    An incremental strategy with AI support for unit testing in Clojure
    How academic research and engineering practice at Nubank come together to elevate software quality The post An incremental strategy with AI support for unit testing in Clojure appeared first on Building Nubank.  ( 20 min )


    Inside Nubank: discover the daily life of those who make the extraordinary happen
    What really happens inside Nubank? How are the decisions made that affect millions of customers? Find out in this article! The post Inside Nubank: discover the daily life of those who make the extraordinary happen appeared first on Building Nubank.  ( 20 min )


    Fragments: December 16
    Gitanjali Venkatraman does wonderful illustrations of complex subjects (which is why I was so happy to work with her on our Expert Generalists article). She has now published the latest in her series of illustrated guides: tackling the complex topic of Mainframe Modernization. In it she illustrates the history and value of mainframes, why modernization is so tricky, and how to tackle the problem by breaking it down into tractable pieces. I love the clarity of her explanations, and smile frequently at her way of enhancing her words with her quirky pictures. ❄ ❄ ❄ ❄ ❄ Gergely Orosz on social media: Unpopular opinion: Current code review tools just don’t make much sense for AI-generated code. When reviewing code I really want to know:…  ( 5 min )
    Writing Fragments
    If you’re a regular reader of my site, you’ll have noticed that in the last few months I’ve been making a number of “fragments” posts. Such a post is a short post with a bunch of little, unconnected segments. These are usually a reference to something I’ve found on the web, sometimes a small thought of my own. A few years ago, I wouldn’t have covered these topics with posts on my own site. Instead I would use Twitter, either retweeting someone else’s point, or just highlighting something I’d found. But since the Muskover, Twitter has effectively died. I’m not saying that due to any technical issues with the site, which has mostly just been fine, nor directly due to any of the policy changes there. The point is that lots of people have left, so that the audience I would have reached with Tw…  ( 2 min )

    Welcome to the new Project Zero Blog
    While on Project Zero, we aim for our research to be leading-edge, our blog design was … not so much. We welcome readers to our shiny new blog! For the occasion, we asked members of Project Zero to dust off old blog posts that never quite saw the light of day. And while we wish we could say the techniques they cover are no longer relevant, there is still a lot of work that needs to be done to protect users against zero days. Our new blog will continue to shine a light on the capabilities of attackers and the many opportunities that exist to protect against them. From 2016: Windows Exploitation Techniques: Race conditions with path lookups by James Forshaw From 2017: Thinking Outside The Box by Jann Horn  ( 1 min )
    Thinking Outside The Box [dusted off draft from 2017]
    Preface Hello from the future! This is a blogpost I originally drafted in early 2017. I wrote what I intended to be the first half of this post (about escaping from the VM to the VirtualBox host userspace process with CVE-2017-3558), but I never got around to writing the second half (going from the VirtualBox host userspace process to the host kernel), and eventually sorta forgot about this old post draft… But it seems a bit sad to just leave this old draft rotting around forever, so I decided to put it in our blogpost queue now, 8 years after I originally drafted it. I’ve very lightly edited it now (added some links, fixed some grammar), but it’s still almost as I drafted it back then. When you read this post, keep in mind that unless otherwise noted, it is describing the situation as of 2017. Though a lot of the described code seems to not have changed much since then…  ( 8 min )
    Windows Exploitation Techniques: Winning Race Conditions with Path Lookups
    This post was originally written in 2016 for the Project Zero blog. However, in the end it was published separately in the journal PoC||GTFO issue #13 as well as in the second volume of the printed version. In honor of our new blog we’re republishing it on this blog and included an updated analysis to see if it still works on a modern Windows 11 system. During my Windows research I tend to find quite a few race condition vulnerabilities. A fairly typical exploitable form looks something like this: Do some security check; Access some resource; Perform secure action.  ( 12 min )


    Nubank leaders experience the customer journey in an immersion day
    An experience that connected our leaders to customers and generated over a thousand insights to evolve our products, services, and journeys The post Nubank leaders experience the customer journey in an immersion day appeared first on Building Nubank.  ( 20 min )


    The future of AI-powered software optimization (and how it can help your team)
    We envision the future of AI-enabled tooling to look like near-effortless engineering for sustainability. We call it Continuous Efficiency. The post The future of AI-powered software optimization (and how it can help your team) appeared first on The GitHub Blog.  ( 14 min )

    A look at an Android ITW DNG exploit
    Posted by Benoît Sevens, Google Threat Intelligence Group Introduction Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices. On November 7, 2025 Unit 42 released a blogpost describing how these exploits were used and the spyware they dropped. In this blogpost, we would like to focus on the technical details about how the exploits worked. The exploited Samsung vulnerability was fixed in April 2025. There has been excellent prior work describing image-based exploits targeting iOS, such as Project Ze…  ( 35 min )
    A look at an Android ITW DNG exploit
    Introduction Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices. On November 7, 2025 Unit 42 released a blogpost describing how these exploits were used and the spyware they dropped. In this blogpost, we would like to focus on the technical details about how the exploits worked. The exploited Samsung vulnerability was fixed in April 2025. There has been excellent prior work describing image-based exploits targeting iOS, such as Project Zero’s writeup on FORCEDENTRY. Similar in-the-wild “one-shot” image-based exploits targeting Android have received less public documentation, but we would definitely not argue it is because of their lack of existence. Therefore we believe it is an interesting case study to publicly document the technical details of such an exploit on Android.  ( 27 min )


    Let’s talk about GitHub Actions
    A look at how we rebuilt GitHub Actions’ core architecture and shipped long-requested upgrades to improve performance, workflow flexibility, reliability, and everyday developer experience. The post Let’s talk about GitHub Actions appeared first on The GitHub Blog.  ( 15 min )
    GitHub Availability Report: November 2025
    In November, we experienced three incidents that resulted in degraded performance across GitHub services. The post GitHub Availability Report: November 2025 appeared first on The GitHub Blog.  ( 11 min )

    Fragments Dec 11
    Why does AI write like… that (NYT, gift link). Sam Kriss delves into the quiet hum of AI writing. AI’s work is not compelling prose: it’s phantom text, ghostly scribblings, a spectre woven into our communal tapestry. ❄ ❄ ❄ ❄ ❄ Emily Bache has written a set of Test Desiderata, building on some earlier writing from Kent Beck. She lists the characteristics of good tests, and how they support her four “macro desiderata” - the properties of a sound test suite: Predict success in production; Fast to get feedback; Support ongoing code design change; Low total cost of ownership. She also has a great list of other writers’ lists of good test characteristics. ❄ ❄ ❄ ❄ ❄ Daphne Keller explains that the EU’s fines on X aren’t about free speech. There are three charges against X, which all stem from a multi-year investigation that was launched in 2023. One is about verification — X’s blue checkmarks on user accounts — and two are about transparency. These charges have nothing to do with what content is on X, or what user speech the platform should or should not allow. ❄ ❄ ❄ ❄ ❄ Cory Doctorow: The Reverse-Centaur’s Guide to Criticizing AI. Start with what a reverse centaur is. In automation theory, a “centaur” is a person who is assisted by a machine. … And obviously, a reverse centaur is machine head on a human body, a person who is serving as a squishy meat appendage for an uncaring machine. Like an Amazon delivery driver… the van can’t drive itself and can’t get a parcel from the curb to your porch. The driver is a peripheral for a van, and the van drives the driver, at superhuman speed, demanding superhuman endurance.  ( 1 min )

    Inside NuCel: The strategy for launching a new vertical in Nubank’s app
    The product principles and execution by Nubank behind disrupting a historically complex and criticized industry The post Inside NuCel: The strategy for launching a new vertical in Nubank’s app appeared first on Building Nubank.  ( 20 min )


    HTTPS certificate industry phasing out less secure domain validation methods
    Posted by Chrome Root Program Team Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers. These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation. By retiring these outdated practices, which rely on weaker verification signals like physical mail, phone calls, or emails, we are closing potential loopholes for attackers and pushing the ecosystem toward automated, cryptographically verifiable security. To allow affected website operators …  ( 18 min )

    How prompt engineering helps us communicate with machines and why it matters
    Practical principles for crafting clear, reliable prompts that scale AI collaboration The post How prompt engineering helps us communicate with machines and why it matters appeared first on Building Nubank.  ( 22 min )


    MCP joins the Linux Foundation: What this means for developers building the next era of AI tools and agents
    MCP is moving to the Linux Foundation. Here's how that will affect developers. The post MCP joins the Linux Foundation: What this means for developers building the next era of AI tools and agents appeared first on The GitHub Blog.  ( 15 min )
    Speed is nothing without control: How to keep quality high in the AI era
    AI can help you build faster than ever, but it can also produce bugs, issues, and problems. Use these strategies to keep your speed without losing control of your code. The post Speed is nothing without control: How to keep quality high in the AI era appeared first on The GitHub Blog.  ( 13 min )

    Further Hardening Android GPUs
    Posted by Liz Prucka, Hamzeh Zawawy, Rishika Hooda, Android Security and Privacy Team Last year, Google's Android Red Team partnered with Arm to conduct an in-depth security analysis of the Mali GPU, a component used in billions of Android devices worldwide. This collaboration was a significant step in proactively identifying and fixing vulnerabilities in the GPU software and firmware stack. While finding and fixing individual bugs is crucial, and progress continues on eliminating them entirely, making them unreachable by restricting attack surface is another effective and often faster way to improve security. This post details our efforts in partnership with Arm to further harden the GPU by reducing the driver's attack surface. The Growing Threat: Why GPU Security Matters The Graph…  ( 21 min )


    The new identity of a developer: What changes and what doesn’t in the AI era
    Discover how advanced AI users are redefining software development—shifting from code producers to strategic orchestrators—through delegation, verification, and a new era of AI-fluent engineering. The post The new identity of a developer: What changes and what doesn’t in the AI era appeared first on The GitHub Blog.  ( 18 min )

    Architecting Security for Agentic Capabilities in Chrome
    Posted by Nathan Parker, Chrome security team Chrome has been advancing the web’s security for well over 15 years, and we’re committed to meeting new challenges and opportunities with AI. Billions of people trust Chrome to keep them safe by default, and this is a responsibility we take seriously. Following the recent launch of Gemini in Chrome and the preview of agentic capabilities, we want to share our approach and some new innovations to improve the safety of agentic browsing. The primary new threat facing all agentic browsers is indirect prompt injection. It can appear in malicious sites, third-party content in iframes, or from user-generated content like user reviews, and can cause the agent to take unwanted actions such as initiating financial transactions or exfiltrating sensit…  ( 26 min )

    Prediction: AI will make formal verification go mainstream
    Much has been said about the effects that AI will have on software development, but there is an angle I haven’t seen talked about: I believe that AI will bring formal verification, which for decades has been a bit of a fringe pursuit, into the software engineering mainstream. Proof assistants...  ( 4 min )


    How to use GitHub Copilot Spaces to debug issues faster
    Follow this step-by-step guide to learn how to debug your issues using GitHub Copilot Spaces and Copilot coding agent. The post How to use GitHub Copilot Spaces to debug issues faster appeared first on The GitHub Blog.  ( 14 min )

    From day one to first delivery: How we redesigned Nubank’s Engineering onboarding
    The onboarding transformation boosted satisfaction to 87% and accelerated the practical contribution of our Nuvinhos The post From day one to first delivery: How we redesigned Nubank’s Engineering onboarding appeared first on Building Nubank.  ( 20 min )

    Fragments Dec 4
    Rob Bowley summarizes a study from Carnegie Mellon looking at the impact of AI on a bunch of open-source software projects. Like any such study, we shouldn’t take its results as definitive, but there seems enough there to make it a handy data point. The key point is that the AI code probably reduced the quality of the code base - at least if static code analysis can be trusted to determine quality. And perhaps some worrying second-order effects: This study shows more than 800 popular GitHub projects with code quality degrading after adopting AI tools. It’s hard not to see a form of context collapse playing out in real time. If the public code that future models learn from is becoming more complex and less maintainable, there’s a real risk that newer models will reinforce and amplify those t…  ( 3 min )


    Your stack, your rules: Introducing custom agents in GitHub Copilot for observability, IaC, and security
    Use partner-built Copilot agents to debug, secure, and automate engineering workflows across your terminal, editor, and github.com. The post Your stack, your rules: Introducing custom agents in GitHub Copilot for observability, IaC, and security appeared first on The GitHub Blog.  ( 13 min )

    Android expands pilot for in-call scam protection for financial apps
    Posted by Aden Haussmann, Associate Product Manager and Sumeet Sharma, Play Partnerships Trust & Safety Lead Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle. Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications. These efforts are making a real difference in the lives of Android users. According to a recent YouGov survey commissioned by Google, Android users were 58% more likely than iOS users to report they had not received any scam texts in the prior week. But our work doesn’t stop there. Scammers are continuously evolving, using more sophisticated social engineering tactics to trick users into sharing…  ( 17 min )


    “The local-first rebellion”: How Home Assistant became the most important project in your house
    Learn how one of GitHub’s fastest-growing open source projects is redefining smart homes without the cloud. The post “The local-first rebellion”: How Home Assistant became the most important project in your house appeared first on The GitHub Blog.  ( 15 min )


    How to orchestrate agents using mission control
    Run multiple Copilot agents from one place. Learn prompt techniques, how to spot drift early, and how to review agent work efficiently. The post How to orchestrate agents using mission control appeared first on The GitHub Blog.  ( 15 min )


    The ultimate gift guide for the developer in your life
    Finding the perfect gift for your favorite developer is easy with our top tips. The post The ultimate gift guide for the developer in your life appeared first on The GitHub Blog.  ( 10 min )


    Why developers still flock to Python: Guido van Rossum on readability, AI, and the future of programming
    Discover how Python changed developer culture—and see why it keeps evolving. The post Why developers still flock to Python: Guido van Rossum on readability, AI, and the future of programming appeared first on The GitHub Blog.  ( 14 min )
    How GitHub’s agentic security principles make our AI agents as secure as possible
    Learn more about the agentic security principles that we use to build secure AI products—and how you can apply them to your own agents. The post How GitHub’s agentic security principles make our AI agents as secure as possible appeared first on The GitHub Blog.  ( 12 min )

    Clojure South conference at Nubank: two days of community, code, and collaboration
    The event brought together more than 200 people in São Paulo and highlighted Brazil’s leading role in the South American Clojure community The post Clojure South conference at Nubank: two days of community, code, and collaboration appeared first on Building Nubank.  ( 20 min )
    3 Lessons from implementing Controlled-Experiment Using Pre-Experiment Data (CUPED) at Nubank
    Drawing from years of running large-scale A/B tests across millions of customers and hundreds of metrics, our Experimentation Platform team shares three lessons from implementing CUPED at Nubank. The post 3 Lessons from implementing Controlled-Experiment Using Pre-Experiment Data (CUPED) at Nubank appeared first on Building Nubank.  ( 25 min )


    Developers still need the right to challenge junk patents
    Calling on developers, startups, and open source organizations to advocate against patent rules that would make it harder to challenge bad patents by the December 2 deadline. The post Developers still need the right to challenge junk patents appeared first on The GitHub Blog.  ( 9 min )


    Evolving GitHub Copilot’s next edit suggestions through custom model training
    GitHub Copilot’s next edit suggestions just got faster, smarter, and more precise thanks to new data pipelines, reinforcement learning, and continuous model updates built for in-editor workflows. The post Evolving GitHub Copilot’s next edit suggestions through custom model training appeared first on The GitHub Blog.  ( 15 min )

    Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharing
    Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google Technology should bring people closer together, not create walls. Being able to communicate and connect with friends and family should be easy regardless of the phone they use. That’s why Android has been building experiences that help you stay connected across platforms. As part of our efforts to continue to make cross-platform communication more seamless for users, we've made Quick Share interoperable with AirDrop, allowing for two-way file sharing between Android and iOS devices, starting with the Pixel 10 Family. This new feature makes it possible to quickly share your photos, videos, and files with people you choose to communicate with, without worrying about the kind of phone they use. Most importantly, whe…  ( 21 min )


    Behind the Streams: Live at Netflix. Part 1


    Netflix Tudum Architecture: from CQRS with Kafka to CQRS with RAW Hollow


    Driving Content Delivery Efficiency Through Classifying Cache Misses
    AV1 @ Scale: Film Grain Synthesis, The Awakening
2025-12-19T12:08:19.262Z osmosfeed 1.15.1