‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.
GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.
What happened?
▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
▪️ No Play Services = no QR scan = locked out.
The bigger picture:
▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
❗️🚨 Microsoft Edge keeps every saved password in process memory as cleartext from the moment it launches. Microsoft's response when reported: "by design."
All of them. Including credentials for sites you won't open this session.
Researcher @L1v1ng0ffTh3L4N tested every major Chromium browser. Edge is the only one that behaves this way.
Chrome decrypts credentials on demand, and App-Bound Encryption locks the keys to an authenticated Chrome process so other processes can't reuse them.
In Chrome, plaintext surfaces only during autofill or when a password is viewed, making memory scraping far less useful.
What makes this extra weird is that Edge still demands re-authentication before revealing those passwords in its Password Manager UI, while the same browser process already holds every one of them in plaintext.
In shared environments, this turns into a credential harvest. On a terminal server, an attacker with admin rights can read the memory of every logged-on user process. In the published PoC video, a compromised admin account lifts stored credentials from two other logged-on (and even disconnected) users with Edge running.
Microsoft's official response when notified: "by design."
The finding was disclosed April 29 at BigBiteOfTech by PaloAltoNtwks Norway, alongside a small educational tool that lets anyone verify the cleartext storage for themselves.
🚨 SaaS platform ClickUp, used by 85% of the Fortune 500, has been leaking customer emails through its homepage for at least 465 days, and counting.
ClickUp has a $4 billion valuation. They are SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certified. The fix takes about 90 seconds.
Security researcher @weezerOSINT noticed a hardcoded Split[.]io SDK token sitting in plain text inside ClickUp's production JavaScript bundle. The bundle loads before you log in. View source, copy key, send one unauthenticated GET request, and 4.5MB of ClickUp's internal configuration is exposed: 959 customer emails and 3,165 internal feature flags.
The customer list consists of Home Depot. Fortinet, who sells enterprise firewalls. Tenable, who makes Nessus, the vulnerability scanner half the industry runs on. Autodesk. Rakuten. Mayo Clinic. Permira. Akin Gump. A Microsoft contractor. 71 ClickUp employees. Government workers from Wyoming, Arkansas, North Carolina, Montana, Queensland, and New Zealand.
It gets worse: ClickUp has a flag named "enable-missing-authz-checks." It is active in production. It lists five ClickUp API endpoints the company itself documented as having no authorization. They wrote down their own holes in a config anyone with a browser can read.
At first disclosure, another flag carried a live ClickUp API token tied to Fairfax County Public Schools, one of the largest school districts in the US, serving 180,000 students. The token pulled 1,066 staff records, including Chief Financial Services data. ClickUp removed that one token. They never rotated the SDK key that exposed it.
While that report rotted, the same researcher found a second bug. ClickUp's webhook API has zero SSRF protection. Reported via HackerOne on April 8, 2026. Status: "New." 19 days, zero response.
The original report was filed by @weezerOSINT on January 17, 2025 (!). The key is still live. The emails still drop with one GET. ClickUp has had 465 days to rotate a single token. Zero response...
The fix is one click in the Split[.]io dashboard... ClickUp still hasn't replied to the researcher.
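The ClickUp post above comes down to a credential-shaped string literal shipped inside a pre-login JavaScript bundle. The following is an added example (not ClickUp's, Split's, or the researcher's code) of the kind of pre-deploy check a build pipeline can run over its own bundles: it flags string literals assigned to credential-named fields and, separately, long high-entropy literals that have no such name. The sample bundle, its field names and the key value are constructed placeholders; the entropy threshold of 3.5 bits is an assumed tuning value.

```python
"""Pre-deploy secret check for a JavaScript bundle (added example, not ClickUp's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample bundle. "sdkPLACEHOLDER..." is a made-up value, not a real key.
SAMPLE_BUNDLE = """\
var cfg = { apiBase: "https://api.example.test/v1", version: "3.14.2" };
var featureFlags = { authorizationKey: "sdkPLACEHOLDER7qX2mN9vB4kL8pR3tW6yZ", trafficType: "user" };
var padding = "0000000000000000000000000000000000000000";
var init = ["Q7bW2kZ9mX4pL1vN8cT5yR3gF6hJ0dAsEuGiKoM", "on"];
"""

# A string literal (16+ chars) assigned to an identifier containing key/secret/token/password.
SENSITIVE_ASSIGNMENT = re.compile(
    r'\b(\w*(?:key|secret|token|password)\w*)\s*[:=]\s*["\']([^"\']{16,})["\']',
    re.IGNORECASE,
)
# Any quoted literal of 32+ token-like characters, checked by entropy below.
LONG_LITERAL = re.compile(r'["\']([A-Za-z0-9_\-]{32,})["\']')


@dataclass
class Finding:
    line: int
    reason: str
    snippet: str  # redacted so the report itself does not leak the value


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-character-repeated string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def redact(value: str) -> str:
    """Keep only a short prefix and suffix for the report."""
    return value[:4] + "..." + value[-2:]


def find_hardcoded_secrets(js_source: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan bundle text line by line; credential-named fields first, then bare high-entropy literals."""
    findings: list[Finding] = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        already_reported: set[str] = set()
        for match in SENSITIVE_ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(2)
            already_reported.add(value)
            findings.append(Finding(lineno, f"credential-named field '{name}'", redact(value)))
        for match in LONG_LITERAL.finditer(line):
            value = match.group(1)
            if value in already_reported:
                continue
            entropy = shannon_entropy(value)
            # Low-entropy filler such as padding or all-zero ids is skipped on purpose.
            if entropy >= entropy_threshold:
                findings.append(Finding(lineno, f"high-entropy literal (H={entropy:.2f} bits)", redact(value)))
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.reason}: {f.snippet}")
```

Run it as a build step and fail the build on any finding; the name-based rule catches the case in the post (a key sitting next to a field called authorizationKey), while the entropy rule catches the same key after a minifier has renamed the field. Both rules produce false positives on content hashes and similar, so treat the output as a review queue rather than a verdict.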
France's government ID portal just lost up to 19 million records. Names, DOBs, addresses, phone numbers, logins. A third of the country, sitting in a criminal forum listing.
This is the same government lobbying for encryption backdoors and mandatory digital ID. They can't protect what they already have.
https://t.co/2aDHNuim4m
🚨 BREAKING: Vercel has been breached. A threat actor has listed their customers' data, source code, databases, and keys up for sale.
Vercel has also publicly disclosed they've identified a security incident involving unauthorized access to their internal systems.
Your smart TV is taking screenshots of your screen every 15 seconds.
Not a guess. Not a theory.
A peer-reviewed study by researchers at UC Davis, UCL, and UC3M tested it.
Samsung TVs: every minute.
LG TVs: every 15 seconds.
Even when you're just using it as a monitor.
Here's how to turn it off for every brand:
I’ve wanted to do this for a decade.
But I never did - I refuse to give any company my DNA.
It is me.
So this week I sequenced my genome entirely at home. Literally on my kitchen table.
I never exposed my DNA sequence to the internet. Not at any point.
I used a MinION to do the sequencing (it’s smaller + weighs less than an iPhone).
I used open-source DNA models for the analysis (Evo2 and AlphaGenome) running locally on a DGX Spark and Mac Studio.
I traced mechanisms behind my family’s multigenerational autoimmune conditions that no clinician has been able to understand.
When I set out to do this I didn’t know if it would actually work. It does.
Your genome is the most private data you will ever have. You probably shouldn’t let it leave your house.
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.
When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.
It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
🚨‼️ Microsoft has suspended the developer accounts of WireGuard and VeraCrypt, making it impossible for them to push updates in case of critical vulnerabilities.
WireGuard is used by hundreds of millions of users — directly and indirectly via VPN apps like NordVPN and others.
WireGuard dev: "What if there were some critical RCE in WireGuard (...) exploited in the wild, and I needed to update users immediately? (...) In that case, Microsoft would have my hands entirely tied."
1/ Recently an unnamed source shared data exfiltrated from an internal North Korean payment server containing 390 accounts, chat logs, crypto transactions.
I spent long hours going through all of it, none of which has ever been publicly released.
It revealed an intricate ~$1M/month scheme of fraudulent identities, forged legal documents, and crypto-to-fiat conversion.
Enjoy the findings!
Software horror: litellm PyPI supply chain attack.
Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords.
LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm.
Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks.
Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any dependency you could be pulling in a poisoned package anywhere deep inside its entire dependency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages.
Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
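The litellm post makes the point that a poisoned package reaches you through packages you never asked for. The following added example (not litellm's, dspy's or any project's own code) shows the impact question a defender asks after such an incident: which of my top-level dependencies would have pulled in the bad version through their dependency tree? The graph is constructed; only the edge dspy -> litellm>=1.64.0 and the version 1.82.8 come from the post, every other package, edge and version is made up, and the version-specifier handling is a deliberately minimal subset of what pip supports.

```python
"""Transitive-dependency impact check (added example, not any project's own code)."""

# Constructed sample graph: name -> list of (dependency, version specifier).
# Only "dspy -> litellm>=1.64.0" and version 1.82.8 are from the incident write-up.
SAMPLE_GRAPH = {
    "agent-kit": [("dspy", ">=2.5"), ("httpx", ">=0.27")],
    "dspy": [("litellm", ">=1.64.0"), ("openai", ">=1.0")],
    "litellm": [("openai", ">=1.0"), ("httpx", ">=0.27")],
    "report-tool": [("requests", ">=2.31"), ("jinja2", ">=3.1")],
    "legacy-llm": [("litellm", "<1.50")],  # pinned below the bad release
    "openai": [],
    "httpx": [],
    "requests": [],
    "jinja2": [],
}

TOP_LEVEL = ["agent-kit", "dspy", "report-tool", "legacy-llm"]  # what the project lists directly


def parse_version(text: str) -> tuple[int, ...]:
    """Dotted numeric version to a comparable tuple (minimal, no pre-release handling)."""
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: str, spec: str) -> bool:
    """True if `version` meets every comma-separated clause (==, >=, <=, >, <)."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):
            if clause.startswith(op):
                target = parse_version(clause[len(op):])
                ok = {
                    ">=": v >= target, "<=": v <= target, "==": v == target,
                    ">": v > target, "<": v < target,
                }[op]
                break
        else:
            raise ValueError(f"unsupported specifier: {clause!r}")
        if not ok:
            return False
    return True


def dependency_paths(graph, root, package, version, path=()):
    """Every chain root -> ... -> package whose last edge admits `version` of `package`."""
    path = path + (root,)
    found = []
    for dep, spec in graph.get(root, []):
        if dep in path:
            continue  # cycle guard
        if dep == package:
            if satisfies(version, spec):
                found.append(path + (dep,))
            continue
        found.extend(dependency_paths(graph, dep, package, version, path))
    return found


def affected_roots(graph, roots, package, version):
    """Top-level packages that would have installed `package` at `version` transitively."""
    return sorted(r for r in roots if dependency_paths(graph, r, package, version))


if __name__ == "__main__":
    for root in affected_roots(SAMPLE_GRAPH, TOP_LEVEL, "litellm", "1.82.8"):
        for chain in dependency_paths(SAMPLE_GRAPH, root, "litellm", "1.82.8"):
            print(" -> ".join(chain))
```

In practice the graph comes from a lockfile or from `pip inspect` rather than a hand-written dict, but the walk is the same: a package two or three edges away from anything you chose is still something you installed, which is why pinning the whole tree with hashes, rather than only the direct dependencies, is what limits a window like the one described above.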
1/ I uncovered a coordinated network of 10+ accounts manufacturing viral panic about war and politics to drive traffic to crypto scams.
Strategy:
>Purchase accounts with followers
>Doompost multiple times per day
>Repost content from alt accounts
>Promote fake giveaway or scam
>Change username
Brendan Eich’s story is wild.
He built JavaScript in 10 days. May 1995, almost no sleep, because Netscape needed a scripting language before Navigator 2.0 shipped in September. He was 34. The prototype was called Mocha. For all of 1995 and most of 1996, he was the only developer working full-time on the engine.
That 10-day sprint now runs 98.8% of all websites on earth. JavaScript has been the most-used programming language for 13 consecutive years. 66% of all developers use it today. Every time you open Gmail, YouTube, or Netflix, you’re running code that traces back to those 10 sleepless nights in Mountain View.
He co-founded Mozilla in 1998 and helped spin it into an independent foundation after AOL gutted Netscape in 2003. Firefox went from zero to 30% browser market share. He proved browsers didn’t have to be a Microsoft monopoly.
Then Mozilla made him CEO in March 2014. Eleven days later, he resigned under public pressure over a political donation from six years earlier. The board tried to keep him in a different role. He walked entirely.
Here’s where most people’s story would end. He was 53, wealthy, had nothing left to prove. Instead he started Brave from scratch, raised $2.5M from Founders Fund, and built a browser that blocks every ad and tracker by default. He ran a $35M ICO for Basic Attention Token in 2017. He built his own search engine doing 20 billion queries a year.
Brave crossed 100 million monthly active users in September 2025 and hit $100M in annualized revenue. Desktop market share doubled in a single year, from 0.8% to 1.3%. Against Chrome’s $20 billion search deal with Apple alone, and Google sitting at 65% global share.
The pattern across 30 years is the same every time. Eich builds something, gets told it won’t work or won’t scale, and then the thing he built becomes infrastructure that outlasts the people who doubted it.
The 10-day prototype became the language of the internet. The open-source side project became the second most popular browser on earth. The post-cancellation startup just crossed 100 million users.
Absolute legend.
We built Zero because we had to. Because we felt an obligation to protect the ideas that matter. This is not another incremental L1. It is a decentralized alternative to AWS and GCP.
I've just run @OpenClaw (formerly Clawdbot) through ZeroLeaks.
It scored 2/100. 84% extraction rate. 91% of injection attacks succeeded. System prompt got leaked on turn 1.
This means if you're using Clawdbot, anyone interacting with your agent can access and manipulate your full system prompt, internal tool configurations, memory files... everything you put in https://t.co/ZU6N5JCN1u, https://t.co/Y3xugcBQKJ, your skills, all of it is accessible and at risk of prompt injection.
For agents handling sensitive workflows or private data, this is a real problem.
cc @steipete
Full analysis: https://t.co/KE4ODSSQ1l
Clawd disaster incoming
if this trend of hosting ClawdBot on VPS instances keeps up, along with people not reading the docs and opening ports with zero auth...
I'm scared we're gonna have a massive credentials breach soon and it can be huge
This is just a basic scan of instances hosting clawdbot with open gateway ports and a lot of them have 0 auth
Our housing minister Gregor Robertson signed up for C40 Cities and is now an ambassador for one of the groups.
Their agenda…
No meat, No dairy
3 pieces clothing/yr
No private car ownership
One short flight every 3 years
Read it, section 6
https://t.co/WxfcGbcpaV
Mark Carney has set things up to become the first Billionaire PM using your money to get there.
When everything is set and done Canada will be finished and Mark Carney will jet off into the sunset with all your Cash.