❗️ UPDATE on today's npm supply-chain attack:
• Per Socket Security: 121 more compromised package artifacts found across 84 additional package names. 64 of them are UiPath artifacts.
• Combined with the earlier TanStack hits, the current known total is 205 affected npm package artifacts.
• Reach now spans enterprise automation, AI/MCP, auth, workflow, and dev tooling.
The worm is still propagating.
‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you.
The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads.
The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate.
Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.
do you understand what just happened to your computer..
Google Chrome secretly downloaded a 4GB AI model onto your device. Without asking.. Without telling you..
It's called weights.bin. It lives deep in your system folders. It powers Gemini Nano - Google's on-device AI.
And if you delete it? Chrome re-downloads it automatically. Like nothing happened.
Just Google deciding your hard drive is their storage unit.
At 1 billion Chrome users - that's 4 BILLION gigabytes of data pushed silently across the internet.
The carbon footprint alone equals tens of thousands of cars running for a year.
Check your disk right now:
📁 %LOCALAPPDATA%\Google\Chrome\User Data\OptGuideOnDeviceModel
To stop it: chrome://flags → disable Optimization Guide On Device Model → restart Chrome → delete the folder.
Reshare so people know what's sitting on their computers.
🚨🇪🇺 The European Commission is about to steal your search history in one of the largest forced data grabs in the history of the open internet, and almost nobody is talking about it.
The scope is staggering:
🔴 Every query you type
🔴 Every voice and photo search
🔴 Every autocomplete you accept
🔴 Your language, your device
🔴 Your country pinned to a ~3km² grid
🔴 Every result you saw, every link you hovered
🔴 Every click and scroll
🔴 The full chronological order of your search sessions
Meaning the European Union now knows your:
🔴 Health symptoms
🔴 Pregnancy
🔴 Sexual orientation
🔴 Political views
🔴 Religious beliefs
🔴 Financial distress
🔴 Legal trouble
🔴 Addictions
🔴 Affairs
Under the proposed measures for DMA Article 6(11), Google would be ordered to ship the daily search behaviour of hundreds of millions of Europeans to multiple third parties through a daily API feed. Any approved "online search engine," AI chatbots included, would get five years of access.
The things people only ever type when they think no one is watching. All of it now scheduled to flow daily into an open-ended list of third parties scattered across the European Union.
Brussels promises "anonymisation." The reality is a thin technical veneer that has been broken in academic literature again and again for over a decade. Search behaviour is a fingerprint. Stripping a name does not change that.
Mass data leaks become inevitable. Every new beneficiary is a new attack surface, and every annual audit is a year of silent exposure between checks. The 2025 Discord vendor breach already showed how fast 70,000 government IDs can leak through a single weak link. Now imagine that link holding Europe's search history.
Surveillance without consent becomes the default. Hundreds of millions of EU citizens never agreed to have their queries packaged and shipped to companies they have never heard of. The legal fiction of "anonymisation" cannot manufacture consent that was never given.
Behavioural search data is a goldmine for phishing, blackmail, social engineering, and corporate espionage.
Foreign intelligence services get a back door without effort. They do not need to breach Google. They only need to compromise the weakest name on the beneficiary list. One insolvent startup. One compromised contractor. One approved entity quietly acquired by a hostile state.
In the name of "competition," the EU is about to manufacture a permanent, distributed, daily-refreshed copy of Europe's collective search history. A surveillance dataset Brussels itself would never approve if any other government tried to build it.
The public consultation closes Friday, May 1, 2026 at 23:59 CEST. The final binding decision lands July 27, 2026.
After that, the door does not close again.
Tag your MEPs! File a response! Make noise!
do you understand what happened to PlayStation yesterday..
They quietly turned your game purchases into a 30-day subscription.
No announcement.. No warning..
You didn't rent it.. You BOUGHT it.
→ Every new PSN purchase now has a 30-day validation timer
→ Timer hits zero = game locked
→ CMOS battery dies = game locked
→ No internet for a month = game locked
→ Even FREE demos have the timer now
Game bought March 2nd? No timer. Works forever..
Game bought April 24th? Expires May 24th..
They didn't patch a bug. They shipped this on purpose.
Digital ownership just died. They didn't even tell you.
🛜 If you ever connect to a Wi-Fi network with a captive portal and nothing opens…
✅ All you have to do is go to Safari and look up “https://t.co/slB0COTHaL” and that's it; it works on any network and any Apple device.
💬 Did you know?
😱 iOS 26.4.2 still leaks the real IP when updating VPN apps. Motivated by Mullvad's recent blog, we made a website that logs the iPhone IP every second. We started Mullvad VPN, opened the website, then let Mullvad update in the background. See the leaks in action.. 🤯
🔐 Proton CEO Andy Yen warns that the global push for age verification is the quiet death of online anonymity, because every passport scan, selfie, and biometric uploaded for "verification" inevitably ends up leaked, hacked, or monetized.
He argues Big Tech and governments cannot be trusted to act as gatekeepers, and the only real protection for ID data is to never collect it in the first place.
We are very happy that today Apple issued a patch and a security advisory. This comes following @404mediaco reporting that the FBI accessed Signal message notification content via iOS despite the app being deleted.
Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release. You can read more here: https://t.co/yE8ufSTQHk
Note that no action is needed for this fix to protect Signal users on iOS. Once you install the patch, all inadvertently-preserved notifications will be deleted and no forthcoming notifications will be preserved for deleted applications.
We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.
MICROSOFT IGNORED HIM. NOW YOUR PC PAYS FOR IT
One researcher reported a critical Defender vulnerability privately. Microsoft dismissed it. So he published it - then dropped 2 more in 13 days.
The latest is called RedSun. It's unpatched. It works 100% reliably on Windows 10, 11 and Server right now.
It doesn't bypass your antivirus. It uses your antivirus as a weapon.
Defender tries to restore a flagged file - the exploit redirects that write into C:\Windows\System32. No admin. No popup. SYSTEM access in seconds.
-> BlueHammer - patched
-> UnDefend - breaks Defender updates forever
-> RedSun - unpatched, public PoC on GitHub
His message to Microsoft: "I was not bluffing. And I'm doing it again."
RCE is reportedly next. That one needs zero physical access.
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.
When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.
It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
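The two design failures described above (a PIN that is not bound to the identity data it guards, and a lockout counter and biometric flag sitting in a plainly editable file) are what a PIN-wrapped, device-authenticated credential store avoids. The sketch below is an added example, not the EU app's code; the module-level device key and the HMAC-counter keystream are assumed stand-ins for a secure-element key and a real cipher.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for a hardware-backed, non-exportable device key: on a real
# phone this would live in the secure element and never be in any editable file.
DEVICE_KEY = os.urandom(32)
MAX_ATTEMPTS = 5


def _pin_key(pin: str, salt: bytes) -> bytes:
    """Derive the credential-wrapping key from the PIN; a new PIN yields a new key."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (assumed stand-in for AES-CTR)."""
    out = b""
    for ctr in range(-(-length // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def _seal(state: dict) -> dict:
    """Authenticate everything in the file, attempt counter included, under the device key."""
    body = json.dumps({k: v for k, v in state.items() if k != "mac"}, sort_keys=True).encode()
    return {**state, "mac": hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()}


def enroll(pin: str, credential: bytes) -> dict:
    """Wrap the identity credential so it is only recoverable with the enrolment PIN."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _pin_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(credential, _keystream(key, nonce, len(credential))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()  # verifies the PIN was right
    return _seal({"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag, "attempts": 0})


def unlock(state: dict, pin: str):
    """Return (new_state, credential); credential is None on a wrong PIN. Raises if tampered or locked."""
    if not hmac.compare_digest(_seal(state)["mac"], state.get("mac", "")):
        raise ValueError("stored state was modified outside the app")
    if state["attempts"] >= MAX_ATTEMPTS:
        raise PermissionError("locked: too many attempts")
    key = _pin_key(pin, bytes.fromhex(state["salt"]))
    nonce, ct = bytes.fromhex(state["nonce"]), bytes.fromhex(state["ct"])
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).hexdigest(), state["tag"]):
        return _seal({**state, "attempts": state["attempts"] + 1}), None
    return _seal({**state, "attempts": 0}), bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
```

With this layout, deleting entries and picking a fresh PIN derives a key that cannot unwrap the credential, and zeroing the counter in the file breaks the device-key MAC instead of resetting the lockout.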
‼️ https://t.co/5Bh62HuixW has been breached — threat actors accessed customer data and reservations, and are actively abusing it.
A Reddit user says he reported the breach over two weeks ago after being phished with his own reservation details, but Booking said everything was fine on their end.
"Given how weak their security appears to be, I'm not surprised"
One vote.
The EU killed Chat Control by a single vote margin.
That's how close you were to having ALL your private messages auto scanned for "crimes".
The fight isn't over though. Chat Control is dead but legislation for Chat Control 2 is already in motion.
Kill it as well.
Hackers recently exposed parts of Discord's age verification system by discovering that the frontend code for their partner Persona was publicly accessible on the open internet.
This revealed details on how facial age estimation and ID verification are integrated.
“Persona's exposed code compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media (from mentions of terrorism to espionage), and tags reports with codenames from active intelligence programs consisting of public-private partnerships.”
🚨BREAKING: Discord's third-party ID verification vendor, Persona, just got hacked.
Anyone who did verification with Persona could be extensively compromised.