⚠️ New "IronWorm" supply-chain attack: 30+ npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall.
It sweeps 86 env vars + 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.
3rd wave dropped.
3 more packages impersonating emcd[.]io,
@emcd-vue/auth
@emcd-vue/loans
@emcd-vue/b2b-pay-form
1. Downloads a platform-specific second-stage payload from oob[.]moika[.]tech/payload/{platform} using a hardcoded secret key.
2. Writes the payload to ~/.emcd-vue_init.js (a dot-prefixed hidden file in the user's home directory).
3. Executes the payload immediately via spawn(process.execPath, [payload_path], env).
4. Reports installation metadata to oob[.]moika[.]tech/report (C2 callback).
Updated Blog: https://t.co/pDdUVfMFZv
Campaign Details: https://t.co/FLwqh6ZnGQ
The EU age verification app is presented as “completely anonymous”. But the risk is that member states (the countries are supposed to create their own versions of the open-source EU app) use it to introduce identity verification that makes it impossible to post anonymously on social media.
The idea behind “completely anonymous” is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app “is technically ready to be used”. But more importantly, the app is designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.
This means that the EU could decide at any time that ZKP may no longer be used, and in one stroke the app would fall back to its default mode, meaning that every post on social media carries an ID tag. By that point, an infrastructure will already have been rolled out; people will have gotten used to it, and it will be harder to roll it back.
More details on https://t.co/wTVKHMS1zg
As I'm sure you've all seen by now, nerds have been exploiting Meta's AI agent goop to steal Instagram accounts.
The Instagram AI agent for support could be convinced to reset the credentials to other users accounts by asking nicely and do a super gnarly kickflip on a skateboard, or something, I don't know.
Everyone on social media was freaking out. The trending posts on Xitter were people being all like ERRMERGERD ME INSTAGRAM ACCNT WAS STOLEN. It also resulted in some celebrities having their accounts stolen. One stolen account showed some rapper named Lil Tracy (?) messaging 14 year olds, or something, despite being 18 at the time.
All the big cybersecurity nerds were discussing it, yelling about AI, taking the opportunity to meme Zuckerberg (as is tradition).
The AI exploit thingy has apparently existed for a while, a few months apparently, but that is kind of just gossip. I haven't seen any solid proof of that. Meta supposedly fixed the issue, but some people are saying you can still ask nicely and do a super gnarly heelflip and Instagram goop gives you account resets.
Cool stuff bro, it's AI, it's lit
pic unrelated
Our technical analysis on the Red Hat compromise now includes a more comprehensive look on the malware - including a 6th(!!!!!!) stage payload dropping logic!
https://t.co/uRhPcbDxuc
The @redhat-cloud-services compromise appears to be another copycat malware of Shai-Hulud, a new variant that appeared after they open-sourced their Mini Shai-Hulud malware on GitHub earlier this month.
Over ~280 repositories with stolen credentials, 116,282 weekly downloads, and https://t.co/pc2jflovHp as a decoy C2 server, while actually uploading stolen credentials only to GitHub.
You can read our full analysis here:
https://t.co/pEzdXLGYLR
🚨 Active incident
@redhat-cloud-services/[email protected] contains the mini-shai-hulud worm, published through the project's own trusted OIDC pipeline, signed, verified, and malicious.
A preinstall hook. Downloads Bun runtime.
Harvests AWS, Azure, GCP, Vault, GitHub, npm creds. Exfiltrates via public GitHub repos and then republishes itself into every package the stolen token can reach.
32 packages share the same publishing pipeline.
Analysis being done here -> https://t.co/JAnfA3MlgF
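The install-time hook pattern described in the IronWorm third-wave steps above (preinstall hook, hidden dropper in the home directory, callback to oob[.]moika[.]tech) and again in the @redhat-cloud-services post (a preinstall hook that fetches a runtime and harvests credentials) is something a defender can audit for locally. The script below is an added example, not code from any of the posts or from the projects they name: it walks a node_modules tree, reports every package that runs code at install time, and matches the indicators quoted in the posts (the @emcd-vue package names, the oob.moika.tech host, the ~/.emcd-vue_init.js file name). The list of scopes treated as "under active incident", the benign package name and the constructed demo tree are assumptions for illustration; the stand-in setup.js contains only string literals and no executable dropper logic.

```python
"""Audit a node_modules tree for install-time lifecycle hooks and for the
indicators quoted in the posts above (added example, not the projects' code)."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# npm runs these hooks during `npm install` without any further user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Scopes named in the posts above as involved in an active incident (assumption:
# any package in these scopes is worth a manual look, not automatically malicious).
INCIDENT_SCOPES = ("@emcd-vue/", "@asteroiddao/", "@redhat-cloud-services/")

# Literal indicators from the IronWorm third-wave description (defanging removed
# so the strings match what would actually appear in a script body).
INCIDENT_STRINGS = ("oob.moika.tech", ".emcd-vue_init.js")


def audit_package(pkg: dict, script_sources: dict[str, str] | None = None) -> list[str]:
    """Return human-readable findings for one parsed package.json.

    script_sources optionally maps a file name referenced by a hook (for example
    "setup.js") to its contents, so indicators are matched inside the script
    body and not only in the one-line hook command."""
    findings: list[str] = []
    name = pkg.get("name", "<unnamed>")
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{name}: runs code at install time via '{hook}': {cmd}")
        for ioc in INCIDENT_STRINGS:
            if ioc in cmd:
                findings.append(f"{name}: hook '{hook}' references indicator {ioc}")
    for fname, body in (script_sources or {}).items():
        for ioc in INCIDENT_STRINGS:
            if ioc in body:
                findings.append(f"{name}: file {fname} references indicator {ioc}")
    for scope in INCIDENT_SCOPES:
        if name.startswith(scope):
            findings.append(f"{name}: package is in scope {scope.rstrip('/')} named in an active incident")
    return findings


def audit_tree(node_modules: Path) -> dict[str, list[str]]:
    """Walk a node_modules directory and audit every package.json in it.
    Returns {relative package dir: findings} for packages with findings."""
    report: dict[str, list[str]] = {}
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        # Load the local .js files that hook commands point at ("node ./setup.js").
        sources: dict[str, str] = {}
        for cmd in (pkg.get("scripts") or {}).values():
            for token in str(cmd).split():
                candidate = manifest.parent / token.lstrip("./")
                if candidate.suffix == ".js" and candidate.is_file():
                    sources[candidate.name] = candidate.read_text(encoding="utf-8", errors="replace")
        findings = audit_package(pkg, sources)
        if findings:
            report[manifest.parent.relative_to(node_modules).as_posix()] = findings
    return report


def build_demo_tree(root: Path) -> Path:
    """Create a constructed node_modules tree: one benign package and one
    modelled on the hook-plus-dropper shape described above. The setup.js is an
    inert stand-in holding only the indicator strings (constructed sample)."""
    nm = root / "node_modules"
    benign = nm / "left-pad-ish"  # assumed benign package name
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "left-pad-ish", "version": "1.0.0"}))
    suspect = nm / "@emcd-vue" / "auth"
    suspect.mkdir(parents=True)
    (suspect / "package.json").write_text(json.dumps({
        "name": "@emcd-vue/auth", "version": "0.0.1",
        "scripts": {"preinstall": "node ./setup.js"}}))
    (suspect / "setup.js").write_text(
        "// constructed stand-in: string literals only, no download or spawn logic\n"
        "const host = 'oob.moika.tech';\n"
        "const out = require('os').homedir() + '/.emcd-vue_init.js';\n")
    return nm


def run_demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for pkg_dir, lines in run_demo().items():
        print(pkg_dir)
        for line in lines:
            print("  -", line)
```

Run it against a real checkout with `audit_tree(Path("node_modules"))`; the benign package produces no findings, while the constructed @emcd-vue/auth entry is reported for its preinstall hook, for both indicator strings found in setup.js, and for sitting in a scope named in the posts. Note that the indicator strings only catch the third-wave behaviour quoted above; the lifecycle-hook check is the part that generalises to the @redhat-cloud-services case and to any future package that runs code on install.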