so our DPRK Contagious Interview friends have advanced in the meantime and have now started wrecking people for which you only need to _unzip_ a file and run a git checkout or commit operation.
so this is how the attack works:
1. the attacker distributes the repo as a zip archive (which is pivotal!). this is on purpose because git clone explicitly strips hooks from remote sources as a security measure (cloning goes through git's _own_ protocol, which excludes them), but unzipping is just a _normal_ filesystem op that git cannot control (yeah fml but also simple fact). the zip restores file permissions exactly as the attacker set them (think `rwxrwxr-x`), so the two active hooks (`pre-commit` & `post-checkout`) arrive on disk already executable (yeah fml).
2. git _automatically_ runs a hook when two conditions are met at the same time. the file must have the correct bare name with no `.sample` extension _and_ the executable bit must be set (like `rwxrwxr-x`). both of these are already satisfied by the attacker _before_ the zip is distributed. no fucking user action, config change, or approval is needed, git's own hook dispatch system triggers everything lmfaooo. software is great innit?
3. some of the custom `.sample` files in the shipped `.git/hooks` directory are the malicious payloads. they are basically payload components _disguised_ under innocent names. once the victim does anything beyond passively inspecting the repo (e.g. git checkout or git commit), the _active_ hook copies those files into `~/.vscode` (a directory devs usually trust and ignore, but well, you should not trust it guys) and then starts a detached background process using `nohup` so it does not block or visibly affect the git command. the git operation still completes normally and nothing looks suspicious. fucking evil, but hey, here we are!
4. that background process then bootstraps a node.js runtime if it is not already installed, runs npm install using an attacker controlled package.json, and executes an obfuscated payload (this can ofc differ and change over time). from that point the attacker gains clipboard access, a persistent c2 channel over socket.io (usually) and the ability to read browser credential dbs.
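quick sanity check you can run on any unzipped repo before touching it with git, written as an added example (not from the original post or from any real sample): it applies git's own two dispatch conditions (bare name + execute bit) to `.git/hooks`, greps every file there for the strings the post describes (`nohup`, `.vscode`, `npm install`), and can strip the execute bits so nothing fires. `build_sample_repo` builds a constructed stand-in layout with placeholder commands, not a real payload.

```python
import tempfile
from pathlib import Path

# Strings the post says the active hooks rely on; a hook mentioning them deserves a look.
SUSPICIOUS_MARKERS = ("nohup", ".vscode", "npm install", "curl ", "wget ")

def audit_hooks(repo_dir):
    """Return (hook_name, reason) findings for repo_dir/.git/hooks. A hook is 'armed'
    when it has a bare name (no .sample suffix) AND an execute bit: exactly the two
    conditions git checks before dispatching it."""
    findings = []
    hooks_dir = Path(repo_dir) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return findings
    for hook in sorted(p for p in hooks_dir.iterdir() if p.is_file()):
        if hook.stat().st_mode & 0o111 and not hook.name.endswith(".sample"):
            findings.append((hook.name, "armed hook (bare name + executable bit)"))
        hits = [m.strip() for m in SUSPICIOUS_MARKERS if m in hook.read_text(errors="replace")]
        if hits:  # .sample files are never run, but may be payload parts an armed hook copies
            findings.append((hook.name, "references " + ", ".join(hits)))
    return findings

def disarm_hooks(repo_dir):
    """Strip every execute bit under .git/hooks so git cannot run anything there;
    returns how many files changed. (Pointing core.hooksPath at an empty dir also works.)"""
    changed = 0
    hooks_dir = Path(repo_dir) / ".git" / "hooks"
    for hook in (hooks_dir.iterdir() if hooks_dir.is_dir() else []):
        mode = hook.stat().st_mode
        if hook.is_file() and mode & 0o111:
            hook.chmod(mode & 0o7666)  # keep everything except the three x bits
            changed += 1
    return changed

def build_sample_repo():
    """Constructed stand-in for an unzipped repo (placeholder commands, no real payload):
    one armed post-checkout hook plus a harmless .sample that happens to be executable."""
    root = Path(tempfile.mkdtemp())
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "post-checkout").write_text(
        "#!/bin/sh\ncp .git/hooks/x.sample ~/.vscode/x && nohup sh ~/.vscode/x >/dev/null 2>&1 &\n")
    (hooks / "post-checkout").chmod(0o775)
    (hooks / "pre-push.sample").write_text("#!/bin/sh\necho template only\n")
    (hooks / "pre-push.sample").chmod(0o775)  # executable but suffixed: git ignores it
    return root

if __name__ == "__main__":
    print(audit_hooks(build_sample_repo()))
```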