David Busby

The UK government wants to install Spyware on all British phones to scan all content. You will need Digital ID to access the internet soon. The UK is part of the digital experiment & are following behind Australia. Canada will be next. They all signed us up to be their Guinea pigs. They are attempting to remove personal privacy & install mass surveillance of citizens for control. This is NOT about the kids.

‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."

🚨 Major supply chain attack targeting npm is in progress. Multiple packages compromised and injected with Shai-Hulud style malware. [email protected] (4.2M dl/mo) [email protected] (3.8M dl/mo) @antv/[email protected] (2.2M dl/mo) [email protected] (1.15M) @antv/[email protected] (1M) @antv/[email protected] (1.1M) @antv/[email protected] (975K) @antv/[email protected] (883K) @antv/[email protected] (751K) @antv/[email protected] [email protected] (4.2M) [email protected] (1.15M) @antv/[email protected] (1M) @antv/[email protected] (975K) @antv/[email protected] (751K) @antv/[email protected] (1.25M) @antv/[email protected] (547K)

Security things from the last few days: - CopyFail (linux pwn'd) - CopyFail 2/Dirty Frag - 13 advisories in Next.js - Over 70 CVEs addressed in MacOS 26.5 - ~50 CVEs addressed in iOS 26.5 - YellowKey (Windows Bitlocker pwn'd entirely) - GreenPlasma (Windows privilege escalation) - CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE - CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access - Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning) - Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration too" - Canvas (popular LMS used in most schools) pwn'd entirely - PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300 Are you scared yet?