on large-scale machine-learning infrastructure, including the SageMaker HyperPod training service, before both moved into Amazon’s AGI organization.
Farmer worked on the Amazon Nova models’ ability to use software tools — designing how the models call tools and take actions, and building the systems to test and measure how well the resulting agents perform. That work included benchmarks for the Model Context Protocol (MCP), the emerging standard for connecting AI models to outside tools and data.
Roots in AI autonomy: Talluri joined the AGI Autonomy Lab, the group Amazon assembled around talent it hired from Adept, a San Francisco startup building AI agents that operate software on their own.
Amazon had brought on Adept’s CEO, David Luan, a former OpenAI executive, along with other co-founders in 2024, and licensed the startup’s technology, putting Luan in charge of the lab. Talluri worked there on computer-use agents and helped launch Nova Act, Amazon’s agentic computer-use model.
Advertisement
Talluri said he initially came close to leaving Amazon in 2025 to start a company, before leaders there steered him toward the Autonomy Lab to work under Luan (who has since left Amazon).
Funding: Primitive Labs has raised a pre-seed round, led by a16z Speedrun and joined by several small, newer venture funds and a group of angel investors. The company isn’t disclosing the funding amount.
Its launch post lists backers including Olive Tree Capital, Cloverfield Fund and Unexpected Investments (from former TechCrunch editor Josh Constine), plus angels such as Luan, Harsh Patel and Artur Kiulian, and others with backgrounds at OpenAI, Amazon, Google DeepMind, Databricks, Nvidia and Meta.
Primitive Labs will join a16z Speedrun’s cohort starting this month, and expects to raise its next round around the end of the program, in September or October.
Advertisement
Headquarters: The company is based in San Francisco, where it’s working part-time out of a16z’s Speedrun space, with plans to get its own office after making its first hires.
Talluri, a University of Washington graduate who read GeekWire as a student and dreamed of launching a startup of his own, said the choice came down to San Francisco’s talent density and the pace of AI research there, plus the Speedrun program being there.
Primitive Labs posted its first job listings last week — for founding engineers, researchers and an intern, in San Francisco or New York.
Product status: The company is pre-revenue and working with a small group of early customers who are testing its product and helping shape it, including private previews with what Talluri described as Fortune 500 and Fortune 50 consumer-technology and e-commerce brands.
Advertisement
The company plans to launch its products in general availability later this year.
How it works: The agents work across devices including computers and phones, focused for now on digital products and customer journeys. The company says it has also explored using them to gauge reactions to physical products, such as brand and packaging.
The underlying research draws on computational cognitive science, continual learning and custom memory systems modeled on how people store information — work Talluri said the company plans to publish and partly open-source in the coming months.
While other startups are working on agent-based simulation and automated testing of user interfaces, what sets Primitive Labs apart, Talluri said, is the focus on human alignment. That means building agents that faithfully represent a specific product’s users, and making that a standard layer of how software gets built. He described the key measure as behavioral fidelity, or how closely an agent’s choices track human decisions.
Advertisement
Asked whether the startup will keep a chair empty when it gets an office, in the Amazon tradition, Talluri didn’t hesitate. “100%,” he said. And yes, he said, they’ll be envisioning an agent sitting there.
You must be logged in to post a comment Login