Joined October 2008
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
NEW: malware developers added nuclear & biological weapons text to their spyware. Goal? To trigger LLM safety refusals... so that their spyware wouldn't be analyzed by an AI security scanner. Cleanest practical example I can think of for why over-indexing on first order safety alignment is risky. When closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover...and exploit. We are only in the earliest days of attackers leveraging these features, and it wouldn't surprise me if users' systems that need to handle complex cybersecurity issues demand that models be less safety-blunted. In the weeds: @SocketSecurity's post also shows why intention matters in how you design a malware analysis pipeline to avoid prompt manipulation. H/T to colleagues that shared this with me socket.dev/blog/mini-shai-hu…
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Has anybody heard of software called `garalt`? This user is probing many large repos with injection attempts to steal a `garalt_secret`. I can only find one reference to that name, and it's another user with the same type of activity: github.com/radeeshovashsain/…
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Here's the imposter commit that caused the new wave: github.com/RedHatInsights/fr… And workflow run: github.com/RedHatInsights/fr…
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
It's wild just what kind of crazy things you can achieve in a home lab. Just as an experiment and to better understand Kubernetes cluster management, I decided to build a Stratum 1 NTP server. 191 nanosecond RMS offset to UTC, served from a home lab cluster running Kubernetes...
Another project I have been working on is a seismometer. It's so sensitive, it not only detects rain (blue) even though it is buried in an underground box, but also individual cars on the main road that is 200 yards away! (pink) Traffic picks up around 6am. Orange is my AC unit.
This is what loud thunder looks like from a close lightning strike including my infrasound sensor. 38 Pa of pressure is crazy. It also shows up on the seismograph of course and dwarfs any other event around it. (small preceding spike is electrical interference from the lightning!)
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
This is probably the best look at the shockwaves I’ve seen from the latest Starship flight. Captured from a GoPro I clamped onto a proper camera to record simultaneous video. (I’ll show you the photo the better camera took in the reply)
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Following @greynoiseio's post regarding broad SonicWall scanning, Huntress has observed a sharp increase in compromise of SonicWall SSLVPN devices from IP addresses 173.208.148[.]250 (WholeSale Internet) and 45.86.230[.]72 (Clouvider) 🧡
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
maybe i’m just young and brainrotted but the first few seconds of the phone blurrily readjusting to the moon affected me more viscerally than any other photo that came out of Artemis
Only one chance in this lifetime… Like watching sunset at the beach from the most foreign seat in the cosmos, I couldn’t resist a cell phone video of Earthset. You can hear the shutter on the Nikon as @Astro_Christina is hammering away on 3-shot brackets and capturing those exceptional Earthset photos through the 400mm lens. @AstroVicGlover was in window 3 watching with @Astro_Jeremy next to him. I could barely see the Moon through the docking hatch window but the iPhone was the perfect size to catch the view…this is uncropped, uncut with 8x zoom which is quite comparable to the view of the human eye. Enjoy.
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Yeah, so pretty much this cpuid.com malware is a pain in the ass. I'd have to spend a good bit of time trying to bonk it with a stick and reconstruct some of it. Whoever developed this malware actually cares about evasion and made some intelligent decisions when developing this malware payload.

This appears to only impact HWMonitor 64bit. It appears (based on user reports) cpuid became malicious around 7PM EST, April 10th, 2026. However, it is possible it was much earlier than this; this is just when people began noticing and discussing it online.

From an extremely high-level overview, it appears the ultimate goal of this malware is data theft, specifically browser credentials. However, I could be wrong in that assessment, but I'm fairly confident in it. I'm guessing this is the end goal because when I emulated it I can see it messing with Google Chrome's IElevation COM interface (trying to dump and decrypt saved passwords). However, between this it does a bunch of other stuff too.

1. They (an unknown Threat Actor) compromised cpuid.com to deliver malware from HWMonitor. It impacts the actual installer as well as the portable installer. It downloads stuff from supp0v3-dot-com, the same domain used from a previous malware campaign targeting FileZilla in the beginning of March, 2026 initially reported by MalwareBytes.
2. HWMonitor comes packaged with a malicious CRYPTBASE.dll. CRYPTBASE.dll is a legitimate Windows library, but they made a fake one to blend in (malware masquerading). This DLL is responsible for connecting to their C2 and downloading the other malware stages.
3. It tries to detect emulation and prevent reverse engineering by checking for the presence of specific registry keys on the machine. However, they failed doing this and didn't account for everything. Notably, they only check for VirtualBox (whomp, whomp).
4. It downloads a .cs file from a remote C2 and then compiles it manually on the machine by invoking .NET stuff. This is an interesting strategy. It does all of this via Powershell (LOLBIN nonsense).
5. The .cs file it compiles is a .NET binary with NTDLL exports. The main HWMonitor binary performs process injection using this compiled .NET binary. This is an interesting strategy.
6. Almost everything it does is performed in-memory.

I would have to go through this and manually bonk all of this stuff with a stick and determine precisely how it operates. However, I don't think that is necessary because at this point we know this is malware and we know it's trying to steal browser credentials.

2 points for IElevation COM Interface credential dumping
1 point for inline Powershell CLI DLL compilation
1 point for .NET assembly NTDLL export proxying
-1 point for botched anti-emulation
2 points for website compromise and supply chain attack
1 point for memory persistence
-3 points for recycling the same C2 from March, 2026 campaign

Overall I give this malware a B-. This is pretty good malware.
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Replying to @NASA
@NASA has just released some EXTRAORDINARY tracking footage from Artemis II's launch just one week ago. Mesmerizing exhaust flow interaction between all four RS-25's & twin SRB's.
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Earthset. The Artemis II crew captured this view of an Earthset on April 6, 2026, as they flew around the Moon. The image is reminiscent of the iconic Earthrise image taken by astronaut Bill Anders 58 years earlier as the Apollo 8 crew flew around the Moon.
I have been working on building my own seismometer and infrasound detector over the past few weeks and finally got everything up and operational tonight. The data looks super interesting! Next step is to get it outside and underground to get it away from footsteps and other noise
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
467
10,957
85,285
2,512,472
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
We are working it, sharing what we know as of now - gist.github.com/joe-desimone…
Replying to @npmjs
@npmjs @GHSecurityLab there is an active supply chain attack on axios@1.14.1 which pulls in a malicious package published today - plain-crypto-js@4.2.1 - someone took over a maintainer account for Axios
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
IoC, look for this right now sfrclak[.]com:8000
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
Mar 31
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
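The post above tells axios users to audit their lockfiles. What follows is an added example, not code from the original post, from Socket, or from the axios project: a Node.js script that walks a package-lock.json (lockfileVersion 2 or 3, i.e. the flat "packages" map keyed by install path) and reports every installed entry matching the two name@version indicators the post gives, together with the packages that declare it as a dependency, so you can see which direct dependency dragged the malicious package in. The sample lockfile is constructed for the demonstration, and the helper names findCompromised, packageName, dependentLabel and auditLockfileText are this example's own.

```javascript
// Added example, not from the original post: audit an npm package-lock.json
// for the compromised name@version pairs named in the post. Assumes a
// lockfileVersion 2 or 3 file (the flat "packages" map keyed by install path).

// Indicators quoted from the post: the compromised axios release and the
// malicious package it pulls in.
const KNOWN_BAD = new Set(["axios@1.14.1", "plain-crypto-js@4.2.1"]);

// Constructed sample lockfile (not a real project): one direct dependency on
// axios that resolved to the compromised release, which depends on the dropper.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.14.0", lodash: "^4.17.21" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "^4.2.1", "follow-redirects": "^1.15.6" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.9" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

// Package name from a lockfile install path: the text after the last
// "node_modules/" (nested installs look like a/node_modules/b).
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Display name for the entry that declares a dependency: the root project
// entry has the empty-string path, so use the lockfile's project name for it.
function dependentLabel(lock, lockPath) {
  return lockPath === "" ? lock.name || "(root)" : packageName(lockPath);
}

// Walk the "packages" map and report every installed entry whose name@version
// is an indicator, plus every entry that declares it as a dependency, so the
// output shows which package dragged the bad one in. Results are sorted by
// install path so the output is stable.
function findCompromised(lock, knownBad = KNOWN_BAD) {
  const packages = lock.packages || {};
  const hits = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue; // root project, not an installed package
    const name = packageName(lockPath);
    if (!knownBad.has(`${name}@${entry.version}`)) continue;
    const dependents = Object.entries(packages)
      .filter(([, e]) => e.dependencies && Object.hasOwn(e.dependencies, name))
      .map(([p]) => dependentLabel(lock, p));
    hits.push({ path: lockPath, name, version: entry.version, dependents });
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

// Convenience wrapper for raw lockfile text (what you would read from disk).
function auditLockfileText(jsonText, knownBad = KNOWN_BAD) {
  return findCompromised(JSON.parse(jsonText), knownBad);
}

// Demo run on the constructed lockfile: prints both indicators and who pulled them in.
for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`${hit.name}@${hit.version} at ${hit.path}; pulled in by: ${hit.dependents.join(", ")}`);
}
```

Against a real project, pass the contents of package-lock.json (for example, fs.readFileSync("package-lock.json", "utf8")) to auditLockfileText; a non-empty result means the resolved tree contains one of the two indicators even if package.json only names axios with a caret range. Version-1 lockfiles nest dependencies under "dependencies" instead of "packages" and are not handled by this check.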
π™ΆπšŠπš•πš•πšŠπšπš‘πšŽπš› 🌻 retweeted
here’s johnny