We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART..
They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials..
The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history..
Here's how the whole thing unfolded..
In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally..
They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background..
It took Aqua Security 5 days to fully remove them..
Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms..
In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers..
That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm..
One compromised security scanner poisoned a password manager.. Automatically.. No human involved..
In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages..
And here's the terrifying part..
The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures..
Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed..
They defeated the entire trust model of modern software supply chains..
The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials..
That's a first.. Supply chain malware designed to steal your AI's access keys..
Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free"..
Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next..
It jumps between npm and PyPI automatically..
The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records..
And the scariest part of all..
They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools..
Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream..
And right now.. Nobody can tell the difference between a legitimate build and a compromised one..
Because the compromised ones have valid signatures too.
Google Chrome silently installs a 4 GB AI model on your device.
> No consent dialog. No opt-out UI. Re-installs itself if the user removes it manually.
That is the true definition of malware.
This is just my opinion: Approximately 25% of all earthquakes at or above magnitude M 5.0 (M 5+) can be associated with planetary alignments. Moon-Earth-Planet alignments leave a distinctive "U" shaped magnetic anomaly on ground-based magnetometers due to the Moon's motion. Other planetary alignments, not involving the Moon, do not show such a distinctive magnetic anomaly; however, the alignments make themselves known through the triggering of M 5+ earthquakes, often within an hour of the alignment's forecast time. Forecast times and Earth's affected regions are determined by planetary positions and do not need a time series. Time series is useful in that it has shown certain angles are more important than others, for example 0°, 45°, 60°, 90°, 120°, 135°, and 180° are most important.
❗️Here is our current estimate of the percentage of all M 5+ earthquakes (earthquakes of magnitude 5.0 or greater) that can be associated with Moon-Earth-Planet alignments:
Definitions:
A hit (H) is an M 5+ earthquake that occurs within one hour of a Moon-Earth-Planet alignment AND within a 5,000 km radius of the forecast location.
A forecast (F) is a Moon-Earth-Planet alignment i.e. an impact (states time AND location).
A quake (Q) is any M 5+ earthquake that occurs, regardless of what triggered it.
To calculate the daily % of forecast successes (S), the formula is S= 100%*2*H/(F+Q). The factor of 2 in the numerator is because a hit (H) absorbs one F AND one Q. Example: Let's say a day had 5 impacts F, 4 M5+ quakes Q, and one hit H. Then the %success S = 100%*2*1/(5 +4) = 22.2%.
I plotted the 3-day rolling average of forecast successes over the past 15 days in the graph below. The average forecast success was 26%. Here is the big conclusion:
Of all M 5+ earthquakes that happen, roughly 25% of them can be associated with planetary alignments!
Some iPhone 17, 17 Pro, and iPhone Air owners (including 9to5Mac's @bzamayo) are running into a weird bug where a fully dead battery won't revive through a wired charger.
The fix that's working: leave it on a MagSafe pad for 10 to 15 minutes. Even Apple Store techs are reportedly doing this.
(Full story https://t.co/OqkTggwuSO)
In a world where artificial intelligence can replicate a person’s voice or face in seconds, Denmark is stepping forward with a groundbreaking proposal: a copyright law that grants every citizen ownership of their own likeness.
If passed, this law would mean no one — not even AI companies — could legally use your face, voice, or body data without consent. The move comes amid growing global concerns about deepfakes, where digital replicas of real people are used in scams, misinformation, and even political manipulation.
⁉️ I just got an answer back from British Geological Survey (BGS) regarding the current inability of https://t.co/x0nSQdEszR to retrieve raw magnetic data from https://t.co/aQzY1tIyJD:
Hi Richard,
We had some infrastructure problems on Friday which have led to a tightening of security on the devices at BGS which forward your requests to our servers. Whilst this doesn’t seem to have affected interactive use of our service with a web browser, we’ve had reports from other people who operate automated systems that collect data from our web services that their collection has been affected. I hope that this will get resolved early next week when our IT infrastructure staff are able to look at the issues. In the meantime if you are able to send me the code you use to retrieve data from our service (and if I’m able to replicate the problem you are seeing) I may be able to recommend a workaround.
There’s been no change to the web service for Intermagnet data that we operate.
Best wishes,
Simon
P.S. from Richard - I'll keep my followers informed of any further progress.
❗️Here is how I calculate my success rate at forecasting M 5+ earthquakes (quakes of magnitude 5 or above) using Moon-Planet alignments (aspects):
The variables are:
F = The number of upcoming planetary aspects (impacts) on my list (forecast) for the next day.
Q = The number of M 5+ earthquakes that actually happened on the next day.
H = The number of "Hits", defined as the number of M 5+ earthquakes that occurred within one hour of the forecast time AND within 5,000 km of the forecast location.
The % success (S) is then S = (100%)*2*H/(F +Q).
The reason for the factor of 2 in the numerator is that each Hit (H) absorbs one F and one Q.
Over the past week my success rate was 26%. This may be okay if we assume that, of the many triggers of M 5+ earthquakes, planetary impacts make up ~25%, while the other 75% are the usual tectonic plate movements, faulting, volcanics, human industrial, etc.
❗️Suppose, according to my hypothesis, an M 5+ earthquake occurs within one hour of a planetary impact forecast time AND within a 5,000 km radius of the impact forecast location. Was it just an accident or a real causation? Start with these two basic tools: 1) The probability of an earthquake happening by accident within a particular 2-hour interval in a 24 hour day is 2/24 = 8.33%. 2) The probability of the earthquake happening by accident within a radius of 5,000 km of a given point is ~Area of circle/Area of Earth = 15.4%.
So the probability of both happening by accident is 8.33% x 15.4% = 1.28%. Now let's make it less favorable to me: On an average day there are five M 5+ quakes, so now the accident probability goes up to 1.28% x 5 = 6.4%. Finally, making it even less favorable to me, let's say I list four impact times. Now the accident probability goes up to 6.4% x 4 = 25%. I still feel good since 25% accidental means 75% real causation!
Destroying the @InternetArchive's @WayBackMachine would be the equivalent of the burning of the Library of Alexandria - one of the worst losses of knowledge in history.
Media giants are now threatening to do this.
We can't let this happen.
Pass it on.
Apple shipped macOS Tahoe with an icon next to every single menu item. And in doing so, destroyed the entire point of icons.
An icon is a signal, and signals only work through contrast. The moment everything has one, none of them mean anything, you've just added noise that looks like clarity. Apple even reuses the same icon for completely different actions.
The right menu is my take: icons only on the actions you actually reach for daily: New Window, New Tab, Close. Everything else stays clean. Your eye knows exactly where to go.
The left is Tahoe. Every item screaming at the same volume.
Apple's own 1992 design guidelines called out every single one of these mistakes. Thirty years later, they made all of them.
Adding more is not the same as adding value. What's your take?
In 1948, a 32-year-old at Bell Labs published a paper nobody fully understood.
Engineers found it too mathematical. Mathematicians found it too engineering-focused. One prominent mathematician reviewed it negatively.
That paper, "A Mathematical Theory of Communication", became the founding document of the digital age.
The man was Claude Shannon. Father of Information Theory.
At 21, he wrote the most important master's thesis of the 20th century.
Working at MIT on an early mechanical computer, Shannon noticed its relay switches had exactly two states - open or closed. He had just taken a philosophy course introducing Boolean algebra, which also operated on two values: true and false.
Nobody had ever connected these two things.
His 1937 thesis proved that Boolean algebra and electrical circuits are mathematically identical, and that any logical operation could be built from simple switches.
Howard Gardner called it "possibly the most important, and also the most famous, master's thesis of the century."
Every digital computer ever built traces back to this insight.
At 29, he proved that perfect encryption exists.
During WWII, Shannon worked on classified cryptography at Bell Labs. His work contributed to SIGSALY, the secure voice system used for confidential communications between Roosevelt and Churchill.
In a classified 1945 memorandum, he mathematically proved the one-time pad provides perfect secrecy, unbreakable not just computationally, but provably, permanently, against an adversary with infinite power.
When declassified in 1949, it transformed cryptography from an art into a science. It laid the foundations for DES, AES, and every modern encryption standard.
At 32, he defined what information is.
His 1948 paper introduced one equation:
H = −Σ p(x) log p(x)
Shannon entropy. The average uncertainty in a probability distribution. The minimum bits required to encode a message.
Three things followed:
> He defined the bit - the fundamental unit of all information. His colleague John Tukey coined the name.
> He proved the channel capacity theorem: every communication channel has a maximum rate of reliable transmission. You can approach it. You can never exceed it.
> He unified telegraph, telephone, and radio into a single mathematical framework for the first time.
Robert Lucky of Bell Labs called it the greatest work "in the annals of technological thought."
Where his equation lives in AI today:
Cross-entropy loss, the function training every classifier and language model, is derived directly from H. Decision tree splits use information gain, which is H applied to data. Perplexity, the standard LLM evaluation metric, is an exponentiation of cross-entropy.
Every time a neural network trains, Shannon's formula runs inside it.
He also built the first AI learning device.
In 1950, Shannon built Theseus, a mechanical mouse that navigated a maze through trial and error, learned the correct path, and repeated it perfectly. Mazin Gilbert of Bell Labs said: "Theseus inspired the whole field of AI."
That same year he published the first paper on programming a computer to play chess. He co-organized the 1956 Dartmouth Workshop, the founding event of AI as a field.
The man:
He rode a unicycle through Bell Labs hallways while juggling. He built a flame-throwing trumpet, a rocket-powered Frisbee, and Styrofoam shoes to walk on the lake behind his house.
He called his home Entropy House.
When asked what motivated him: "I was motivated by curiosity. Never by the desire for financial gain. I just wondered how things were put together."
In 1985, he appeared unexpectedly at a conference in Brighton. The crowd mobbed him for autographs. Persuaded to speak at the banquet, he talked briefly, then pulled three balls from his pockets and juggled instead.
One engineer said: "It was as if Newton had showed up at a physics conference."
He died in 2001 after a decade with Alzheimer's, the cruel irony of information slowly leaving the mind of the man who defined what information was.
Claude, the AI model, is named after Claude Shannon, the mathematician who laid the foundation for the digital world we rely on today.
For months now we have been trying to get Microsoft Partner access to sign kernel drivers to improve GPU support for UTM. We have met all of Microsoft's requirements and have an EV certificate, but our support ticket is 3 months old. If you have contacts in Microsoft, please DM us.
For context we need kernel signing for developing GPU drivers for virtualization. We have passed all the identity verification and have an EV certificate. We were able to sign one release of the drivers last year. But now our account is gone. No emails from Microsoft or anything.