Cybersecurity, Information Security & Technology

Joined June 2020
Pinned Tweet
10 Jan 2023
"mAcS dOn'T gEt MaLwArE 🤪" Yes they do. Checkout my blog about creating macOS ransomware with successful execution 🔥. huntress.com/blog/creating-m…
❗️ UPDATE on today's npm supply-chain attack:
• Per Socket Security: 121 more compromised package artifacts found across 84 additional package names. 64 of them are UiPath artifacts.
• Combined with the earlier TanStack hits, the current known total is 205 affected npm package artifacts.
• Reach now spans enterprise automation, AI/MCP, auth, workflow, and dev tooling.
The worm is still propagating.
‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads. The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate. Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.
poncho retweeted
do you understand what just happened to your computer..
Google Chrome secretly downloaded a 4GB AI model onto your device. Without asking.. Without telling you..
It's called weights.bin. It lives deep in your system folders. It powers Gemini Nano - Google's on-device AI.
And if you delete it? Chrome re-downloads it automatically. Like nothing happened. Just Google deciding your hard drive is their storage unit.
At 1 billion Chrome users - that's 4 BILLION gigabytes of data pushed silently across the internet. The carbon footprint alone equals tens of thousands of cars running for a year.
Check your disk right now:
📁 %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel
To stop it: chrome://flags → disable Optimization Guide On Device Model → restart Chrome → delete the folder.
Reshare so people know what's sitting on their computers.
Google Chrome is quietly downloading a roughly 4 GB AI model to many users’ computers without clear upfront consent. The file, called weights.bin, is part of Google’s Gemini Nano on-device language model and lands in the browser’s user data folder under OptGuideOnDeviceModel. It powers built-in AI tools such as “Help me write,” smarter tab suggestions, on-device scam detection, and page summarization. The download triggers automatically for devices meeting minimum hardware requirements, and Chrome often replaces the files if deleted. While the model processes data locally, installation happens in the background with minimal notification. The scale is noteworthy. Hundreds of millions or billions of installations add up to thousands of tonnes of carbon emissions globally from data transfer, even though each is a one-time event. To prevent or remove it, go to chrome://flags, disable the entries for the optimization guide on-device model and Prompt API, restart the browser, and manually delete the folder.
🚨🇪🇺 The European Commission is about to steal your search history in one of the largest forced data grabs in the history of the open internet, and almost nobody is talking about it.
The scope is staggering:
🔴 Every query you type
🔴 Every voice and photo search
🔴 Every autocomplete you accept
🔴 Your language, your device
🔴 Your country pinned to a ~3km² grid
🔴 Every result you saw, every link you hovered
🔴 Every click and scroll
🔴 The full chronological order of your search sessions
Meaning the European Union now knows your:
🔴 Health symptoms
🔴 Pregnancy
🔴 Sexual orientation
🔴 Political views
🔴 Religious beliefs
🔴 Financial distress
🔴 Legal trouble
🔴 Addictions
🔴 Affairs
Under the proposed measures for DMA Article 6(11), Google would be ordered to ship the daily search behaviour of hundreds of millions of Europeans to multiple third parties through a daily API feed. Any approved "online search engine," AI chatbots included, would get five years of access. The things people only ever type when they think no one is watching. All of it now scheduled to flow daily into an open-ended list of third parties scattered across the European Union.
Brussels promises "anonymisation." The reality is a thin technical veneer that has been broken in academic literature again and again for over a decade. Search behaviour is a fingerprint. Stripping a name does not change that.
Mass data leaks become inevitable. Every new beneficiary is a new attack surface, and every annual audit is a year of silent exposure between checks. The 2025 Discord vendor breach already showed how fast 70,000 government IDs can leak through a single weak link. Now imagine that link holding Europe's search history.
Surveillance without consent becomes the default. Hundreds of millions of EU citizens never agreed to have their queries packaged and shipped to companies they have never heard of. The legal fiction of "anonymisation" cannot manufacture consent that was never given.
Behavioural search data is a goldmine for phishing, blackmail, social engineering, and corporate espionage. Foreign intelligence services get a back door without effort. They do not need to breach Google. They only need to compromise the weakest name on the beneficiary list. One insolvent startup. One compromised contractor. One approved entity quietly acquired by a hostile state.
In the name of "competition," the EU is about to manufacture a permanent, distributed, daily-refreshed copy of Europe's collective search history. A surveillance dataset Brussels itself would never approve if any other government tried to build it.
The public consultation closes Friday, May 1, 2026 at 23:59 CEST. The final binding decision lands July 27, 2026. After that, the door does not close again.
Tag your MEPs! File a response! Make noise!
poncho retweeted
do you understand what happened to PlayStation yesterday..
They quietly turned your game purchases into a 30-day subscription. No announcement.. No warning.. You didn't rent it.. You BOUGHT it.
→ Every new PSN purchase now has a 30-day validation timer
→ Timer hits zero = game locked
→ CMOS battery dies = game locked
→ No internet for a month = game locked
→ Even FREE demos have the timer now
Game bought March 2nd? No timer. Works forever.. Game bought April 24th? Expires May 24th..
They didn't patch a bug. They shipped this on purpose. Digital ownership just died. They didn't even tell you.
I’ve also been experimenting with this, and I can confirm that if your CMOS battery dies, any digital game with the timer becomes unplayable again, even if the console is set as the primary. This is a digital game I purchased with money yesterday. I didn’t claim it with PS Plus.
poncho retweeted
🛜 If you ever connect to a Wi-Fi network with a captive portal and nothing opens… ✅ All you have to do is go to Safari and look up “captive.apple.com” and that's it; it works on any network and any Apple device. 💬 Did you know?
poncho retweeted
😱 iOS 26.4.2 still leaks the real IP when updating VPN apps. Motivated by Mullvad's recent blog, we made a website that logs the iPhone IP every second. We started Mullvad VPN, opened the website, then let Mullvad update in the background. See the leaks in action.. 🤯
🔐 Proton CEO Andy Yen warns that the global push for age verification is the quiet death of online anonymity, because every passport scan, selfie, and biometric uploaded for "verification" inevitably ends up leaked, hacked, or monetized. He argues Big Tech and governments cannot be trusted to act as gatekeepers, and the only real protection for ID data is to never collect it in the first place.
poncho retweeted
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted. Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release. You can read more here: support.apple.com/en-us/1270… Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications. We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.
poncho retweeted
MICROSOFT IGNORED HIM. NOW YOUR PC PAYS FOR IT
One researcher reported a critical Defender vulnerability privately. Microsoft dismissed it. So he published it - then dropped 2 more in 13 days.
The latest is called RedSun. It's unpatched. It works 100% reliably on Windows 10, 11 and Server right now. It doesn't bypass your antivirus. It uses your antivirus as a weapon. Defender tries to restore a flagged file - the exploit redirects that write into C:\Windows\System32. No admin. No popup. SYSTEM access in seconds.
-> BlueHammer - patched
-> UnDefend - breaks Defender updates forever
-> RedSun - unpatched, public PoC on GitHub
His message to Microsoft: "I was not bluffing. And I'm doing it again." RCE is reportedly next. That one needs zero physical access.
Windows Defender has been compromised. Right now there is a public unpatched exploit that gives any app on your Windows PC full system admin access. No password. No popup. Nothing. Your antivirus doesn't stop it. Your antivirus IS the exploit. Windows Defender is the attack vector. Ransomware gangs can use this to encrypt your entire machine and steal every saved password, browser session, and Discord token you have. Fully patched Windows 11. Real-time protection on. Thread
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort. When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened. It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
poncho retweeted
Just put your vbscript inside of html and put that inside of an mp3 in the middle of some frame data and mshta will just... Fucking execute it?!?!
Replying to @h4x0r_dz
oh shit "1-9-18[dot]com" Registered On 2026-04-11 🤣
‼️ Booking.com has been breached — threat actors accessed customer data and reservations, and are actively abusing it. A Reddit user says he reported the breach over two weeks ago after being phished with his own reservation details, but Booking said everything was fine on their end. "Given how weak their security appears to be, I'm not surprised"
poncho retweeted
How Axios was compromised 🤯
poncho retweeted
One vote. The EU killed Chat Control by a single vote margin. That's how close you were to having ALL your private messages auto scanned for "crimes". The fight isn't over though. Chat Control is dead but legislation for Chat Control 2 is already in motion. Kill it as well.
poncho retweeted
01000011 01100101 01101110 01110011 01101111 01110010 01110011 01101000 01101001 01110000 00100000 01101001 01110011 01101110 00100111 01110100 00100000 01101110 01101111 01110010 01101101 01100001 01101100 00101110
poncho retweeted
Hackers recently exposed parts of Discord's age verification system by discovering that the frontend code for their partner Persona was publicly accessible on the open internet. This revealed details on how facial age estimation and ID verification are integrated. “Persona's exposed code compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media (from mentions of terrorism to espionage), and tags reports with codenames from active intelligence programs consisting of public-private partnerships.”
poncho retweeted
🚨BREAKING: Discord's third party vendor ID Verification system, Persona just got hacked. Anyone who did verification with Persona, could be extensively compromised.