yan

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

📣🚨 BAT SIGNAL: A law in France that would mandate a backdoor in end to end encrypted communications is set for a vote within the next day, after some start-stop skirmishes.  The French Narcotraffic law would require encrypted communications providers—like Signal—create a backdoor by giving the government the ability to add themselves to any group or chat they like. In the name of (checks notes) fighting drug trafficking.  While those hyping this bad law have rushed to assure French politicians that the proposal isn’t’ ‘breaking encryption’ their arguments are as tedious as they are stale as they are laughable. For those catching up, let’s review the basics: end to end encryption must only have two ‘ends’—sender and recipient(s). Otherwise, it is backdoored. Whatever method is devised to add a ‘third end’ —from a perverted PRNG in a cryptographic protocol, to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats—it rips a hole in the hull of private communications and is a backdoor.  Indeed, the ghost participant proposal was roundly rebuked (humiliated, even) when it was first proposed in 2019 in the UK. The technical community was united, and it was never implemented in law or otherwise.  We cannot accept any backdoor, however it’s dressed up. Communications don’t stay within jurisdictional boundaries. Which means a hole created in France becomes a vector for anyone wanting to undermine Signal’s robust privacy guarantees, anywhere. Instead of contending with unbreakable math, they only have to compromise a French government employee, or the vendor-provided software used to sideload government operatives into your private chats.  This is why, as always, Signal would exit the French market before it would comply with this law as written. At this moment especially, there is simply too much riding on Signal, on our being able to forge a future in which private communication persists, to allow such pernicious undermining.  We hope—WE HOPE—that this callow, dishonest attack will fail, and will be the last. We would love to get back to the work of maintaining and improving our core technologies, instead of fighting legislation which is distinguished in nothing as much as its refusal to listen to decades of expert consensus in its drive to imperil global cybersecurity and the human right of privacy.