🚀 Product Engineer @ MAXIOS Systems

Joined February 2007
Nooo.. my tokens!
Worth a try
Get paid to wait

The Claude Code spinner might be the most watched line on Earth. So I turned it into an ad marketplace. Advertisers bid on it. You keep 50% of the money. Install the extension → get cash from ads. Introducing Kickbacks
🚨 Breaking: 31 npm packages from @RedHat have been compromised. 100,000 weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC.

The payload:
⚠️ Reads GitHub Actions runner process memory to extract masked secrets
⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm
⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA
⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection
⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations

We have responsibly disclosed the incident to the maintainers. Full technical analysis: stepsecurity.io/blog/multipl…
Hetzner is down?
hollydollyshittyfuck, those shockwaves are insane.
Liftoff of Starship V3, from the dunes right outside the pad. This is the most insane shockwave action I have ever seen on video. Absolutely mad. 📽️ Me for @WeAreSpaceScout
‼️🚨 BREAKING: Another supply chain attack. 700 GitHub repositories flagged, including PHP and Node.js projects. The malicious script was planted across all of them.

When a developer installs the package, the script silently downloads a Linux file from GitHub, hides it under the name /tmp/.sshd (so it looks like a normal system file), and runs it in the background. It also skips security checks on the download and hides any error messages.

8 PHP packages on Packagist (the main PHP code library) were confirmed infected. The attacker hid the script inside a JavaScript config file (package.json) instead of the PHP one (composer.json), so PHP developers reviewing their code would not notice it.

The biggest risk is to devdojo/wave (6,400 stars) and devdojo/genesis (9,100 installs), both popular Laravel project templates. Developers who use these templates run the bad script the moment they install dependencies.

The same payload was also dropped into GitHub Actions (automated build pipelines) under a fake step called "Dependency Cache Sync," meaning it could infect company build servers too.

Packagist removed the bad packages, but the auto-updating versions (dev-main, dev-master, 3.x-dev) can quietly come back if the original repos stay infected.

IOCs:
- GitHub account parikhpreyash4
- repo systemd-network-helper-aa5c751f
- drop path /tmp/.sshd
- command fragments curl -skL and chmod x /tmp/.sshd
Replying to @SocketSecurity
UPDATE: So far we've identified 639 compromised npm package versions across 323 unique packages in tonight’s Mini Shai-Hulud wave. That includes 558 versions across 279 unique @antv packages. Most were detected within ~6 minutes of publication. socket.dev/blog/antv-package…
‼️🚨 UPDATE: The TanStack npm attack is now a full campaign. 'Mini' Shai-Hulud has hit:
- OpenSearch
- Mistral AI
- Guardrails AI
- UiPath
- Squawk packages across npm and PyPI

The malware specifically targets AI developer tooling. It hooks into Claude Code (.claude/settings.json) and VS Code (.vscode/tasks.json) to re-execute on every tool event, long after the infected package is gone. npm uninstall does not fix this.
If you set the 100 billion humans who have ever existed to guessing Bitcoin private keys (at a rate of one trillion keys per second each) from birth until death, the probability that one of them gets it right is ZERO.
Want to try your luck? SatoshiGuesser is a real slot machine that generates Bitcoin PRIVATE KEYS in your browser. If you get it right (1 in 5.27 × 10^72), you take Satoshi's wallet with 1.1 MILLION BTC!!! 100% real cryptography. No servers. No tricks. REPOOO👇
Applies to every country in Latam too 🤣
It's been about a year ago since I launched a site called 🇵🇹 Only In Portugal to journal the crazy issues we've experienced as foreigners moving to Portugal with both government agencies and businesses here, most of them quite Kafka-esque in nature.

Of course everyone's reaction is "why don't you leave?" But it is one of the most beautiful countries in the world, which has incredible potential.

And it's nicer to fix things, and while complaining about things doesn't make you popular (I've received many death threats), it is oddly effective if you do it in the public sphere: Collectively complaining about things, as we've seen with Google (they stopped self-sabotaging and are now the leader in AI), the European Union (they are passing laws based on @euacc points), and even Apple (Tim Cook finally quit), does fix things, eventually!

So I'm trying the same with Portugal. I feel AI governance has a lot of potential, AI can be quite a neutral party that can look at issues and find solutions in a very pragmatic and non-partisan way.

So I've asked AI to analyze over 300 issues, stories and experiences submitted to my site in the last 12 months, and write a deep analysis report on how to fix Portugal in the next 5 years: every argument it makes is based on real experiences from real people, so no AI hallucinations.

AI believes all issues here are based on 5 core problems:
- The Portuguese government is too expensive and too slow to interact with
- There aren't enough skilled workers and no incentive to become one
- There is zero accountability anywhere in the system
- Technology adoption is 15–20 years behind
- The tax system punishes productive people and rewards evasion

(P.S. of course many of Portugal's issues are a microcosm of Europe's macro issues)

AI then created a 5-Year Action Plan to solve it:

YEAR 1 — Shock Therapy
1.1 Flatten the Tax System
1.2 Nuke the Immigration Agency, Build a Digital Replacement
1.3 Gut the Public Sector Bureaucracy
1.4 The Accountability Law

YEAR 2 — Infrastructure Blitz
2.1 Lisbon Airport
2.2 Digital Infrastructure
2.3 Healthcare Triage

YEAR 3 — Culture Shift
3.1 Skilled Trades Academy
3.2 Animal Welfare & Noise Enforcement
3.3 Court Reform

YEAR 4 — Economic Acceleration
4.1 Housing
4.2 Transport
4.3 Consumer Protection

YEAR 5 — Consolidation
5.1 Measure Everything
5.2 Cultural Campaigns
5.3 The Exit Metric

Of course the next challenge is how do you get this to politicians, but we did this with @euacc before, so we can surely do it in Portugal too! You can read the full action plan in the reply below!
It makes you wonder how far their conversations with ChatGPT went
🚨TRAGEDY IN TEOTIHUACÁN: The disturbing pattern behind the attack. Today, April 20, the violence at the Pyramid of the Moon reveals a plan orchestrated under the aesthetic of Columbine (1999) and a dangerous nihilistic philosophy: 🗓️ THE DATE: April 20, 27th anniversary of the
Castacán will be gentrified in Mérida. Mark my words.
Replying to @heyandras
@heyandras something is consuming high CPU after updating to Coolify 470. I rolled back to 469 and usage dropped back to ~50%. Just a heads up.
Let me know if I can help or run any tests
we’re in the golden age of supply chain attacks. Axios. LiteLLM. XZ Utils.. how many backdoors are quietly running right now, just because they’re too effective to raise any alerts?
⚠️ New threat detected: express-session-js@1.19.0 ⚠️ This dependency includes a severe supply-chain backdoor: it performs an automatic outbound request to a hardcoded external URL at module load time and executes JavaScript sourced from the response ... socket.dev/npm/package/expre…
Niceee
Introducing the new /crawl endpoint - one API call and an entire site crawled. No scripts. No browser management. Just the content in HTML, Markdown, or JSON.
but hey, it works 🤣🤣🤣
"bypasses Cloudflare natively". The bypass:
Opus 4.6 >> gpt-codex-5.3
9 Oct 2025
gpt-5 >>> Opus 4.1 BY FAR.