alti

❗️ Over 30 official Red Hat npm packages were compromised. How they got in: - A Red Hat employee's GitHub account was compromised. - Attackers pushed "orphan commits" (detached from branch history) straight in, bypassing code review with no pull request. - Payload "Miasma" (Mini Shai-Hulud variant) steals GitHub/cloud/Vault/SSH/npm secrets. Rotate everything since June 1. - The commits added a workflow (ci.yaml) + script (_index.js) that abused npm trusted publishing, requesting a real OIDC token to publish backdoored versions.

I have been saying this for a while. It was only a matter of time until someone started running the much cheaper Chinese models on US-based infrastructure. Until now, you could still argue: "Who wants to send sensitive data to a Chinese provider?" Healthcare, defense, government, finance - for many of them this was basically a no-go. But if the same model runs on US-hosted hardware, with a US-based inference provider, many of those objections get weaker. And then it gets interesting. What happens when investors realize that maybe 50-70% of enterprise AI use cases don't need OpenAI or Anthropic at all? Maybe they run fine on: - cheaper hosted models - open-weight models - local models - or some future box of GPUs nobody had on their bingo card The big frontier models may still be needed for the hard stuff. But if only 10-20% of workloads really need them, the ROI story looks very different. That is where the card house starts to shake a bit.

🦔Microsoft canceled its internal Claude Code licenses this week after token-based billing made the cost untenable, even for a company with effectively infinite cloud resources. Uber's CTO sent an internal memo warning the company burned through its entire 2026 AI budget in just four months. American AI software prices have jumped 20% to 37%, and GitHub (owned by Microsoft) is dropping flat-rate plans for usage-based billing across its products. My Take The AI subsidy era is ending in real time. The same company that put $13 billion into OpenAI and built the Azure infrastructure powering most of Anthropic's compute just looked at the bill from a competitor's coding tool and decided it was not worth paying. That is not a productivity failure on Anthropic's end. Token-based pricing is forcing every enterprise customer to confront the actual cost of running these models at scale, and the number turns out to be far higher than the flat-rate experiments suggested. This ties directly to my Gemini Flash post yesterday. Anthropic, OpenAI, and Google all raised effective prices in the last six months. Enterprises that built workflows assuming AI costs would keep falling are now watching annual budgets evaporate in months. Two outcomes look likely from here. Either enterprises scale back AI usage to fit budgets, which slows the revenue ramp the labs need to justify their valuations ahead of IPOs, or the labs cut prices and absorb the losses, which makes the unit economics worse at exactly the wrong moment. Both paths land in the same place, the numbers stop working, and somebody has to take the writedown. Hedgie🤗

I just released Memtest86+ v8.10! 🥳🎉 -- TL;DR changelog -- ➡️ Better support for Intel Lunar/Panther Lake ➡️ Better Bandwidth measurement ➡️ Add support for x2APIC ➡️ Enable SIMD (SSE2) on x86_64 build ➡️ Fix timings on LPDDR5 ➡️ Fix AMI BIOS boot issues from unexpected W^X policy change ➡️ Fix older GRUB boot issues ➡️ Fix SecureBoot code & binary structure for future shim review ➡️ LA64-specific improvements ➡️ Bug fixes Thanks to all contributors! Check it out at: https://t.co/2UH56ubzw4 Source code on Github as usual! #FLOSS

the YellowKey Bitlocker Bypass is genuinely one of the craziest Windows security concepts you'll seen in a while. it basically turns normal Windows behaviour into malware. no exploit. no kernel bug. no scary ransomware binary. just trusted Windows components, signed binaries, and Defender assumptions being chained together into something extremely cursed. modern EDRs are very good at detecting malware. but they're much worse at detecting Windows itself becoming the attack.

❗️ Linux is having a brutal week. Another local to root privilege escalation vulnerability just dropped: "Copy Fail 2: Electric Boogaloo." This is the third Linux LPE in a row, after Copy Fail and Dirty Frag. The PoC is public on GitHub. There is still no coordinated patch. https://t.co/6XifksYgZ6

‼️🚨 One of the world's largest Certificate Authorities, DigiCert, was compromised by a malicious screensaver file sent through a customer support chat. Their antivirus blocked the malware four times. The agent kept clicking. The fifth try got through. 27 code signing certificates were stolen and used to sign malware. DigiCert ultimately revoked 60 certificates. Per DigiCert's incident report, filed in Mozilla's CA compliance tracker as Bug 2033170, here is how it unfolded: April 2: an attacker contacted a DigiCert helpdesk agent through the company's customer support chat channel, posing as a customer. The lure was a zip file pitched as a screenshot. Inside the zip was a .scr file. On Windows, .scr files are executables, and this one carried a malicious payload. Opening a file a customer sent through the official support channel is what an agent is supposed to do. Support staff are the one role designed to accept files from strangers. DigiCert's endpoint security blocked four infection attempts. On the fifth, the support analyst's machine was infected. DigiCert detected the infection, ran an investigation, and concluded the incident was contained. Eleven days later, an external researcher tipped DigiCert off about misuse of DigiCert-issued code signing certificates in the wild. That tip led to the discovery of a second compromised machine, belonging to a different support analyst, infected through the same vector. The EDR on that machine had not been functioning correctly, so the original investigation missed it. The second machine gave the attacker access to DigiCert's internal support portal. That portal lets support staff reach limited views of customer accounts, including initialization codes for ordered but not-yet-issued code signing certificates. Combining a stolen initialization code with an approved order let the attacker pull a real, validly issued code signing certificate. They did this 27 times. DigiCert's own list of what went wrong: - File-type filtering on the customer support chat channel did not catch the .scr - EDR coverage was inconsistent and incomplete, creating a blind spot - Initialization codes for code signing certificates were not adequately protected DigiCert says it got lucky. An outside researcher found the malware abuse before DigiCert did. Without that tip, the second machine and the active certificate theft might still be running today.

Apple built AirDrop. Then locked the best version of it inside their ecosystem. So a developer on GitHub said: “What if every phone, laptop, and OS could send files like AirDrop for free and also locally?” Its called LocalSend. You can share files with no account, no cloud, no subscription, and no company sitting in the middle. This is what Tien Do Nam built for us. Just device to device file sharing over your local network. Works on Windows, macOS, Linux, Android, and iOS. The billion-dollar version is locked. The open-source version is free: https://t.co/tLWCOFNYo9 https://t.co/fLeB5Q4SF2